Adding content for implementation guide

Author: dcpena

src/assets/images/learning-paths/holistic-ai-security/ai-app-type-app-library.png

@@ -0,0 +1,9 @@
+---
+title: Appendix
+pcx_content_type: overview
+sidebar:
+  group:
+    hideIndex: true
+  order: 6
+---
+

src/assets/images/learning-paths/holistic-ai-security/casb-posture-findings-openai.png

@@ -0,0 +1,205 @@
+---
+title: Use Cloudflare Workers to create custom user coaching pages
+pcx_content_type: overview
+sidebar:
+  label: Use Cloudflare Workers to create custom user coaching pages
+  order: 2
+---
+
+Cloudflare Workers are an easy method to stand up custom user coaching pages. The customs status pages can be handled dynamically based on the information that Gateway sends about a blocked request.
+
+## Example 
+
+```
+const COMPANY_NAME = "Your Company Inc.";
+const APPROVED_TOOL_URL = 'https://chat.yourcompany.com'; // Your sanctioned AI tool URL
+const APPROVED_TOOL_NAME = 'Corporate AI Assistant'; // The user-friendly name of your tool
+const IT_HELPDESK_EMAIL = '[email protected]'; // Email for the "report a problem" button
+const COMPANY_LOGO_URL = 'Your_Logo.svg'; // A publicly accessible URL for your company logo. Replace with your own.
+
+export default {
+async fetch(request) {
+// 1. Get the blocked URL from the query string passed by Gateway.
+const url = new URL(request.url);
+const blockedUrlParam = url.searchParams.get('blocked_url');
+
+// Decode and sanitize the blocked URL for display.
+let blockedHostname = "the requested site";
+let fullBlockedUrl = "an unapproved external tool";
+if (blockedUrlParam) {
+try {
+const decodedUrl = decodeURIComponent(blockedUrlParam);
+fullBlockedUrl = decodedUrl;
+blockedHostname = new URL(decodedUrl).hostname;
+} catch (e) {
+// If the URL is malformed, use the raw param safely.
+fullBlockedUrl = blockedUrlParam;
+blockedHostname = blockedUrlParam;
+}
+}
+
+// 2. Prepare the "Report a problem" mailto link.
+const mailtoSubject = Business Justification for AI Tool: ${blockedHostname};
+const mailtoBody = `Hello IT/Security Team,
+
+I was attempting to access the following website and was redirected to this coaching page:
+${fullBlockedUrl}
+
+My business justification for needing this specific tool is:
+[**Please describe your business need here**]
+
+Thank you,
+[Your Name]`;
+
+const mailtoLink = mailto:${IT_HELPDESK_EMAIL}?subject=${encodeURIComponent(mailtoSubject)}&body=${encodeURIComponent(mailtoBody)};
+
+// 3. Generate the full HTML page.
+const html = generateHTML(blockedHostname, mailtoLink);
+
+// 4. Return the HTML as a response.
+return new Response(html, {
+headers: {
+'Content-Type': 'text/html;charset=UTF-8',
+},
+});
+},
+};
+
+/**
+* Generates the full HTML for the coaching page.
+* @param {string} blockedHostname - The hostname of the site the user tried to access.
+* @param {string} mailtoLink - The pre-built mailto link for reporting an issue.
+* @returns {string} - The complete HTML document as a string.
+*/
+function generateHTML(blockedHostname, mailtoLink) {
+// Using a template literal for easy-to-read HTML with embedded variables.
+return `
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>AI Tool Usage Policy</title>
+<style>
+:root {
+--primary-color: #00529B;
+--secondary-color: #0078D4;
+--background-color: #f4f6f8;
+--text-color: #333;
+--card-bg-color: #ffffff;
+--button-primary-bg: #0078D4;
+--button-primary-hover: #005a9e;
+--button-secondary-bg: #e0e0e0;
+--button-secondary-hover: #c7c7c7;
+--button-text-color: #ffffff;
+--button-secondary-text: #333;
+}
+body {
+font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
+background-color: var(--background-color);
+color: var(--text-color);
+margin: 0;
+display: flex;
+justify-content: center;
+align-items: center;
+min-height: 100vh;
+padding: 20px;
+box-sizing: border-box;
+}
+.container {
+background-color: var(--card-bg-color);
+border-radius: 8px;
+box-shadow: 0 4px 12px rgba(0,0,0,0.1);
+max-width: 600px;
+width: 100%;
+text-align: center;
+padding: 40px;
+border-top: 5px solid var(--primary-color);
+box-sizing: border-box;
+}
+.logo {
+max-width: 150px;
+margin-bottom: 24px;
+}
+h1 {
+color: var(--primary-color);
+font-size: 24px;
+margin-bottom: 16px;
+}
+p {
+font-size: 16px;
+line-height: 1.6;
+margin-bottom: 24px;
+}
+.highlight {
+font-weight: bold;
+color: var(--text-color);
+}
+.button-container {
+display: flex;
+flex-direction: column;
+gap: 12px;
+margin-top: 32px;
+}
+@media (min-width: 600px) {
+.button-container {
+flex-direction: row;
+justify-content: center;
+}
+}
+.button {
+display: inline-block;
+padding: 12px 24px;
+border-radius: 5px;
+text-decoration: none;
+font-weight: bold;
+font-size: 16px;
+transition: background-color 0.2s ease;
+cursor: pointer;
+border: none;
+}
+.button-primary {
+background-color: var(--button-primary-bg);
+color: var(--button-text-color);
+}
+.button-primary:hover {
+background-color: var(--button-primary-hover);
+}
+.button-secondary {
+background-color: var(--button-secondary-bg);
+color: var(--button-secondary-text);
+}
+.button-secondary:hover {
+background-color: var(--button-secondary-hover);
+}
+</style>
+</head>
+<body>
+<div class="container">
+<img src="${COMPANY_LOGO_URL}" alt="${COMPANY_NAME} Logo" class="logo">
+<h1>Access to this AI Tool is Restricted</h1>
+<p>
+You were redirected to this page because your attempt to access <span class="highlight">${blockedHostname}</span>
+was blocked by our company's security policy.
+</p>
+<p>
+To protect our company's confidential data, intellectual property, and customer information, we must ensure that AI tools are used responsibly. Unapproved tools may pose risks related to data privacy, security, and licensing.
+</p>
+<p>
+We encourage you to use our officially approved and secure solution, the
+<span class="highlight">${APPROVED_TOOL_NAME}</span>, for your business needs.
+</p>
+<div class="button-container">
+<a href="${mailtoLink}" class="button button-secondary">Report a Problem</a>
+<a href="${APPROVED_TOOL_URL}" class="button button-primary">Use Approved Tool</a>
+</div>
+</div>
+</body>
+</html>
+`;
+}
+```
+
+If successful, your custom user coaching page will look like the image below. It will appear anytime a user attempts to access an unapproved AI tool.
+
+![Exmaple of a custom coaching page utilizing the code example above.](~/assets/images/learning-paths/holistic-ai-security/custom-coaching-page.png)

