All controls within the SurePath AI platform are driven by admin-defined policy. There are two types of policy within the SurePath AI platform: the Default Policy, which applies to all members of a SurePath AI tenant, and Group Policy, which applies to a specific group of users within a SurePath AI tenant.
Combined, these policies allow users to access specific GenAI sites, dictate which sensitive data entities need to be monitored, and determine which private models, data sources, and assistants are available inside the private portal. This article will help administrators understand how these policies work and how to configure them to enforce their organization's GenAI policy.
SurePath AI policy cheat sheet
Policies are built from most restrictive to least restrictive
Default policies apply to all users within a tenant
Group policies give users additional access to services and resources
Group policies are additive to the default policy
Users can have multiple group policies applied at the same time
Policy at tenant creation
Because, without SurePath AI, an organization typically has little visibility into how the workforce is using GenAI and what violations of company policy are taking place, a SurePath AI tenant comes configured in a log-only or discovery mode when it is first deployed. This allows administrators and security stakeholders to capture usage data and evaluate the risks occurring within the organization.
Workforce interactions with GenAI services are simply monitored and violations are logged without altering the user experience. In this mode of operation, valuable data is generated regarding the use of GenAI within the organization and can be used to help define the first iterations of policy within the SurePath AI tenant. When an organization is ready to apply policy, the Default Public Service Action setting can be toggled from Allow to Block in either the default or group policy level and the defined policy will be applied.
The policy basics
SurePath AI, like other security products, practices a least privilege approach to the workforce use of GenAI. Because of this, administrators must add access to all resources that SurePath AI protects using the default and group policies. These policies govern the use of both public services and the SurePath AI portal.
Group Policy controls
Group policies can only be used to provide additional access and lessen restrictions on users. This means that users can be members of multiple group policies, each of which can add additional access to the user.
External service control

| Public GenAI services | Allow services like ChatGPT, Claude, or Microsoft Copilot |
| PII detection settings and entities | Configure which sensitive data types should be monitored, redacted, or blocked, such as SSN, Phone Number, and others |
| Content Controls | High-risk requests, confidential data, and others |
| Redirect/Block controls | Choose which action to take when a user attempts to access a restricted GenAI site |

Portal controls

| Private models | Choose which models are available for users in the portal and the default model |
| Data Sources | Select which Data Sources users have access to when making requests to the private portal |
| Assistants | Select which Assistants users have access to within the portal |
Default Policy
The SurePath AI default policy applies to all users in a SurePath AI tenant. The default policy should be the most restrictive policy granting access to only services or resources that have been approved to the entire organization. Group policies should be used to provide access to services and resources to targeted groups of users.
If the organization has approved access to a specific GenAI site, like Microsoft Copilot, for all users, then adding it in the Default Policy makes the most sense, since all users gain access to the services and resources granted by the Default Policy. Another valid configuration would be to allow no access to any services or resources in the Default Policy and grant all access through Group Policies.
Group Policy
Group Policies are used to add or allow additional access to services and/or resources over what is granted via the Default Policy. Group Policies are applied to users by associating a group (either manually created or imported via the Directory Sync feature) to a SurePath AI Group Policy.
Group policies are additive and a user can have multiple group policies applied at the same time. Group Policies contain all the same settings as the Default Policy just applied to a more specific set of users.
Sensitive Data settings
Sensitive Data settings are also built from most restrictive to least restrictive. Group Policies are additive: they add access or, in other words, eliminate restrictions. Because of this, if Sensitive Data settings are disabled in the Default Policy, they cannot be enabled or changed in a Group Policy, as the Default Policy must always be at least as restrictive as any Group Policy.
With Sensitive Data, the most restrictive Sensitive Data settings must be implemented at the Default Policy level; exceptions can then be made within Group Policy to allow or lessen the action taken when sensitive data is detected.
For example, if a group of users did not need to be monitored for the use of phone numbers, an exception for the Phone Number PII entity could be made within that Group Policy. However, unless the Default Policy has the sensitive data settings enabled, no change can be made at the Group Policy level.
Sensitive Data Settings ranked from most restrictive to least restrictive

| | Content Controls | PII Detection |
| Most restrictive | Block | Block |
| ... | Detect only | Delete |
| ... | Ignore | Mask |
| ... | | Tag |
| ... | | Synthesize |
| Least restrictive | | Detect only |
Example use cases of SurePath AI policy
Allow the entire company to use Microsoft Copilot and allow a specific group of users to access ChatGPT
Default policy
Add Microsoft Copilot to the Default Policy of the organization.
Group policy
Add ChatGPT to the Group Policy that is assigned to the group of users that require the access.
For the entire organization, delete all PII entities from generative AI prompts to external services with an exception for a specific group of users that only logs the exception but doesn't alter the prompt
Default policy
Enable the desired PII entities in the PII Detection settings and set the Action to Delete
Group policy
Set the PII Detection settings to Log only
NOTE: Since group policies can only allow access or reduce restrictions, in this example the Block action won't be an option in the group policy settings; only actions that are less restrictive than the Default Policy's action can be selected.
For the entire organization, monitor for the URL PII entity in generative AI prompts to external services with an exception for a specific group of users that doesn't monitor for the URL entity type
Default policy
Enable the URL PII entity
Group policy
Disable the URL PII entity
NOTE: Since group policies can only allow access or reduce restrictions, in this example, PII entities can only be disabled in group policies. PII entities that are not enabled in the Default Policy can not be enabled in a group policy.
Allow all users access to a company-wide data source and the engineering team access to an engineering-specific data source
Default policy
Add the company-wide data source to the Default Policy
Group policy
Add the engineering-specific data source to the engineering Group Policy
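To make the composition rules concrete (the Default Policy as the most restrictive baseline, Group Policies as additive exceptions, and the PII ranking from the table above), here is an added illustrative model that replays the use cases in this section. It is not SurePath AI's own code; the `Policy` fields and the rule that, when two Group Policies set different actions for the same entity, the least restrictive one wins are assumptions made for this example.

```python
from dataclasses import dataclass, field

# PII Detection actions from the article's table, most restrictive first.
PII_RANK = ["Block", "Delete", "Mask", "Tag", "Synthesize", "Detect only"]


@dataclass
class Policy:
    """Hypothetical shape of a Default or Group Policy (assumed for this example)."""
    services: set = field(default_factory=set)      # public GenAI sites allowed
    data_sources: set = field(default_factory=set)  # portal data sources allowed
    pii: dict = field(default_factory=dict)         # PII entity -> action
    pii_disabled: set = field(default_factory=set)  # group-level entity exceptions


def relax(rank: list, current: str, proposed: str) -> str:
    """Return proposed only if it is less restrictive than current (higher index)."""
    return proposed if rank.index(proposed) > rank.index(current) else current


def effective_policy(default: Policy, groups: list) -> Policy:
    """Resolve what a user gets from the Default Policy plus every Group Policy
    the user belongs to, following the rules described in this article."""
    eff = Policy(set(default.services), set(default.data_sources), dict(default.pii))
    disabled = set()
    for g in groups:
        # Group policies are additive: they can only grant more access.
        eff.services |= g.services
        eff.data_sources |= g.data_sources
        disabled |= g.pii_disabled
        for entity, action in g.pii.items():
            # An entity the Default Policy does not monitor cannot be enabled here,
            # and an action stricter than the default is never applied.
            if entity in eff.pii:
                eff.pii[entity] = relax(PII_RANK, eff.pii[entity], action)
    # Disabling an entity is the least restrictive outcome, so it wins regardless
    # of the order in which group policies were evaluated (assumption).
    for entity in disabled:
        eff.pii.pop(entity, None)
    return eff


if __name__ == "__main__":
    # Constructed sample mirroring the Copilot/ChatGPT and PII use cases above
    # (the article's "Log only" is the table's "Detect only").
    company = Policy(services={"Microsoft Copilot"}, pii={"SSN": "Delete"})
    team = Policy(services={"ChatGPT"}, pii={"SSN": "Detect only"})
    print(effective_policy(company, [team]))
```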
Verifying a user's policy
The policy that is being applied to a user can be verified using the admin interface at https://admin.surepath.ai:
In the CONFIGURE section of the menu, under Users & Groups, select End Users
Search for the user whose policy needs to be examined and click the > icon on the right side of the user row
At the bottom of the fly-out, in the Policies section, all applied policies can be viewed, including all the allowed services and assigned resources.