Cisco Umbrella and Shadow AI: Why DNS Filtering Can't See Personal ChatGPT, Claude, and Gemini Use
What Cisco Umbrella actually inspects
Umbrella resolves DNS queries and applies category and reputation policy to the domain. When a user types chat.openai.com, Umbrella sees the request for that hostname and decides allow or block. That is useful for blocking known-bad domains and for keeping users off categories like gambling or adult content.
The problem is that allow and block at the domain level is the entire decision surface. Once the domain is permitted, Umbrella's DNS path is done. The TLS session that follows opens up between the browser and OpenAI, and nothing inside that session is visible to a DNS resolver.
Personal vs enterprise accounts on the same domain
This is where shadow AI lives. chat.openai.com is the same hostname for your personal ChatGPT account, your free account, your Plus account, and your ChatGPT Enterprise tenant. Same for Claude on claude.ai, same for Gemini on gemini.google.com. DNS cannot tell those apart because the distinction is not in the domain. It is in the OAuth token, the workspace ID, the tenant cookie, the OIDC claim. All of that is sealed inside TLS and decided by the application after the connection is established.
An employee who is blocked from chat.openai.com at home will be blocked at work too. An employee who is allowed at work is also allowed on their personal account. There is no in-between with DNS.
What an endpoint SWG sees that DNS does not
dope.security runs an agent on the device. Traffic is inspected on the endpoint itself, with SSL break-and-inspect performed locally, no backhaul to a cloud proxy. That means the full URL path, headers, body, AI prompts, file uploads, and tenant identifiers are all available to policy.
Concretely, on the same chat.openai.com request:
The agent sees the workspace identifier. dope.security's Cloud Application Control reads the ChatGPT Workspace ID, the Claude OIDC claim, the Microsoft 365 tenant ID, the Google Workspace domain, and lets you allow your enterprise tenant while blocking everyone else. Same domain. Different decision. That is the layer Umbrella cannot reach.
The agent sees the prompt. Dopamine DLP (US Patent 12,464,023) intercepts the file uploads and the prompt body itself before it leaves the device. Block, monitor, or allow with classification, all on-device, using zero-retention APIs. No customer data trains anyone's model.
The agent sees the action. Uploading a 40MB customer list to a personal Gemini account looks identical to Umbrella as opening a tab. To an endpoint SWG, it is a file upload event with a classified payload going to a non-sanctioned tenant.
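To make the "same domain, different decision" point from the sections above concrete, here is an added illustration (not dope.security's code and not a description of its implementation): a DNS-style policy that only ever sees the hostname, beside an endpoint-side policy that sees the decrypted request. The tenant header and cookie names, the sanctioned tenant id, the URL paths and the sample requests are all constructed for this example; real products read vendor-specific tokens and claims.

```python
from dataclasses import dataclass, field
from typing import Optional

SANCTIONED_TENANT = "acme-corp"          # constructed enterprise tenant id
AI_DOMAINS = {"chat.openai.com", "claude.ai", "gemini.google.com"}
UPLOAD_WARN_BYTES = 10 * 1024 * 1024     # warn on uploads above 10 MB

@dataclass
class Request:
    host: str
    path: str = "/"
    headers: dict = field(default_factory=dict)
    body_bytes: int = 0

def dns_policy(req: Request) -> str:
    """DNS-layer filter: the hostname is the entire decision surface."""
    return "allow" if req.host in AI_DOMAINS else "block"

def tenant_of(req: Request) -> Optional[str]:
    """Pull the tenant identifier out of the decrypted request.
    'X-Tenant-Id' and the 'workspace' cookie are constructed stand-ins
    for the product-specific workspace id / OIDC claim."""
    if "X-Tenant-Id" in req.headers:
        return req.headers["X-Tenant-Id"]
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "workspace":
            return value or None
    return None

def endpoint_policy(req: Request) -> str:
    """Endpoint SWG after local break-and-inspect: tenant and action are visible."""
    if req.host not in AI_DOMAINS:
        return "block"
    if tenant_of(req) != SANCTIONED_TENANT:
        return "block"   # personal / free account on a sanctioned domain
    if req.path.startswith("/upload") and req.body_bytes > UPLOAD_WARN_BYTES:
        return "warn"    # large upload, even from the enterprise tenant
    return "allow"

# Constructed sample traffic: three requests to the same hostname.
SAMPLES = {
    "personal": Request("chat.openai.com", "/chat", {"Cookie": "session=abc"}),
    "enterprise": Request("chat.openai.com", "/chat", {"Cookie": "workspace=acme-corp"}),
    "enterprise_upload": Request("chat.openai.com", "/upload",
                                 {"X-Tenant-Id": "acme-corp"}, 40 * 1024 * 1024),
}

def compare() -> dict:
    """Map each sample to (DNS decision, endpoint decision)."""
    return {k: (dns_policy(r), endpoint_policy(r)) for k, r in SAMPLES.items()}
```

Every sample resolves to "allow" at the DNS layer; only the endpoint policy separates the personal session from the enterprise tenant and flags the oversized upload.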
The three-layer AI governance gap, mapped against Umbrella
Modern AI governance has three layers, and Umbrella covers part of one of them.
Layer one: shadow AI discovery
Knowing which AI tools your employees actually use, on which accounts, on which devices. Umbrella can show you that chat.openai.com was resolved. It cannot show you that 312 of those resolutions came from personal accounts and 47 came from your enterprise tenant. dope.security's Shadow IT discovery surfaces that split, by user, by device, including unsanctioned MCP servers and AI wrappers.
Layer two: SWG policy
Allow, warn, block, with the full URL, TLS body, and DLP context. Umbrella can block a domain, but it cannot warn on a specific upload, allow research-only access, or block a paste of PII into the prompt window. An endpoint SWG can.
Layer three: Cloud Application Control
Restrict access to approved tenants only. This is the layer where personal ChatGPT, Claude, Gemini, Google, and Microsoft 365 logins get blocked at the tenant level while enterprise accounts pass through. Umbrella does not operate at this layer because the layer does not exist at DNS. dope.security ships it as a core part of dope.SWG.
What this looks like in practice
A boutique investment bank running Umbrella came to dope.security because their AI committee asked one question their security team could not answer: how many of our employees are using personal ChatGPT accounts to summarize client documents? Umbrella showed traffic to chat.openai.com. It could not show whose account or what was being uploaded. After the cutover, the same question had a precise answer inside a week, with one-click remediation: block personal, allow enterprise.
Greylock Partners ran a similar evaluation and ditched Cisco Umbrella for dope.security in 27 days. The DNS-only architecture missed HTTPS traffic, and the SWG component Cisco offered still backhauled through Cisco data centers, which added latency on a distributed, device-first VC team.
Why this matters more in 2026 than it did in 2024
Two years ago, AI governance for most companies was a policy document and a blocklist. Today, every meaningful workflow has an AI assistant in it. Claude is summarizing contracts. ChatGPT is rewriting marketing copy. Gemini is parsing PDFs. Copilot is drafting code. Your DLP categories from 2022 do not cover any of those motions, and your DNS resolver cannot see what they are uploading.
If your renewal is up on Cisco Umbrella and the AI committee is asking sharper questions, the architecture you replace it with matters. A DNS resolver swap solves yesterday's problem. An endpoint SWG with Cloud Application Control and on-device DLP solves the one you have now.
What replacing Umbrella with dope.security actually looks like
dope.security deploys as a lightweight agent via Intune, Jamf, or any MDM. Under 100 MB RAM, 4x performance versus legacy cloud-proxy SWGs, no data center backhaul. One console for SWG, CASB Neural, Dopamine DLP, and Cloud Application Control. Migrations are measured in days, not quarters: another Cisco Umbrella customer hit 2,000 machines in two days, and the Greylock cutover took 27 days from first proposal to signed contract.
If you are evaluating what comes after Umbrella, the right comparison is not DNSFilter or another DNS resolver. It is the layer your DNS resolver cannot reach.
See it in action. Book a 20-minute demo and we will show you exactly which personal AI accounts are active on your fleet today, then how to allow only your enterprise tenant. Or start a free trial of dope.security.