Hi everyone! I'm curious about how enterprise organizations are navigating the use of public AI tools like ChatGPT, Copilot, and Claude, while still allowing employees to access them without entirely blocking their use. In our situation, we want to leverage the advantages of these tools but need to mitigate risks related to sensitive data exposure and compliance with internal policies. I'm particularly eager to learn about your company's strategies and the technical or procedural measures you've implemented. Specifically, I'm looking for insights on:
- DLP rules for browsers or cloud services (like copy/paste controls, upload restrictions, form input scanning, OCR, etc.)
- Proxy or CASB solutions that facilitate controlled access to public AI services
- Integrations with M365, Google Workspace, SIEM/SOAR for monitoring and auditing
- Enterprise-safe modes leveraging dedicated tenants or API access
- Internal guidelines and acceptable-use policies outlining shareable content
- Redaction and data classification solutions to prevent unsafe inputs
Any shared experiences, good or bad, along with architecture diagrams or best practices would be greatly appreciated! Thanks in advance!
3 Answers
Completely blocking AI tools isn't really an option anymore, but we do have to manage data exposure risks. We revamped our policies and user training, then implemented browser DLP and proxy rules. Gaining clarity on what data users can access really helped shape our decisions on what AI tools are permissible.
Why not just block all AI tools and only allow access to approved ones? That's the approach we're taking. We've rolled out some in-house AI options for specific tasks, and standardized on MS Copilot for general use.
The concern is that many AI tools use uploaded data to improve their language models. The performance of tools like Copilot isn’t always up to par compared to others, especially for coding tasks, so it's crucial to choose wisely.
It's probably best to host your own solutions and limit access to public options altogether.

What kind of browser DLP solutions are you using?