Hear from our security engineers as we share how Netskope moved beyond blanket restrictions to a more adaptive, context-aware approach that lets us safely say “yes” to SaaS and GenAI. We’ll highlight real-world patterns of risky usage, common blind spots across managed and unmanaged apps, and the unique data exposure risks posed by GenAI assistants and copilots.
Learn how to:
- Discover and continuously assess SaaS and GenAI usage across your environment
- Protect sensitive data with granular, inline, and context-aware controls
- Apply consistent policies to managed, unmanaged, and AI-powered applications
- Partner with business stakeholders to securely accelerate SaaS and GenAI initiatives
For more information, check out our blog post.
View past events in this series!
Check out some customer questions below, or feel free to comment and continue the discussion!
Q: Can you share best practices for GenAI app control in the RTP policy structure, given the new app connectors and capabilities?
A: Discover: Log all AI category traffic. Govern: Block "High Risk" AI apps (CCI < 50). Protect: Apply DLP to activities such as "Post" activities for "All Generative AI." Coach: Use User Alerts to remind users of company AI policy when they visit these sites.
We recommend some of our new AI security products, such as the AI Agentic solutions, to help provide broad coverage.
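A model of that four-stage rule order, as an added example (not Netskope's own code or API): event fields, the CCI cut-off of 50 quoted in the answer, and the action names are assumptions; the sample events are constructed.

```python
# Added example, not Netskope code: a model of the Discover / Govern /
# Protect / Coach rule order from the answer above. Event fields, the
# CCI threshold and the action names are assumptions, not product APIs.
from dataclasses import dataclass

CCI_HIGH_RISK = 50  # "High Risk" apps: CCI below 50


@dataclass
class AppEvent:
    user: str
    app: str
    category: str
    cci: int
    activity: str         # e.g. "Post", "Upload", "Browse"
    dlp_match: bool       # constructed stand-in for a DLP rule hit


def evaluate(ev: AppEvent) -> tuple[list[str], str]:
    """Return (actions taken in order, final verdict) for one event."""
    actions = []
    if ev.category != "Generative AI":
        return actions, "allow"            # outside the AI policy scope
    actions.append("log")                  # Discover: log all AI traffic
    if ev.cci < CCI_HIGH_RISK:             # Govern: block high-risk apps
        actions.append("block:high-risk-app")
        return actions, "block"
    if ev.activity == "Post" and ev.dlp_match:   # Protect: DLP on Post
        actions.append("dlp-block:sensitive-prompt")
        return actions, "block"
    actions.append("user-alert:ai-policy") # Coach: remind, then allow
    return actions, "allow-with-alert"


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    AppEvent("alice", "ChatGPT", "Generative AI", 78, "Post", False),
    AppEvent("bob", "UnvettedAITool", "Generative AI", 32, "Post", True),
    AppEvent("carol", "ChatGPT", "Generative AI", 78, "Post", True),
    AppEvent("dave", "Salesforce", "CRM", 85, "Upload", True),
]


def verdict_counts(events):
    """Tally final verdicts; a sanity check that rule ordering does what was intended."""
    counts = {}
    for ev in events:
        verdict = evaluate(ev)[1]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

Because the stages are evaluated in order, a high-risk app is blocked before DLP ever runs, while every AI-category event is logged regardless of outcome.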
Q: What is the use case for identification of Shadow AI/Shadow IT?
A: Use the Skope IT "Application Events" and AI insights dashboards to filter by the "Generative AI" category. This identifies which AI tools are being used, by whom, and the volume of data being sent, allowing you to bring "Shadow AI" into your sanctioned governance framework.
Q: Did OpenAI ever agree to pin Netskope to their list of trusted CA certs in the macOS desktop ChatGPT app? Is the recommendation to safely allow use of GenAI in cases of cert-pinned desktop software to simply block the software and require use of a browser, or is there a better option?
A: OpenAI has not broadly added third-party CAs to their desktop apps. The recommendation remains to block the desktop application (via App Context or Executable name) and require users to use the browser-based version, which respects the system's trusted root store and allows for full inspection.
Q: How do I allow a user to raise a ticket to operations with User Alert? We only have “back” or “proceed” buttons.
A: Currently, Netskope User Alerts provide "Proceed" or "Back" options. To facilitate ticketing, you can customize the "User Alert" message to include a hyperlink to your internal IT support portal or a specific mailto: link, allowing users to report the incident or request an exception directly.
Q: How do you balance between having DLP rules and SSL inspection breaking some of the common AI tools?
A: Use "Bypass" rules sparingly and only for trusted, business-critical domains that strictly require them. For AI tools, it is recommended to maintain SSL inspection to ensure DLP can see the prompts. If an app breaks, investigate whether it uses certificate pinning; if so, consider blocking the app and allowing the browser version instead.
Q: What are the supported granular controls for new or emerging GenAI applications?
A: Netskope supports granular activities such as Post, Upload, and Download for hundreds of GenAI apps. For emerging apps not yet in the CCI (Cloud Confidence Index), you can use custom connectors or generic "Generative AI" category rules to apply broad DLP and activity constraints until specific app support is added.
Q: Can we fully secure Desktop and Browser AI agents? What can we not promise in security at the moment if we allow browser and desktop AI agents?
A: While Netskope provides deep visibility and control for browser-based AI via SSL inspection and DLP, desktop agents that use certificate pinning (like the ChatGPT macOS app) can be more challenging. We cannot "promise" security for encrypted traffic that bypasses inspection. The best practice is to steer users toward the browser-based versions where full DLP and activity controls (like "Post" or "Prompt" detection) can be enforced.