Free Speech Absolutist Cloudflare Now Gives Employers Access to Employees’ ChatGPT Prompts

Employers might love generative AI—until an employee pastes internal financials or proprietary code into ChatGPT, Claude, or Gemini, and the company’s secrets float into the cloud.

Cloudflare, whose technology powers nearly 20% of the web, today rolled out AI oversight into its enterprise security platform, Cloudflare One. The feature gives IT teams instant visibility into who’s chatting with AI—and what they’re secretly feeding it. The company is positioning it as a kind of X‑ray eyes for employees’ generative AI usage, tucked into the dashboard the IT guys already use.

“Admins can now answer questions like: What are our employees doing in ChatGPT? What data is being uploaded and used in Claude? Is Gemini configured correctly in Google Workspace?” the company said in its blog post. 

Shadow AI no more

Cloudflare says that three out of four employees use ChatGPT, Claude, or Gemini at work for everything from text edits and data crunching to debugging and design. The problem is that sensitive data usually disappears into AI tools without leaving a trace. Cloudflare’s product integrates at the API level and scans for questionable uploads. 

According to the company, a rogue prompt can instantly train an external model with your confidential data, which is then gone forever. 

Larger competitors in the enterprise security space—such as Zscaler and Palo Alto Networks—also offer AI oversight. Cloudflare claims that what sets Cloudflare One apart is its hybrid, agentless model. It combines out-of-band API scanning (for posture, configuration, and data leaks) with inline, edge-enforced prompt controls across ChatGPT, Claude, and Gemini—all without requiring software installation on endpoints. 

A free speech absolutist

Cloudflare has long branded itself as a content-neutral infrastructure provider—not a moderator—meaning it generally refrains from policing what its clients publish, unless ordered to do so by law. This stance traces back over a decade: CEO Matthew Prince has emphasized that Cloudflare is not a hosting platform and doesn’t determine what content is permissible; instead, it simply ensures that websites—regardless of their ideology—stay online and protected.

This “free-speech absolutist” approach has drawn scrutiny. Critics note that Cloudflare has enabled hate-filled, extremist, or otherwise harmful sites to remain accessible—often solely because no authoritative request to drop them was made. A 2022 Stanford study found that Cloudflare disproportionately serves misinformation websites relative to its overall share of internet traffic.

Still, there have been rare reversals. In 2017, Cloudflare terminated services for white supremacist site The Daily Stormer—a controversial move, made only after the site falsely claimed Cloudflare secretly shared its pro-Nazi beliefs. Prince later described the decision as a reluctant exception, made under pressure that forced a break from their policy of neutrality.

Similarly, in 2019, Cloudflare dropped 8chan following its link to mass shootings, acknowledging that the community had become dangerously lawless.

More recently, in 2022, Cloudflare finally pulled support from Kiwi Farms amid mounting harassment, doxxing, and threats to human life. That shutdown came after activist-led pressure and reports of escalating violence.