Three pillars. One governance core.
Workforce AI
Employees use SaaS AI tools daily. Cloudflare SASE discovers shadow AI, blocks risky uploads, and applies prompt + DLP guards inline.
Nanosek delivers safe AI adoption services on Cloudflare across four priorities: protecting workforce use of generative AI, governing AI agent activity through MCP Server Portals and ZTNA, securing AI-powered applications, and supporting teams building with AI on Cloudflare Workers. The work covers shadow AI discovery, identity-aware access, AI security posture management (AI-SPM), prompt and response guardrails, AI-aware DLP, remote MCP server hosting, MCP server portals, AI Gateway routing, and managed operations.
Why safe AI adoption is hard
Limited visibility
Employees adopt AI tools before security teams can assess them. Industry research finds 85% of IT decision-makers say AI adoption outpaces IT review, with 93% of employees admitting to pasting information into AI tools without approval.
Complex risk management
AI introduces new attack surfaces — prompt injection, jailbreaks, model abuse, and untrusted agent activity — that classic security stacks were not designed to address.
Ineffective data governance
Sensitive data flows into LLMs through prompts, responses, and agent tool calls. Regex-based DLP cannot reason about intent or context.
Ungoverned AI agents and MCP servers
Local MCP servers running on employee laptops create blind spots, software-provenance gaps, and uncontrolled access to corporate resources.
No unified control plane
Different controls for browsers, devices, agents, and APIs make consistent policy enforcement and audit nearly impossible.
Nanosek's safe AI adoption approach
Define the AI posture
- Workshop the organization's current attitude on the AI adoption spectrum — block-first, opportunistic, or strategic.
- Inventory known AI tools, AI-enabled SaaS features, MCP usage, internal AI projects, and developer AI workflows.
- Map regulatory and data-classification constraints that should shape AI policy.
Discover shadow AI and shadow MCP
- Use Cloudflare Gateway, CASB, and Logpush to surface what AI tools the workforce is actually using.
- Identify local MCP servers and unmanaged agent activity reaching corporate resources.
- Score AI applications by risk and decide which to allow, isolate, redirect, or block.
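One way to turn the Gateway and Logpush data from the discovery step into a risk-scored inventory with an allow / redirect / isolate / block decision per tool, as an added example that is not Nanosek's or Cloudflare's code; the Logpush field names, the sample records and the host catalog are constructed assumptions:

```javascript
// Added example, not Nanosek's or Cloudflare's code. Turns Gateway HTTP Logpush
// records into a per-tool shadow-AI inventory with a risk score and a disposition.
// Field names (Email, HTTPHost, HTTPMethod, ClientRequestBytes) are assumed; the sample records are constructed.
const SAMPLE_LOGPUSH = [
  '{"Datetime":"2024-05-01T09:00:00Z","Email":"ana@example.com","HTTPHost":"chat.openai.com","HTTPMethod":"POST","Action":"allow","ClientRequestBytes":900000}',
  '{"Datetime":"2024-05-01T09:05:00Z","Email":"bo@example.com","HTTPHost":"chat.openai.com","HTTPMethod":"POST","Action":"allow","ClientRequestBytes":400000}',
  '{"Datetime":"2024-05-01T09:07:00Z","Email":"bo@example.com","HTTPHost":"claude.ai","HTTPMethod":"GET","Action":"allow","ClientRequestBytes":512}',
  '{"Datetime":"2024-05-01T09:09:00Z","Email":"cy@example.com","HTTPHost":"api.openai.com","HTTPMethod":"POST","Action":"allow","ClientRequestBytes":2048}',
  'not json at all',   // a truncated line in a Logpush batch is skipped, not fatal
];

// Constructed catalog of AI hosts: sanctioned = approved by the organisation; trainsOnData = vendor may train on submissions.
const AI_CATALOG = {
  'chat.openai.com': { tool: 'ChatGPT (consumer)', sanctioned: false, trainsOnData: true },
  'claude.ai':       { tool: 'Claude (consumer)',  sanctioned: false, trainsOnData: false },
  'api.openai.com':  { tool: 'OpenAI API (approved project)', sanctioned: true, trainsOnData: false },
};

// Aggregate per-request Logpush lines into per-host usage: who, how often, how much uploaded.
function inventoryAiUsage(lines) {
  const byHost = new Map();
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const meta = AI_CATALOG[rec.HTTPHost];
    if (!meta) continue;                                   // not an AI host we track
    if (!byHost.has(rec.HTTPHost)) {
      byHost.set(rec.HTTPHost, { host: rec.HTTPHost, ...meta, users: new Set(), requests: 0, bytesUploaded: 0 });
    }
    const t = byHost.get(rec.HTTPHost);
    t.users.add(rec.Email);
    t.requests += 1;
    if (rec.HTTPMethod === 'POST') t.bytesUploaded += rec.ClientRequestBytes ?? 0;
  }
  return [...byHost.values()].map(scoreTool).sort((a, b) => b.score - a.score);
}

// Score 0-100 from observable signals and map it to allow / redirect / isolate / block.
function scoreTool(t) {
  let score = 0;
  if (!t.sanctioned) score += 40;                 // no contract, no admin controls
  if (t.trainsOnData) score += 20;                // prompts may end up in a model
  if (t.users.size >= 2) score += 20;             // adoption beyond a single experimenter
  if (t.bytesUploaded >= 1_000_000) score += 20;  // meaningful volume leaving the org
  const disposition = score >= 80 ? 'block' : score >= 60 ? 'isolate'
                    : score >= 40 ? 'redirect' : 'allow';
  return { host: t.host, tool: t.tool, users: t.users.size, requests: t.requests,
           bytesUploaded: t.bytesUploaded, score, disposition };
}
```

The thresholds are illustrative; in practice they come out of the posture workshop, and the same aggregation can be re-run per department or per user to find the workflows a redirect has to accommodate.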
Apply workforce AI controls
- Deploy identity-aware Gateway HTTP policies covering AI tool access, with isolation and copy-paste controls where useful.
- Configure AI-aware DLP for PII, source code, customer data, and credentials in prompts and responses.
- Add prompt guardrails for jailbreak attempts, code abuse, and PII requests.
- Enable AI-SPM via CASB integrations for ChatGPT Enterprise, Claude, and Google Gemini.
Govern AI agents with MCP Server Portals
- Move local MCP servers to managed remote MCP servers hosted on Cloudflare or supported providers.
- Front MCP endpoints with Cloudflare Access for ZTNA-based authentication and identity delegation.
- Centralize agent traffic through MCP Server Portals to scope tools, enforce least privilege, and audit usage.
Route AI traffic through AI Gateway
- Proxy LLM API and agent traffic through Cloudflare AI Gateway for caching, token rate limits, and provider failover.
- Apply prompt guardrails and sensitive-data redaction at the gateway layer for consistency across models.
- Send AI Gateway logs to SIEM for cost, abuse, and incident review.
Operate and improve
- Build dashboards, alerting, and review cadences for AI traffic, agent activity, and policy events.
- Tune controls based on usage data, false positives, and emerging AI risks.
- Document runbooks for incident response involving shadow AI, prompt-injection events, or anomalous agent behavior.
How Cloudflare protects AI traffic end-to-end
Four common AI security priorities
| Priority | Cloudflare capability | Where Nanosek starts |
|---|---|---|
| Secure workforce use of GenAI | Gateway, CASB, DLP, prompt guardrails, Browser Isolation | Discover shadow AI, score by risk, then apply identity-aware access and data controls. |
| Govern AI agents | Cloudflare Access, MCP Server Portals, remote MCP servers, service tokens | Move local MCP servers to managed deployments and centralize agent traffic through ZTNA portals. |
| Protect AI-powered apps | WAF, AI Gateway, Bot Management, API Shield, Rate Limiting | Protect LLM-backed endpoints from prompt-injection, abuse, and cost-inflation attacks. |
| Build securely with AI | Workers, AI Gateway, Workers AI, Access service tokens | Add observability, rate limits, and guardrails to AI features built on Cloudflare's developer platform. |
Deployment steps
- 01 Define the AI posture across the business — conservative, opportunistic, or strategic.
- 02 Discover shadow AI and shadow MCP usage with Gateway, CASB, and Logpush data.
- 03 Apply workforce AI controls — access policy, DLP, AI-SPM, prompt guardrails.
- 04 Govern AI agents via remote MCP servers, ZTNA, and MCP Server Portals.
- 05 Route LLM and agent traffic through AI Gateway for cost, guardrails, and DLP.
- 06 Operate, tune, and review controls with dashboards, alerts, and runbooks.
Risks and mitigations
| Risk | Mitigation |
|---|---|
| Over-blocking AI tools harms productivity and pushes users to unsanctioned shortcuts. | Use isolation, copy-paste controls, and redirects to approved tools instead of blanket blocks where possible. |
| DLP false positives on AI prompts disrupt legitimate workflows. | Start AI-aware DLP in monitor mode, baseline traffic, and tune detections before enforcement. |
| MCP server portal rollout breaks existing agent workflows. | Inventory current agent activity, run portals in parallel with local connections during cutover, and migrate by workflow. |
| AI Gateway adds latency or breaks streaming for sensitive workloads. | Validate streaming behavior per provider, tune caching only for deterministic prompts, and run load tests before cutover. |
Deliverables
- AI posture statement and policy summary aligned with business risk appetite.
- Shadow AI and shadow MCP discovery report with risk-scored applications.
- Workforce AI control configuration — Gateway, CASB, DLP, prompt guardrails.
- AI agent governance design — remote MCP servers, ZTNA, MCP Server Portals.
- AI Gateway configuration with caching, token limits, guardrails, and redaction.
- Logging, SIEM integration, dashboards, runbooks, and operating model.
Frequently asked questions
How does Cloudflare differ from a classic SWG for AI traffic?
What is an MCP server portal and why does it matter?
Do we need to replace our existing SASE platform to do this?
Can Nanosek help even before policy is set?
Move from shadow AI to governed AI
Nanosek helps organizations adopt AI safely with Cloudflare — covering workforce AI use, AI agent governance, and AI-powered applications under one unified control plane and managed operations model.