SurePath AI provides Proxy Auto-Configuration (PAC) files that automatically route GenAI traffic through SurePath AI for governance and monitoring. PAC files are JavaScript functions that run in web browsers and applications to determine the appropriate proxy server for each network request. This approach enables organizations to direct only GenAI-related traffic to SurePath AI while allowing all other traffic to follow normal routing paths.

PAC-based traffic steering is particularly useful for organizations that distribute configuration through Mobile Device Management (MDM) platforms such as Google Workspace, Microsoft Intune, Jamf Pro, or Rippling. The PAC file approach requires no additional agents or endpoint software beyond standard browser and operating system support for proxy auto-configuration.

When GenAI traffic is routed through SurePath AI using a PAC file, the platform applies your configured policies including service access controls, content controls, and PII detection. All governed sessions are recorded in User Activity for visibility, auditing, and compliance reporting.

A PAC file contains a JavaScript function called FindProxyForURL(url, host) that evaluates each network request and returns a proxy directive. SurePath AI PAC files are configured with a curated list of GenAI service domains. When a browser or application requests a URL, the PAC function evaluates whether the destination matches a known GenAI service. If it does, the request is routed through the SurePath AI proxy infrastructure where policies are applied. If the destination is not a GenAI service, the request proceeds directly without interception.

SurePath AI PAC files ensure that only GenAI traffic is subject to SurePath AI governance, minimizing performance impact and maintaining normal routing for non-GenAI destinations. This selective routing approach provides targeted control without requiring comprehensive proxy infrastructure for all web traffic.

To use SurePath AI PAC files, you must first create a Proxy Connector in the SurePath AI admin interface. The Proxy Connector generates a unique PAC file URL for your organization that includes authentication and routing information.

The generated PAC file URL follows the format https://pacfile.surepath.ai/{connector-id}/current.pac where the connector-id is a unique identifier embedded in the URL. This URL must be used exactly as provided by the admin interface—do not modify or reconstruct the URL manually when configuring your endpoints or MDM platform.

Once you have obtained your PAC file URL, you can distribute it to endpoints using your organization's preferred configuration management approach. The PAC URL can be configured at the operating system level, browser level, or both depending on your requirements.

Common deployment methods include:

Detailed instructions for each distribution method are available in the Traffic Integration / Interception collection of the SurePath AI help center. Choose the deployment method that aligns with your existing device management infrastructure.

The PAC file includes a default list of public GenAI service domains that are routed through SurePath AI. In some scenarios, you may need to customize which domains are intercepted by adding or removing specific services from the default list.

You can add domains to the PAC file's service list by appending the addService query parameter to your PAC file URL. This is useful when you want to intercept traffic to GenAI services that are part of preview features or are not yet included in the default public service catalog.

The addService parameter accepts a comma-separated list of domain patterns. Wildcard patterns using the asterisk notation are supported for matching subdomains.

Example PAC file URL with additional services:

In this example, all subdomains of newaiservice.com and the specific domain api.customgpt.example.com will be routed through SurePath AI in addition to the default service list.

You can remove domains from the PAC file's service list by appending the removeService query parameter to your PAC file URL. This is useful when your organization does not want SurePath AI to intercept traffic to specific GenAI services, for example when you have alternative governance mechanisms in place or when specific services should remain unrestricted.

The removeService parameter accepts a comma-separated list of domain patterns using the same wildcard syntax as addService.

Example PAC file URL with removed services:

In this example, all subdomains of specificservice.com will not be routed through SurePath AI even if they appear in the default service list.

You can use both addService and removeService parameters simultaneously to fine-tune the exact set of domains that should be intercepted. The modifications are applied to the default service list each time the PAC file is requested.

Example combining both parameters:

Important notes about service list customization:

PAC file chaining enables organizations that already have existing PAC file infrastructure to integrate SurePath AI without replacing their current proxy configuration. When chaining is enabled, the SurePath AI PAC file first evaluates whether a request matches a GenAI service. If it does, the request is routed through SurePath AI. If the request does not match a GenAI service, the PAC file automatically defers to your existing PAC file to determine the appropriate routing.

