Avoid Non-Sanctioned GenAI Applications Playbook

The Avoid Non-Sanctioned GenAI Applications playbook is triggered when a user navigates to a GenAI application that is not on the organization's sanctioned list. Unlike the Corporate GenAI Policy Guidance playbook, this playbook does not allow the user to continue using the non-sanctioned tool. Access remains blocked even after the user provides a justification.

The playbook is fully editable through the playbook editor, including:

  • Warning and policy messaging
  • Justification prompt text
  • Redirect destinations
  • Button labels and styles
  • Post-justification messaging

Organizations can tailor the experience to align with their internal GenAI governance policy.

Match Criteria

The playbook triggers when either of the following holds:

Both of these conditions are met:

  • The application is in the generative-ai-apps list.
  • The application is not in the generative-ai-sanctioned-apps list.

Or both of the following conditions are met:

  • The domain is in the generative-ai-hostnames list.
  • The domain is not in the generative-ai-sanctioned-hostnames list.

Therefore, the playbook targets GenAI tools that the organization has not explicitly approved, while leaving sanctioned tools uninterrupted.

Warning

Modification of the default match criteria should only be performed with a full understanding of the configuration. Incorrect updates may result in unintended blocking of applications, causing significant productivity disruptions. Confirm all updates with your organization administrators before proceeding, in order to align with your organization's overall policy efforts and minimize disruption.

Out-of-the-Box Playbook Behavior

When triggered:

  1. The background session is blurred.

  2. A blocking warning is displayed to the user.

  3. A policy message informs the user they should instead use a sanctioned GenAI tool.

  4. The user is presented with two options:

    • Take me to the sanctioned tool - the user is redirected to the sanctioned GenAI application.
    • I accept the risk - the playbook continues.

If a user chooses to accept the risk:

  • They are prompted to provide a justification for why they need to use this tool instead of the sanctioned tool.
  • The justification is captured and forwarded to the security team.
  • A message confirms the request has been sent and instructs the user to use the sanctioned tool.
  • The user is presented with two final options:
    • Take me to the sanctioned tool - redirects to the sanctioned GenAI application.
    • Take me to our AI policy - redirects to the organization's AI policy page.

Note

Access to the unsanctioned application remains blocked even if a justification is provided.

Required Configuration Before Use

Out of the box, this playbook does not include:

  • A defined sanctioned application URL.
  • A defined URL that hosts the company's AI policy.
  • A populated generative-ai-sanctioned-apps list.
  • A populated generative-ai-sanctioned-hostnames list, if applicable.

    Note

    Only required if the generative-ai-hostnames list has been manually updated, for example when a home-grown AI tool is mapped by its domain.

  • Finalized end-user messaging.

Important

For the playbook to function, administrators must update the playbook before deployment.

Required Updates Before Use

The playbook requires minimal customization to tailor it to your organization's policy stance before it can be used.

Important

Ensure the generative-ai-sanctioned-apps list has been populated.

Until the generative-ai-sanctioned-apps list is populated, the playbook will trigger on every GenAI application, including tools the organization intends to allow.
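The following is an added example, not part of this documentation or the product: a small model of the match criteria above, plus a pre-publish check for the failure mode described here (an empty sanctioned-apps list blocks every GenAI app). The four list names are the ones the playbook uses; the entries in them are constructed sample data.

```python
# Added example: models the playbook's documented match criteria so a
# list configuration can be sanity-checked before publishing.
# List names are the playbook's own; the entries are constructed samples.
SAMPLE_LISTS = {
    "generative-ai-apps": {"chatbot-a", "chatbot-b", "assistant-c"},
    "generative-ai-sanctioned-apps": {"chatbot-a"},
    "generative-ai-hostnames": {"ai.internal.example", "llm.example.net"},
    "generative-ai-sanctioned-hostnames": {"ai.internal.example"},
}


def playbook_triggers(app, hostname, lists):
    """True when the playbook would fire for this navigation.

    Documented rule: fire when the app is a known GenAI app that is not
    sanctioned, OR the domain is a known GenAI hostname that is not
    sanctioned. Sanctioned tools never match, unknown ones never match.
    """
    app_match = (
        app is not None
        and app in lists["generative-ai-apps"]
        and app not in lists["generative-ai-sanctioned-apps"]
    )
    host_match = (
        hostname is not None
        and hostname in lists["generative-ai-hostnames"]
        and hostname not in lists["generative-ai-sanctioned-hostnames"]
    )
    return app_match or host_match


def config_warnings(lists):
    """Pre-publish checks for the misconfigurations the documentation warns about."""
    warnings = []
    if not lists["generative-ai-sanctioned-apps"]:
        warnings.append("generative-ai-sanctioned-apps is empty: every GenAI app will be blocked")
    # Only relevant once hostnames were added manually (e.g. a home-grown tool).
    if lists["generative-ai-hostnames"] and not lists["generative-ai-sanctioned-hostnames"]:
        warnings.append("generative-ai-sanctioned-hostnames is empty: every listed hostname will be blocked")
    # A sanctioned entry missing from the base list has no effect; usually a typo.
    for stray in lists["generative-ai-sanctioned-apps"] - lists["generative-ai-apps"]:
        warnings.append(f"sanctioned app {stray!r} is not in generative-ai-apps")
    return warnings


if __name__ == "__main__":
    print(playbook_triggers("chatbot-b", None, SAMPLE_LISTS))  # True: unsanctioned app
    print(playbook_triggers("chatbot-a", None, SAMPLE_LISTS))  # False: sanctioned app
    unpopulated = {**SAMPLE_LISTS, "generative-ai-sanctioned-apps": set()}
    print(config_warnings(unpopulated))  # one warning: sanctioned-apps list is empty
```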

To apply the required updates:

  1. Go to Playbooks > Company Policies.

  2. Select the Avoid Non-Sanctioned GenAI Applications playbook to customize it.

    Note

    If the playbook is not displayed, add the playbook from the Playbook catalog.

  3. Within the playbook editor, notations highlight where configuration is required.

  4. Replace the default URL in the Navigate to Sanctioned GenAI Tool step with your organization's sanctioned GenAI tool URL, for example genai-tool.com.

    Note

    The Navigate to Sanctioned GenAI Tool step appears in two places within the playbook.

  5. Replace the default URL in the Navigate to Organization AI Policy step with the URL that hosts your organization's AI usage policy, for example usage-policy.com.

  6. Select Publish to publish the updated playbook.

The playbook is now live in your organization.

By default, the button text reads Take me to the sanctioned tool. To improve clarity, update the button caption to name the specific approved tool, for example: Take me to ChatGPT or Open Microsoft Copilot.

To update the button text:

  1. Go to Playbooks > Company Policies.

  2. Select the Avoid Non-Sanctioned GenAI Applications playbook to customize it.

  3. Within the playbook editor, select the Button step.

  4. Replace the default Button text with your desired text.

    Important

    Text within the Button text field is displayed to users and is configurable.

    The text within the Button name field is used by the playbook for conditional branching and must not be changed. Changing the Button name will cause the playbook to fail.

  5. Select Publish to publish the updated playbook.

Note

The Button step appears in two places within the playbook.