Cloudflare AI Security

Two Pillars of Protection for the AI Era

Pillar 1

End-User Protection

Pillar 2

App & Agent Security

Two Distinct AI Threat Models

Pillar 1: End-User Protection

Employees using AI chat tools

Scenario: Users interact with ChatGPT, Claude, Copilot, Gemini via browser

Threats:

Corporate data leakage to AI providers
Shadow AI usage without IT visibility
Malicious responses compromising users
Compliance violations (PII, secrets)

Solution Stack:

Zero Trust + AI Security for Apps (WAF)

Pillar 2: App & Agent Security

Applications calling LLMs via API

Scenario: Your apps/agents call OpenAI, Anthropic, or internal models

Threats:

Prompt injection attacks via API
LLM response poisoning
Cost overruns & runaway usage
Data exfiltration in responses

Solution Stack:

AI Gateway

Pillar 1

End-User AI Protection

Zero Trust + AI Security for Apps (WAF)

The Shadow AI Problem

What IT Can't See

Employees pasting source code into ChatGPT
Customer PII shared with AI assistants
API keys and secrets in prompts
Strategic documents uploaded for summarization
Proprietary algorithms explained to AI

The Scale

42+ AI applications tracked in Gateway
75% of employees use AI tools at work*
60% do so without IT approval*

*Industry surveys 2024

Real Risk Scenarios

Data Breach: Engineer pastes production database credentials while debugging with AI

IP Theft: Product manager uploads unreleased roadmap for "quick summary"

Compliance: HR uploads employee records to AI for analysis

Legal: Attorney shares privileged client communications

Pillar 1: Solution Architecture

Employee

Cloudflare One

Access + Gateway

AI Security (WAF)

Prompt Analysis

AI Service

ChatGPT, etc.

Cloudflare One (Zero Trust)

Access: Identity-based authentication to AI apps
Gateway: DNS/HTTP filtering + DLP inspection
Browser Isolation: Render AI interfaces remotely
CASB: Shadow AI discovery & control

AI Security for Apps (WAF)

Prompt Injection Scoring: 1-99 risk scale
PII Detection: AI-powered fuzzy + regex exact
Unsafe Topics: Built-in + custom categories
Full Logging: Prompts + responses captured

Zero Trust AI Controls

Access

Require SSO/MFA for AI tools
Group-based policies (only R&D can use Copilot)
Device posture checks before AI access
Session duration limits

Gateway

42+ AI apps in application library
Allow/Block specific AI services
DLP scanning on prompts & uploads
Full conversation logging

Browser Isolation

AI interfaces render on Cloudflare edge
Block copy/paste of sensitive data
Disable file uploads to AI chats
Prevent downloads of AI outputs

Data Loss Prevention

700+ built-in detectors (SSN, CC, etc.)
Custom patterns for proprietary data
Exact Data Match for sensitive lists
Action: Block, warn, or log

AI Security for Apps (WAF)

Cloudflare WAF analyzes LLM-bound traffic in real-time, scoring prompts for injection risk, detecting PII, and flagging unsafe content.

Prompt Injection Scoring

Every prompt receives a score from 1-99

1-10High Risk

11-50Medium Risk

51-99Low Risk

WAF field: cf.llm.prompt.injection_score

PII Detection

Two detection methods:

Fuzzy (AI): Context-aware, finds obfuscated PII

Exact (Regex): Pattern matching for SSN, CC, etc.

WAF field: cf.llm.prompt.pii_detected

Unsafe Topic Detection

Block harmful content categories:

Violence & weapons
Illegal activities
Hate speech
Custom topics (e.g., competitors)

WAF field: cf.llm.prompt.flagged_topics

WAF Rules for AI Security

Example: Block High-Risk Prompts

WAF Custom Rule

(cf.llm.prompt.injection_score lt 20)
  and
(http.request.uri.path contains "/api/chat")

Action: Block | Challenge | Log

Example: Alert on PII

WAF Custom Rule

(cf.llm.prompt.pii_detected eq true)
  and
(cf.llm.prompt.pii_types contains "ssn")

Available WAF Fields

`cf.llm.prompt.injection_score`	1-99
`cf.llm.prompt.pii_detected`	Boolean
`cf.llm.prompt.pii_types`	Array
`cf.llm.prompt.flagged_topics`	Array
`cf.llm.prompt.is_safe`	Boolean

Requirements

Enterprise plan required
Label endpoints with cf-llm content type
Works with any LLM backend

Pillar 1: Customer Benefits

Complete Visibility

See all AI tools employees are using
Full conversation logging with user attribution
Shadow AI discovery across the org
Real-time dashboards and alerts

Compliance Ready

PII never reaches AI providers
Audit trails for every interaction
GDPR, HIPAA, SOC2 alignment
Data residency controls

Granular Control

Per-user, per-group, per-app policies
Block, warn, or log based on context
Custom topic filtering
Flexible exception handling

Enable Innovation Safely

Say "yes" to AI with guardrails
Empower employees without risk
No productivity sacrifice for security
Unified policy across all AI tools

