File Upload to Non-Sanctioned GenAI Playbook
The File Upload to Non-Sanctioned GenAI playbook is triggered when a user attempts to upload a file to a GenAI application that is not on the organization's sanctioned list. Unlike the browsing-based playbooks, this playbook specifically targets user file upload events.
The playbook is fully editable through the playbook editor, including:
- Warning and notice messaging
- Justification prompt text
- Redirect destination
- Button labels and styles
- Acknowledgment messaging
- Enforcement behavior
Organizations can tailor the experience to align with their internal GenAI governance policy.
Match Criteria
The playbook triggers when either:
All of the following conditions are met:
- A file upload occurs.
- The application is in the generative-ai-apps list.
- The application is not in the generative-ai-sanctioned-apps list.
Or all of the following conditions are met:
- A file upload occurs.
- The domain is in the generative-ai-hostnames list.
- The domain is not in the generative-ai-sanctioned-hostnames list.
The playbook therefore targets file uploads to GenAI tools that the organization has not explicitly approved, while leaving sanctioned tools uninterrupted.
Warning
Modify the default match criteria only with a full understanding of the configuration. Incorrect updates may result in unintended blocking of applications, causing significant productivity disruptions. Confirm all updates with your organization administrators before proceeding, in order to align with your organization's overall policy efforts and minimize disruption.
Out-of-the-Box Playbook Behavior
When triggered:
- The background session is blurred.
- A blocking warning is displayed to the user.
- The user is presented with two options:
  - Take me to the sanctioned tool - the user is redirected to the sanctioned GenAI application.
  - I accept the risk - the playbook continues.
If a user chooses to accept the risk:
- They are prompted to provide a justification for why they need to upload files to this tool instead of the sanctioned tool.
- The justification is captured and forwarded to the security team.
- A message confirms the request will be reviewed and warns users to ensure no company information is shared with this tool.
- The user must select I approve to acknowledge the warning.
After acknowledgment, the playbook ends, and the user can perform a file upload to the non-sanctioned tool.
Required Configuration Before Use
Out of the box, this playbook does not include:
- A defined sanctioned application URL.
- A populated generative-ai-sanctioned-apps list.
- A populated generative-ai-sanctioned-hostnames list, if applicable.
  Note
  Only required if the generative-ai-hostnames list has been manually updated, for example, when a home-grown AI tool is mapped by its domain.
- Finalized end-user messaging.
Important
For the playbook to function, administrators must update the playbook before deployment.
Required Updates Before Use
The playbook requires minimal customization to tailor it to your organization's AI policy before it can be used.
Important
Ensure the generative-ai-sanctioned-apps list has been populated.
Until the generative-ai-sanctioned-apps list is populated, the playbook will trigger on every GenAI application, including tools the organization intends to allow.
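The match criteria and the empty-list behavior described above can be checked with a dry run before publishing. The following is an added example, not product code: the event fields (`label`, `file_upload`, `app`, `hostname`) and all list entries are constructed placeholders; only the four list names come from this page.

```python
# Added illustration of the documented match criteria. The event fields
# (label, file_upload, app, hostname) and every list entry are constructed
# placeholders, not the product's real schema or data.

def playbook_triggers(event, lists):
    """True when a file upload meets either documented condition set."""
    if not event["file_upload"]:
        return False
    by_app = (event["app"] in lists["generative-ai-apps"]
              and event["app"] not in lists["generative-ai-sanctioned-apps"])
    by_host = (event["hostname"] in lists["generative-ai-hostnames"]
               and event["hostname"] not in lists["generative-ai-sanctioned-hostnames"])
    return by_app or by_host

def dry_run(events, lists):
    """Labels of the events that would be interrupted by the playbook."""
    return [e["label"] for e in events if playbook_triggers(e, lists)]

# Constructed events: (label, file_upload, app, hostname)
EVENTS = [dict(zip(("label", "file_upload", "app", "hostname"), row)) for row in [
    ("upload to approved-assistant", True, "approved-assistant", "assistant.example"),
    ("upload to other-chatbot", True, "other-chatbot", "chat.example"),
    ("browse other-chatbot", False, "other-chatbot", "chat.example"),
    ("upload to home-grown tool", True, None, "llm.corp.example"),
    ("upload to file share", True, "file-share", "files.example"),
]]

# Sanctioned lists still empty; hostnames list manually extended.
UNCONFIGURED = {
    "generative-ai-apps": {"approved-assistant", "other-chatbot"},
    "generative-ai-sanctioned-apps": set(),
    "generative-ai-hostnames": {"llm.corp.example"},
    "generative-ai-sanctioned-hostnames": set(),
}
# Same lists after the administrator populates the sanctioned entries.
CONFIGURED = {
    **UNCONFIGURED,
    "generative-ai-sanctioned-apps": {"approved-assistant"},
    "generative-ai-sanctioned-hostnames": {"llm.corp.example"},
}

if __name__ == "__main__":
    for name, lists in (("unconfigured", UNCONFIGURED), ("configured", CONFIGURED)):
        print(name, "->", dry_run(EVENTS, lists))
```

With the sanctioned lists empty, uploads to the intended tool and to the home-grown tool are interrupted along with the unapproved one; once both sanctioned lists are populated, only the unapproved upload matches.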
To apply the required updates:
- Go to Playbooks > Company Policies.
- Select the File Upload to Non-Sanctioned GenAI playbook to customize it.
  Note
  If the playbook is not displayed, add the playbook from the Playbook catalog.
- Within the playbook editor, notations highlight where configuration is required.
- Replace the default URL in the Navigate to Sanctioned GenAI Tool step with your organization's sanctioned GenAI tool URL, for example genai-tool.com.
- Select Publish to publish the updated playbook.
The playbook is now live in your organization.
Recommended Updates
By default, the button text reads Take me to the sanctioned tool. To improve clarity, update the button caption to name the specific approved tool, for example: Take me to ChatGPT or Open Microsoft Copilot.
To update the button text:
- Go to Playbooks > Company Policies.
- Select the File Upload to Non-Sanctioned GenAI playbook to customize it.
- Within the playbook editor, select the Button step.
- Replace the default Button text with your desired text.
  Important
  Text within the Button text field is displayed to users and is configurable.
  The text within the Button name field is used by the playbook for conditional branching and must not be changed. Changing the Button name will cause the playbook to fail.
- Select Publish to publish the updated playbook.
Note
The Button step appears in two places within the playbook.