Block PII and secrets in claude.ai, ChatGPT, Gemini
Surfaces used: browser extension Modes supported: Hosted Tiers: Teams
What you'll do
Put a guardrail in the browser itself. When an employee pastes a customer list, an AWS key, or an SSN into claude.ai, ChatGPT, or Gemini, the extension catches it before it is submitted, and either redacts, warns, or blocks based on your policy.
Why this is the right path for you
- If your employees use AI through the browser (claude.ai, chatgpt.com, gemini.google.com) and you worry about sensitive data going out, the extension is the only surface that sees that traffic.
- If your concern is API agents, not humans in a browser, use the gateway or the Python / Node SDK.
- If you first want to know where employees are using AI, start with Discover shadow AI.
When NOT to use this approach
The extension governs human browser use. It does not see what applications on the same laptop do. For coding assistants on the desktop, pair with coding hooks. For app traffic, pair with the gateway or SDK.
5-minute setup
Individual pilot
- Install from the Chrome Web Store: search for "Control Zero" (or use the link in dashboard -> Browser extension).
- Open the extension's options page, paste the project token, and connect. On hosted deployments you confirm a code emailed to your corporate address; on air-gapped or self-managed deployments (no outbound email), use Connect without email instead — the same project token connects with zero egress.
- Visit claude.ai. Paste:
My SSN is 123-45-6789 help me draft a letter. - The extension flags the SSN and (by default) redacts it before submit.
The Connect without email option needs no verification email — the backend resolves your org and project from the project token itself, contacting no external service (no Resend). Your admin enables tokenless enrollment per project; hosted tenants keep email verification on by default.
Org-wide distribution
For the current pilot, distribute the extension manually: share the pre-configured Teams bundle (dashboard -> Browser extension -> Download bundle) via an internal link or shared drive, or have users self-install. The MDM force-install policy shapes below are the configuration you will use once managed force-install ships; they do not force-install the extension today.
Once MDM force-install is available:
- In the dashboard -> Browser extension -> Enterprise deployment, grab the policy JSON and extension ID.
- In your MDM (Jamf, Intune, Google Admin, Workspace ONE, etc.), push the extension as force-installed with the provided
ExtensionSettingspolicy. - Users sign in automatically via your IdP (SAML / OIDC).
- Pre-fill the organization ID and API key via managed policy so users do not see a login prompt.
Example Chrome policy (Jamf / Intune):
{
"ExtensionInstallForcelist": ["<extension-id>;https://clients2.google.com/service/update2/crx"],
"3rdparty": {
"extensions": {
"<extension-id>": {
"orgId": "org_...",
"apiKey": "cz_live_..."
}
}
}
}
Verifying it's working
- Dashboard -> Coverage shows enrolled browsers and last seen.
- Open claude.ai as a test user, paste a known-bad string (fake SSN, fake API key). Confirm the extension redacts or blocks per your policy.
- Dashboard -> Audit shows the event with page URL (redacted), matched rule, and the action taken.
Common follow-ups
- "Which AI sites are my employees using?" -> Discover shadow AI
- "Which patterns does the extension catch?" -> DLP coverage (59 patterns + custom regex)
- "I want to set my own rules" -> Set up DLP rules
- "End-user instructions I can forward?" -> Browser extension end-user guide
Reference
- Surface page: Browser extension
- Concepts: Policies
- API: API reference