As AI agents become a standard part of enterprise workflows, the ability to preview a file is enough to read, comprehend, and reproduce what's inside. Classification-Based Access Policy gives admins a new control in Box Shield to govern exactly what AI agents and application integrations can access, not just what they can download.
This closes a growing gap: AI agents don't need to download a file to exfiltrate it. If they can preview a document, they can read, comprehend, and reproduce what's inside.
With this release, admins can now govern integrations’ access to content based on classification, applying separate rules for Download and Read actions across any integration or Shield list.
What's new
Admins can configure the Integration Restriction security control with two independent action toggles:
- [Existing] Download restriction, which continues to work as it does today and stays on by default for existing policies.
- [New] Read restriction, a new control that blocks integrations from previewing, viewing, searching, or reading the text representation of restricted files.
The Read restriction action supports two scopes:
- Block all integrations except selected integrations
- Allow all integrations except selected integrations
Download and Read scopes are configured independently. You can block all integrations from downloading content while restricting reading access to a select list of approved integrations, or any other combination that fits your risk tolerance.
Admin action required :The Read restriction toggle is off by default. To apply this control, admins must enable it within the Integration Restriction security control in Box Shield. No changes are made to existing policies automatically.