For many years, data loss prevention was treated as a control that could be applied to known systems, users and routes. Sensitive information could be identified through patterns, rules, classifications or fingerprints, and policies could be applied to prevent it from leaving the organisation through e-mail, file shares, removable storage or other familiar channels.
That model still has value, but it is being stretched by the way organisations now work. Data no longer moves neatly from one internal system to one external destination. It moves across cloud platforms, software as a service applications, analytics tools, collaboration environments, APIs, remote devices and third-party ecosystems. In African enterprise environments, that movement often crosses regions, providers and regulatory boundaries as businesses modernise infrastructure and serve customers across multiple markets.
This is why data loss prevention (DLP) needs to be reconsidered in the age of AI.
“Traditional DLP was built for a more predictable environment,” says Phila May, Executive GTM at inq. Digital. “The challenge today is that data is moving through far more dynamic systems. If organisations are still relying only on static rules and perimeter controls, they are going to miss important parts of the risk.”
AI challenge
AI has made the problem more urgent by introducing new ways for sensitive information to leave controlled environments. Employees may paste customer data, source code, financial information, contracts, credentials or internal technical details into generative AI tools to speed up their work. Copilots and assistants may summarise documents, scan inboxes, interpret spreadsheets or retrieve information from enterprise platforms. Automated agents may be granted access to applications, databases, ticketing systems and collaboration tools to complete tasks with minimal human involvement.
The risk is not simply that people may use AI tools carelessly. The deeper issue is that AI changes the nature of data movement. A prompt can become a data transfer. A summary can expose confidential information. An agent with excessive permissions can move data faster than a human user ever could. A malicious instruction embedded in a document or third-party interaction can manipulate an AI system into revealing information or performing an action outside the organisation’s intended policy.
“A modern DLP approach has to understand context. It is not enough to know that data matches a certain pattern. Organisations need to understand whether the behaviour makes sense, whether the user is authorised and whether the data is being used in a legitimate business process,” says May.
Hybrid environments
This is particularly important as more organisations adopt hybrid and multicloud architectures. Data may reside in a local environment, move to an Azure or AWS workload, be analysed via a SaaS platform, and then be shared with a supplier, partner or customer-facing application. Traditional inspection points do not always see these flows, especially when data moves through APIs, encrypted sessions or application-to-application integrations.
Effective DLP, therefore, has to become layered. It starts with data discovery and classification, because organisations cannot protect sensitive information they have not identified. It also requires identity-aware policies that connect access decisions to users, devices, roles, applications and data sensitivity. In AI-enabled environments, prompts and responses should be inspected for confidential information, and high-risk data should be redacted before it is sent to external models or services.
Dealing with agents
Agent governance is another important layer. AI agents should not be given broad access simply because they are useful. Permissions must be limited to what the task requires, and higher-risk actions such as exporting records, attaching customer data or sending information outside the organisation should require approval, logging and review.
Behaviour analytics also becomes central. If a user account, API key or automated process suddenly accesses unusually large volumes of sensitive information, connects from an unfamiliar location or deviates from its normal behaviour, that activity should trigger an alert. In this environment, the ability to detect abnormal data movement in real-time matters as much as the ability to block known violations.
For African organisations, the pressure is practical. Cloud adoption, AI experimentation, data modernisation and cross-border digital services are already changing how information flows through businesses. Security teams need to support that progress without making sensitive data invisible.
“The answer is not to stop innovation, but to build the right controls around it. AI can create enormous value, but organisations need to govern how data is accessed, shared, processed and retained.”
More static rules will not define the future of DLP. It will depend on visibility, context, identity, behaviour and real-time control. In the age of AI, organisations need to move beyond asking whether data has crossed a boundary. They need to understand whether the movement is appropriate, authorised and safe.
Share
inq.
inq. is a Convergence Partners company, a global leading-edge computing technology company founded to provide innovative, customised, and business-relevant digital services on the edge. inq. connects over 1,200 of Africa’s leading corporations in 9 countries, serves clients in Europe and UAE, and has a footprint in India. The company is prominent for its innovative IP and business-rendering solutions and services such as Edge AI & IoT, Fabric, SDN/NFV, Edge Orchestration and Elastic Edge. The company continues to invest and expand its footprint as a global leading-edge solutions provider.
For more information, please visit: www.inq.inc.
Editorial contacts