By Yair Knijn · April 22, 2025
The security manager who banned ChatGPT in a memo, while 400 endpoints talked to 30 AI domains
A security operations manager I worked with sent a one-page memo: no ChatGPT, no Claude, no consumer AI for company work. He closed the ticket. The acceptable-use policy now carried an AI paragraph, legal had signed off, and the audit binder said AI tools were governed.
The memo assumes that telling people not to do something is the same as stopping them. Weeks later we pulled the recursive resolver logs for his fleet. Around 400 endpoints were resolving roughly 30 distinct AI and LLM domains: chat.openai.com, claude.ai, gemini.google.com, a stack of Copilot endpoints, and assistants nobody in security had heard of. The memo changed a document. On the wire, nothing moved.
Why the AI acceptable-use memo never changed behavior
An acceptable-use clause is intent enforced by goodwill and the threat of HR. People under deadline route around it without feeling like rule-breakers; they feel productive. Most teams I talk to assume their staff already paste company data into AI tools and stay quiet, and that assumption is usually right. The fight is not malice; it is convenience, and convenience wins every time the control is a sentence in a PDF.
The manager also had no feedback loop. He never measured the behavior the memo targeted, so he could not say whether it worked. A control you cannot observe is a wish.
Seeing shadow SaaS and shadow AI in DNS query logs
Nearly every AI tool resolves a hostname before it does anything else, which makes DNS the earliest, fleet-wide vantage point you have. No endpoint agent reading clipboards, no proxy terminating TLS, and you still answer the question that matters first: which AI services is my organization contacting, from how many devices, and how often.
The same query stream surfaces shadow SaaS in general. A developer hitting an unknown code-completion backend appears the moment their machine asks the resolver for an address. Categorize the domains, count clients per domain, and the 30-domain reality stops being a guess.
The data-exfiltration angle: paste fields are egress
Treat every LLM chat box as an upload form, because that is what it is. A paste into a prompt sends whatever sat on the clipboard: a customer list, a contract clause, a chunk of source, an incident timeline. Industry data-privacy research keeps finding that a large share of organizations have already leaked internal data this way.
Frame the prompt field as egress and the DNS layer stops being informational. Block resolution of an unsanctioned LLM domain and you close the upload path before a byte leaves the endpoint. No DLP tuning, no content inspection, no TLS interception. The transfer never gets a destination.
Selective enforcement: allow sanctioned AI, block the rest
A blanket AI block is the memo's mirror image and fails the same way: people need these tools, so all-or-nothing gets bypassed or gets you overruled. The workable position is selective. Sanction the tools you hold a data-processing agreement with; deny resolution for the rest.
- Allow the enterprise tier you contracted, where prompts are excluded from training.
- Block the consumer endpoints of those same vendors, where the terms are far weaker.
- Deny the long tail of unvetted writing, code, and image assistants nobody reviewed.
- Log every allow and block so the policy is auditable, not anecdotal.
Reporting AI usage to leadership with real numbers
The memo manager could tell his board a policy existed, not how many people ignored it. DNS-layer category data turns that vacuum into a chart: endpoints touching AI this month, top domains, the sanctioned-versus-unsanctioned split, the trend after enforcement turns on. Leadership funds what it can watch decline.
ClearScreen runs this at the resolver, so each customer tenant is a policy group that allows the AI you sanctioned and denies the rest, with a query log behind every decision. Trade the memo for a control you can measure. See how the AI category enforces on the features page.