# OpenAI {% hint style="warning" %} This integration is currently in Alpha. If you would like to get early access to test this integration, please get in touch with your Duo Care team, Duo Support, or open a Cisco TAC Case to have it enabled on your account. {% endhint %} ## Overview Cisco Identity Intelligence can integrate with OpenAI to gather data via their [OpenAI Compliance API](https://chatgpt.com/admin/api-reference#tag/Introduction) to surface users who have access to OpenAI models, how those models are being used, how they are configured and what tools they have access to. Using this data, Identity Intelligence can generate beneficial insights regarding the users and Non-Human Identities (NHIs) within OpenAI, such as improperly configured tools, improper use of tools, privilege escalation, data loss prevention, and more. ### Requirements The following are necessary to configure the OpenAI integration: 1. OpenAI Enterprise subscription 2. OpenAI workspace(s) 3. An OpenAI Enterprise Platform admin account capable of creating API keys ### OpenAI API Permission Structure Identity Intelligence requests the minimal scopes necessary to complete the required operations to support the integration. For this integration, Identity Intelligence requires a \`read-only\` API token. **Note**: The OpenAI Compliance API currently utilizes a coarse-grained permission structure that only supports either `read-only` or `read-write` permissions, and requires you to grant the API token permission to the whole API. It does not support granting a token access to limited portions of the API at this time. ### Managing Conversation Data Collection Preferences for ChatGPT & Codex The OpenAI Compliance API contains both conversation metadata and conversation logs regarding the conversations happening between end-users and your organization's instance of ChatGPT or Codex, which Identity Intelligence can retrieve via this integration. The conversation logs from these tools contain valuable data and information that Identity Intelligence can then analyze to generate and surface interesting insights about potential issues or risks associated with the OpenAI usage within your organization, such as detecting improper tool use or assisting with data loss prevention initiatives. \ \ However, we understand that this data may be sensitive and your org may not want, or allow, Identity Intelligence to retain conversation logs between your end-users and OpenAI models. For that reason, there are three setting options available that enable you to configure what conversation data Identity Intelligence is allowed to process so that you can select the preferred data handling method for your org. These three settings are: 1. **Do not collect ChatGPT or Codex conversation logs** 1. Identity Intelligence will not retain **any** conversation metadata or logs 2. ***\[Default Setting]***** Collect conversation metadata only without conversation message content** 1. Identity Intelligence will retain conversation log **metadata only**, but will not retain **any** fields that contain data regarding user prompts or model responses 3. **Collect conversation metadata and conversation content** 1. Identity Intelligence will collect and retain **full** conversation data, including **all** metadata, user prompts and model responses The following table depicts the different capabilities and functionality that Identity Intelligence can perform based on the available Conversation Log settings. {% hint style="info" %} Note: The insights and capabilities listed below may represent future functionality that will be developed for the General Availability release, or after, and do *not* have guaranteed availability during Alpha {% endhint %}
Option 1: Do not collect ChatGPT or Codex conversation logsOption 2: Collect conversation metadata only without conversation message contentOption 3: Collect conversation metadata & conversation content
Baseline visibility
Account directory-based data and insights
Eg: Account activity, dormant accounts, admin privileges, etc.
GPT definition-based data and insights
Eg: Known risky tools, broadly defined tools, tools available to users who shouldn’t have access, etc.
Basic tool usage insights
Eg: Which tools were executed, what tool replied, etc.
Deeper insights based on detailed conversation logs
Eg: Tool misuse, AI drift, data exfiltration, etc.
## OpenAI Configuration Steps {% hint style="info" %} To configure this integration, OpenAI will first need to grant your organization custom Compliance API Scopes. This process, outlined in the OpenAI docs referenced in Step 1 (below), requires OpenAI support team involvement and may take **several days** depending on their availability and responsiveness.\ We encourage you to start this step as early as possible to avoid delays. {% endhint %} 1. [Reference the **Authentication** section of the OpenAI docs](https://chatgpt.com/admin/api-reference#tag/Introduction) and follow the steps to obtain and save your API key. Copy down this this API key somewhere secure as you will needed it to complete the integration set up process in Identity Intelligence and you ***cannot*** generate the full API key again after it has been generated 1. Make sure that you have created the API key under a **service account** and ***not*** as your own user or the integration will not work correctly 2. Then navigate to the [**Organization Admin keys** setting page](https://platform.openai.com/settings/organization/admin-keys) and select **Create new admin key.** Give the key a name that is easy to recognize as linked to Identity Intelligence (eg: `Cisco Identity Intelligence Admin API Key` 1. Note: OpenAI does **not** provide the option to create an admin API key linked to a service account 3. Select **restricted** permissions and grant **read** **audit log scope** and **read organization administration scope**. The settings should look like this:
4. Once you have applied the correct permissions and scopes, select **Create Admin Key.** After you have successfully created the key, **make sure to save the secret value.** You will need this for later steps and you will **not** be able to see it again 5. Navigate to the [data controls settings](https://platform.openai.com/settings/organization/data-controls/data-retention) section in OpenAI and **enable audit logging** 6. Then, navigate to the [**Workspace Admin Settings**](https://chatgpt.com/admin) section in OpenAI. Review the workspace name to confirm that you have selected the correct workspace 7. On the **Workspace Admin Settings** page, you will find an **Organization ID** and a **Workspace ID** (screenshot example below). Copy both of these down as you will need them to complete the integration set up process in Identity Intelligence
## Identity Intelligence Configuration Steps After you have completed the OpenAI configuration steps outlined above, navigate to the **Integrations** page within your Identity Intelligence tenant and perform the following steps : 1. From the **Integrations** page, select the **Add Integration** button. Locate and select **OpenAI Enterprise** from the list of possible integration sources 2. Enter an easily recognizable display name for this integration (eg: `OpenAI `). This display name will be used throughout Identity Intelligence to identify the integration among your other connected sources 3. Enter the workspace ID and organization ID that you copied during Step 5 of the [OpenAI Configuration Steps](#openai-configuration-steps) section above into their respective fields
4. Select the desired Conversation Log Collection setting 1. More detailed info on the available settings are provided above in the [Managing Conversation Data Collection Preferences](#managing-conversation-data-collection-preferences-for-chatgpt-and-codex) section 5. Enter both the **Compliance** key and **Admin API** key generated previously in OpenAI into their respective fields 6. Select the **Connect** button to test the configuration connection 7. Once the connection test is successful, navigate back to the main **Integrations** landing page, locate the OpenAI integration in your list of integrations. Select the **3-dot menu button** on right-hand side of the relevant row to open the menu, then select **Collect Now** to begin the OpenAI data ingestion process 6. **Note**: Data collection can take some time, depending on the size of your environment. We recommend giving data ingestion a few days to stabilize before closely examining the results