
Corporate GenAI Policy Guidance Playbook

The Corporate GenAI Policy Guidance playbook is triggered when a user navigates to a GenAI application that is not on the organization's sanctioned list. Unlike the Banned GenAI Applications playbook, this playbook allows the user to continue using the tool after providing a justification and acknowledging the risk.

The playbook is fully editable through the playbook editor, including:

  • Warning and policy messaging
  • Justification prompt text
  • Redirect destinations
  • Button labels and styles
  • Acknowledgment messaging

Organizations can customize the experience to align with their internal GenAI governance policy.

Match Criteria

The playbook triggers when either:

Both of the following conditions are met:

  • The application is in the generative-ai-apps list.
  • The application is not in the generative-ai-sanctioned-apps list.

Or both of the following conditions are met:

  • The domain is in the generative-ai-hostnames list.
  • The domain is not in the generative-ai-sanctioned-hostnames list.

Therefore, the playbook targets GenAI tools that the organization has not explicitly approved, while leaving sanctioned tools uninterrupted.

Warning

Modification of the default match criteria should only be performed with a full understanding of the configuration. Incorrect updates may result in unintended blocking of applications, causing significant productivity disruptions. Confirm all updates with your organization administrators before proceeding in order to align with your organization's overall policy efforts and minimize disruption.

Out-of-the-Box Playbook Behavior

When triggered:

  1. The background session is blurred.

  2. A blocking warning is displayed to the user.

  3. A policy message informs the user they should instead use a sanctioned GenAI tool.

  4. The user is presented with two options:

    • Take me to the sanctioned tool - the user is redirected to the sanctioned GenAI application.
    • I accept the risk - the playbook continues.

If the user chooses to accept the risk:

  • They are prompted to provide a justification for why they need to use this tool instead of the sanctioned tool.
  • The justification is captured and forwarded to the security team for their review.
  • A message confirms the request will be reviewed and warns the user to ensure no company information is shared with this tool.
  • The user must select I approve to acknowledge the warning.

After acknowledgment, the playbook ends, and the user can continue using the non-sanctioned tool.

Required Configuration Before Use

Out of the box, this playbook does not include:

  • A defined sanctioned application URL.
  • A populated generative-ai-sanctioned-apps list.
  • A populated generative-ai-sanctioned-hostnames list, if applicable.

    Note

    Only required if the generative-ai-hostnames list has been manually updated. For example, when there is a home-grown AI tool that is mapped by its domain.

  • Finalized end-user messaging.

Important

For the playbook to function, administrators must update the playbook before deployment.

Required Updates Before Use

The playbook requires minimal customization to tailor it to your organization's AI policy before it can be used.

Important

Ensure the generative-ai-sanctioned-apps list has been populated.

Until the generative-ai-sanctioned-apps list is populated, the playbook will trigger on every GenAI application, including tools the organization intends to allow.
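The match criteria above and the empty-list failure mode in this note can be checked before publishing. The following is an added example, not the product's own code: it models the four lists by the names the documentation uses, but the evaluation function, the parent-domain matching semantics, the preflight check and every sample entry are assumptions constructed for illustration.

```python
"""Model of the Corporate GenAI Policy Guidance match criteria (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PlaybookLists:
    """The four lists the match criteria reference; contents are constructed samples."""
    generative_ai_apps: set = field(default_factory=set)
    generative_ai_sanctioned_apps: set = field(default_factory=set)
    generative_ai_hostnames: set = field(default_factory=set)
    generative_ai_sanctioned_hostnames: set = field(default_factory=set)


def host_in_list(hostname: str, hostnames: set) -> bool:
    """Exact or parent-domain match (assumed semantics): 'x.example.com' matches 'example.com'."""
    host = hostname.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hostnames)


def should_trigger(app: Optional[str], hostname: str, lists: PlaybookLists) -> bool:
    """True when the visited tool is a known GenAI app or domain that is not sanctioned."""
    by_app = (app is not None and app in lists.generative_ai_apps
              and app not in lists.generative_ai_sanctioned_apps)
    by_host = (host_in_list(hostname, lists.generative_ai_hostnames)
               and not host_in_list(hostname, lists.generative_ai_sanctioned_hostnames))
    return by_app or by_host  # either pair of conditions is enough


def preflight(lists: PlaybookLists, sanctioned_url: str) -> list:
    """Checks to run before publishing; 'genai-tool.com' is the placeholder URL from the docs."""
    problems = []
    if not lists.generative_ai_sanctioned_apps:
        problems.append("generative-ai-sanctioned-apps is empty: every GenAI app will trigger")
    if sanctioned_url.strip() in ("", "genai-tool.com"):
        problems.append("Navigate to Sanctioned GenAI Tool still points at the placeholder URL")
    return problems


def sample_lists() -> PlaybookLists:
    """Constructed sample configuration in which Copilot is the sanctioned tool."""
    return PlaybookLists(
        generative_ai_apps={"chatgpt", "claude", "copilot"},
        generative_ai_sanctioned_apps={"copilot"},
        generative_ai_hostnames={"chat.openai.com", "claude.ai", "copilot.microsoft.com"},
        generative_ai_sanctioned_hostnames={"copilot.microsoft.com"},
    )
```

Running `preflight` on lists whose sanctioned-apps set is empty reproduces the situation described in the note: the sanctioned tool itself satisfies the match criteria and would trigger the playbook.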

To apply the required updates:

  1. Go to Playbooks > Company Policies.

  2. Select the Corporate GenAI Policy Guidance playbook to customize it.

    Note

    If the playbook is not displayed, add the playbook from the Playbook catalog.

  3. Within the playbook editor, notations highlight where configuration is required.

  4. Replace the default URL in the Navigate to Sanctioned GenAI Tool step with your organization's sanctioned GenAI tool URL, for example genai-tool.com.

  5. Select Publish to publish the updated playbook.

The playbook is now live in your organization.

By default, the button text reads Take me to the sanctioned tool. To improve clarity, update the button caption to name the specific approved tool, for example: Take me to ChatGPT or Open Microsoft Copilot.

To update the button text:

  1. Go to Playbooks > Company Policies.

  2. Select the Corporate GenAI Policy Guidance playbook to customize it.

  3. Within the playbook editor, select the Button step.

  4. Replace the default Button text with your desired text.

    Important

    Text within the Button text field is displayed to users and is configurable.

    The text within the Button name field is used by the playbook for conditional branching and must not be changed. Changing the Button name will cause the playbook to fail.

  5. Select Publish to publish the updated playbook.