This approach is particularly valuable when you already have a PAC URL configured on your endpoints that routes traffic through corporate proxies, handles split-tunnel VPN scenarios, or implements other network routing policies. Rather than replacing your existing PAC file, you can integrate SurePath AI as an additional layer that handles GenAI traffic specifically.

To enable PAC file chaining, append the chain query parameter to your PAC file URL with the absolute URL of your existing PAC file. The chain URL value must be URL encoded to properly handle special characters in the query string.

For example, if your existing PAC file is located at:

The URL-encoded PAC file URL with chaining would be:

Note that the colon (:) and forward slashes (/) in the chain URL are encoded as %3A and %2F respectively. Most configuration management platforms and browsers will automatically URL encode values when configuring proxy settings, but if you are manually constructing the URL, ensure proper encoding is applied.

When a browser or application retrieves this PAC file, it will receive combined logic that:

The chained PAC file is evaluated transparently, so all existing proxy routing policies defined in your corporate PAC file remain in effect for non-GenAI traffic. This enables seamless integration without disrupting existing network routing configurations.

You can combine PAC file chaining with service list customization by using multiple query parameters. Remember that each parameter value must be URL encoded:

Important considerations for PAC file chaining:

SurePath AI PAC files include a services endpoint that returns the list of GenAI service domains configured for your connector in JSON format. This feature is currently in preview and may change or be adjusted in future releases.

To view the service list for your connector, append services.json to your connector path:

The response is a JSON object containing an array of domain patterns:

This endpoint respects the addService and removeService query parameters, allowing you to preview the effective service list with your customizations:

The services endpoint is useful for:

As a preview feature, the structure and availability of the services endpoint may change based on customer feedback and evolving requirements. Organizations should not build critical dependencies on this endpoint in its current form.

Some clients do not fully support TLS proxying or PAC semantics. For these unsupported user agents, the PAC output intentionally returns DIRECT; for matched GenAI service domains, bypassing SurePath AI. This behavior cannot be overridden by the failopen parameter.

Current unsupported user agents:

Effects for users when a request comes from an unsupported user agent:

Admin guidance:

The PAC content is generated based on the user agent that retrieves the PAC file. If an unsupported component (for example, a system auto-proxy service) downloads the PAC and is treated as unsupported, the returned PAC embeds DIRECT; for matched domains. Any client that subsequently uses that PAC— even if it supports HTTPS proxying— will follow that embedded DIRECT; logic. Ensure that the component fetching the PAC is representative of the clients that will use it, or adjust your configuration accordingly.

Fail-open controls how proxy evaluation behaves for matched GenAI service domains when a client cannot complete proxy authentication or TLS proxying. When fail-open is active, the PAC output places a DIRECT; fallback after the proxy directive so the request can proceed without interception.

Behavior:

Control via query parameter:

The fail-open decision is made when the PAC is requested and influences the generated PAC content (for example, adding a DIRECT; fallback). If a system component retrieves the PAC and triggers fail-open, all clients that later use that PAC will evaluate with that DIRECT; fallback, regardless of their own capabilities. To avoid unintended fail-open, force normal behavior with ?failopen=false or ensure the PAC is retrieved by a representative client.

Notes:

SurePath AI automatically maintains and updates the PAC file content to include the latest Public Service Catalog entries. When new GenAI services are added to the catalog or existing services are updated, the PAC file is automatically updated to reflect these changes. This ensures that your organization's endpoints receive current routing logic without requiring manual intervention.

Once you configure the PAC file URL on your endpoints, you do not need to update or manage the URL itself. The PAC file URL remains constant throughout the life of the Proxy Connector. SurePath AI handles all updates to the service list and routing logic behind the same URL endpoint, ensuring seamless updates as the GenAI landscape evolves.

The only time you need to modify the PAC file URL is when you want to customize behavior using query parameters such as addService, removeService, or chain. These customizations are applied by updating the PAC URL configuration on your endpoints through your MDM platform or manual reconfiguration. The query parameters themselves become part of your configured URL and do not need to change unless your customization requirements change.

This automatic update mechanism means that your organization benefits from SurePath AI's ongoing curation of GenAI services without requiring periodic reconfiguration or maintenance of the PAC file infrastructure.