[DLP] AI prompt logs fast follow (#24678)

maxvp · web-flow · commit f0a3db4fce84 · 2025-08-26T18:53:52.000Z
diff --git a/src/content/docs/cloudflare-one/applications/app-library.mdx b/src/content/docs/cloudflare-one/applications/app-library.mdx
@@ -38,7 +38,7 @@ The **Policies** tab shows any [Gateway](/cloudflare-one/policies/gateway/) and
 
 ### Usage
 
-The **Usage** tab shows any logs for [Gateway traffic requests](/cloudflare-one/insights/logs/gateway-logs/), [Access authentication events](/cloudflare-one/insights/logs/audit-logs/#authentication-logs), and [Shadow IT Discovery user sessions](/cloudflare-one/insights/analytics/shadow-it-discovery/) sent to the selected application. This section requires logs to be turned on for each feature.
+The **Usage** tab shows any logs for [Gateway traffic requests](/cloudflare-one/insights/logs/gateway-logs/), [Access authentication events](/cloudflare-one/insights/logs/audit-logs/#authentication-logs), [Shadow IT Discovery user sessions](/cloudflare-one/insights/analytics/shadow-it-discovery/), and [generative AI prompt logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#view-prompt-logs) sent to the selected application. This section requires logs to be turned on for each feature.
 
 The Shadow IT Discovery dashboard will provide more details for discovered applications. To access Shadow IT Discovery in [Zero Trust](https://one.dash.cloudflare.com/), go to **Analytics**, then select **Shadow IT Discovery**.
 
diff --git a/src/content/docs/cloudflare-one/applications/casb/casb-integrations/openai.mdx b/src/content/docs/cloudflare-one/applications/casb/casb-integrations/openai.mdx
@@ -15,7 +15,7 @@ This integration covers the following OpenAI products:
 - GPTs (custom GPTs)
 
 :::note
-Before you begin, ensure that OpenAI has enabled ChatGPT Enterprise Compliance API access for your organization. You will need an Admin API key issued for your organization, your Organization ID, and your Workspace ID. These are available in your [ChatGPT Admin Settings](https://chatgpt.com/admin/settings).
+Before you begin, ensure that OpenAI has enabled ChatGPT Enterprise Compliance API access for your organization. You will need a Project API key issued for your organization, your Organization ID, and your Workspace ID. These are available in your [OpenAI Project API Keys](https://platform.openai.com/settings/organization/projects).
 
 If Compliance API access is not yet turned on for your organization, refer to [Enable Compliance API access](#enable-combliane-api-access).
 :::
diff --git a/src/content/docs/cloudflare-one/insights/analytics/ai-prompt-logs.mdx b/src/content/docs/cloudflare-one/insights/analytics/ai-prompt-logs.mdx
@@ -0,0 +1,7 @@
+---
+pcx_content_type: navigation
+title: AI prompt logs
+external_link: /cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-generative-ai-prompt-content
+sidebar:
+  order: 5
+---
diff --git a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
@@ -2,7 +2,7 @@
 pcx_content_type: reference
 title: Shadow IT SaaS analytics
 sidebar:
-  order: 5
+  order: 4
 ---
 
 import { Render } from "~/components";
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
@@ -48,7 +48,7 @@ To view DLP payload logs:
 
 1. Go to **Logs** > **Gateway** > **HTTP**.
 2. Go to the DLP log you are interested in reviewing and expand the row.
-3. Select **Decrypt Payload Log**.
+3. Select **Decrypt payload log**.
 4. Enter your private key and select **Decrypt**.
 
 You will see the [ID of the matched DLP Profile](/api/resources/zero_trust/subresources/dlp/subresources/profiles/methods/list/) followed by the decrypted payload.
@@ -92,6 +92,18 @@ You can enable payload logging for any Allow or Block HTTP policy that uses the
 
 Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.
 
+### View prompt logs
+
+To view generative AI prompt log details:
+
+1. Go to **Logs** > **Gateway** > **HTTP**.
+2. Go to the DLP log you are interested in reviewing and expand the row.
+3. Select **Decrypt payload log**.
+4. Enter your private key and select **Decrypt**.
+5. In **Summary** > **GenAI prompt captured**, select **View prompt**.
+
+Gateway logs will provide a summary of the conversation, including the topic and AI model used, and the user prompt and AI model's raw response if available. A text prompt must be present for DLP to capture the prompt.
+
 ## Send DLP forensic copies to Logpush destination
 
 :::note[Availability]
diff --git a/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/review-out-of-band-ai.mdx b/src/content/docs/learning-paths/holistic-ai-security/monitor-ai-use/review-out-of-band-ai.mdx
@@ -6,6 +6,6 @@ sidebar:
   order: 3
 ---
 
-If your organization does not use the Cloudflare device client, or does not proxy HTTP traffic, you can still get valuable data about shadow AI usage if you use the Google Workspace, Microsoft 365, or GitHub integrations for the Cloudflare Cloud Access Security Broker (CASB).
+If your organization does not use the Cloudflare device client, or does not proxy HTTP traffic, you can still get valuable data about shadow AI usage if you use the [Google Workspace](/cloudflare-one/applications/casb/casb-integrations/google-workspace/), [Microsoft 365](/cloudflare-one/applications/casb/casb-integrations/microsoft-365/), or [GitHub](/cloudflare-one/applications/casb/casb-integrations/github/) integrations for the Cloudflare Cloud Access Security Broker (CASB).
 
 The CASB provides detailed information about your SaaS environment, including changes to sensitive data, content, and application settings. It works even if your users do not have the Cloudflare device client installed. By using CASB integrations with your core Single Sign-On (SSO) provider, you can see if users have authenticated to any third-party applications. This offers a clear, non-invasive way to understand tool usage across your organization without needing to deploy a client.
diff --git a/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx b/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx
@@ -10,7 +10,7 @@ sidebar:
 
 As you decide which AI tools to sanction within your organization, you can develop security controls with the expectation of consistent use.
 
-Cloudflare supports API-based cloud access security broker (CASB) integrations with popular AI services like OpenAI (ChatGPT), Anthropic (Claude), and Google Gemini. These integrations allow you to report on AI tool usage and flag sensitive data with Data Loss Prevention (DLP) Profiles.
+Cloudflare supports API-based cloud access security broker (CASB) integrations with popular AI services like [OpenAI (ChatGPT)](/cloudflare-one/applications/casb/casb-integrations/openai/), [Anthropic (Claude)](/cloudflare-one/applications/casb/casb-integrations/anthropic/), and [Google Gemini](/cloudflare-one/applications/casb/casb-integrations/google-workspace/gemini/). These integrations allow you to report on AI tool usage and flag sensitive data with Data Loss Prevention (DLP) Profiles.
 
 Since these integrations are out-of-bound connections to SaaS applications, they do not require inline user traffic to create detections. This means you can immediately gain visibility into how your employees are using sanctioned AI tools without having to install the Cloudflare device client on every user's machine.
 