src/assets/images/learning-paths/holistic-ai-security/custom-coaching-page.png

@@ -0,0 +1,11 @@
+---
+title: Build security policies for general AI use
+pcx_content_type: overview
+sidebar:
+  label: Overview
+  order: 4
+---
+
+Once your monitoring tools have given you a clear picture of AI usage in your organization, you can begin building security policies to meet your objectives. The Gateway policy builder offers extensive options for both application categorization and function granularity to help you create policies that achieve your goals.
+
+You should build security policies based on the perceived risk level, potential for data leaks, and your organization's confidence in a tool. For instance, if you approved Google Gemini for your corporate use, you may apply different policies to it than you would to other AI applications. This section will detail the types of policies Cloudflare recommends for securing AI tools in your organization.

src/assets/images/learning-paths/holistic-ai-security/gateway-prompt-log.png

@@ -0,0 +1,112 @@
+---
+title: Set policy based on approval status
+pcx_content_type: overview
+sidebar:
+  label: Set policy based on approval status
+  order: 1
+---
+
+If you use specific AI tools within your organization, you may want to create policies to explicitly allow the usage of those tools while continuing to evaluate additional usage within your organization. 
+
+## Create a Gateway policy for monitoring and evaluating all AI tool usage 
+
+1. In [**Zero Trust**](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. In the **HTTP** tab, select **Add a policy**.
+3. Name the policy.
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow for AI at your organization.
+
+  | Selector | Operator | Value |
+  | -------- | -------- | ----- |
+  | Application | in | *Artificial Intelligence* |
+
+5. For **Action**, select **Allow**.
+6. Select **Create policy**.
+
+For more information, refer to [Block unauthorized applications](/cloudflare-one/policies/gateway/http-policies/common-policies/#block-unauthorized-applications).
+
+## Create a Gateway policy to redirect users towards approved AI tools
+
+Conversely, you can build policies that take specific actions based on an AI tool's approval status. For example, if you want to redirect users from unapproved applications to approved applications, you can create custom status pages to provide user coaching.
+
+User coaching is a valuable tool for encouraging employees to change their behavior. By redirecting users to a status page, you can help them understand the risks of using unsanctioned AI tools and educate them on the dangers of inputting sensitive data.
+
+Cloudflare Workers are an easy method to stand up custom user coaching pages. The customs status pages can be handled dynamically based on the information that Gateway sends about a blocked request. In the appendix of this document, you can find sample code for a Cloudflare Worker built for this purpose that you can test and adopt if desired.
+
+## Redirect users towards approved AI tools
+
+1. In [**Zero Trust**](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. In the **HTTP** tab, select **Add a policy**.
+3. Name the policy.
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow for AI at your organization.
+
+  | Selector | Operator | Value |
+  | -------- | -------- | ----- |
+  | Application | in | *Artificial Intelligence* |
+
+5. For **Action**, select **Block**.
+6. To **Modify the Gateway block behavior**, determine how you want to redirect your users.
+  - Redirect users to a custom block page to coach the user: 
+    1. Select **Use account-level block setting**.
+    2. Check **Add an additional message to your custom block page when traffic matches** this policy and enter your custom message.
+  - Redirect users to an approved AI tool automatically: 
+    1. Select **Override account setting with URL redirect**.
+    2. Enter the URL to the approved application you want to redirect the user to use instead.
+7. Select **Create policy**.
+
+For more information, refer to [Configure policy block behavior](/cloudflare-one/policies/gateway/block-page/#configure-policy-block-behavior).
+
+## Capture prompts to prevent data loss 
+
