The One Question Cisco Umbrella Couldn't Answer for a Mid-Market Energy Company's AI Committee

"Are people signing in to our licensed AI tenants, or their personal ones?"

That was the question the AI policy committee at a mid-market oil and gas operator kept circling. The committee had spent a quarter standing up a policy that allowed the company's licensed ChatGPT and Claude tenants for specific business units while keeping personal accounts off the corporate fleet. The policy read cleanly. The enforcement did not. With Cisco Umbrella in place, the team could resolve chat.openai.com and claude.ai. They could allow or block those domains wholesale. What they couldn't do, and what their committee kept asking for, was distinguish between an engineer logged into the company tenant and the same engineer logged into a personal account on the same domain. That's where they started shopping for a Cisco Umbrella competitor.

Quick read

• Industry: Energy (oil and gas)
• Replaced: Cisco Umbrella
• Deployed: dope.SWG and Cloud Application Control (CAC)

What they evaluated

The Principal Architect leading the eval set three criteria the team wouldn't compromise on. The new tool had to read the tenant identifier inside the AI app session, not just the domain. It had to be deployable across engineering and back-office laptops without standing up another console. And it had to ship a working proof of value in days, not a quarter. The team had read the case for replacing Cisco Umbrella in 2026 before the first call and arrived at vendor demos with sharp questions.

They looked at the incumbent's roadmap. They looked at two SSE platforms with AI controls on slideware. And they looked at dope.security after a peer in the region had mentioned the tenant-aware enforcement.

The architecture story mattered. The team had been working around Umbrella's hairpin for years. Site engineers on the road would lose policy when off-network, and the DNS resolver only saw half of what crossed their endpoints anyway. Moving to an on-device proxy meant policy lived where the traffic happened, on the laptop, instead of three hops away in a regional cloud.

"We didn't need a slide about AI controls. We needed a tool that knew which tenant an engineer was logged into. dope was the only vendor that demoed that on a real laptop in our first call."

- Principal Architect, a mid-market energy organization

What they picked

CAC (Cloud Application Control) reads the tenant identifier inside the AI app session and applies policy at that layer. The committee's specific ask, allow the licensed ChatGPT tenant and block personal logins on the same domain, was a default capability, not a roadmap item. The same logic extended to Claude tenant controls and to the company's Google Workspace personal-vs-enterprise sign-in patterns.

The proof of value ran in an afternoon. The team enrolled a small set of engineering laptops, pushed the policy, and watched the console log a personal ChatGPT sign-in blocked while the same user's licensed tenant sign-in passed through. The committee chair watched the demo in real time and signed off the next morning.

The team expanded to the rest of the workforce inside weeks. They paired the CAC rollout with dope.SWG, which gave them HTTPS inspection on the same agent. Umbrella's DNS-only layer had been blind to a lot of what flowed through the encrypted half of the internet, and the AI use case was only the most recent reminder. The replacement gave them the same coverage on phishing, malware, and category-based filtering without the regional backhaul.

The 24/7 white glove support team showed up in a way the architect noticed. There was no Tier 1 ticket queue. The named engineer who ran the proof of value was the same one who answered the team's first policy edge case at 3am during the broader rollout. The Slack channel had real responses, not auto-replies, and the response times were measured in minutes. When the architect later asked about tightening policy on a second AI tool the committee added to the approved list, the conversation happened the same morning.

The team built their broader rollout on the principles in the three-layer AI governance stack and folded in the company's own AI usage policy enforcement language so the technical controls matched the written policy.

What changed

• Tenant-aware enforcement on AI domains became the default state, not a perpetual exception.
• HTTPS inspection coverage moved from a partial layer at the DNS level to the full traffic path on the endpoint.
• Site engineers off-network kept policy through every connectivity change, not just when they reached the regional resolver.
• Console count dropped by one. The AI committee got their answer inside one console instead of stitching two together.
• The renewal conversation simplified. One contract, one product family, one set of capabilities that lined up with the policy on paper.

FAQ

Q: How does dope.security tell which AI tenant a user is signed into?

CAC reads the tenant identifier that the AI app itself emits inside the session. The product applies policy at that layer, allowing the company's licensed ChatGPT or Claude tenant while blocking personal sign-ins on the same domain, all on a single agent.

Q: Did the team have to keep Umbrella around for DNS while testing dope.security?

No. The proof of value ran on a small set of laptops with dope.SWG and CAC in parallel to the incumbent. Once the policy passed the committee's tests, the team migrated the rest of the fleet without a parallel-run period.

Q: Does the on-device proxy add overhead on engineering laptops?

The team didn't see a measurable change in engineering workflow performance, which mattered because the architect tested it before signing off. Policy and inspection happen on the device, which removed the round-trip latency Umbrella's SWG component had been adding.

About dope.security

dope.security, the Distributed On-device Proxy Endpoint, is the preferred security vendor for security leaders across SMBs, midsize enterprises, Fortune 500 companies, and the world's top VC and PE firms. Deployed in 83 countries, dope.security protects web, data, and AI traffic globally through its patented fly-direct architecture.