Pillar 2

App & Agent AI Security

AI Gateway

The App & Agent Security Challenge

The New Application Stack

Modern apps increasingly rely on LLM APIs:

Customer-facing chatbots
Internal copilots and assistants
Automated content generation
AI agents acting autonomously
Multi-agent orchestration (MCP)

Cost Reality

A single runaway loop can burn through $10,000+ in API costs in minutes

OWASP Top LLM Threats

LLM01: Prompt Injection
Malicious inputs hijack model behavior

LLM02: Insecure Output
Model responses executed as code

LLM05: Supply Chain
Compromised models or training data

LLM06: Sensitive Info Disclosure
Models leak training data or PII

AI Gateway: The Security Layer

Your App

AI Gateway

Single endpoint for all AI

OpenAI

Anthropic

Google

Workers AI

20+ Providers

Universal API endpoint

Caching

90% latency reduction

Rate Limiting

Prevent runaway costs

Guardrails

DLP + content filtering

AI Gateway: DLP for Prompts & Responses

Scan both directions — protect data going to LLMs AND validate what comes back. No TLS decryption required.

Prompt Scanning (Outbound)

Detect PII before it reaches the LLM
Block API keys, passwords, secrets
Flag proprietary code patterns
Custom regex for business data

Actions: Block, redact, warn, log

Response Scanning (Inbound)

Catch hallucinated PII in responses
Detect prompt leakage attacks
Block toxic or harmful content
Validate response format/structure

Actions: Block, sanitize, flag for review

Why This Matters

Traditional DLP can't inspect API traffic to AI providers. AI Gateway provides native visibility without SSL inspection complexity.

AI Gateway: Dynamic Routing

Visual flow builder for intelligent request routing — failovers, A/B testing, budget controls, and conditional logic.

Routing Capabilities

Fallbacks: Auto-failover when provider is down
A/B Testing: Split traffic between models
Conditionals: Route by user, content, metadata
Budget Limits: Cap spend per model/user
Rate Limits: Requests per minute controls

Example Flow:
Try GPT-4 → If rate limited → Fallback to Claude → If budget exceeded → Use Workers AI

Observability

Every request logged with full context:

Latency (TTFT, total)

Token counts

Cost per request

Success/error rates

Cache hit ratio

Guardrail triggers

Securing AI Agents & MCP

Model Context Protocol (MCP) enables AI agents to access tools and data. AI Gateway provides visibility and control.

What is MCP?

Standard protocol for AI ↔ Tool communication
Agents can query databases, call APIs, access files
Multi-agent orchestration patterns emerging
Supported by Anthropic, OpenAI, and others

The Risk

Agents with tool access can exfiltrate data, modify systems, or be manipulated via prompt injection to act maliciously.

AI Gateway for MCP

Protocol Detection: Identify MCP traffic automatically
Tool Allowlisting: Restrict which tools agents can call
Request Logging: Full audit trail of agent actions
Rate Limiting: Prevent runaway agent loops
DLP on Tool Outputs: Scan data returned to agents

Deploy on Workers: Host MCP servers with built-in OAuth and Durable Objects for state

Pillar 2: Customer Benefits

Cost Control

Caching reduces API calls by up to 90%
Budget caps prevent bill shock
Per-user/per-model spending limits
Real-time cost visibility

Resilience

Automatic failover between providers
No single point of failure
Provider-agnostic architecture
Graceful degradation patterns

Security

DLP on prompts AND responses
Prompt injection detection
Centralized secret management (BYOK)
Full request/response logging

Observability

Unified dashboard for all AI usage
Performance metrics (latency, tokens)
Error tracking and debugging
Custom alerting rules

Summary: Two Pillars of AI Security

Pillar 1

End-User AI Protection

Use Case: Employees using ChatGPT, Claude, Copilot in browsers

Solution:

Cloudflare One (Access + Gateway)
Browser Isolation
AI Security for Apps (WAF)

Key Outcomes:
Shadow AI visibility, DLP enforcement, compliance, user protection

Pillar 2

App & Agent AI Security

Use Case: Applications/agents calling LLM APIs programmatically

Solution:

AI Gateway
DLP for prompts & responses
Dynamic routing & guardrails

Key Outcomes:
Cost control, resilience, prompt security, full observability

Unified Platform: Both pillars managed from a single Cloudflare dashboard

Getting Started

Pillar 1: End-User Protection

Deploy Cloudflare One
WARP client + Gateway policies

Enable AI App Controls
Select AI apps from library, set DLP rules

Configure AI Security (WAF)
Label endpoints, set scoring thresholds

Monitor & Refine
Review logs, tune policies

Pillar 2: App & Agent Security

Create AI Gateway
Set up gateway in dashboard

Point Apps to Gateway
Replace provider URLs with gateway endpoint

Enable Guardrails
DLP, rate limits, budget caps

Build Routing Flows
Failovers, A/B tests, conditionals

Questions? Let's discuss your AI security requirements.