diff --git a/src/content/docs/cloudflare-one/applications/app-library.mdx b/src/content/docs/cloudflare-one/applications/app-library.mdx
index 00bfc74f01611f..3a1a2c9a0dfc08 100644
--- a/src/content/docs/cloudflare-one/applications/app-library.mdx
+++ b/src/content/docs/cloudflare-one/applications/app-library.mdx
@@ -46,4 +46,4 @@ The Shadow IT Discovery dashboard will provide more details for discovered appli
The App Library synchronizes application review statuses with approval statuses from the [Shadow IT Discovery SaaS analytics](/cloudflare-one/insights/analytics/shadow-it-discovery/) dashboard.
-
+
diff --git a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
index 2a4f4740cd3e26..93ddb5b098b16d 100644
--- a/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
+++ b/src/content/docs/cloudflare-one/insights/analytics/shadow-it-discovery.mdx
@@ -21,7 +21,7 @@ To allow Cloudflare to discover shadow IT in your traffic, you must set up [HTTP
The first step in using the Shadow IT SaaS analytics dashboard is to review applications in the [Application Library](/cloudflare-one/applications/app-library/). The App Library synchronizes application review statuses with approval statuses from the Shadow IT Discovery SaaS analytics dashboard.
-
+
### 2. Monitor usage
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx
index bcce03e21b9727..3394061573ad3b 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx
+++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/detection-entries.mdx
@@ -7,7 +7,7 @@ sidebar:
import { Details } from "~/components";
-Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in custom detection entries. Detection entries allow you to define custom data patterns for DLP to detect using [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). Detection entries include custom [datasets](#datasets) with defined data and [document entries](#documents) with example fingerprints.
+Cloudflare DLP can scan your web traffic and SaaS applications for specific data defined in custom detection entries. Detection entries allow you to define custom data patterns for DLP to detect using [DLP profiles](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/). Detection entries include custom [datasets](#datasets) with defined data, [document entries](#documents) with example fingerprints, and [AI prompt topics](#ai-prompt-topics).
You can configure sensitive data to be hashed before reaching Cloudflare and redacted from matches in [payload logs](/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options/#log-the-payload-of-matched-rules).
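Review bot: In the rewritten intro sentence, the third list item is the only one without a qualifier: datasets come "with defined data" and document entries "with example fingerprints", but "[AI prompt topics](#ai-prompt-topics)" is left bare. Consider adding a short qualifier that matches the new section, for example that these topics detect content and intent in generative AI prompts. The unchanged sentence that follows, about hashing and redaction in payload logs, now reads as applying to all three entry types, so it is worth stating whether it covers AI prompt topics.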
@@ -132,3 +132,20 @@ Uploaded document entries are read-only. To update a document entry, you must up
5. Select **Save**.
Your new document entry will replace the original document entry. If your file upload fails, DLP will still use the original document fingerprint to scan traffic until you delete the entry.
+
+## AI prompt topics
+
+DLP uses [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls) to detect and categorize prompts and responses submitted to generative AI tools. Application Granular Controls analyzes prompts for both content and user intent. Supported prompt topic detections include:
+
+| Detection entry | Description |
+| ------------------------------------- | ------------------------------------------------------------------------------------------------ |
+| Content: PII | Prompt contains personal information such as names, SSNs, or email addresses |
+| Content: Credentials and Secrets | Prompt contains API keys, passwords, or other sensitive credentials |
+| Content: Source Code | Prompt contains actual source code, code snippets, or proprietary algorithms |
+| Content: Customer Data | Prompt contains customer names, projects, business activities, or confidential customer contexts |
+| Content: Financial Information | Prompt contains financial numbers or confidential business data |
+| Intent: PII | Prompt requests specific personal information about individuals |
+| Intent: Code Abuse and Malicious Code | Prompt requests malicious code for attacks, exploits, or harmful activities |
+| Intent: Jailbreak | Prompt attempts to circumvent AI security policies |
+
+To use an AI prompt topic, add it as an existing entry to a [custom DLP profile](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/#build-a-custom-profile).
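Review bot: The opening sentence of "AI prompt topics" says DLP detects and categorizes "prompts and responses", but every row of the table describes only the prompt ("Prompt contains ...", "Prompt requests ...", "Prompt attempts ..."). Either state which detections also apply to model responses or narrow the sentence to prompts. "Application Granular Controls analyzes" also treats the feature name as singular while the previous sentence uses it as a plural noun phrase; pick one. The closing instruction, "add it as an existing entry", would be clearer if it named the control the reader selects in the profile builder.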
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
index 51566afc714590..ccf19c2b497847 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
+++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-policies/logging-options.mdx
@@ -5,17 +5,19 @@ sidebar:
order: 2
---
-Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can [log the payload](#log-the-payload-of-matched-rules) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.
-
-## Log the payload of matched rules
+Data Loss Prevention allows you to capture, store, and view the data that triggered a specific DLP policy for use as forensic evidence. Users on all plans can log the [payload](#log-the-payload-of-matched-rules) or [generative AI prompt content](#log-generative-ai-prompt-content) of matched HTTP requests in their Cloudflare logs. Additionally, Enterprise users can [configure a Logpush job](#send-http-requests-to-logpush-destination) to send copies of entire matched HTTP requests to storage destinations.
The data that triggers a DLP policy is stored in the portion of the HTTP request known as the payload. Payload logging is especially useful when diagnosing the behavior of DLP policies. Since the values that triggered a rule may contain sensitive data, they are encrypted with a customer-provided public key so that only you can examine them later. The stored data will include a redacted version of the match, plus 75 bytes of additional context on both sides of the match.
-### 1. Generate a key pair
+## Set a DLP payload encryption public key
+
+Before you begin logging DLP payloads, you will need to set a DLP payload encryption public key.
-Follow [these instructions](/waf/managed-rules/payload-logging/command-line/generate-key-pair/) to generate a public/private key pair in the command line.
+### Generate a key pair
-### 2. Upload the public key to Cloudflare
+To generate a public/private key pair in the command line, refer to [these instructions](/waf/managed-rules/payload-logging/command-line/generate-key-pair/).
+
+### Upload the public key to Cloudflare
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Network**.
2. In the **DLP Payload Encryption public key** field, paste your public key.
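Review bot: The new prerequisite, "Before you begin logging DLP payloads, you will need to set a DLP payload encryption public key", does not say whether the key is also required for generative AI prompt content logging, which the rewritten intro now lists alongside payload logging. The unchanged paragraph above it explains that matched values are encrypted with the customer's public key; readers handling prompt logs need to know whether captured prompts and responses get the same encryption and redaction. Suggest one sentence here covering both log types.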
@@ -25,9 +27,13 @@ Follow [these instructions](/waf/managed-rules/payload-logging/command-line/gene
The matching private key is required to view logs. If you lose your private key, you will need to [generate](#1-generate-a-key-pair) and [upload](#2-upload-the-public-key-to-cloudflare) a new public key. The payload of new requests will be encrypted with the new public key.
:::
-### 3. Enable payload logging for a DLP policy
+## Log the payload of matched rules
-You can enable payload logging for any Allow or Block HTTP policy that uses the [DLP Profile](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector.
+DLP can log the payload of matched HTTP requests in your Cloudflare logs.
+
+### Turn on payload logging for a DLP policy
+
+You can enable payload logging for any Allow or Block HTTP policy that uses the [_DLP Profile_](/cloudflare-one/policies/gateway/http-policies/#dlp-profile) selector.
1. Go to **Gateway** > **Firewall policies** > **HTTP**.
2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
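Review bot: The unchanged note at the top of this hunk still links to `#1-generate-a-key-pair` and `#2-upload-the-public-key-to-cloudflare`, but the previous hunk renames those headings to "Generate a key pair" and "Upload the public key to Cloudflare", so both anchors will no longer resolve. Update the links to the new heading anchors in this patch. Separately, the new heading says "Turn on payload logging" while the sentence under it says "You can enable payload logging"; use one verb.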
@@ -36,7 +42,9 @@ You can enable payload logging for any Allow or Block HTTP policy that uses the
Data Loss Prevention will now store a portion of the payload for HTTP requests that match this policy.
-### 4. View payload logs
+### View payload logs
+
+To view DLP payload logs:
1. Go to **Logs** > **Gateway** > **HTTP**.
2. Go to the DLP log you are interested in reviewing and expand the row.
@@ -69,6 +77,21 @@ Based on your report, DLP's machine learning will adjust its confidence in futur
- DLP will redact all predefined alphanumeric characters in the log. For example, `123-45-6789` will become `XXX-XX-XXXX`.
- You can define sensitive data with [Exact Data Match (EDM)](/cloudflare-one/policies/data-loss-prevention/detection-entries/#exact-data-match). EDM match logs will redact your defined strings.
+## Log generative AI prompt content
+
+DLP can detect and log the prompt topic sent to an AI tool.
+
+### Turn on AI prompt content logging for a DLP policy
+
+You can enable payload logging for any Allow or Block HTTP policy that uses the [_Application_](/cloudflare-one/policies/gateway/http-policies/#application) selector with a supported [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls) application.
+
+1. Go to **Gateway** > **Firewall policies** > **HTTP**.
+2. Edit an existing Allow or Block DLP policy, or [create a new policy](/cloudflare-one/policies/data-loss-prevention/dlp-policies/#2-create-a-dlp-policy).
+3. In the policy builder, scroll down to **Configure policy settings** and turn on **Capture generative AI prompt content in logs**.
+4. Select **Save**.
+
+Data Loss Prevention will now store the user prompt and AI model response for requests that match this policy.
+
## Send DLP forensic copies to Logpush destination
:::note[Availability]
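Review bot: Under "Turn on AI prompt content logging for a DLP policy", the first sentence reads "You can enable payload logging", which looks copied from the payload section; it should name AI prompt content logging. The section is also inconsistent about what is stored: the intro says DLP can "log the prompt topic", while the closing sentence says it will "store the user prompt and AI model response". Since full prompts and responses are far more sensitive than a topic label, state exactly what is captured. Step 2 says to edit an "Allow or Block DLP policy" even though the stated requirement is the _Application_ selector rather than the _DLP Profile_ selector; clarify whether a DLP profile is needed.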
diff --git a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
index 00c06c8f5d7b32..4bef2034208b01 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
@@ -49,75 +49,75 @@ Gateway sorts applications into the following app type groups:
## Application controls
-With [Cloud App Control](/cloudflare-one/policies/gateway/http-policies/#cloud-app-control), you can choose specific actions and operations to match application traffic. Supported applications and operations include:
-
-
-
-| Operations group | Operations group ID | Operation name | Operation ID | Application Controls group | Application control ID | DLP content |
-| ---------------- | ------------------- | ------------------ | ------------ | -------------------------- | ---------------------- | ----------- |
-| Chat | `1650` | SendPrompt | `8004` | Prompt | `1652` | ✅ |
-| Chat | `1650` | UploadFile | `8008` | Upload | `1653` | ❌ |
-| Chat | `1650` | UploadFilePayload | `8013` | Upload | `1653` | ✅ |
-| Chat | `1650` | ShareResponse | `8006` | Share | `1654` | ❌ |
-| Chat | `1650` | ShareCanvas | `8007` | Share | `1654` | ❌ |
-| Chat | `1650` | TranscribeVoice | `8011` | Voice | `1655` | ❌ |
-| Chat | `1650` | EnableVoiceMode | `8003` | Voice | `1655` | ❌ |
-| Settings | `1651` | AllowTraining | `8009` | | | ❌ |
-| Settings | `1651` | AllowVoiceTraining | `8010` | | | ❌ |
-| Settings | `1651` | AllowVideoTraining | `8016` | | | ❌ |
-| Settings | `1651` | ExportData | `8020` | | | ❌ |
+With [Application Granular Controls](/cloudflare-one/policies/gateway/http-policies/#application-granular-controls), you can choose specific actions and operations to match application traffic. Supported applications and operations include:
+
+
+
+| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
+| ------------------ | ------------ | ------------------------ | ---------------------- | ---------------- | --------------- | ------------------ |
+| SendPrompt | `8004` | Prompt | `1652` | ✅ | Chat | `1650` |
+| UploadFile | `8008` | Upload | `1653` | ❌ | Chat | `1650` |
+| UploadFilePayload | `8013` | Upload | `1653` | ✅ | Chat | `1650` |
+| ShareResponse | `8006` | Share | `1654` | ❌ | Chat | `1650` |
+| ShareCanvas | `8007` | Share | `1654` | ❌ | Chat | `1650` |
+| TranscribeVoice | `8011` | Voice | `1655` | ❌ | Chat | `1650` |
+| EnableVoiceMode | `8003` | Voice | `1655` | ❌ | Chat | `1650` |
+| AllowTraining | `8009` | | | ❌ | Settings | `1651` |
+| AllowVoiceTraining | `8010` | | | ❌ | Settings | `1651` |
+| AllowVideoTraining | `8016` | | | ❌ | Settings | `1651` |
+| ExportData | `8020` | | | ❌ | Settings | `1651` |
-| Operations group | Operations group ID | Operation name | Operation ID | Application Controls group | Application control ID | DLP content |
-| ---------------- | ------------------- | ----------------- | ------------ | -------------------------- | ---------------------- | ----------- |
-| Chat | `1656` | SendPrompt | `8021` | Prompt | `1657` | ✅ |
-| Chat | `1656` | UploadFile | `8022` | Upload | `1658` | ❌ |
-| Chat | `1656` | UploadFilePayload | `8023` | Upload | `1658` | ✅ |
-| Chat | `1656` | TranscribeVoice | `8025` | Voice | `1659` | ❌ |
+| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
+| ----------------- | ------------ | ------------------------ | ---------------------- | ---------------- | --------------- | ------------------ |
+| SendPrompt | `8021` | Prompt | `1657` | ✅ | Chat | `1656` |
+| UploadFile | `8022` | Upload | `1658` | ❌ | Chat | `1656` |
+| UploadFilePayload | `8023` | Upload | `1658` | ✅ | Chat | `1656` |
+| TranscribeVoice | `8025` | Voice | `1659` | ❌ | Chat | `1656` |
-| Operations group | Operations group ID | Operation name | Operation ID | Application Controls group | Application control ID | DLP content |
-| ---------------- | ------------------- | ---------------------- | ------------ | -------------------------- | ---------------------- | ----------- |
-| Chat | `2596` | SendPrompt | `11947` | Prompt | `2598` | ✅ |
-| Chat | `2596` | ClarifyingPrompt | `11951` | Prompt | `2598` | ✅ |
-| Chat | `2596` | CreateUploadUrl | `11948` | Upload | `2599` | ❌ |
-| Chat | `2596` | UploadFile | `11955` | Upload | `2599` | ✅ |
-| Settings | `2597` | UploadOrganizationFile | `11950` | Upload | `2599` | ❌ |
-| Chat | `2596` | ShareChat | `11952` | Share | `2600` | ❌ |
-| Chat | `2596` | VoiceTranscription | `11953` | Voice | `2601` | ❌ |
-| Chat | `2596` | ExportChat | `11949` | | | ❌ |
-| Chat | `2596` | DeleteThread | `11954` | | | ❌ |
-| Settings | `2597` | DeleteOrganizationFile | `11956` | | | ❌ |
+| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
+| ---------------------- | ------------ | ------------------------ | ---------------------- | ---------------- | --------------- | ------------------ |
+| SendPrompt | `11947` | Prompt | `2598` | ✅ | Chat | `2596` |
+| ClarifyingPrompt | `11951` | Prompt | `2598` | ✅ | Chat | `2596` |
+| CreateUploadUrl | `11948` | Upload | `2599` | ❌ | Chat | `2596` |
+| UploadFile | `11955` | Upload | `2599` | ✅ | Chat | `2596` |
+| UploadOrganizationFile | `11950` | Upload | `2599` | ❌ | Settings | `2597` |
+| ShareChat | `11952` | Share | `2600` | ❌ | Chat | `2596` |
+| VoiceTranscription | `11953` | Voice | `2601` | ❌ | Chat | `2596` |
+| ExportChat | `11949` | | | ❌ | Chat | `2596` |
+| DeleteThread | `11954` | | | ❌ | Chat | `2596` |
+| DeleteOrganizationFile | `11956` | | | ❌ | Settings | `2597` |
-| Operations group | Operations group ID | Operation name | Operation ID | Application Controls group | Application control ID | DLP content |
-| ---------------- | ------------------- | --------------------- | ------------ | -------------------------- | ---------------------- | ----------- |
-| Chat | `2126` | SendPrompt | `10048` | Prompt | `2127` | ✅ |
-| Chat | `2126` | PromptCompletion | `10050` | Prompt | `2127` | ✅ |
-| Chat | `2126` | RetryPromptCompletion | `10040` | Prompt | `2127` | ✅ |
-| Chat | `2126` | UploadFile | `10039` | Upload | `2128` | ✅ |
-| Chat | `2126` | ConvertDocument | `10041` | Upload | `2128` | ✅ |
-| Chat | `2126` | ShareConversation | `10043` | Share | `2129` | ❌ |
-| Chat | `2126` | GetShares | `10052` | Share | `2129` | ❌ |
-| Chat | `2126` | CreateConversation | `10038` | | | ❌ |
-| Chat | `2126` | GetConversation | `10046` | | | ❌ |
-| Chat | `2126` | UpdateConversation | `10047` | | | ❌ |
-| Chat | `2126` | DeleteConversation | `10045` | | | ❌ |
-| Settings | `2125` | UpdateAccount | `10036` | | | ❌ |
-| Settings | `2125` | InitiateDataExport | `10037` | | | ❌ |
-| Chat | `2126` | GiveFeedback | `10042` | | | ❌ |
-| Chat | `2126` | SetConversationTitle | `10044` | | | ❌ |
-| Settings | `2125` | GetOrganisation | `10049` | | | ❌ |
-| Chat | `2126` | GetFilePreview | `10051` | | | ❌ |
+| Operation name | Operation ID | Application Control name | Application Control ID | Contains payload | Operation Group | Operation Group ID |
+| --------------------- | ------------ | ------------------------ | ---------------------- | ---------------- | --------------- | ------------------ |
+| SendPrompt | `10048` | Prompt | `2127` | ✅ | Chat | `2126` |
+| PromptCompletion | `10050` | Prompt | `2127` | ✅ | Chat | `2126` |
+| RetryPromptCompletion | `10040` | Prompt | `2127` | ✅ | Chat | `2126` |
+| UploadFile | `10039` | Upload | `2128` | ✅ | Chat | `2126` |
+| ConvertDocument | `10041` | Upload | `2128` | ✅ | Chat | `2126` |
+| ShareConversation | `10043` | Share | `2129` | ❌ | Chat | `2126` |
+| GetShares | `10052` | Share | `2129` | ❌ | Chat | `2126` |
+| CreateConversation | `10038` | | | ❌ | Chat | `2126` |
+| GetConversation | `10046` | | | ❌ | Chat | `2126` |
+| UpdateConversation | `10047` | | | ❌ | Chat | `2126` |
+| DeleteConversation | `10045` | | | ❌ | Chat | `2126` |
+| UpdateAccount | `10036` | | | ❌ | Settings | `2125` |
+| InitiateDataExport | `10037` | | | ❌ | Settings | `2125` |
+| GiveFeedback | `10042` | | | ❌ | Chat | `2126` |
+| SetConversationTitle | `10044` | | | ❌ | Chat | `2126` |
+| GetOrganisation | `10049` | | | ❌ | Settings | `2125` |
+| GetFilePreview | `10051` | | | ❌ | Chat | `2126` |
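Review bot: The new table headers mix capitalization styles: "Operation name" and "Contains payload" are sentence case, while "Application Control name", "Application Control ID", "Operation Group" and "Operation Group ID" are not. Pick one style across all four tables. Renaming "DLP content" to "Contains payload" also drops the only indication that this column relates to DLP scanning; add a sentence above the tables saying what a ✅ means for policy matching and logging. The rows keep the ordering of the old layout (for example, the `Settings` row for UploadOrganizationFile sits between `Chat` rows), which is harder to scan now that the group columns are last.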
diff --git a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
index 5b536ea7b9f0c8..9f947567291aca 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/http-policies/index.mdx
@@ -420,9 +420,9 @@ The review approval status of an application from [Shadow IT Discovery](/cloudfl
When using Terraform to create a policy with the [Do Not Inspect](#do-not-inspect) action, you must use the `app.hosts_ids` and `app.supports_ids` selectors. For example, to create a Do Not Inspect policy for Google Cloud Platform traffic, create a policy with both `any(app.hosts_ids[*] in {1245})` and `any(app.supports_ids[*] in {1245})`.
:::
-#### Cloud App Control
+#### Application Granular Controls
-When using the _is_ operator with the _Application_ selector, you can use Cloud App Control to choose specific actions and operations to match application traffic. For example, you can block file uploads to ChatGPT without blocking all ChatGPT traffic:
+When using the _is_ operator with the _Application_ selector, you can use Application Granular Controls to choose specific actions and operations to match application traffic. For example, you can block file uploads to ChatGPT without blocking all ChatGPT traffic:
| Selector | Operator | Value | Controls | Action |
| ----------- | -------- | --------- | -------- | ------ |
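Review bot: Renaming the heading from "Cloud App Control" to "Application Granular Controls" changes its anchor from `#cloud-app-control` to `#application-granular-controls`. The links visible in this patch already use the new anchor, but any other inbound link to the old anchor would break silently. Search the docs tree for `#cloud-app-control` before merging, and check that "Cloud App Control" does not survive elsewhere on this page, so the feature has a single name.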
diff --git a/src/content/partials/cloudflare-one/app-library-review-apps.mdx b/src/content/partials/cloudflare-one/app-library-review-apps.mdx
index e2f59fc93e0861..1512745778e41d 100644
--- a/src/content/partials/cloudflare-one/app-library-review-apps.mdx
+++ b/src/content/partials/cloudflare-one/app-library-review-apps.mdx
@@ -22,7 +22,5 @@ To set the status of an application:
Once you mark the status of an application, its badge will change. You can filter applications by their status to review each application in the list for your organization. The review status for an application in the App Library and Shadow IT Discovery will update within one hour.
:::note
-Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](/cloudflare-one/policies/access/) and [Gateway policies](/cloudflare-one/policies/gateway/).
+Approval status does not impact a user's ability to access an application. Users are allowed or blocked according to your [Access](/cloudflare-one/policies/access/) and [Gateway policies](/cloudflare-one/policies/gateway/). To filter traffic based on approval status, use the [_Application Status_](/cloudflare-one/policies/gateway/http-policies/#application-approval-status) selector.
:::
-
-{/* TODO update this note to call out the Gateway app status selector */}
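Review bot: In the added sentence, the link text is "_Application Status_" but the target anchor is `#application-approval-status`, and the surrounding note calls it "approval status". Confirm the selector's exact name in the HTTP policies page and use it consistently in the link text, so readers can find it in the policy builder. Removing the TODO comment in the same change is right, since this sentence resolves it.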