User experience
When prompts are blocked
When the collector blocks a user prompt, the user sees a banner that includes:
- Message indicating that the prompt was blocked
- Request ID that users can copy and provide to Support
For example:
Malicious Prompt was detected and blocked.
Request ID: prq_b6m7di4yao3lc4q75j5lddx5y7licu5v ⧉
When data is transformed
When the collector transforms data submitted to the AI provider, the AI system receives redacted sensitive values and defanged malicious URLs, IP addresses, and domains. Some sites may show original user input in the chat history.
Users see a banner message that includes:
- Message indicating that sensitive data was redacted or malicious references were defanged
- Request ID that users can copy and provide to Support
For example:
Your organization's security policy modified sensitive or malicious content before sending it to the AI provider.
Request ID: prq_b6m7di4yao3lc4q75j5lddx5y7licu5v ⧉
Users see transformed values in AI responses when the AI includes those values in its output.
Inconsistent behavior across AI provider sites
AI provider sites handle AIDR security interventions differently based on their client-side web processing. A web application implementation can change at any time. These behaviors are outside AIDR's control and can create inconsistent user experiences across platforms.
Example
The ChatGPT conversation interface captures user input and updates chat history based on what the AI model processed. This can create unexpected behavior depending on how AIDR processes user input:
-
When AIDR transforms data in a user prompt:
- User enters a prompt containing sensitive data.
- ChatGPT adds the user input to the chat interface. It remains unchanged briefly until ChatGPT updates it based on the model's response.
- AIDR browser collector intercepts the prompt, processes it, and sends the transformed version to the AI model.
- ChatGPT receives the model response and:
- Updates the user prompt displayed in the chat interface with the actual prompt received by the model.
- Adds the model response to the chat history.
Example exchange:- User enters: "Do you know Muffin Man?"
- User's input is added to the chat history unmodified: "Do you know Muffin Man?"
- AIDR's Confidential and PII Entity detector replaces the person name with a placeholder before sending the prompt to the AI model.
- When the model responds:
- AIDR browser extension shows a banner message.
- User input in the chat history becomes "Do you know <PERSON>".
- Model response is added to the chat history and may read: "I do not know who <PERSON> is from that message..."
-
When AIDR blocks a user prompt, the behavior differs because no content reaches the AI model:
- User enters a prompt that AIDR blocks - for example, a harmful intent blocked by the Malicious Prompt detector.
- ChatGPT adds the user input to the chat interface.
- AIDR browser collector intercepts the prompt, processes it, and blocks it from being sent to the model.
- AIDR browser extension shows a banner message.
- Because no model response arrives, ChatGPT doesn't update the conversation. The user prompt remains in the chat history and can't be removed or modified.
Other AI providers (Claude, Gemini, enterprise platforms) may handle these scenarios differently due to variations in their client-side implementations.
For example, Claude AI currently behaves like ChatGPT when AIDR transforms a user prompt, but doesn't add the prompt to the conversation when AIDR blocks it.
Report Only mode
If browser policy input rules are set to Report, or the policy is in Report Only Mode , the user experience is unaffected.
AIDR logs detections without blocking prompts or modifying data.
Output rules in browser policies always run in Report Only Mode.