Documentation Index

Fetch the complete documentation index at: https://knowledge.catonetworks.com/llms.txt

Use this file to discover all available pages before exploring further.

Configuring the AI Security User Access Policy (EA)

Prev Next

Overview

Prevent employees from accessing unauthorized AI applications and guide them toward approved resources. Configure the User Access Policy to define how the AI Security Browser Plugin responds when users attempt to access AI applications:

  • Block access to unauthorized AI applications
  • Redirect users to a sanctioned AI resource
  • Engage users to verify they are accessing a safe resource before continuing

Common Use Cases

Redirecting Users from Unapproved AI Apps to Microsoft 365 Copilot

An organization standardizes on Microsoft 365 Copilot as the approved AI tool for business use. The admin creates a specific Allow rule for Microsoft 365 Copilot and places it above a broader Redirect rule for AI applications. Approved Copilot traffic matches the Allow rule. Other AI application traffic matches the Redirect rule and sends users to Microsoft 365 Copilot.

Example Redirect rule settings:

  • Source: All users
  • Application Category: AI Applications
  • Action: Redirect
  • Redirect URL: Microsoft 365 Copilot URL

Engaging Users Before Accessing ChatGPT

An organization allows users to access ChatGPT but wants to remind them not to enter sensitive or regulated data. The admin creates an Engage User rule for ChatGPT that shows an AI usage notification that users must approve before continuing.

Example Engage User rule settings:

  • Source: All users
  • Application: ChatGPT
  • Action: Engage User
  • User Notification: AI Security Engage User notification with usage guidance

Understanding the User Access Policy

User Access Policy rules determine how AI Security handles browser-based AI application access for users with the AI Security Browser Plugin installed. For each request, the policy checks the rulebase and applies the action from the first matching rule, such as blocking an unauthorized AI application or redirecting the user to an approved corporate AI resource.

User Access Policy and User Interaction Policy

The User Access Policy and User Interaction Policy can both apply to the same AI application. The AI Security engine first determines whether the user can access the AI application. For allowed apps, the User Interaction Policy is applied to the user's prompts and interactions.

If the User Access Policy blocks access or redirects the user to a different AI resource, User Interaction Policy rules are not applied to the original application access.

Rule Actions

Each rule includes traffic criteria that must be matched and the action applied to matching access. Cato assigns the AI Security Risk Level for each AI application, and you can use this classification in rules to apply the same access control to apps with the same risk level.

These are the available actions and whether the User Interaction Policy applies:

  • Allow: Allows access to the AI application. User Interaction Policy rules can apply because the user continues to the application.
  • Block: Blocks access to the AI application. User Interaction Policy rules are not applied because access is blocked.
  • Redirect: Redirects the user from the requested AI application to a configured URL. User Interaction Policy rules are only applied to the application defined by the redirect URL.
  • Engage User: Shows an AI Security user notification before access continues. User Interaction Policy rules apply only if the user approves accessing the AI application.

Rule Order

Rules are evaluated from top to bottom. When a request matches a rule, the rule action is applied, and the policy does not evaluate later rules for that request.

Rule order matters when a specific approved AI resource and a broader AI application rule could both match the same request. Place the specific rule first so the approved access is handled before the broader rule applies a block, redirect, or engage action.

Exceptions

Exceptions let you keep a broad rule while excluding specific users, groups, or AI applications from that rule. When a request matches an exception, the rule action is skipped, and policy evaluation continues to the next rule. This lets you apply broad access control to most users while allowing approved deviations without duplicating the rule.

Creating User Access Policy Rules

User Access Policy rules control how AI Security handles browser-based access to AI applications. Each rule defines the traffic to match by user, group, or application, and the action to apply when that traffic is detected.

For Block or Engage User rules with a custom message, make sure an AI Security user notification template exists before creating the rule. If you need to exclude specific users or applications from a rule without removing it entirely, use exceptions rather than creating a duplicate rule with a narrower scope.

To create a User Access Policy rule:

  1. From the navigation menu, select Security > AI Security.
  2. Click the User Access Policy tab.
  3. Click New Rule. The rule settings panel opens.
  4. Enter a Rule Name.
  5. Under Source, select the users or groups this rule applies to.
  6. Under Application, select the AI application or application category to match.
  7. From the Action drop-down menu, select how AI Security responds when a user accesses a matching AI application.
  8. If you selected Redirect, enter the Redirect URL.
  9. If you selected Block or Engage User, select a User Notification template.
  10. Use the Enabled toggle to enable the rule.
  11. Click Save. The policy is updated.

Creating Exceptions

You can use exceptions to ignore a specific rule and continue with the lower-priority rules. For example, if rule #3 blocks access to Microsoft Copilot for all users, you can create an exception that does not block access for the RnD department.

The exception for a rule is a sub-set of the rule, and some settings apply to both the rule and the exception:

  • When you disable the rule, the exception is also disabled
  • When you move the rule and change the priority, the exception is also moved

To add an exception:

  1. From the navigation menu, select Security > AI Security.
  2. Click the User Access Policy tab.
  3. By the rule you want to create an exception for, click the three dots and select Add Exception.
    a. Define the Name and a description for the exclusion.
    b. Under Source, select the users or groups the exclusion applies to.
    c. Under Appllication, select the AI application, category, or risk level that the exception applies to.
  4. Click Save.

Creating AI Security Notification Templates

Customize notification templates to control what users see when a block or engage rule applies. Use block notifications to explain why access was denied and engage notifications to guide users toward safe AI decisions.

Block Notifications

Create a block notification to explain to users why access to an AI application was denied.

To create an AI Security block notification template:

  1. From the navigation menu, select Account > User Notifications.
  2. Click New > AI Security User Notification.
  3. Enter a Template Name.
  4. From the Policy Type drop-down menu, select AI Security Interaction.
  5. From the Page Type drop-down menu, select Block.
  6. Under Notification Settings, enter a Title and Description for the notification message.
  7. (Optional) Select Show detection explanation message to include details about what triggered the block.
  8. Click Save.

Engage Notifications

Create an engage notification to guide users toward safe AI decisions before they access an AI application.

Define choices that let users acknowledge the policy and continue, or redirect them to a sanctioned AI resource.

Control how often the same user sees the notification by setting the notification frequency. When the notification is suppressed, users proceed directly to the application without being engaged.

To create an AI Security engage notification template:

  1. From the navigation menu, select Account > User Notifications.
  2. Click New > AI Security User Notification.
  3. Enter a Template Name.
  4. From the Policy Type drop-down menu, select AI Security Access.
  5. From the Page Type drop-down menu, select User Engage.
  6. Under Notification Settings, enter a Title and Description for the notification message.
  7. (Optional) To present users with choices, click Add Option. For each option, enter the Text label and select the Action: Continue, Block, or Redirect.
  8. From the Notification Frequency drop-down menu, select how often the notification is shown to the user.
  9. Click Save.