
AI Safeguards – Admin Guide

This guide covers how to configure AI Safeguards policies. For a feature introduction and settings overview, refer to AI Safeguards - Overview.

This feature is currently available only on the Elite and Ultimate plans. Please contact the Egnyte account manager or Egnyte Sales team for more information.

Getting Started

Navigate to Settings → Configuration → AI. The AI Safeguards section is at the bottom of the page.


Select New policy to open the policy creation modal. Each policy requires a name and at least one criterion. Use the Criteria section to select the criterion type, the matching direction (Included in or Not included in), and the specific values. Additional criteria rows can be added with the Add criteria button. Each additional row is joined with an AND condition.

The Summary section at the bottom of the dialog shows a plain-language description of what the policy will do. Use the dropdown on the Create button to choose how the policy is saved: click Create to save it as Active, or open the dropdown and select Create a ‘Report only’ policy to save it as Report Only.

 

- It is recommended to begin with Report Only policies to observe what would be restricted before enforcing any restrictions.
- Policies can be switched between Active and Report Only states at any time from the policy list.
- Report Only policies that monitor the same scope as an Active policy must be placed above the Active policy in the priority list.
- An Active policy stops evaluation. Report Only policies placed after the Active policy will not execute for requests that the Active policy already matched.

Use Case 1: Monitoring Mode — Visibility Before Enforcement

Goal: Understand how AI is being used across the domain before applying any restrictions. All policies are set to Report Only. No requests are blocked. It is recommended to run this phase for several weeks to build a report and understand user activity.

Policy set

Create the following four policies. Because all are Report Only, evaluation continues through all of them for every request and the order does not affect which entries are generated.

  • Create a policy named Sensitive folder access. Add one criterion: Location Included in [/Shared/Legal, /Shared/Finance, /Shared/HR]. Save the policy as Report Only.
  • Create a policy named Classified content access. Add one criterion: Content Classification Included in [Confidential, PII, Sensitive]. Save the policy as Report Only.
  • Create a policy named Metadata-tagged sensitive files. Add one criterion: Metadata tags Included in [restricted, internal-only]. Save the policy as Report Only.
  • Create a policy named All non-IT AI usage. Add one criterion: Users/Groups Not included in [IT]. Save the policy as Report Only.

Result

When switching any of these policies to Active, place any remaining Report Only policies covering the same or overlapping scope above the active policy. An Active policy stops evaluation. Therefore, Report Only policies placed after the Active policy will not execute for requests that the Active policy already matched. 

In this example, the Classified content access policy was switched to Active and moved below all Report Only policies.

How Requests Are Evaluated

  • Because all policies are Report Only, evaluation continues through all four policies for every request. A single request can match multiple policies and generate a Flagged entry for each policy.
  • An IT user accessing an unclassified file outside the sensitive folders does not match any policy and produces no report entries at all.
  • No entries appear in the Blocked report throughout this phase because there are no Active policies.

Report Entries

  • Flagged: every request matching any configured scope. A single request can generate multiple Flagged entries if it matches several policies.
  • Blocked: empty throughout this phase.

Transitioning to Enforcement

Once enough data has been gathered and reviewed, convert selected policies to Active according to your business needs. Keep any Report Only policies covering the same or overlapping scope above the newly Active policy in the list to continue generating Flagged entries alongside the new Blocked entries.

Use Case 2: Initial Rollout — IT Group Only

Goal: Restrict AI access to a named administrator group during initial deployment. All other users are blocked.

Policy set

  • Create a policy named Block all non-IT users. Add one criterion: Users/Groups - Not included in [IT]. This blocks every user who is not a member of the IT group. Save the policy.
  • Optionally, create a second policy named Track IT AI activity. It generates a Flagged report entry for every AI request made by members of the IT group. Use it to track the IT group’s activity; it is not mandatory and can be omitted if you only want to apply restrictions with the Block all non-IT users policy.
    If you decide to keep this policy, add one criterion: Users/Groups - Included in [IT]. Place this policy above the blocking policy in the priority list. Save the policy as Report Only.

Result

 

To expand access over time, add groups and individual users to the values in the blocking policy. There is no need to create additional policies.

How Requests Are Evaluated

  • IT user making an AI request: the optional tracking policy matches and logs the activity. Because it is Report Only, evaluation continues to the next policy. The blocking policy does not match because Not included in [IT] is false for IT members. The request is permitted.
  • Any other user making an AI request: the optional tracking policy does not match, no activity is logged and evaluation continues. The blocking policy matches and the request is blocked.

Report Entries

  • Flagged: IT user activity only. Populated only if the optional tracking policy is configured. Skipping the Report Only policy leaves the Flagged report empty for this use case.
  • Blocked: All attempts from users that are not part of the IT group.

Use Case 3: Continuous Governance — Department-Scoped Access

Goal: Allow specific departments to use AI only within their designated folder. HR staff may use AI against files in /Shared/HR and Finance staff in /Shared/Finance. Cross-department access is blocked and all users outside of HR and Finance are blocked from access to AI entirely.

Policy set

  • Create a policy named Block HR outside /Shared/HR. Add two criteria: Users/Groups Included in [HR Group], and Location Not included in [/Shared/HR]. This policy executes when an HR Group member accesses any folder other than /Shared/HR. Save the policy.
  • Create a policy named Block Finance outside /Shared/Finance. Add two criteria: Users/Groups Included in [Finance Group], and Location Not included in [/Shared/Finance]. Save the policy.

  • Create a policy named Block all other users. Add one criterion: Users/Groups Not included in [HR Group, Finance Group]. This catch-all is required. Without it, users outside of both departments pass through the first two policies without a match and have unrestricted AI access. With this policy, they will not have access to AI-powered capabilities anywhere in the platform. Save the policy.
  • Optionally, create a fourth policy named Track all HR and Finance activity. Add one criterion: Users/Groups Included in [HR Group, Finance Group] with no location filter. The absence of a location filter is deliberate: it captures all HR and Finance requests, including permitted ones inside their own folders that would otherwise produce no report entries. Place this policy at the top of the list, above the three blocking policies. Save the policy as Report Only.

- This policy set assumes each user belongs to at most one of the listed department groups.
- A user who is a member of both HR Group and Finance Group will be blocked from /Shared/Finance by the HR policy.

Result

When adding a new department that should follow the same access pattern, first create a new blocking policy following the same pattern:

Block Group_ABC outside /Shared/Group_ABC with two criteria: Users/Groups Included in [Group_ABC], and Location Not included in [/Shared/Group_ABC]. Save the policy and place it above the catch-all policy.

Then, update the catch-all policy to also include Group_ABC. Failing to update the catch-all means the new group is blocked across all folders by that policy, including /Shared/Group_ABC.

Then, if you also created the Report Only policy for tracking activity and want to track Group_ABC’s activity too, extend it with Group_ABC.

How Requests Are Evaluated

  • HR member accessing /Shared/HR: The optional tracking policy matches and logs the activity. The HR blocking policy does not match because the user is inside their permitted folder. 
    The Finance blocking policy does not match because the user is not in Finance Group and does not try to access /Shared/Finance either. The catch-all does not match because the user is in HR Group. The request is permitted.
  • Finance member accessing /Shared/Finance: The same logic as in the point above applies. The request is permitted.
  • HR member accessing /Shared/Finance: The optional tracking policy matches and logs the activity. The HR blocking policy matches because the user is in HR Group and the location is not /Shared/HR. Evaluation stops. The request is blocked. The Finance blocking policy and catch-all are not evaluated for this request.
  • Finance member accessing /Shared/HR: The same logic as in the point above applies. The request is blocked.
  • Any other user making a request: The optional tracking policy does not match. The HR and Finance blocking policies do not match. The catch-all matches and evaluation stops. The user is not granted access to AI-powered capabilities.

Report Entries

  • Flagged: All HR and Finance requests, both permitted and blocked, if the optional tracking policy is configured.
  • Blocked: HR and Finance members accessing folders outside their designated folder.
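
The evaluation order described in this guide (Report Only policies log and continue, the first matching Active policy blocks and stops) can be checked against the Use Case 3 policy set with a small model. This is an added example, not Egnyte code; the request shape, the folder-prefix match for Location and the `evaluate` helper are assumptions made for illustration.

```python
# Added example: a minimal model of the evaluation order this guide describes.
# Group overlap and folder-prefix matching are assumed semantics, not Egnyte's code.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    criteria: list          # (field, included, values) rows, joined with AND
    report_only: bool = False

def _hit(field, values, req):
    if field == "groups":
        return bool(set(values) & set(req["groups"]))
    if field == "location":
        return any(req["path"] == v or req["path"].startswith(v + "/") for v in values)
    raise ValueError(field)

def evaluate(policies, req):
    """Return (outcome, flagged_by, blocked_by) for one AI request."""
    flagged = []
    for p in policies:                      # priority order, top of the list first
        if all(_hit(f, v, req) == inc for f, inc, v in p.criteria):
            if p.report_only:
                flagged.append(p.name)      # Flagged entry, evaluation continues
            else:
                return "blocked", flagged, p.name   # Active match stops evaluation
    return "permitted", flagged, None

DEPTS = ["HR Group", "Finance Group"]
TRACK = Policy("Track all HR and Finance activity", [("groups", True, DEPTS)], report_only=True)
BLOCKS = [
    Policy("Block HR outside /Shared/HR",
           [("groups", True, ["HR Group"]), ("location", False, ["/Shared/HR"])]),
    Policy("Block Finance outside /Shared/Finance",
           [("groups", True, ["Finance Group"]), ("location", False, ["/Shared/Finance"])]),
    Policy("Block all other users", [("groups", False, DEPTS)]),
]
USE_CASE_3 = [TRACK] + BLOCKS               # order recommended by the guide
MISORDERED = BLOCKS + [TRACK]               # tracking policy wrongly placed last

# Constructed sample requests (file names and the Sales group are made up)
hr_own   = {"groups": ["HR Group"], "path": "/Shared/HR/reviews.docx"}
hr_cross = {"groups": ["HR Group"], "path": "/Shared/Finance/q3.xlsx"}
outsider = {"groups": ["Sales"], "path": "/Shared/Sales/deck.pptx"}
dual     = {"groups": ["HR Group", "Finance Group"], "path": "/Shared/HR/reviews.docx"}

if __name__ == "__main__":
    for r in (hr_own, hr_cross, outsider, dual):
        print(evaluate(USE_CASE_3, r), "| misordered:", evaluate(MISORDERED, r))
```

In this model a user who belongs to both HR Group and Finance Group is blocked in every folder, and moving the tracking policy below the blocking policies leaves blocked requests without a Flagged entry.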

Use Case 4: Sensitive Content Protection

Goal: Prevent AI from processing files classified as Confidential or PII for most users. A dedicated Compliance Group retains access. All classified-content activity can optionally be logged.

Policy set

  • Create a policy named Block non-Compliance access to classified content. Add two criteria: Users/Groups Not included in [Compliance Group], and Content Classification Included in [Confidential, PII]. This blocks any user outside the Compliance Group from using classified files in AI responses. Save the policy.
  • Create a policy named Block classified content in Legal folder. Add two criteria: Location Included in [/Shared/Legal], and Content Classification Included in [Confidential, PII]. The AND logic means this policy will execute when a file is within the /Shared/Legal folder and carries a Confidential or PII classification. This blocks even the Compliance Group from using classified content in the Legal folder. Save the policy.
  • Optionally, create a third policy named Track all access to classified content. Add one criterion: Content Classification Included in [Confidential, PII]. Place this policy above both Active policies. This policy generates a Flagged entry for every classified-content AI request, including permitted Compliance Group activity that would otherwise produce no report entries. Save the policy as Report Only.

Result

How Requests Are Evaluated

  • Compliance Group member accessing a Confidential file outside /Shared/Legal: The optional tracking policy matches and logs the activity. Evaluation continues. The first blocking policy does not match because the user is in the Compliance Group. The second blocking policy does not match because the file is not in /Shared/Legal. The request is permitted.
  • Regular user accessing a Confidential file: The optional tracking policy matches and logs the activity. Evaluation continues. The first blocking policy matches because the user is not in the Compliance Group and the file is classified. Evaluation stops. The request is blocked. The second blocking policy is not evaluated for this request.
  • Compliance Group member accessing a Confidential file inside /Shared/Legal: The optional tracking policy matches and logs the activity. Evaluation continues. The first blocking policy does not match. Evaluation continues. The second blocking policy matches because the file is in /Shared/Legal and is classified. Evaluation stops. The request is blocked.
  • Any user accessing a non-classified file in any folder: No policy matches. The request is permitted and produces no report entries.

Report Entries

  • Flagged: Every classified-content access regardless of outcome, if the optional tracking policy is configured. Without it, Compliance Group access produces no report entries.
  • Blocked: Non-Compliance users accessing classified files, and Compliance users accessing classified files in /Shared/Legal.

A Compliance user accessing a classified file in /Shared/Legal appears in both reports simultaneously. The optional tracking policy generates a Flagged entry and the Legal folder policy generates a Blocked entry for the same request.

Use Case 5: Competitive Confidentiality — Metadata-Based File Hiding

Goal: Prevent AI from surfacing one client's materials to users working on a competing account. An advertising agency manages files for competing clients. Files belonging to each client are tagged with a client-specific metadata value in Egnyte Collaborate. Policies use the Metadata tags criterion to ensure that users working on one account cannot use AI on files tagged as belonging to a competing client.

Policy set

  • Create a policy named Block Taz Industries team from Acme Corp files. Add two criteria: Users/Groups Included in [Taz Industries Account Group], and Metadata tags Included in [client: Acme Corp]. This blocks Taz Industries Group members from using AI on any file tagged with the Acme Corp client tag. Save the policy.
  • Create a policy named Block Acme Corp team from Taz Industries files. Add two criteria: Users/Groups Included in [Acme Corp Account Group], and Metadata tags Included in [client: Taz Industries]. Save the policy.

Result

 

This pattern extends to any number of competing clients. Add one policy per combination of Group and competing client tag.

How Requests Are Evaluated

  • Taz Industries Group member accessing a file tagged client: Acme Corp: The first policy matches because the user is in Taz Industries Account Group and the file carries the Acme Corp tag. Evaluation stops. The request is blocked.
  • Acme Corp Group member accessing a file tagged client: Taz Industries: The first policy does not match. The second policy matches because the user is in Acme Corp Account Group and the file carries the Taz Industries tag. Evaluation stops. The request is blocked.
  • Taz Industries Group member accessing a file tagged client: Taz Industries: Neither policy matches because the user is working on their own client files. The request is permitted.
  • Acme Corp Group member accessing a file tagged client: Acme Corp: The same logic applies symmetrically. The request is permitted.

Report Entries

  • Flagged: No Flagged entries are generated for this use case. No Report Only policies are configured.
  • Blocked: Any Group member attempting to use AI on a competing client file.
