Avoid Banned GenAI Applications Playbook

The Avoid Banned GenAI Applications playbook is triggered when a user navigates to a GenAI application that is included in the risky AI application list. The user is blocked from using the unauthorized GenAI application and is guided to use the sanctioned tool. Access remains blocked even after the user provides a justification.

The playbook is fully editable through the playbook editor, including:

  • Messaging shown to users
  • Justification prompts
  • Policy links
  • Redirect destinations
  • Enforcement behavior

Organizations can tailor the experience to align with their internal GenAI governance policy.

Match Criteria

The playbook triggers when a user accesses an application included in the Risky GenAI Apps list.

Warning

Modification of the default match criteria should only be performed with a full understanding of the configuration. Incorrect updates may result in unintended blocking of applications, causing significant productivity disruptions. Confirm all updates with your organization's administrators before proceeding, in order to align with your organization’s overall policy efforts and minimize disruption.

Out-of-the-Box Playbook Behavior

When triggered:

  1. The background session is blurred.

  2. A blocking warning is displayed to the user.

  3. The user is guided to use the organization’s sanctioned GenAI tool.

Users are prevented from working in the unsanctioned application.

If the user attempts to proceed:

  • They are prompted to provide a justification for why they need to use this tool instead of the sanctioned tool.
  • The justification is captured and forwarded to the security team.
  • A message confirms the request has been sent and instructs the user to use the sanctioned tool.
  • The user is presented with two final options:
    • Take me to the sanctioned tool - redirects to the sanctioned GenAI application.
    • Take me to our AI policy - redirects to the organization's AI policy page.

Note

Access to the unsanctioned application remains blocked even if a justification is provided.

Required Configuration Before Use

Out of the box, this playbook does not include:

  • A defined sanctioned application URL.
  • A defined URL that hosts the company's AI policy.
  • Finalized end-user messaging.

Important

For the playbook to function, administrators must update the playbook before deployment.

Required Updates Before Use

The playbook requires minimal customization to tailor it to your organization's AI policy before it can be used.

To apply the required updates:

  1. Go to Playbooks > Company Policies.

  2. Select the Avoid Banned GenAI Applications playbook to customize it.

    Note

    If the playbook is not displayed, add the playbook from the Playbook catalog.

  3. Within the playbook editor, notations highlight where configuration is required.

  4. Replace the default URL in the Navigate to Sanctioned GenAI Tool step with your organization's sanctioned GenAI tool URL, for example genai-tool.com.

    Note

    The Navigate to Sanctioned GenAI Tool step appears in two places within the playbook.

  5. Replace the default URL in the Navigate to Organization AI Policy step with the URL that hosts your organization's AI usage policy, for example usage-policy.com.

  6. Select Publish to publish the updated playbook.

The playbook is now live in your organization.

By default, the button text reads Take me to the sanctioned tool. To improve clarity, update the button caption to name the specific approved tool, for example: Take me to ChatGPT or Open Microsoft Copilot.

To update the button text:

  1. Go to Playbooks > Company Policies.

  2. Select the Avoid Banned GenAI Applications playbook to customize it.

  3. Within the playbook editor, select the Button step.

  4. Replace the default Button text with your desired text.

    Important

    Text within the Button text field is displayed to users and is configurable.

    The text within the Button name field is used by the playbook for conditional branching and must not be changed. Changing the Button name will cause the playbook to fail.

  5. Select Publish to publish the updated playbook.

Note

The Button step appears in two places within the playbook.