Perform Initial AI Access Security Configuration
Perform the initial AI Access Security configuration to enable safe adoption of GenAI applications across your organization.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
One of the following:
  • AI Access Security license
  • CASB-PA license
  • CASB-X license
An initial configuration is required before you can begin using AI Access Security to safely adopt generative AI (GenAI) apps across your organization. This includes enabling role-based access, setting up and configuring Enterprise Data Loss Prevention (E-DLP) to prevent exfiltration of sensitive data, and creating a Vulnerability Protection profile to stop attempts to exploit system flaws or gain unauthorized access to systems.
This procedure assumes you already activated the AI Access Security license.
  1. Set up and configure Enterprise Data Loss Prevention (E-DLP).
    Enterprise DLP is the detection engine that prevents exfiltration of sensitive data to GenAI apps. Associate an Enterprise DLP data profile with a Security policy rule to define what is considered sensitive data and the action Enterprise DLP takes when sensitive data is detected.
    1. Set Up Enterprise DLP.
      • Panorama: Install the Enterprise DLP plugin.
      • Strata Cloud Manager: Enable Enterprise DLP.
    2. Edit the Enterprise DLP cloud content, data filtering, and snippet settings as needed.
    3. Review the supported advanced Detection Methods to use in your Enterprise DLP configuration.
      These are advanced traffic-match detection techniques used to prevent exfiltration of sensitive data. They can be used alongside any combination of predefined, custom regex, or file property data patterns in an advanced data profile.
    4. Create data patterns and data profiles to define your sensitive data match criteria.
      Palo Alto Networks recommends creating advanced data profiles as they allow you to use advanced detection method techniques to strengthen your security posture.
    5. (Strata Cloud Manager only) Modify the DLP Rule to specify the impacted file types and file direction (upload or download) and the action Enterprise DLP takes when sensitive data is detected.
  2. Enable Role Based Access to define the access privileges for your security administrators.
    Configure access privileges for AI Access Security and Enterprise DLP, as well as for the management interface (Panorama™ management server or Strata Cloud Manager).
  3. Enable the Gen-AI-Best-Practice Snippet.
    This snippet gives your organization a starting point for Security policy rules that follow the GenAI app adoption best practices recommended by Palo Alto Networks. It allows access to Sanctioned GenAI apps and blocks a wide range of potentially risky GenAI apps by default, so your organization keeps control over GenAI app usage while still enabling productivity-enhancing tools.
    AI Access Security associates the Gen-AI-Best-Practice snippet with the default Global configuration folder by default. You can choose to leave it associated with the Global configuration folder or reassign it to specific folders or enforcement points.
  4. Associate the Application-Tagging Snippet.
    This snippet is required to support tag-based policy rule enforcement. The Application-Tagging snippet contains tagging information to indicate which GenAI apps are approved for use within your organization. Tags are written to, and read from, the Application-Tagging snippet to determine whether an app is tagged as Sanctioned or Tolerated. Apps that are not explicitly tagged as Sanctioned or Tolerated are considered Unsanctioned. Tags are displayed in AI Access Security, the Activity Insights Applications page, and the Strata Cloud Manager Command Center from the information in the Application-Tagging snippet.
  5. Create a Vulnerability Protection profile.
    Vulnerability Protection profiles are associated with your Security policy rule and stop attempts to exploit system flaws or gain unauthorized access to systems.
  6. (NGFW only) Create an internal trust zone and an outbound untrusted zone.
    Zones are a logical way to group physical and virtual interfaces on the NGFW to control and log the traffic that traverses specific interfaces on your network. Policy rules on the NGFW use zones to identify where the traffic comes from and where it's going.
    The internal trust zone designates traffic originating from within your organization while the outbound untrusted zone designates traffic destined for the internet.
  7. Create application filters to dynamically group GenAI apps for which you want to apply the same Security policy requirements.
    AI Access Security includes dynamic predefined GenAI application filters based on the GenAI app use case.
  8. Create Custom Security policy rules to begin safely adopting GenAI apps in your organization.
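The objects that steps 5 through 8 produce, written out as a PAN-OS partial configuration for an NGFW (a fragment of the `vsys1` subtree, loadable with `load config partial` or the XML API). This is an added example, not configuration from this page or from Palo Alto Networks. The object names (GenAI-Vuln-Strict, Sanctioned-GenAI, Tolerated-GenAI, GenAI-EDLP-Alert, GenAI-EDLP-Block, the rule names), the interface-to-zone assignments, the use of the `tagging` element to build an application filter from tags, and the `data-filtering` profile slot for the Enterprise DLP data profile are assumptions to verify against your PAN-OS version and DLP plugin. The tag names Sanctioned and Tolerated are the ones the Application-Tagging snippet uses.

```xml
<!-- Added example (not from this page). Names, interfaces, the application-filter
     tagging element and the data-filtering profile slot are assumptions. -->
<vsys>
  <entry name="vsys1">
    <!-- Step 6: internal trust zone and outbound untrust zone -->
    <zone>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
    </zone>
    <!-- Step 5: Vulnerability Protection profile; reset critical/high, alert on the rest -->
    <profiles>
      <vulnerability>
        <entry name="GenAI-Vuln-Strict">
          <rules>
            <entry name="reset-critical-high">
              <action><reset-both/></action>
              <severity><member>critical</member><member>high</member></severity>
              <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
              <threat-name>any</threat-name><host>any</host><category>any</category>
              <packet-capture>single-packet</packet-capture>
            </entry>
            <entry name="alert-medium-low">
              <action><alert/></action>
              <severity><member>medium</member><member>low</member></severity>
              <cve><member>any</member></cve><vendor-id><member>any</member></vendor-id>
              <threat-name>any</threat-name><host>any</host><category>any</category>
              <packet-capture>disable</packet-capture>
            </entry>
          </rules>
        </entry>
      </vulnerability>
    </profiles>
    <!-- Step 7: application filters that track the Sanctioned / Tolerated tags (assumed syntax) -->
    <application-filter>
      <entry name="Sanctioned-GenAI"><tagging><tag><member>Sanctioned</member></tag></tagging></entry>
      <entry name="Tolerated-GenAI"><tagging><tag><member>Tolerated</member></tag></tagging></entry>
    </application-filter>
    <!-- Step 8: Security policy rules, top to bottom; Enterprise DLP data profiles
         (assumed names) are attached through the data-filtering profile slot -->
    <rulebase>
      <security>
        <rules>
          <entry name="Allow-Sanctioned-GenAI">
            <from><member>trust</member></from><to><member>untrust</member></to>
            <source><member>any</member></source><destination><member>any</member></destination>
            <application><member>Sanctioned-GenAI</member></application>
            <service><member>application-default</member></service>
            <action>allow</action><log-end>yes</log-end>
            <profile-setting><profiles>
              <vulnerability><member>GenAI-Vuln-Strict</member></vulnerability>
              <data-filtering><member>GenAI-EDLP-Alert</member></data-filtering>
            </profiles></profile-setting>
          </entry>
          <entry name="Allow-Tolerated-GenAI">
            <from><member>trust</member></from><to><member>untrust</member></to>
            <source><member>any</member></source><destination><member>any</member></destination>
            <application><member>Tolerated-GenAI</member></application>
            <service><member>application-default</member></service>
            <action>allow</action><log-end>yes</log-end>
            <profile-setting><profiles>
              <vulnerability><member>GenAI-Vuln-Strict</member></vulnerability>
              <data-filtering><member>GenAI-EDLP-Block</member></data-filtering>
            </profiles></profile-setting>
          </entry>
          <!-- Everything not matched above (including untagged, i.e. Unsanctioned, GenAI apps) -->
          <entry name="Deny-Unsanctioned-Outbound">
            <from><member>trust</member></from><to><member>untrust</member></to>
            <source><member>any</member></source><destination><member>any</member></destination>
            <application><member>any</member></application>
            <service><member>any</member></service>
            <action>deny</action><log-end>yes</log-end>
          </entry>
        </rules>
      </security>
    </rulebase>
  </entry>
</vsys>
```

Two points to check before committing a fragment like this. First, an application filter cannot express "tagged neither Sanctioned nor Tolerated", so the example enforces the Unsanctioned category with a final deny; on a firewall that also allows general web browsing, that deny never fires for GenAI apps, and you instead need a deny rule built on the predefined GenAI application filters from step 7 placed between the two allow rules and the web-browsing rule. Second, `application-default` on the allow rules keeps a Sanctioned app from being reached over non-standard ports, and `log-end` on every rule is what gives the AI Access Security dashboards and your SOC the traffic and DLP logs to work from.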