>
    Strata Copilot
    How Enterprise DLP Safeguards Against ChatGPT Data Leakage
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Configure Enterprise DLP
    5. Enterprise DLP and AI Apps
    6. How Enterprise DLP Safeguards Against ChatGPT Data Leakage
    Download PDF
    Enterprise DLP

    How Enterprise DLP Safeguards Against ChatGPT Data Leakage

    Table of Contents

    How Enterprise DLP Safeguards Against ChatGPT Data Leakage

    Learn more about how Enterprise Data Loss Prevention (E-DLP) safeguard your sensitive data from exfiltration through ChatGPT.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Prisma Browser
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    Learn more about using Enterprise Data Loss Prevention (E-DLP) in your Security policy rules to prevent data exfiltration to ChatGPT.
    With the rise of generative Artificial Intelligence (AI), new Natural Language Processing and Generation (NPL/NLG) interface-based apps have seen unprecedented adoption. ChatGPT is a popular generative pre-trained transformer (GPT) language model application and presents an ever increasing risk of exfiltration of sensitive data. Palo Alto Networks maintains its commitment to a holistic approach on data security. Enterprise DLP offers immediate prevention of sensitive data exfiltration to AI apps like ChatGPT.

    Existing ChatGPT Traffic - Discovery

    Before you use Enterprise DLP to prevent data exfiltration to ChatGPT, it is important to understand by who and how often ChatGPT is accessed on your network. Panorama, Prisma Access (Managed by Panorama), Cloud Management, and Next-Generation CASB for Prisma Access and NGFW allows users to monitor all egress activity and easily identify new AI app usage by employees on your network.
    Panorama
    Use the Unified Log View for NGFW (Managed by Panorama) managed firewalls and Panorama Managed Prisma Access.
    • Use the Unified Log View (MonitorLogsUnified) to discover traffic to ChatGPT.
    • ChatGPT traffic is captured through the App ID openai-chatgpt and can be found with the following filter query:
      (app eq openai-chatgpt)
    Strata Cloud Manager
    Use the Log Viewer for NGFW (Managed by Strata Cloud Manager) and Prisma Access (Managed by Strata Cloud Manager).
    • Use Log Viewer (ActivityLogsLogs Viewer) to discover traffic to ChatGPT.
    • ChatGPT traffic is captured through the App ID openai-chatgpt and can be found with the following app filter query:
      app = 'openai-chatgpt'
    Next-Generation CASB
    • Use the Discovered Apps (Discovered AppsApplications) to discover traffic to ChatGPT.
      • Add Filter to narrow down the Category to Artificial Intelligence applications and Tag as Unknown.
        This filter allows you to narrow down all traffic to uncategorised AI applications on your network. Uncategorised applications display as unknown but can be manually recategorized as sanctioned, unsanctioned, or tolerated once the initial discovery is completed based on your organization's risk posture.
      • Alternatively, you can search for ChatGPT in the Search Application Name search bar.

    Block or Allow ChatGPT

    How to Block ChatGPT
    You can choose to block access to ChatGPT entirely using the App ID if the risk of employees having access to ChatGPT messaging and API features is too high. For Next-Generation CASB for Prisma Access and NGFW, you can block access to ChatGPT through the Artificial Intelligence category.
    • Panorama — Create an Application Block Rule to explicitly block traffic to ChatGPT.
      The application block rule applies to Panorama managed firewalls and Panorama Managed Prisma Access
    • Strata Cloud Manager—In Discovered Apps (ConfigurationSaaS SecurityDiscovered AppsApplications) and filter for ChatGPT to block access (ActionsBlock Access).
      Additionally, you can select ActionsTag to apply existing unsanctioned, tolerated, or sanctioned app policies for egress traffic to ChatGPT.
      This applies to Prisma Access (Managed by Strata Cloud Manager) and SaaS Security.
    • Next-Generation CASB—In Discovered Apps (VisibilityDiscovered AppsApplications) and filter for ChatGPT to block access (ActionsBlock Access).
      Additionally, you can select ActionsTag to apply existing unsanctioned, tolerated, or sanctioned app policies for egress traffic to ChatGPT.
    Allow ChatGPT and Prevent Exfiltration of Sensitive Data
    With Enterprise DLP you can create new or leverage existing data detection logic for data sent to ChatGPT through chat or API. Enterprise DLP can perform in-line content inspection to identify and stop sensitive data loss to generative AI apps such as ChatGPT without completely blocking access. This will allow your employees to continue to access ChatGPT while ensuring no sensitive data is mishandled and leaves your network.
    To allow access to ChatGPT on your network while preventing data leakage, you must create a Security policy rule using an Enterprise DLP data profile.

    © 2026 Palo Alto Networks, Inc. All rights reserved.