I'm looking for effective technical solutions to manage access to AI websites like ChatGPT, OpenAI, or Google Gemini in our company. While AI is becoming increasingly integral, we need to maintain strict controls to restrict access to unapproved sites to protect our company data. We have established corporate policies indicating that users should only use sites from an approved list.
To ensure everyone can responsibly use AI, we offer regular training and support. However, our Internal Audit and Management teams are pushing for stronger controls and are unhappy with our manual approach. We operate entirely on Windows and are fully remote, utilizing Sophos for web filtering and endpoint protection. Unfortunately, Sophos does not categorize AI sites like it does with Adult Content or Gambling, so we end up manually updating blocked URLs. We could automate this process, but it feels like that just shifts the maintenance burden. Any insights or solutions you've implemented would be greatly appreciated.
5 Answers
Look at it from a firewall strategy. We had to explain to our team that relying on AI for handling sensitive evidence can violate legal standards like CJIS. Once we clarified this, most exemption requests disappeared.
In our setup, we block the AI category via Zscaler, but we do allow licenses for tools like co-pilot since they serve a necessary function.
Using Umbrella is a great choice since they have an AI category. I've heard you can also tap into a public listing from Talos, which might help with your blocking.
Consider using Microsoft Purview along with Defender for Cloud Apps. This combo can provide strong governance and monitoring over app usage, including AI applications.
If you're focused on blocking specific URLs, maybe think about raising a ticket with Sophos? They might expedite building you a custom blocklist. Or, you could analyze domain usage from reports and take educated guesses on what to block!
Good idea! I hadn’t thought about analyzing the reports for patterns. Thanks for the suggestion!
That makes sense—laying out the legal ramifications can really help in getting buy-in for tighter controls.