+You can build policies that enable Prompt Capture for AI applications in specific, complex scenarios. This gives you the flexibility to apply advanced functionality to certain applications, tool types, or user groups, such as contractors or new employees, especially if they pose a higher risk for using unsanctioned applications due to lack of awareness or training.
+
+1. In [**Zero Trust**](https://one.dash.cloudflare.com/), go to **Gateway** > **Firewall policies**.
+2. In the **HTTP** tab, select **Add a policy**.
+3. Name the policy.
+4. Under **Traffic**, build a logical expression that defines the traffic you want to allow for AI at your organization.
+
+  | Selector | Operator | Value |
+  | -------- | -------- | ----- |
+  | Application | in | *Artificial Intelligence* |
+
+5. Under **Identity**, build a logical express that defines the user identity you want to capture and log their prompts to review for data loss prevention.
+
+  | Selector | Operator | API Value |
+  | -------- | -------- | ----- |
+  | Application | in | `any(identity.groups.name[*] in {\"contractors\" \"cohort-224\"})`|
+
+6. For **Action**, select **Allow**.
+7. Select **Create policy**.
+
+## Order your policies for specific inspection and enforcement
+
+In most scenarios, Gateway evaluates HTTP policies in [top-down order](/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/).
+Therefore, you can capture prompts in specific scenarios to gain visibility without disrupting your users' work, all while holistically protecting against sensitive data loss.
+
+For example, if you want to prevent sensitive data being shared with AI but want to allow all users to use AI but capture the prompts for specific identity-defined user groups, you would need to order your policies in the following way.
+
+1. The policy that blocks sensitive data being shared would need to be ordered first in this policy group. This will allow it to be enforced before the next policy in the policy group.
+
+  | Operator | Selector | Operator | Value | Action |
+  | -------- | -------- | -------- | ----- | ------ |
+  |          | Application | in | *Artificial Intelligence* | |
+  | And      | DLP Profile | in | *my-sensitive-data* | Block |
+
+2. Next, create the policy that allows the use of AI and specifies the prompt capture for specific user groups.
+
+  | Selector | Operator | Value |
+  | -------- | -------- | ----- |
+  | Application | in | *Artificial Intelligence*|
+
+3. Under **Traffic**:
+
+  |  Selector | Operator | Value|
+  | -------- | --------  | ------ |
+  | Application  | in | *Artificial Intelligence*|
+
+4. Under **Identity**:
+
+  | Selector | Operator| API Value | Action |
+  | -------- | -------- | -------- | ------ |
+  | User Group Names    | in | `any(identity.groups.name[*] in {\"contractors\" \"cohort-224\"})`| Allow |
+
+By structuring your policies in this way, you ensure that any instance of sensitive data is blocked from AI applications, no matter which user group is involved. If Cloudflare does not detect sensitive data, it will allow the prompt while capturing it for the targeted user groups–in this case, users belonging to the `contractors` and `cohort-224` groups. If that same user group were to then use sensitive data in a prompt, it would be detected and blocked.

src/assets/images/learning-paths/holistic-ai-security/shadowit-dashboard-ai-apps.png

@@ -0,0 +1,17 @@
+---
+title: Concepts
+pcx_content_type: overview
+sidebar:
+  label: Overview
+  order: 1
+---
+
+The goal of this learning path is to provide Cloudflare One users with the strategy and tools to securely adopt generative AI within their organizations. This guide will help address new security challenges and mitigate risks like shadow AI and data loss.
+
+## Objectives
+
+- Determine risk tolerance: Identify areas of concern and risk tolerance for AI use to establish a baseline for your organization's AI security strategy.
+- Monitor AI usage: Utilize Cloudflare One's tools, such as the Shadow IT dashboard and API CASB integrations, to gain visibility into both sanctioned and unsanctioned AI application usage.
+- Build security policies: Create granular security policies using Cloudflare Gateway to control AI usage, prevent data loss with DLP, and manage user behavior through actions like blocking or redirecting.
+- Secure sanctioned models: Apply Zero Trust principles to sanctioned AI models and internal services like Model Context Protocol (MCP) servers to ensure secure access and protect sensitive data from being exposed
+