Overview
This integration enables organizations to redirect all public GenAI traffic to SurePath AI through Netskope's proxy chaining capability (also known as Forward-to-Proxy). Using this method, all GenAI traffic defined by a custom URL category is sent through the Netskope proxy system, which then forwards the traffic to the SurePath AI Proxy before reaching the final destination. This approach provides complete visibility in both Netskope and SurePath AI logging systems, allowing admins to use either platform for troubleshooting or analysis.
Organizations implementing this integration should understand that all users whose traffic matches the configured policy will have their public GenAI access redirected to SurePath AI. These users will be required to authenticate using SSO before gaining access to any GenAI services governed by SurePath AI. For POC or pilot deployments, admins can configure specific criteria in the Netskope Real-time Protection policy to redirect traffic for a subset of users or groups. Most organizations use a user group-based approach during limited deployments and expand the policy to all users for production deployment.
Prerequisites
Before configuring Netskope, admins should ensure the SurePath AI Root CA is distributed to endpoints and gather the necessary configuration information from the SurePath AI platform.
Distribute SurePath AI Root CA to endpoints
SurePath AI recommends that organizations distribute the SurePath AI Root CA to all endpoints as a trusted certificate authority before beginning the Netskope configuration. While the certificate will also be installed in Netskope's trusted CA store during the configuration steps, distributing it directly to endpoints provides additional protection against certificate trust errors.
If any services or domains are exempted from TLS decryption in Netskope's configuration, the SurePath AI certificate will be presented directly to end users when they access those GenAI services. Without the SurePath AI Root CA installed in the endpoint's trusted certificate store, users may receive certificate trust errors or warnings in their browsers or applications. Distributing the certificate to endpoints ensures a seamless user experience regardless of which services are decrypted by Netskope versus which services are decrypted by SurePath AI.
To download and distribute the certificate:
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Select the certificate format appropriate for the endpoint operating systems
Click the DOWNLOAD CERTIFICATE button
Distribute the SurePath AI Root CA using existing certificate deployment mechanisms, such as Group Policy, Mobile Device Management (MDM) platforms, or endpoint management tools
Gather configuration information
Admins must collect several items from the SurePath AI platform that will be used during the Netskope configuration steps. These include the proxy address that Netskope will forward traffic to, the curated list of GenAI sites that defines which domains should be redirected, and the SurePath AI security certificate that will be installed in Netskope's trusted CA store.
SurePath AI proxy address
The SurePath AI proxy address is the hostname that Netskope will use as the destination for forwarded GenAI traffic.
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Copy the proxy URL value and save it for use during the Netskope proxy configuration step
SurePath AI public services catalog
SurePath AI maintains and curates a list of GenAI sites across the public internet, including vendor names and associated risk levels. This list is downloaded in a Netskope-specific format and imported into Netskope as a URL list.
In the Admin UI, click Public Services in the GOVERN section
Click the DOWNLOAD CATALOG button
Select Netskope Config from the download format dropdown
Click DOWNLOAD to save the file
The downloaded file will be named similarly to surepath-ai-public-services-netskope-YYYY-MM-DD.txt. Admins should not add additional URLs to this file. If there are sites that need to be added to the catalog, the admin should contact their SurePath AI technical representative for guidance on the appropriate approach.
SurePath AI security certificate
The SurePath AI security certificate must be downloaded and installed in Netskope's trusted CA store during the configuration steps. This allows Netskope to trust SurePath AI's TLS inspection and prevents certificate warnings when SurePath AI decrypts and inspects GenAI traffic.
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Select the PEM format (typically required for Netskope)
Click the DOWNLOAD CERTIFICATE button
Netskope configuration steps
The Netskope configuration process involves several distinct steps: creating a URL list containing all GenAI domains from the SurePath AI catalog, organizing that list into a custom URL category for policy application, adding the SurePath AI security certificate to Netskope's trusted certificate store, creating a proxy configuration that points to the SurePath AI proxy address, and finally creating a forwarding policy that redirects matching traffic through the configured proxy.
Access the Netskope admin console
Log in to the Netskope admin console using the organization-specific URL, which typically follows the format https://<yourorgname>.goskope.com/ns#/dashboard
Create the URL list
The URL list contains all the individual hostnames and domains from the SurePath AI public services catalog. This list will be referenced by the custom URL category in subsequent steps.
Navigate to Policies > URL Lists and click New URL List
Enter a descriptive name—these instructions use SurePathAI as the example name throughout
Click in the URL & IP ADDRESS field
Open the previously downloaded SurePath AI public services file (named similarly to surepath-ai-public-services-netskope-YYYY-MM-DD.txt)
Select all hosts and lines in the file and paste them into the field (each host should appear on a separate line)
Click Save
The URL list should now appear in the list of configured URL lists. The number of services listed in the SurePath AI catalog will not match the number of lines in the file. The line count will be higher because some GenAI services require multiple hostnames to capture all relevant traffic.
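Because the catalog file is pasted into Netskope by hand and must not be edited, it is worth checking the download before pasting: every line should be a bare hostname, the line count will exceed the service count, and a refreshed download may add or drop hosts. The following script is an added example and is not SurePath AI or Netskope code; it assumes one hostname per line (tolerating a leading "*." wildcard), and the two sample catalogs it embeds are constructed, not the real catalog.

```python
"""Sanity-check a downloaded SurePath AI public-services file before pasting it
into a Netskope URL list. Added example, not SurePath AI or Netskope code.
Assumes the file holds one hostname per line (an optional leading "*." wildcard
is tolerated); the sample contents below are constructed, not the real catalog."""
import re

# One DNS name: labels of letters/digits/hyphens, not starting or ending with a
# hyphen, followed by an alphabetic top-level label.
HOST_RE = re.compile(
    r"^(\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample standing in for surepath-ai-public-services-netskope-YYYY-MM-DD.txt
SAMPLE_CATALOG = """\
chat.example-ai.com
api.example-ai.com
*.example-ai.com
CHAT.example-ai.com
https://assistant.example.net/login
not a hostname
"""

# Constructed "previous download", used to show what changed between two catalog dates
PREVIOUS_CATALOG = """\
chat.example-ai.com
legacy.example-ai.com
"""


def parse_catalog(text):
    """Return (hosts, problems).

    hosts: deduplicated, lowercased hostnames in first-seen order, ready to paste.
    problems: list of (line_number, original_line, reason) for anything that
    should be reviewed instead of pasted."""
    seen, hosts, problems = set(), [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = line.lower()
        if "://" in host or "/" in host:
            problems.append((number, raw, "full URL rather than a bare hostname"))
        elif not HOST_RE.match(host):
            problems.append((number, raw, "not a valid hostname"))
        elif host in seen:
            problems.append((number, raw, "duplicate of an earlier line"))
        else:
            seen.add(host)
            hosts.append(host)
    return hosts, problems


def diff_catalogs(previous_text, current_text):
    """Hostnames added and removed between two downloads, so an admin can see
    what a catalog refresh changes before replacing the Netskope URL list."""
    old = set(parse_catalog(previous_text)[0])
    new = set(parse_catalog(current_text)[0])
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    hosts, problems = parse_catalog(SAMPLE_CATALOG)
    print(f"{len(hosts)} hosts ready to paste into the URL list")
    for number, line, reason in problems:
        print(f"  line {number}: {reason}: {line!r}")
    added, removed = diff_catalogs(PREVIOUS_CATALOG, SAMPLE_CATALOG)
    print("added since previous download:", added)
    print("removed since previous download:", removed)
```

Run it against the real download in place of SAMPLE_CATALOG; any line reported as a problem is a reason to ask the SurePath AI technical representative rather than to edit the file.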
Create the custom URL category
The custom URL category groups the URL list into a reusable object that can be referenced in Netskope policies. This category defines what traffic should be considered "GenAI traffic" for the purpose of the forwarding policy.
Navigate to Policies > Web > Custom Categories and click New Custom Category
Enter a descriptive name—these instructions use SurePathAI throughout
In the URL List (Include) field, select the URL list created in the previous step (named SurePathAI in these examples)
Click Save
The custom category should now appear in the list of configured custom categories.
Add the SurePath AI security certificate
Installing the SurePath AI root certificate in Netskope's trusted CA store ensures that Netskope will trust SurePath AI's TLS inspection. This prevents certificate warnings from being presented to end users when SurePath AI decrypts and inspects GenAI traffic.
From the Netskope home page, select Settings (this will open in a new window)
Navigate to Manage > Certificates and click New Trusted CA
In the File Name field, enter a descriptive name that will be displayed in the UI—these instructions use SurePathAI throughout
Click SELECT FILE and choose the .pem certificate file previously downloaded from SurePath AI
Click VALIDATE to verify the certificate
Click SAVE to complete the installation
The certificate should now appear in the list of Trusted CAs.
Create the proxy configuration
The proxy configuration defines the SurePath AI proxy as a forwarding destination that Netskope can send traffic to. The proxy settings include the hostname and port number that Netskope will connect to when forwarding GenAI traffic.
From the Settings page (accessed from the Netskope home page), navigate to Manage > Forward to Proxy Integration and click Setup Proxy
Enter a descriptive name—these instructions use SurePathAI throughout
Set the Host field to the SurePath AI proxy URL value that was copied from the Admin UI in the prerequisites section
Set the Port field to 8080 unless the organization has received specific instructions from SurePath AI to use a different port number
At this point, admins can either save the configuration or continue with the optional X-Authenticated-User configuration described in the next section.
Configure X-Authenticated-User header (Recommended)
Netskope supports inserting the X-Authenticated-User (XAU) header into proxy requests, which passes the end user's username to SurePath AI. This header is required for organizations using SurePath AI Discovery mode. For non-Discovery organizations, the XAU header is optional but recommended because it eliminates the need for users to authenticate when accessing public GenAI services governed by SurePath AI. When the XAU header is present and SurePath AI recognizes the traffic as coming from a trusted Netskope connector, the user's identity is automatically associated with the traffic without requiring an additional authentication prompt. This creates a fully transparent experience for end users.
Under OPTIONS, select the X-Authenticated-User option
Save the settings
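The security property behind the XAU header is in the sentence above: the identity is accepted only when the traffic is recognized as coming from a trusted Netskope connector. The following script is an added illustration of that decision on the receiving side and is not SurePath AI's implementation; the trusted-connector address range, the header carrying a plain username, and the request shape (a headers dictionary plus a peer address) are all constructed assumptions for this example.

```python
"""Illustrative upstream-proxy decision for the X-Authenticated-User (XAU) header
that Netskope can insert into forwarded requests. Added example, not SurePath AI's
implementation. Assumptions: the trusted-connector address ranges, the header
carrying a plain username, and the request shape (headers dict plus peer address)
are all constructed for this example."""
import ipaddress

# Constructed: addresses from which forwarded Netskope traffic is expected to arrive.
# 203.0.113.0/24 is a documentation range, not a real connector address.
TRUSTED_CONNECTORS = [ipaddress.ip_network("203.0.113.0/24")]


def resolve_identity(headers, peer_ip, trusted=TRUSTED_CONNECTORS):
    """Decide how a request's user identity is established.

    Returns ("header", username) when a usable XAU header arrives from a trusted
    connector, otherwise ("sso", None), meaning the user must complete SSO.
    The header is ignored entirely from untrusted sources, because only the
    connector is in a position to set it truthfully."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return ("sso", None)
    value = None
    for name, val in headers.items():  # header names are case-insensitive
        if name.lower() == "x-authenticated-user":
            value = val.strip()
            break
    if not value:
        return ("sso", None)
    return ("header", value)


def simulate(requests_, trusted=TRUSTED_CONNECTORS):
    """Run resolve_identity over constructed requests; returns a list of outcomes."""
    return [resolve_identity(h, ip, trusted) for h, ip in requests_]


# Constructed requests: (headers, peer address)
SAMPLE_REQUESTS = [
    ({"X-Authenticated-User": "alice@example.com"}, "203.0.113.10"),   # trusted connector: header honoured
    ({"x-authenticated-user": "mallory@example.com"}, "198.51.100.7"), # not a connector: header ignored, SSO
    ({}, "203.0.113.10"),                                              # XAU option not enabled: SSO
    ({"X-Authenticated-User": "   "}, "203.0.113.10"),                 # blank header: SSO
]

if __name__ == "__main__":
    for (headers, ip), outcome in zip(SAMPLE_REQUESTS, simulate(SAMPLE_REQUESTS)):
        print(ip, headers, "->", outcome)
```

The second case is the one to keep in mind when deciding whether to enable the option: the header only removes the SSO prompt for traffic that arrives through the trusted connector; everything else still authenticates.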
Create the forwarding policy
The forwarding policy instructs Netskope to redirect traffic matching the custom URL category to the SurePath AI proxy. This is the policy that actually enables the integration and begins redirecting GenAI traffic.
Navigate to Policies > Real-time Protection and click New Policy > Web Access
Enter a descriptive name—these instructions use SurePathAI throughout
For pilot or POC deployments, configure the Source criteria to limit the policy to specific test users or groups
For production deployments, leave the Source criteria unrestricted to apply the policy to all users
Set the Destination > Category field to the custom category created earlier (named SurePathAI in these examples)
Admins can begin typing "surepath" to locate the category more quickly
Set the Profile & Action > Action field to Forward to Proxy
Set the Profile & Action > Proxy field to the proxy configuration created earlier (named SurePathAI in these examples)
Click SAVE
The policy should now appear in the policy list. Admins should review and adjust the policy order to ensure the SurePath AI forwarding rule is evaluated appropriately within the organization's overall Netskope policy structure. The SurePath AI forwarding policy should typically be positioned before other AI-related policies to ensure GenAI traffic is redirected before other rules can take effect.
Apply the configuration
Click the Apply Changes button that appears on most Netskope configuration screens
This publishes the configuration changes and makes the integration active.
Verification and troubleshooting
After the configuration is applied and deployed to test users or groups, admins can verify the integration using the Ready tool at https://ready.surepath.ai. Users whose traffic is being redirected should see successful validation results for both certificate trust and network configuration. If either test fails, admins should verify that the URL list, custom category, certificate installation, and forwarding policy are all configured correctly and that the policy is being applied to the intended user population.
Both Netskope and SurePath AI maintain logs of GenAI traffic that can be used for troubleshooting. Admins should verify that traffic appears in both systems when users access GenAI services covered by the Public Services catalog.
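One way to act on that guidance is to cross-check the two logs: every request Netskope recorded as forwarded to the proxy should have a matching proxy-side record for the same user and host a few seconds later, and any forward without one points at a gap in the chain (certificate trust, policy order, or the user not being in scope). The script below is an added example and not SurePath AI or Netskope tooling; the two CSV logs it embeds are constructed with simplified columns, and a real export would need its own column mapping.

```python
"""Cross-check that GenAI requests Netskope forwarded to the proxy also appear in
the upstream proxy's log. Added example, not SurePath AI or Netskope tooling.
The two CSV logs below are constructed with simplified columns; real export
formats differ and would need their own column mapping."""
import csv
import io
from datetime import datetime, timedelta

# Constructed Netskope-side events (simplified columns)
NETSKOPE_LOG = """\
timestamp,user,host,action
2024-05-01T10:00:05Z,alice@example.com,chat.example-ai.com,Forward to Proxy
2024-05-01T10:01:10Z,bob@example.com,api.example-ai.com,Forward to Proxy
2024-05-01T10:02:00Z,carol@example.com,chat.example-ai.com,Forward to Proxy
2024-05-01T10:03:00Z,dave@example.com,intranet.example.com,Allow
"""

# Constructed proxy-side events (simplified columns); carol's request never arrived
SUREPATH_LOG = """\
timestamp,user,host
2024-05-01T10:00:06Z,alice@example.com,chat.example-ai.com
2024-05-01T10:01:12Z,bob@example.com,api.example-ai.com
"""


def load_events(text):
    """Parse a CSV log into dicts, converting the timestamp column to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def unmatched_forwards(netskope_text, surepath_text, window=timedelta(seconds=30)):
    """Return Netskope forward events with no proxy-side event for the same
    user and host within `window`. Only events whose action is Forward to Proxy
    are expected upstream; other actions are skipped."""
    upstream = {}
    for ev in load_events(surepath_text):
        key = (ev["user"].lower(), ev["host"].lower())
        upstream.setdefault(key, []).append(ev["timestamp"])
    missing = []
    for ev in load_events(netskope_text):
        if ev["action"] != "Forward to Proxy":
            continue
        key = (ev["user"].lower(), ev["host"].lower())
        if not any(abs(t - ev["timestamp"]) <= window for t in upstream.get(key, [])):
            missing.append((ev["user"], ev["host"], ev["timestamp"].isoformat()))
    return missing


if __name__ == "__main__":
    for user, host, when in unmatched_forwards(NETSKOPE_LOG, SUREPATH_LOG):
        print(f"forwarded by Netskope but not seen by the proxy: {user} -> {host} at {when}")
```

Widen the window if clock skew between the two systems is larger than a few seconds; a user who shows up repeatedly in the unmatched list is the first place to look when the Ready tool reports a failure.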
