Addressing Shadow AI with F5 BIG-IP SSL Orchestrator
What is Shadow AI?
Shadow AI is the unsanctioned use of AI tools by employees, contractors, or partners without IT or security oversight.
It is growing fast, and it may be slipping under your radar. Unauthorized generative AI tools are rapidly becoming a critical blind spot for SecOps teams, increasing the risk of data leaks, compliance violations, and costly breaches.
What are the risks associated with Shadow AI?
Shadow AI introduces critical blind spots and vulnerabilities, such as:
- Data exposure: Sensitive or proprietary information may be uploaded to external platforms, outside your organization’s control.
- Compliance risks: Unauthorized AI usage can violate industry and government regulations like GDPR, HIPAA, or PCI DSS.
- Hidden threats: traffic to AI platforms is carried over HTTPS (TLS), so without decryption the security stack cannot see what is uploaded to the service or what comes back from it, and encrypted threats pass through undetected.
How can I address the risks of Shadow AI?
F5® BIG-IP® SSL Orchestrator® gives you a way to control Shadow AI usage without undermining productivity or innovation. Because it decrypts outbound traffic, it provides the visibility needed for a multi-layered approach: identify Shadow AI destinations, decide per request whether to block, coach, or allow, and log what happened.
Traffic to AI services is TLS-encrypted. The hostname may be visible in the TLS ClientHello (SNI), but returning a Coaching page, collecting a justification, or inspecting what a user uploads all require the decrypted HTTP session. SSL Orchestrator performs that decryption in the outbound topology (clients must trust its signing CA certificate), which is why it is the enforcement point for Shadow AI content.
Shadow AI usage can be blocked outright, but that is sometimes counterproductive. SSL Orchestrator can be configured to block, but it also has the flexibility to return a “Coaching” page advising users that they are accessing Shadow AI content that may expose them to unnecessary risk. These “Coaching” pages can be customized to include:
- A message warning the user they may be exposing their company to increased risk.
- The option to cancel the request or proceed to access the site.
- The option to include a “Justification” message and proceed to access the site.
- The option to include an HTML link in the “Coaching” page that directs the user to more information or spells out the corporate IT policy regarding Shadow AI.
With a URL Categorization (URLDB) subscription, you can choose from the following Categories to identify Shadow AI usage:
"Generative_AI"
"Generative_AI_-_Text_&_Code"
"Generative_AI_-_Conversation"
"Generative_AI_-_Multimedia"
Configuration Prerequisites
- BIG-IP software version 17.1.2 or newer
- SSL Orchestrator software version 11.1.8 or newer
- SSL Orchestrator Policy and Service Chain configured
- SSL Orchestrator Outbound Topology created and working properly
Configuring SSL Orchestrator: Service Extensions
SSL Orchestrator has many customization options we will refer to as Service Extensions. A Service Extension is an inspection service implemented with iRules directly inside the Service Chain, so the chain gains a security function without adding another external tool. One such use case is User Coaching.
The User Coaching Service Extension is published in the f5devcentral sslo-service-extensions GitHub repository (user-coaching directory) and includes an installer that creates all of the necessary objects:
From the BIG-IP shell, fetch the installer and make it executable:
curl -sk https://raw.githubusercontent.com/f5devcentral/sslo-service-extensions/refs/heads/main/user-coaching/user-coaching-installer.sh -o user-coaching-installer.sh
chmod +x user-coaching-installer.sh
The -k flag skips certificate verification of the download; drop it if your BIG-IP has a current CA bundle, and in any case read the script before running it.
Export the BIG-IP admin username and password for the installer to use:
export BIGUSER='admin:password'
The credential ends up in the shell history and the process environment, so unset BIGUSER (and clear the history entry) once the installer has finished.
Run the installer:
./user-coaching-installer.sh
The installer will create the default coaching and blocking HTML (iFile objects), the user-coaching iRule, and the new User Coaching Inspection Service. Once this is complete, simply add the new Service to your SSL Orchestrator Service Chain(s). With the defaults in place, and an active URLDB subscription on the BIG-IP, any attempt to access an AI-categorized site will return the User Coaching page. Clicking the Agree button generates a log entry detailing the source (user) and destination (IP and host).
Next Steps: Add the User Coaching Inspection Service to a Service Chain
From the SSL Orchestrator UI, navigate to Configuration > Service Chains > click the name of the Service Chain you want to add the User Coaching Service to.
Move the User Coaching Service from Available to Selected.
Click Deploy, then click OK on each of the two confirmation prompts.
The SSL Orchestrator configuration is complete. Let’s test it out and see what it looks like.
From a client computer, browsing to https://mem.ai now returns the default User Coaching page.
Clicking Agree continues to the website; clicking Cancel returns you to the previous page.
Customizing the Coaching Policy
The Coaching Policy is easily customizable. It can also be configured to block the request.
Enable Blocking Mode
Let’s enable blocking mode. From the BIG-IP UI, navigate to Local Traffic > iRules > iRule List.
Click the “user-coaching-rule” at the bottom.
Set the CATEGORY_TYPE to “sub_and_custom”
Copy the COACHING_CATEGORIES
Paste them into the BLOCKING_CATEGORIES
Comment out the COACHING_CATEGORIES and click Update
From a client computer, browsing to https://mem.ai is now blocked and the blocking page is returned instead of the site.
Enable Justification Option
Let’s enable the Justification option. Go back to the “user-coaching-rule” iRule. Scroll down until you see the section to REQUIRE_JUSTIFICATION. Change the value from 0 to 1, then click Update.
Let’s test it out and see what it looks like.
From a client computer, browsing to https://mem.ai now returns the Coaching page with a Justification field; the user must enter a reason before proceeding. I entered: I have a legitimate reason to access this site
The justification is logged along with the user, source, and destination, so you have an audit trail of who accepted the risk and why.
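The coaching, Agree, Cancel and block events described above and in the installer notes are only useful if someone reads them. As an added example (my code, not part of the User Coaching Service Extension or this article's original content), the Python script below turns such log entries into a short report: who reached which AI host, who clicked Agree, which hosts the most distinct users accepted the risk for, and which justifications are too thin to count as a real reason. The `action=... user=... host=... justification="..."` layout of the sample lines is a constructed assumption; the real format is whatever the `log` statements in user-coaching-rule emit, so adjust EVENT_RE to match your /var/log/ltm before using it.

```python
"""Summarize User Coaching events from BIG-IP LTM logs.

Added example; this is not code from the User Coaching Service Extension.
The log layout below is CONSTRUCTED. The real format is whatever the `log`
statements in user-coaching-rule emit, so adapt EVENT_RE to your /var/log/ltm.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

# Constructed sample lines (assumed key=value layout, TEST-NET destination addresses).
SAMPLE_LOG = """\
Jun 11 09:14:02 bigip1 info tmm[12345]: Rule /Common/user-coaching-rule <HTTP_REQUEST>: action=coach user=alice src=10.1.10.21 dst=203.0.113.52 host=mem.ai category=Generative_AI_-_Text_&_Code
Jun 11 09:14:09 bigip1 info tmm[12345]: Rule /Common/user-coaching-rule <HTTP_REQUEST>: action=agree user=alice src=10.1.10.21 dst=203.0.113.52 host=mem.ai justification="Drafting release notes for ticket SEC-1022"
Jun 11 09:20:41 bigip1 info tmm[12345]: Rule /Common/user-coaching-rule <HTTP_REQUEST>: action=coach user=bob src=10.1.10.77 dst=203.0.113.52 host=mem.ai category=Generative_AI_-_Text_&_Code
Jun 11 09:20:44 bigip1 info tmm[12345]: Rule /Common/user-coaching-rule <HTTP_REQUEST>: action=agree user=bob src=10.1.10.77 dst=203.0.113.52 host=mem.ai justification="asdf"
Jun 11 10:02:13 bigip1 info tmm[12345]: Rule /Common/user-coaching-rule <HTTP_REQUEST>: action=block user=carol src=10.1.10.90 dst=198.51.100.9 host=chat.example-ai.test category=SSLO_AI_TOOLS
Jun 11 10:05:00 bigip1 info tmm[12345]: Rule /Common/user-coaching-rule <HTTP_REQUEST>: action=cancel user=dave src=10.1.10.11 dst=203.0.113.52 host=mem.ai
Jun 11 10:06:00 bigip1 info tmm[12345]: Rule /Common/some-other-rule <HTTP_REQUEST>: unrelated message
"""

# Only lines from the user-coaching iRule; category and justification are optional.
EVENT_RE = re.compile(
    r"user-coaching-rule\b.*?\baction=(?P<action>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)"
    r"(?: category=(?P<category>\S+))?"
    r'(?: justification="(?P<justification>[^"]*)")?'
)


def parse_event(line: str) -> dict | None:
    """Extract one coaching event; None for lines from other iRules or other formats."""
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def parse_log(text: str) -> list[dict]:
    return [ev for ev in map(parse_event, text.splitlines()) if ev]


def summarize(events: list[dict]) -> dict[tuple[str, str], Counter]:
    """Per (user, host): how often they were coached, agreed, cancelled, or were blocked."""
    summary: dict[tuple[str, str], Counter] = defaultdict(Counter)
    for ev in events:
        summary[(ev["user"], ev["host"])][ev["action"]] += 1
    return summary


def weak_justifications(events: list[dict], min_words: int = 3) -> list[tuple[str, str, str]]:
    """Agree events whose justification is present but too short to mean anything.

    Agrees with no justification at all are not flagged: that is the normal
    shape when REQUIRE_JUSTIFICATION is 0, not a policy violation.
    """
    out: list[tuple[str, str, str]] = []
    for ev in events:
        j = ev.get("justification")
        if ev["action"] == "agree" and j is not None and len(j.split()) < min_words:
            out.append((ev["user"], ev["host"], j))
    return out


def hosts_by_distinct_users(events: list[dict]) -> list[tuple[str, int]]:
    """AI hosts ranked by how many different users clicked Agree: the shortlist for blocking."""
    users: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if ev["action"] == "agree":
            users[ev["host"]].add(ev["user"])
    return sorted(((h, len(u)) for h, u in users.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (user, host), actions in sorted(summarize(events).items()):
        print(f"{user:<8} {host:<24} {dict(actions)}")
    for user, host, text in weak_justifications(events):
        print(f"weak justification from {user} for {host}: {text!r}")
    print("hosts by distinct agreeing users:", hosts_by_distinct_users(events))
```

Run it against a copy of /var/log/ltm (or the remote syslog target the BIG-IP forwards to) after a week of coaching mode; the host ranking tells you which destinations to move from COACHING_CATEGORIES to BLOCKING_CATEGORIES, and the weak-justification list tells you whether REQUIRE_JUSTIFICATION is producing real reasons or keyboard noise.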
Customize the Coaching Page
The Coaching Page itself can be customized to include images, email links and so much more. Let’s add some custom HTML files and configure the Coaching Policy to use them. From Local Traffic, go to iRules > iFile List.
Click Create
Give it a name, “Custom-Coaching-1” in this example.
Click the + to add the html file
Click Choose File.
Select your HTML file and click Open.
Give it a name and click Import.
Click Finished.
Multiple Custom Coaching Pages can be added here. In fact, I’ll add one more to show you something different.
To use this Custom Coaching Page, navigate to Local Traffic > iRules > iRule List.
Click the “user-coaching-rule” at the bottom.
Scroll down to the COACHING lookup section and replace user-coaching-html with your custom HTML page, Custom-Coaching-1 in this example.
Click Update
From a client computer, browsing to https://mem.ai now returns the customized Coaching Page from Custom-Coaching-1.
Add an HTML link to the Coaching Page
Let’s customize this even further by including an HTML link in the Coaching Page. This could be a link to the corporate internet guidelines or an email address to contact with any questions.
Navigate to Local Traffic > iRules > iRule List.
Click the “user-coaching-rule” at the bottom.
Scroll down to the COACHING lookup section and replace user-coaching-html with your custom HTML page, Custom-Coaching-2 in this example.
Click Update
From a client computer, browsing to https://mem.ai now returns the Custom-Coaching-2 page.
At the bottom of this Coaching Page is a link to an email address users can contact with any questions.
Use a Custom Category
Without a URL Categorization subscription, you can create a Custom Category and populate it with known Shadow AI web sites. F5 publishes a script that seeds such a category; its list is not exhaustive, but it is a usable starting point. Run this from the BIG-IP CLI:
curl -s https://raw.githubusercontent.com/f5devcentral/sslo-script-tools/main/sslo-generative-ai-categories/sslo-create-ai-category.sh |bash
This pipes a remotely fetched script straight into bash on the BIG-IP; the safer habit is to save it with curl -o first, read it, and then run it. It may take a minute to complete.
This will create a Custom Category named “SSLO_AI_TOOLS”. You can edit this from the SSL Orchestrator UI by navigating to Policies > URL Categories.
Expand Custom Categories and click SSLO_AI_TOOLS
Here you can see the URLs in this category. URLs can be added or removed from this category as needed.
Navigate to Local Traffic > iRules > iRule List.
Click the “user-coaching-rule” at the bottom.
Add the “SSLO_AI_TOOLS” category to the COACHING_CATEGORIES and remove the four subscription-based Generative_AI categories.
Set the CATEGORY_TYPE to “custom_only”
Click Update
From a client computer, browsing to https://mem.ai again returns the customized Coaching Page, this time because mem.ai matched the SSLO_AI_TOOLS custom category rather than a URLDB category.
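A custom category is only as good as the list behind it, and the UI edits described above do not scale once the list lives in a ticket or a Git repo. As an added example (my code, not the f5devcentral sslo-create-ai-category.sh script), the Python script below keeps SSLO_AI_TOOLS in sync with a curated host list: it normalizes entries (bare hosts, full URLs, ports, paths, mixed case), rejects malformed lines and wildcards, diffs the result against the hosts already in the category, and emits only the tmsh commands needed for additions and removals. The `tmsh modify sys url-db url-category ... urls add/delete { ... { type exact-match } }` syntax it emits, and the `https://host/` entry form, are assumptions on my part; confirm them with `tmsh help sys url-db url-category` and against the entries the F5 script created before pasting the output into the BIG-IP shell.

```python
"""Keep the SSLO_AI_TOOLS custom URL category in sync with a curated host list.

Added example; not the f5devcentral sslo-create-ai-category.sh script.
The tmsh syntax emitted by plan_changes() is an ASSUMPTION: confirm it with
`tmsh help sys url-db url-category` on your BIG-IP before running the output.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

CATEGORY = "SSLO_AI_TOOLS"

# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, at least two labels, alphabetic TLD. Rejects wildcards, which
# would not work with the exact-match entries this script emits.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample list (not the F5-published list): one entry per line,
# comments allowed, entries may be bare hosts or full URLs.
SAMPLE_LIST = """\
# Curated Shadow AI destinations
mem.ai
https://Chat.Example-AI.test:443/login
mem.ai/
*.example-ai.test
not a host
"""


def normalize_host(entry: str) -> str | None:
    """Reduce a list entry to a lowercase hostname, or None if it is not a valid host."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "https://" + entry            # let urlsplit handle host:port/path
    try:
        host = urlsplit(entry).hostname       # drops scheme, port, path; lowercases
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")
    return host if HOST_RE.match(host) else None


def load_hosts(text: str) -> tuple[set[str], list[str]]:
    """Parse the curated list into (valid hosts, rejected raw lines)."""
    hosts: set[str] = set()
    rejected: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = normalize_host(line)
        if host:
            hosts.add(host)                   # set() dedupes 'mem.ai' and 'mem.ai/'
        else:
            rejected.append(line)
    return hosts, rejected


def category_url(host: str) -> str:
    """URL form used for the category entry (assumed convention: https://host/)."""
    return f"https://{host}/"


def plan_changes(desired: set[str], existing: set[str]) -> list[str]:
    """tmsh commands that make the category's host set equal to `desired`.

    `existing` would come from `tmsh list sys url-db url-category SSLO_AI_TOOLS`
    on the BIG-IP; here it is passed in so the function runs offline.
    Returns [] when nothing needs to change, so re-running is harmless.
    """
    cmds: list[str] = []
    to_add = sorted(desired - existing)
    to_drop = sorted(existing - desired)
    if to_add:
        entries = " ".join(f"{category_url(h)} {{ type exact-match }}" for h in to_add)
        cmds.append(f"tmsh modify sys url-db url-category {CATEGORY} urls add {{ {entries} }}")
    if to_drop:
        entries = " ".join(category_url(h) for h in to_drop)
        cmds.append(f"tmsh modify sys url-db url-category {CATEGORY} urls delete {{ {entries} }}")
    return cmds


if __name__ == "__main__":
    desired, rejected = load_hosts(SAMPLE_LIST)
    for line in rejected:
        print(f"# rejected: {line}")
    # Pretend the category currently holds mem.ai plus a retired tool.
    for cmd in plan_changes(desired, {"mem.ai", "old-tool.example"}):
        print(cmd)
```

Review the rejected lines rather than silently dropping them: a wildcard such as *.example-ai.test means someone wanted subdomain coverage, which needs a different entry type than the exact-match form this script emits.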
Conclusion
SSL Orchestrator gives you the flexibility to decide how to address Shadow AI in your environment. Content can be blocked outright, or “Coaching” pages can be used to warn users about the risks associated with Shadow AI sites and to collect a justification. A URLDB subscription is recommended because F5 maintains the Generative AI categories for you, but a Custom Category works without additional subscription cost if you are willing to maintain the list yourself.
Related Content:
- Solution Overview: Control Shadow AI Risks with F5 BIG-IP SSL Orchestrator
- DevCentral article: Office 365 Tenant Restrictions
- DevCentral article: SSL Orchestrator Service Extensions: User Coaching
- GitHub repository for SSL Orchestrator Service Extensions
- Introduction to BIG-IP SSL Orchestrator
- Integrating Security Solutions with F5 BIG-IP SSL Orchestrator