As businesses accelerate the use of generative AI tools, cyber security teams are confronting a growing reality: traditional data loss prevention (DLP) controls were never designed for the way employees now use AI. This is according to Yolande Gething, Principal Cyber Security Specialist at Cyberforensics, part of the Hyperclear Tech group.
For years, DLP strategies focused on monitoring structured data moving through predictable channels such as e-mail, USB devices, printing and file transfers. But browser-based AI platforms, autonomous agents and AI-connected enterprise applications are fundamentally changing how sensitive data moves through systems.
“Traditional DLP tools were built around known loss vectors and structured data,” says Gething. “But employees are now pasting sensitive information directly into AI tools, uploading files into browser-based platforms and connecting AI systems to internal data sources in ways many businesses are not properly monitoring.”
Unlike conventional data transfers, AI-related exposure often occurs through ordinary employee workflows. Staff upload reports into AI assistants to summarise documents, analyse spreadsheets, draft presentations or generate communications. Developers increasingly rely on AI coding assistants to accelerate software delivery, while AI tools are also being connected directly to cloud platforms such as SharePoint and Google Drive.
The problem, cyber security specialists warn, is that many users do not fully understand where that data goes once it leaves the organisation’s environment. Depending on provider policies and configurations, information entered into public AI tools may be temporarily stored, retained for monitoring or even used to improve future AI models.
The challenge is that traditional DLP solutions rely heavily on pattern matching, exact fingerprinting and predefined rules. AI interactions are far less predictable. Sensitive information can now appear in prompts, screenshots, conversational queries, generated outputs or automated workflows that older DLP tools were never designed to inspect effectively.
At the same time, autonomous AI agents introduce additional concerns. Compromised agents could potentially exfiltrate sensitive information rapidly or exploit excessive permissions granted to AI systems. Poorly configured integrations may also expose large volumes of enterprise data unintentionally.
Software development environments present another growing risk area. AI-generated code may contain vulnerabilities or insecure logic if developers fail to apply sufficient human oversight before deploying outputs into production systems.
In response, organisations are beginning to rethink how DLP functions in practice. Security teams are increasingly exploring AI-aware monitoring tools capable of analysing browser interactions, prompt activity and contextual data usage patterns. Technologies such as browser isolation, API-level inspection and real-time redaction are gaining traction as businesses attempt to regain visibility into how sensitive information is being shared with AI platforms.
Governance is also becoming a priority. Many businesses are introducing formal AI acceptable-use policies, employee awareness programmes and vendor risk assessments aimed at understanding how AI providers store, process and protect enterprise data. NLP-enabled DLP tools are also emerging as a key focus because they can analyse the meaning and context of information rather than relying solely on static keywords or file fingerprints.
“The reality is that companies need to evolve their current approach to DLP by incorporating technologies that are proving successful in monitoring AI interactions,” Gething explains.
The growing concern among cyber security professionals is that AI adoption is happening faster than governance and security controls can mature. Many employees are already using AI tools informally, often outside approved enterprise frameworks, creating a rise in so-called “shadow AI” usage.
At the same time, organisations are under pressure not to slow innovation. Businesses want employees to benefit from the productivity gains AI can deliver, but without exposing sensitive customer data, intellectual property, financial information or regulated records in the process.
For many, the question is no longer whether AI introduces new data loss risks. It is whether existing security models can evolve quickly enough to keep pace.
Share
Cyberlogic
Cyberlogic is a leading provider of secure, scalable cloud and IT services, helping businesses transform through world-class managed services, cyber security, and automation.
For more information, please visit: www.cyberlogic.co.za
Editorial contacts