
AI Safeguards - Overview

What Are AI Safeguards?

AI Safeguards enable administrators to govern how AI operates within Egnyte. Policies control which files the AI can use to generate responses and which users can access AI-powered functionalities.

Two distinct governance needs are addressed:

  • Data Visibility: Policies control which files are excluded from AI visibility, preventing them from being used to generate responses. This applies within Egnyte Collaborate and requests processed through the Egnyte MCP Server.
  • Access Control: Policies restrict which users and groups have access to AI-powered functionalities. This supports phased rollouts and permanent exclusion of groups that do not need AI access.

This feature is currently available only on the Elite and Ultimate plans. Please contact the Egnyte account manager or Egnyte Sales team for more information.

Benefits

  • Prevent information from sensitive files such as contracts, HR records, and classified documents from appearing in AI responses.
  • Roll out AI access to selected early adopters and expand coverage gradually over time.
  • Control AI access per user and/or group without changing underlying file permissions.
  • Sanitize content returned from the Egnyte MCP Server to external AI tools.
  • Monitor AI activity across the domain before enabling any restrictions, using Report Only policies.

Common Use Cases

The following use cases are covered step-by-step in AI Safeguards - Admin Guide.

  1. Initial rollout: AI access is restricted to a single group during initial deployment. Access can be expanded to additional groups over time by extending the blocking policy.
  2. Department-scoped access: Departments can use AI but only within their designated folder. Cross-department access and all other users are blocked.
  3. Monitoring mode: Report Only policies are used to observe AI activity across the domain before any restrictions are applied.
  4. Sensitive content protection: AI is prevented from processing files classified as Confidential or PII, with selected compliance teams retaining access.
  5. Competitive confidentiality: Metadata tags are used to prevent AI from surfacing a client's files to users working on a competing project.

Overview

AI Safeguards policies are managed in the AI Safeguards section under Settings -> Configuration -> AI. Administrators can create, edit, reorder, and change the state of policies from this page.

Policy Criteria Types

Each policy is built using one or more criteria. Four types are available:

  • Location: One or more folders. All subfolders are included by default when a parent folder is selected.
  • Content Classification policies: Classification tags applied by Secure & Govern Content Classification Policies. Exclusive to the Ultimate plan.
  • Metadata tags: Metadata applied to files in Egnyte Collaborate. Currently only single-select and multi-select metadata types are supported.
  • Users/Groups: Specific users and group identifiers.

Criteria are combined as follows:

  • Multiple criteria rows within a single policy are joined with AND. All rows must match for the policy to activate.
  • Multiple values within a single criterion use OR. Only one value needs to match.

Policy States

Each policy can be in one of three states. Administrators can choose whether a newly saved policy defaults to Active or Report Only.

  • Active: Restrictions are applied.
  • Report Only: Restrictions are tracked for reporting but not applied. Useful for monitoring activity before restrictions.
  • Inactive: Restrictions are not applied.

Policy Priority and Evaluation

Policies are evaluated sequentially, starting from Policy 1. The priority number is shown on the left of each policy row. Evaluation behavior depends on the matching policy's state:

  • Report Only: Evaluation continues to the next policy after a match. Multiple Report Only policies can match the same request, each adding a Flagged audit report entry.
  • Active: Evaluation stops immediately once a match is found. One Blocked report entry is created. No further policies are evaluated for that request.

Report Only policies intended to monitor the same scope as an Active policy must be placed above it in the priority list. An Active policy stops evaluation. Report Only policies placed below Active policies will not be evaluated for requests that the Active policy already matched.

Priority order can be changed using the drag-and-drop handle on the left of each policy row.
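The evaluation order and the AND/OR criteria rules described above can be modeled in a few lines. This is an added illustrative example, not Egnyte code or an Egnyte API: the `Policy` class, the dictionary shape of criteria and requests, and the sample policies are all assumptions, folder inheritance is not modeled, and Inactive policies are assumed to be skipped without producing audit entries.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    state: str      # "Active", "Report Only" or "Inactive"
    criteria: dict  # criterion type -> set of accepted values (assumed shape)

def matches(policy, request):
    # Criteria rows are joined with AND; values inside one row use OR.
    return all(request.get(kind, set()) & values
               for kind, values in policy.criteria.items())

def evaluate(policies, request):
    """Return (allowed, audit_entries) for one request, in priority order."""
    audit = []
    for priority, policy in enumerate(policies, start=1):
        if policy.state == "Inactive" or not matches(policy, request):
            continue
        if policy.state == "Report Only":
            audit.append(("Flagged", priority, policy.name))
            continue  # Report Only never stops evaluation
        audit.append(("Blocked", priority, policy.name))
        return False, audit  # Active match: nothing below is evaluated
    return True, audit

# Constructed sample policies and requests.
MONITOR = Policy("Monitor sensitive", "Report Only",
                 {"classification": {"PII", "Confidential"}})
BLOCK = Policy("Block PII for Sales/Marketing", "Active",
               {"classification": {"PII"}, "group": {"Sales", "Marketing"}})
SALES_PII = {"classification": {"PII"}, "group": {"Sales"}}
LEGAL_PII = {"classification": {"PII"}, "group": {"Legal"}}

if __name__ == "__main__":
    for label, order in (("monitor above", [MONITOR, BLOCK]),
                         ("monitor below", [BLOCK, MONITOR])):
        print(label, evaluate(order, SALES_PII))
    print("legal user", evaluate([MONITOR, BLOCK], LEGAL_PII))
```

With the Report Only policy placed below the Active one, the Sales request produces only a Blocked entry and the monitoring policy records nothing, which is the gap the ordering rule is meant to prevent.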

Special Behavior: Users/Groups-Only Policies

A policy using only the Users/Groups criterion enters a special mode. In addition to restricting AI processing, it removes all AI-related entry points from the user interface for matched users. AI Assistant, Agents, Knowledge Bases, and all other AI surfaces are hidden entirely, with no visible indication that a restriction is in place.

External tools connecting through the Egnyte MCP Server can still connect on behalf of these users. AI Safeguards policies apply to all inbound requests and the content returned is sanitized accordingly.

This mode is recommended for hard blocks during initial rollout or for groups that should never have AI access.

Audit Reports

Audit reports are available in the Reports panel under Audit AI Safeguards:

  • Blocked: Files considered for use by the AI but blocked from generating responses.
  • Flagged (report-only): Files that would have been blocked, but were not, because the matching policy was set to Report Only. Useful for investigating activity without disrupting workflows.

Both reports provide the same options as other audit reports in Egnyte, so the scope of a report can be narrowed according to the types of information it exposes.

The report itself can be used to investigate incidents.

Policy States

Each policy can be in one of three states:

  1. Active: Configured restrictions are applied.
  2. Inactive: Configured restrictions are not applied.
  3. Report Only: Configured restrictions are tracked for reporting purposes but are not enforced, allowing for active monitoring without interruptions.

Admins can select whether a newly saved policy defaults to the Active or Report Only state.

User Experience

When a user interacts with a file protected by an Active policy (and they are not excluded entirely from using AI), the file is not processed and the user is informed that the item is protected by AI Safeguards. Files restricted through the MCP Server are not returned to the requesting application.

If a user would like an excluded file to be available for AI processing, they can:

  • Contact their Egnyte administrator to find out why the file is restricted.
  • Request policy configuration adjustments.

When at least one Active policy is in place on the domain, the "AI Safeguards active" indicator is shown in the AI Assistant panel.

Additional information is shown in the context menu and when a user tries to interact with a restricted file.

Limitations

  • Users on Egnyte for Android older than v.9.5 or Mobile App for iOS older than v.9.5 may still see AI entry points even when a Users or Groups-only policy applies to them.
  • Changes to policies may take up to one hour to finish processing and take effect.
  • Changes to AI Safeguards policies are not currently recorded in the Configuration Settings report.
