Block PII and secrets in claude.ai, ChatGPT, Gemini

Surfaces used: browser extension | Modes supported: Hosted | Tiers: Teams

What you'll do

Put a guardrail in the browser itself. When an employee pastes a customer list, an AWS key, or an SSN into claude.ai, ChatGPT, or Gemini, the extension catches it before it is submitted, and either redacts, warns, or blocks based on your policy.

Why this is the right path for you

  • If your employees use AI through the browser (claude.ai, chatgpt.com, gemini.google.com) and you worry about sensitive data going out, the extension is the only surface that sees that traffic.
  • If your concern is API agents, not humans in a browser, use the gateway or the Python / Node SDK.
  • If you first want to know where employees are using AI, start with Discover shadow AI.

When NOT to use this approach

Caution: The extension governs human browser use. It does not see what applications on the same laptop do. For coding assistants on the desktop, pair with coding hooks. For app traffic, pair with the gateway or SDK.

5-minute setup

Individual pilot

  1. Install from the Chrome Web Store: search for "Control Zero" (or use the link in dashboard -> Browser extension).
  2. Click the extension icon, sign in with your Teams account, pick the project.
  3. Visit claude.ai. Paste: "My SSN is 123-45-6789 help me draft a letter."
  4. The extension flags the SSN and (by default) redacts it before submit.

Org-wide MDM deployment

  1. In the dashboard -> Browser extension -> Enterprise deployment, grab the policy JSON and extension ID.
  2. In your MDM (Jamf, Intune, Google Admin, Workspace ONE, etc.), push the extension as force-installed with the provided ExtensionSettings policy.
  3. Users sign in automatically via your IdP (SAML / OIDC).
  4. Pre-fill the organization ID and API key via managed policy so users do not see a login prompt.

Example Chrome policy (Jamf / Intune):

{
  "ExtensionInstallForcelist": ["<extension-id>;https://clients2.google.com/service/update2/crx"],
  "3rdparty": {
    "extensions": {
      "<extension-id>": {
        "orgId": "org_...",
        "apiKey": "cz_live_..."
      }
    }
  }
}
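
A pre-push lint for the policy above, as an added example (not Control Zero's own tooling): it catches an extension that is force-installed but left unconfigured, and template values that were never filled in. It assumes a Chrome Web Store extension ID (32 letters a-p), the update URL shown above, and that unfilled values still contain the template's `...` or `<...>` markers; `lint_policy`, the sample ID and the sample credential values are constructed for illustration.

```python
import json
import re

# Chrome Web Store extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")
UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # as in the policy above

def _obj(value):
    """Treat anything that is not a JSON object as an empty object."""
    return value if isinstance(value, dict) else {}

def lint_policy(text):
    """Return a list of problems found in a managed-policy JSON document."""
    try:
        policy = _obj(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    problems, forced = [], set()
    entries = policy.get("ExtensionInstallForcelist")
    for entry in entries if isinstance(entries, list) else []:
        ext_id, _, url = str(entry).partition(";")
        if not EXT_ID.match(ext_id):
            problems.append(f"force-list entry has a malformed extension ID: {ext_id!r}")
        if url != UPDATE_URL:
            problems.append(f"{ext_id}: unexpected update URL {url!r}")
        forced.add(ext_id)
    if not forced:
        problems.append("ExtensionInstallForcelist is missing or empty")
    configured = _obj(_obj(policy.get("3rdparty")).get("extensions"))
    for ext_id in sorted(forced - set(configured)):
        problems.append(f"{ext_id}: force-installed but has no 3rdparty settings")
    for ext_id in sorted(set(configured) - forced):
        problems.append(f"{ext_id}: has settings but is not force-installed")
    for ext_id, settings in configured.items():
        for key in ("orgId", "apiKey"):
            value = _obj(settings).get(key)
            # Unfilled template values look like "org_...", "cz_live_..." or "<...>".
            if not isinstance(value, str) or not value or "..." in value or "<" in value:
                problems.append(f"{ext_id}: {key} is missing or still a placeholder")
    return problems

# Constructed sample: the ID and credential values below are made up.
SAMPLE_ID = "abcdefghijklmnopabcdefghijklmnop"
GOOD = json.dumps({
    "ExtensionInstallForcelist": [f"{SAMPLE_ID};{UPDATE_URL}"],
    "3rdparty": {"extensions": {SAMPLE_ID: {"orgId": "org_example", "apiKey": "cz_live_example"}}},
})
TEMPLATE = GOOD.replace("org_example", "org_...").replace(SAMPLE_ID, "<extension-id>")

if __name__ == "__main__":
    for name, doc in (("filled-in", GOOD), ("template", TEMPLATE)):
        print(name, lint_policy(doc) or "OK")
```

Run it against the exact JSON you are about to upload to the MDM; an empty result means the force-list and the per-extension settings refer to the same ID and carry filled-in values.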

Verifying it's working

  1. Dashboard -> Coverage shows enrolled browsers and last seen.
  2. Open claude.ai as a test user, paste a known-bad string (fake SSN, fake API key). Confirm the extension redacts or blocks per your policy.
  3. Dashboard -> Audit shows the event with page URL (redacted), matched rule, and the action taken.

Common follow-ups

Reference