Overview
This integration enables organizations to redirect all public GenAI traffic to SurePath AI through Netskope's proxy chaining capability (also known as Forward-to-Proxy). Using this method, all GenAI traffic defined by a custom URL category is sent through the Netskope proxy system, which then forwards the traffic to the SurePath AI Proxy before reaching the final destination. This approach provides complete visibility in both Netskope and SurePath AI logging systems, allowing admins to use either platform for troubleshooting or analysis.
Organizations implementing this integration should understand that all users whose traffic matches the configured policy will have their public GenAI access redirected to SurePath AI. These users will be required to authenticate using SSO before gaining access to any GenAI services governed by SurePath AI.
For POC or pilot deployments, admins can configure specific criteria in the Netskope Real-time Protection policy to redirect traffic for a subset of users or groups. Most organizations use a user group-based approach during limited deployments and expand the policy to all users for production deployment.
Prerequisites
Before configuring Netskope, admins should ensure the SurePath AI Root CA is distributed to endpoints and gather the necessary configuration information from the SurePath AI platform.
Distribute SurePath AI Root CA to endpoints
SurePath AI recommends that organizations distribute the SurePath AI Root CA to all endpoints as a trusted certificate authority before beginning the Netskope configuration. While the certificate will also be installed in Netskope's trusted CA store during the configuration steps, distributing it directly to endpoints provides additional protection against certificate trust errors.
If any services or domains are exempted from TLS decryption in Netskope's configuration, the SurePath AI certificate will be presented directly to end users when they access those GenAI services. Without the SurePath AI Root CA installed in the endpoint's trusted certificate store, users may receive certificate trust errors or warnings in their browsers or applications. Distributing the certificate to endpoints ensures a seamless user experience regardless of which services are decrypted by Netskope versus which services are decrypted by SurePath AI.
To download and distribute the certificate:
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Select the certificate format appropriate for the endpoint operating systems
Click the DOWNLOAD CERTIFICATE button
Distribute the SurePath AI Root CA using existing certificate deployment mechanisms, such as Group Policy, Mobile Device Management (MDM) platforms, or endpoint management tools
Gather configuration information
Admins must collect several items from the SurePath AI platform that will be used during the Netskope configuration steps. These include the proxy address that Netskope will forward traffic to, the curated list of GenAI sites that defines which domains should be redirected, and the SurePath AI security certificate that will be installed in Netskope's trusted CA store.
SurePath AI proxy address
The SurePath AI proxy address is the hostname that Netskope will use as the destination for forwarded GenAI traffic.
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Copy the proxy URL value and save it for use during the Netskope proxy configuration step
SurePath AI public services catalog
SurePath AI maintains and curates a list of GenAI sites across the public internet, including vendor names and associated risk levels. This list is downloaded in Netskope-compatible format and imported into Netskope as a Destination Profile.
In the Admin UI, click Public Services in the GOVERN section
Click the DOWNLOAD CATALOG button
Select Netskope Config from the download format drop-down
Click DOWNLOAD to save the file
The downloaded file will be named similar to surepath-ai-public-services-netskope-YYYY-MM-DD.txt. Admins should not add additional URLs to this file. If there are sites that need to be added to the catalog, the admin should contact their SurePath AI technical representative for guidance on the appropriate approach.
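Because the catalog file is imported as an Exact-match Destination Profile, it is worth confirming before upload that it contains only bare hostnames and no stray edits. The following script is an added example and is not part of the SurePath AI or Netskope documentation; it assumes the export is plain text with one hostname per line (as the upload step expects), and the rejection rules (no scheme, path, port or wildcard; no duplicates) are this example's own assumptions about what a clean Exact-match list should contain. The sample catalog embedded below is constructed, not a real SurePath AI export.

```python
"""Sanity-check a SurePath AI catalog export before uploading it to Netskope.

Added example, not SurePath AI's or Netskope's code. Assumes the export is plain
text with one bare hostname per line. The validation rules (no scheme, path,
port or wildcard; no duplicates) are this example's assumptions about what an
Exact-match Destination Profile should receive.
"""
import re

# One RFC 1123 hostname label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_bare_hostname(value: str) -> bool:
    """True if value is a plain hostname with no scheme, port, path or wildcard."""
    if not value or len(value) > 253:
        return False
    if "://" in value or "/" in value or ":" in value or "*" in value:
        return False
    labels = value.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_catalog(text: str):
    """Return (hosts, problems).

    hosts: de-duplicated, lower-cased hostnames in file order, ready to upload.
    problems: (line_number, original_line, reason) tuples for lines to review
    before upload, since the file should not be hand-edited.
    """
    hosts, seen, problems = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        host = line.lower()
        if not is_bare_hostname(host):
            problems.append((lineno, raw, "not a bare hostname"))
            continue
        if host in seen:
            problems.append((lineno, raw, "duplicate"))
            continue
        seen.add(host)
        hosts.append(host)
    return hosts, problems


# Constructed sample export for the example (not a real SurePath AI catalog).
SAMPLE_CATALOG = """\
chat.example-ai.com
api.example-ai.com
CHAT.example-ai.com
https://assistant.example-llm.net/login
assistant.example-llm.net
*.example-llm.net
"""

if __name__ == "__main__":
    hosts, problems = parse_catalog(SAMPLE_CATALOG)
    print(f"{len(hosts)} unique hostnames ready for upload")
    for lineno, line, reason in problems:
        print(f"line {lineno}: {reason}: {line}")
```

The entry count printed here is the number the Destination Profile will show after upload; as noted later in this document it is expected to exceed the number of services in the catalog, because several services need more than one hostname.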
SurePath AI security certificate
The SurePath AI security certificate must be downloaded and installed in Netskope's trusted CA store during the configuration steps. This allows Netskope to trust SurePath AI's TLS inspection and prevents certificate warnings when SurePath AI decrypts and inspects GenAI traffic.
In the Admin UI, click Organization in the CONFIGURE section and select the Integration tab
Select the PEM format (typically required for Netskope)
Click the DOWNLOAD CERTIFICATE button
Understanding X-Authenticated-User (XAU) header
The X-Authenticated-User header is a critical component of this integration that enables transparent user identification without requiring SSO authentication prompts.
When properly configured, the XAU header dramatically improves the user experience by eliminating the need for users to authenticate when accessing public GenAI services.
How XAU works with SurePath AI
When Netskope forwards traffic to the SurePath AI proxy, it can insert the X-Authenticated-User header into each request. This header contains the username of the end user whose traffic is being proxied. SurePath AI validates that the traffic is coming from a trusted Netskope connector and then automatically associates the user's identity with their GenAI activity without requiring an additional authentication step. This creates a fully transparent experience where users can access GenAI services without any interruption or authentication prompts.
XAU requirements by deployment type
Organizations using SurePath AI Discovery mode must configure the XAU header, as it is the only method for SurePath AI to identify which users are accessing GenAI services. Without the XAU header, Discovery mode cannot attribute activity to individual users.
For non-Discovery organizations, the XAU header is optional but strongly recommended. Without XAU, users will be redirected to an SSO authentication page the first time they access any GenAI service governed by SurePath AI. While this authentication is typically cached for a period of time, enabling XAU eliminates this authentication requirement entirely and provides the best user experience.
The XAU header configuration is completed during the proxy configuration step outlined in this document.
Netskope configuration steps
The Netskope configuration process involves several distinct steps: creating a Destination Profile containing all GenAI domains from the SurePath AI catalog, organizing that profile into a custom URL category for policy application, adding the SurePath AI security certificate to Netskope's trusted certificate store, creating a proxy configuration that points to the SurePath AI proxy address, and finally creating a forwarding policy that redirects matching traffic through the configured proxy.
Access the Netskope admin console
Log in to the Netskope admin console using the organization-specific URL, which typically follows the format https://<yourorgname>.goskope.com/ns#/dashboard
Create the Destination Profile
The Destination Profile contains all the individual hostnames and domains from the SurePath AI public services catalog. This profile will be referenced by the custom URL category in subsequent steps.
Navigate to Policies, click Destination under PROFILES, and click New Destination Profile
Enter a descriptive name—these instructions use SurePathAI as the example name throughout
Under Match Type, confirm Exact is selected
Under Definition, click TXT to upload the previously downloaded SurePath AI public services file (named similar to surepath-ai-public-services-netskope-YYYY-MM-DD.txt), or paste the hostnames directly into the text area (one host per line)
Click Save
The Destination Profile should now appear in the list of configured Destination Profiles. The number of services listed in the SurePath AI catalog will not match the number of entries in the profile. The entry count will be higher because some GenAI services require multiple hostnames to capture all relevant traffic.
Create the custom URL category
The custom URL category groups the Destination Profile into a reusable object that can be referenced in Netskope policies. This category defines what traffic should be considered "GenAI traffic" for the purpose of the forwarding policy.
Navigate to Policies, click Custom Categories under PROFILES, and click New Custom Category
Enter a descriptive name—these instructions use SurePathAI throughout
In the Destination Profile (Include) field, select the Destination Profile created in the previous step (named SurePathAI in these examples)
Click Save
The custom category should now appear in the list of configured custom categories.
Add the SurePath AI security certificate
Installing the SurePath AI root certificate in Netskope's trusted CA store ensures that Netskope will trust SurePath AI's TLS inspection. This prevents certificate warnings from being presented to end users when SurePath AI decrypts and inspects GenAI traffic.
From the Netskope home page, select Settings (this will open in a new window)
Navigate to Manage > Certificates and click New Trusted CA
In the File Name field, enter a descriptive name that will be displayed in the UI—these instructions use SurePathAI throughout
Click SELECT FILE and choose the .pem certificate file previously downloaded from SurePath AI
Click VALIDATE to verify the certificate
Click SAVE to complete the installation
The certificate should now appear in the list of Trusted CAs.
Create the proxy configuration
The proxy configuration defines the SurePath AI proxy as a forwarding destination that Netskope can send traffic to. The proxy settings include the hostname and port number that Netskope will connect to when forwarding GenAI traffic.
From the Settings page (accessed from the Netskope home page), navigate to Manage > Forward to Proxy Integration and click Setup Proxy
Enter a descriptive name—these instructions use SurePathAI throughout
Set the Host field to the SurePath AI proxy URL value that was copied from the Admin UI in the prerequisites section
Set the Port field to 8080 unless the organization has received specific instructions from SurePath AI to use a different port number
At this point, admins can either save the configuration or continue with the optional X-Authenticated-User configuration described in the next section.
Configure X-Authenticated-User header (Recommended)
Netskope supports inserting the X-Authenticated-User (XAU) header into proxy requests, which passes the end user's username to SurePath AI. This header is required for organizations using SurePath AI Discovery mode. For non-Discovery organizations, the XAU header is optional but recommended because it eliminates the need for users to authenticate when accessing public GenAI services governed by SurePath AI. When the XAU header is present and SurePath AI recognizes the traffic as coming from a trusted Netskope connector (configured as a Network Ingress Connector in the SurePath AI admin), the user's identity is automatically associated with the traffic without requiring an additional authentication prompt. This creates a fully transparent experience for end users.
Under OPTIONS, enable the X-Authenticated-User option and the Tenant-Info option
Save the settings
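The XAU mechanism described in the "Understanding X-Authenticated-User (XAU) header" section and in the configuration step above is safe only because the header is honoured solely for traffic that arrives through a trusted Netskope connector. The script below is an added example, not SurePath AI's or Netskope's code; it models that decision in simplified form so that the rule is visible in code: a request from a registered connector with an XAU header is attributed to that user, a request from a registered connector without the header falls back to SSO, and an XAU header on a request from any other source is ignored. The connector address range, header names and the Decision shape are constructed assumptions for the example.

```python
"""Trust-gated handling of the X-Authenticated-User (XAU) header.

Added example, not SurePath AI's or Netskope's implementation. It models the
rule the integration relies on: the XAU header is accepted only from a source
registered as a trusted connector; otherwise the user must authenticate via SSO.
Connector ranges and header names below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

XAU_HEADER = "x-authenticated-user"


@dataclass(frozen=True)
class Decision:
    user: Optional[str]   # attributed identity, or None if not established
    require_sso: bool     # True when the proxy must fall back to SSO
    reason: str


def build_trusted_networks(cidrs):
    """Parse the egress ranges of registered connectors once, at startup."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def from_trusted_connector(src_ip: str, trusted) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)


def attribute_identity(src_ip: str, headers: dict, trusted) -> Decision:
    """Decide how to identify the user behind one proxied request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    user = (lowered.get(XAU_HEADER) or "").strip()

    if not from_trusted_connector(src_ip, trusted):
        # Any client can attach an X-Authenticated-User header to a request it
        # originates, so the header carries no weight unless the request came
        # through a registered connector. Ignore it and require SSO.
        return Decision(None, True, "source is not a trusted connector; header ignored")
    if not user:
        return Decision(None, True, "trusted connector but no XAU header; SSO required")
    return Decision(user, False, "identity taken from XAU header")


# Constructed connector egress range (RFC 5737 documentation address space).
TRUSTED = build_trusted_networks(["203.0.113.0/24"])

if __name__ == "__main__":
    cases = [
        ("203.0.113.10", {"X-Authenticated-User": "alice@example.com"}),
        ("203.0.113.10", {}),
        ("198.51.100.7", {"X-Authenticated-User": "bob@example.com"}),
    ]
    for ip, hdrs in cases:
        d = attribute_identity(ip, hdrs, TRUSTED)
        print(f"{ip:15} user={d.user!r:22} sso={d.require_sso} ({d.reason})")
```

The third case is the one to keep in mind when reviewing the deployment: the header is only meaningful together with the Network Ingress Connector registration in the SurePath AI admin, which is why the page pairs enabling XAU in Netskope with that connector configuration.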
Create the forwarding policy
The forwarding policy instructs Netskope to redirect traffic matching the custom URL category to the SurePath AI proxy. This is the policy that actually enables the integration and begins redirecting GenAI traffic.
Navigate to Policies > Real-time Protection and click New Policy > Web Access
Enter a descriptive name—these instructions use SurePathAI throughout
For pilot or POC deployments, configure the Source criteria to limit the policy to specific test users or groups
For production deployments, leave the Source criteria unrestricted to apply the policy to all users
Set the Destination > Category field to the custom category created earlier (named SurePathAI in these examples)
Admins can begin typing "surepath" to locate the category more quickly
Set the Profile & Action > Action field to Forward to Proxy
Set the Profile & Action > Proxy field to the proxy configuration created earlier (named SurePathAI in these examples)
Click SAVE
The policy should now appear in the policy list. Admins should review and adjust the policy order to ensure the SurePath AI forwarding rule is evaluated appropriately within the organization's overall Netskope policy structure. The SurePath AI forwarding policy should typically be positioned before other AI-related policies to ensure GenAI traffic is redirected before other rules can take effect.
Apply the configuration
Click the Apply Changes button that appears on most Netskope configuration screens
This publishes the configuration changes and makes the integration active.
Verification and troubleshooting
After the configuration is applied and deployed to test users or groups, admins can verify the integration using the SurePath AI Ready tool. Users whose traffic is being redirected should see successful validation results for both certificate trust and network configuration. If either test fails, admins should verify that the Destination Profile, custom category, certificate installation, and forwarding policy are all configured correctly and that the policy is being applied to the intended user population.
Migrating from URL list to Destination Profile
Organizations that previously configured this integration using the URL list approach can migrate to Destination Profiles without disrupting the existing forwarding policy. Because the forwarding policy references the custom URL category rather than the URL list directly, only the URL list and custom category objects need to be updated.
Download the latest SurePath AI catalog
Before migrating, admins should download an updated copy of the SurePath AI public services catalog to ensure the Destination Profile reflects the current list of GenAI services.
In the Admin UI, click Public Services in the GOVERN section
Click the DOWNLOAD CATALOG button
Select Netskope Config from the download format drop-down
Click DOWNLOAD to save the file
Create the Destination Profile
In the Netskope admin console, navigate to Policies, click Destination under PROFILES, and click New Destination Profile
Enter the same name used for the existing URL list, or choose a new descriptive name
Under Match Type, confirm Exact is selected
Under Definition, click TXT to upload the newly downloaded SurePath AI public services file, or paste the hostnames directly into the text area (one host per line)
Click Save
Update the custom URL category
Navigate to Policies, click Custom Categories under PROFILES, and open the existing custom category used by the SurePath AI forwarding policy
Remove the existing URL list from the include list
Add the newly created Destination Profile to the include list in its place
Click Save
Apply and verify
Click Apply Changes to publish the updated configuration
Verify the integration continues to function correctly using the SurePath AI Ready tool
Once the migration is confirmed to be working, the original URL list can be removed by navigating to Policies, clicking URL Lists under PROFILES, and deleting the list. The forwarding policy does not require any changes during or after the migration.
