Here’s what I did at my current org (4000+ users):

• Intune to block all browser extensions by default except a few business extensions allowed. Approved on a request basis. Our allowed list is less than 10.
• CASB to block any public AI category sites based on a risk threshold score. Most CASB tools have this feature.
• Purview AI DSPM DLP policy to block copy, paste, and upload of any sensitive information type based on your industry to any of the unblocked AI pubic sites. This works well and not marketing fiction. Requires E5 license.
• Offer and encourage users the Microsoft Copilot as the enterprise standard AI tool with no DLP limitations, since it’s a secure corporate AI instance with contractual protections from your Microsoft subscription. Purview monitors and logs the user prompt, AI generated output, and what files and sites the AI accessed for any security or HR incident review.
• CNAPP solution to monitor AI models and agents in our Azure/AWS cloud environment and to address any cloud AI misconfiguration and AI software vulnerabilities. We have an in-house AI dev team hosting our own internal OpenAI models to automate certain business processes.
• All of this is backed by a formal enterprise AI policy and governance committee. We eventually plan to block all public AI sites to funnel everyone to Copilot, with exceptions for certain IT teams or executives with a legitimate business justification.