A hidden routing behavior between Safari, Apple Intelligence, and ChatGPT created a blind spot that left file uploads out of view.
Ready or Not, Here Comes AI
What happens when the systems we rely on for visibility are built on incomplete assumptions?
What happens when privacy layers, platform abstractions, and ecosystem-specific behavior create gaps that monitoring tools were never designed to handle?
This research began while investigating an issue with ChatGPT. I couldn’t imagine that it would lead me back to Apple Intelligence. Again.
Looking Everywhere but the Right Place
Organizations are trying to keep up with AI adoption using the tools they already have: secure web gateways, CASBs, DLP controls, and network inspection products.
The problem is that these controls were designed for a world in which traffic followed more predictable paths.
If a user connected to a cloud service, there was usually a direct enough relationship between the endpoint, the destination, and the monitoring layer to make inspection meaningful.
That model breaks when a platform vendor inserts its own privacy infrastructure.
A few years ago, Apple introduced iCloud Private Relay for Safari.
Its purpose is to conceal a user’s network identity from both the provider and the remote host.
For consumers, that may sound like a privacy enhancement. For enterprises, it also introduces a blind spot, because relay-based traffic reduces the ability of network monitoring tools to inspect and classify activity in the usual way.
Many organizations choose not to adopt it for exactly that reason.
But the more interesting question is not whether Private Relay itself creates visibility challenges. It is whether Apple reuses similar logic elsewhere in the ecosystem, in places where organizations may not realize they are losing visibility at all.
Apple Intelligence Takes the Hidden Path
One of those places turns out to be Apple Intelligence.
When Apple enabled Apple Intelligence to extend certain capabilities through third parties, many people assumed that accessing ChatGPT through Apple Intelligence meant that the device was communicating directly with OpenAI.
In practice, that was not the behavior that appeared.
Instead, traffic seemed to be routed through Apple-managed relay infrastructure built around the same general privacy model as iCloud Private Relay. In other words, Apple was not simply handing the request off to OpenAI in a standard, directly visible way. It was inserting an intermediary layer.
So, every time you tap into ChatGPT from Apple Intelligence, your traffic goes through the dedicated Relay, which is hosted under apple-relay.apple.com.
Now You See the Upload, Now You Don’t
The most surprising part was not the relay itself. It was what happened with file uploads in ChatGPT.
File uploads in ChatGPT all go through oaiusercontent.com , which are OpenAI’s file hosting servers.
This is the domain you expect to see when inspecting ChatGPT file uploads.
A few months ago, we started seeing more and more inspection failures from different network monitoring tools, such as SASE providers, SWGs and other network proxies.
After some investigation, we isolated the issue to the macOS app and ChatGPT through the Safari browser.
All other browsers and operating systems were still working as expected.
What’s the difference? Apple iCloud Private Relay.
Safari Joined the Game
Safari and Apple Intelligence seem to share the same logic regarding the extension service. So, whenever a user uploads a file to ChatGPT in Safari, it triggers the same proxying behavior.
What initially looked like a contained Apple Intelligence routing decision became a broader ecosystem blind spot.
The user has no control over this behavior. You can turn off your iCloud Private Relay settings, Safari Private Relay setting, or disabling Apple Intelligence at all, but it won’t make the problem disappear. The relay logic seems to be embedded natively in macOS, so native products like Safari and ChatGPT for macOS inherit it with no option to turn it off.
The funny thing in this situation is that if you tries to block Apple Intelligence Private Relay on the network level, you won’t be able to upload files to ChatGPT at all.
If You Can’t See It, You Can’t Secure It
As AI becomes more deeply embedded inside operating systems and browsers, hidden routing behavior will become more common, not less. Similar blind spots will continue to appear, often in places where defenders are not looking.
That means organizations need to rethink what visibility really means in the age of AI.
It is no longer enough to ask whether AI tools are being used. The better question is whether the paths those tools take are actually visible to the controls meant to govern them.
Because if file uploads can disappear behind trusted ecosystem behavior, then the
problem is no longer a lack of monitoring.
It is a lack of understanding.
And in security, the difference between the two matters a lot.
Disclosure Timeline
December 2025: first observed
January 2026: initial disclosure
February 2026: disclosure acknowledged
March 22, 2026: Apple released a fix through a service update
