All controls within the SurePath AI platform are driven by admin-defined policy. There are two types of policy within the SurePath AI platform: the Default Policy, which applies to all members of a SurePath AI tenant, and Group Policy, which applies to a specific group of users within a SurePath AI tenant.
Combined, these policies determine which public GenAI sites users may access, which sensitive data entities are monitored and what action is taken when they are detected, and which private models, data sources, and assistants are available inside the private portal. This article will help administrators understand how these policies work and how to configure them to enforce their organization's GenAI policy.
The policy basics
SurePath AI, like other security products, takes a least privilege approach to workforce use of GenAI: nothing is reachable until an administrator grants it. Administrators must therefore explicitly add access to every resource that SurePath AI protects. Policies apply both to public GenAI services and to the SurePath AI portal.
Group Policy controls
| Control | What it governs |
|---|---|
| Public GenAI services | Allow services like ChatGPT, Claude, or Microsoft Copilot |
| PII detection settings and entities | Which sensitive data types (SSN, Phone Number, and others) are monitored, redacted, or blocked |
| Content Controls | High-risk requests, confidential data, and others |
| Redirect/Block controls | Which action to take when a user attempts to access a restricted GenAI site |
| Private Models (portal) | Which models are available to users in the portal, and the default model |
| Data Sources (portal) | Which Data Sources users can draw on when making requests in the private portal |
| Assistants (portal) | Which Assistants users can access within the portal |
Policies can only add access for users, never remove it. Because grants only accumulate, a user can be a member of multiple Group Policies, each of which can add further access on top of the Default Policy; no Group Policy can take away something another policy has granted.
Default Policy
The SurePath AI Default Policy applies to all users in a SurePath AI tenant. Because everything it grants reaches every user, the Default Policy should be the most restrictive policy in the tenant, granting access only to services and resources that have been approved for the entire organization. Group Policies should be used to extend access to targeted groups of users.
If the organization has approved a specific GenAI site, such as Microsoft Copilot, for all users, then adding it to the Default Policy makes the most sense, since every user inherits the services and resources granted there. Another valid configuration is a Default Policy that grants no access to any service or resource at all, so that every grant comes from a Group Policy.
Group Policy
Group Policies grant additional access to services and/or resources beyond what the Default Policy provides. A Group Policy is applied to users by associating a group (either created manually or imported via the Directory Sync feature) with a SurePath AI Group Policy.
Group Policies are additive, and a user can have multiple Group Policies applied at the same time. A Group Policy contains the same settings as the Default Policy, applied to a more specific set of users.
Sensitive Data settings
Sensitive Data settings follow the same model, built from most restrictive to least restrictive. Because Group Policies are additive, a Group Policy can only relax a Sensitive Data restriction, never tighten one. It follows that if a Sensitive Data setting is disabled in the Default Policy, it cannot be enabled or changed in a Group Policy: the Default Policy must always be at least as restrictive as any Group Policy.
For Sensitive Data, therefore, the most restrictive settings must be configured at the Default Policy level; exceptions that allow a detected entity, or lessen the action taken on it, are then made in Group Policies.
For example, if a group of users does not need to be monitored for the use of phone numbers, an exception for the Phone Number PII entity can be made in that group's Group Policy. Unless the Default Policy has that Sensitive Data setting enabled, however, the Group Policy can make no change to it.
Sensitive Data Settings ranked from most restrictive to least restrictive
| | Content Controls | PII Detection |
|---|---|---|
| Most restrictive | Block | Block |
| ... | Detect only | Delete |
| ... | Ignore | Mask |
| ... | | Tag |
| ... | | Synthesize |
| Least restrictive | | Detect only |
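The rules above (grants are the union of the Default Policy and every Group Policy a user belongs to; a Group Policy can only loosen a Sensitive Data action relative to the Default Policy; an entity disabled in the Default Policy cannot be enabled by a Group Policy) can be checked mechanically. The following model is an added illustration written for this article, not SurePath AI's own code or API. It assumes, as an inference from "additive", that when two Group Policies set the same entity the least restrictive of the valid settings wins, and it reports Group Policy settings that have no effect, which is a diagnostic of this example rather than a product feature. The policy data is constructed for the example.

```python
"""Model of SurePath AI policy resolution as described in this article.

Added example, not SurePath AI's own code: the product's internal evaluation
order is not documented here. Encodes the stated rules:
  * services/models/data sources/assistants: union of Default + Group Policies
  * Sensitive Data actions: a Group Policy may only relax the Default action
  * an entity absent (disabled) in the Default Policy cannot be enabled
"""
from dataclasses import dataclass, field

# Rankings copied from the article's table, most restrictive first.
CONTENT_CONTROL_RANK = ["Block", "Detect only", "Ignore"]
PII_RANK = ["Block", "Delete", "Mask", "Tag", "Synthesize", "Detect only"]


@dataclass
class Policy:
    """One Default or Group Policy. An entity missing from pii/content_controls is disabled."""
    name: str
    services: frozenset = frozenset()
    models: frozenset = frozenset()
    data_sources: frozenset = frozenset()
    assistants: frozenset = frozenset()
    pii: dict = field(default_factory=dict)               # entity -> PII action
    content_controls: dict = field(default_factory=dict)  # control -> action


@dataclass
class EffectivePolicy:
    services: set
    models: set
    data_sources: set
    assistants: set
    pii: dict
    content_controls: dict
    ineffective: list  # (group name, setting, reason) tuples for admin review


def _merge_actions(default_actions, groups, attr, rank, ineffective):
    """Start from the Default Policy and let each group only relax an action."""
    merged = dict(default_actions)
    for g in groups:
        for entity, action in getattr(g, attr).items():
            if entity not in default_actions:
                ineffective.append((g.name, entity, "disabled in Default Policy"))
                continue
            if rank.index(action) < rank.index(default_actions[entity]):
                ineffective.append((g.name, entity, "stricter than Default Policy"))
                continue
            # Assumption: among valid group settings the least restrictive wins.
            if rank.index(action) > rank.index(merged[entity]):
                merged[entity] = action
    return merged


def resolve(default, group_policies, user_groups):
    """Effective policy for a user who is a member of the groups in user_groups."""
    groups = [g for g in group_policies if g.name in user_groups]
    ineffective = []
    return EffectivePolicy(
        services=set(default.services).union(*(g.services for g in groups)),
        models=set(default.models).union(*(g.models for g in groups)),
        data_sources=set(default.data_sources).union(*(g.data_sources for g in groups)),
        assistants=set(default.assistants).union(*(g.assistants for g in groups)),
        pii=_merge_actions(default.pii, groups, "pii", PII_RANK, ineffective),
        content_controls=_merge_actions(default.content_controls, groups,
                                        "content_controls", CONTENT_CONTROL_RANK, ineffective),
        ineffective=ineffective,
    )


# Constructed sample tenant: a restrictive Default Policy plus two Group Policies.
DEFAULT = Policy(
    name="Default",
    services=frozenset({"Microsoft Copilot"}),
    pii={"SSN": "Block", "Phone Number": "Mask"},
    content_controls={"High-risk requests": "Block"},
)
GROUPS = [
    Policy(name="engineering",
           services=frozenset({"ChatGPT"}),
           models=frozenset({"private-model-a"}),       # hypothetical model name
           pii={"Phone Number": "Detect only",          # valid exception: Mask -> Detect only
                "Credit Card": "Block"},                # disabled in Default: no effect
           content_controls={"High-risk requests": "Detect only"}),
    Policy(name="finance",
           services=frozenset({"Claude"}),
           data_sources=frozenset({"ledger-index"}),    # hypothetical data source
           pii={"Phone Number": "Block"}),              # stricter than Default: no effect
]


def demo():
    """Effective policy for a user who is in both constructed groups."""
    return resolve(DEFAULT, GROUPS, {"engineering", "finance"})


if __name__ == "__main__":
    eff = demo()
    print("services:", sorted(eff.services))
    print("pii:", eff.pii, "content:", eff.content_controls)
    for group, setting, why in eff.ineffective:
        print(f"no effect: {group} / {setting}: {why}")
```

The `ineffective` list is the check worth running before rollout: a Group Policy entry that tries to enable an entity the Default Policy has disabled, or to apply a stricter action than the Default Policy, silently does nothing, and the admin who wrote it may believe that group is protected when it is not.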
Verifying a user's policy
The policy being applied to a user can be verified in the admin interface at https://admin.surepath.ai:
In the CONFIGURE section of the menu, under Users & Groups, select End Users.
Search for the user whose policy needs to be examined and click the > icon on the right side of the user row.
At the bottom of the fly-out, in the Policies section, all applied policies can be viewed, including all the allowed services and assigned resources. This is the quickest way to confirm that a Group Policy grant, or a Sensitive Data exception, has actually reached the intended user.
Policy at tenant creation
Without SurePath AI, an organization typically has no way to know how its workforce is using GenAI or which violations of company policy are taking place. For that reason, a newly deployed SurePath AI tenant comes configured in a log-only, or discovery, mode. This allows administrators and security stakeholders to capture usage data and evaluate the risks occurring within the organization. Note that in this mode activity is recorded but not blocked or redacted, so the tenant is not yet enforcing the organization's GenAI policy until the Default and Group Policies are configured.
SurePath AI policy cheat sheet
Policies are built from most restrictive (Default Policy) to least restrictive (Group Policy)
The Default Policy applies to all users within a tenant
Group Policies give users additional access to services and resources, and can relax but never tighten Sensitive Data settings
Policies are additive
Users can have multiple group policies applied at the same time