Why Email DLP Fails on ChatGPT (and what works instead)
Legacy proxy and gateway DLP cannot read encrypted browser traffic to ChatGPT, Claude or Gemini. Here is why, and the only architecture that does.
The blind spot your DLP vendor will not advertise
Open your SIEM and search for DLP incidents tied to chatgpt.com, claude.ai or gemini.google.com over the last 30 days. For most organisations the count is zero. Not because nobody pasted anything sensitive — usage telemetry says the median knowledge worker hits ChatGPT 22 times a week — but because the DLP stack physically cannot see inside the session. The TLS handshake completes, the streaming response arrives, and the proxy is left counting bytes it cannot parse.
This is not a tuning problem. It is an architectural one. Every category of pre-2023 DLP — Symantec, Forcepoint, Microsoft Purview when used at the network layer, Netskope CASB, Zscaler — was designed for a web that does not exist anymore. Let us walk through why, and what the alternatives actually deliver in production.
TLS 1.3, certificate pinning, and the death of MITM
The classic gateway DLP works by terminating TLS in the middle. The corporate CA is pushed to every managed device, the proxy presents a fake certificate for chatgpt.com, the user's browser trusts it because the root is installed, and the proxy reads the plaintext. This worked for a decade. It is now structurally broken for three reasons.
First, TLS 1.3 with 0-RTT resumption hides large parts of the handshake — including the SNI in many configurations — behind early data. Second, modern browsers ship with a hardcoded list of certificate pins for high-value domains, and Chromium increasingly enforces Certificate Transparency with SCT validation. A proxy that injects its own certificate triggers a hard fail on those domains, not a warning the user can click through. Third, Encrypted Client Hello (ECH) is rolling out across Cloudflare-fronted services right now. Once ECH is mandatory, the proxy cannot even see which hostname is being contacted, let alone what is in the body.
The OpenAI desktop app and the Anthropic Console explicitly pin their first-party API calls. A MITM attempt does not silently inspect — it breaks the connection. Security teams that try to brute-force this end up with a flood of helpdesk tickets and no inspection.
WebSocket framing kills payload inspection even when MITM works
Suppose for a moment that you do manage to terminate TLS on your own proxy. You still cannot read the conversation. ChatGPT and Claude do not send a request and receive a JSON response. They open a persistent WebSocket (or Server-Sent Events stream) on the same TLS channel and exchange framed binary chunks that carry both the user prompt and the streaming completion, token by token.
Most proxy DLP engines do not parse WebSocket frames at all. The ones that do are pattern-matching on opaque framing without an understanding of the conversational protocol — they see a blob of bytes, miss the prompt boundary, and either pass everything or block everything. The same applies to Gemini's gRPC-Web transport. Streaming is the default UX of modern AI, and streaming is exactly what gateway DLP was never built to read.
The "just block the domain" trap
The first reaction of a stretched security team is the firewall rule: block chat.openai.com at the egress. This is the cybersecurity equivalent of locking the front door while leaving every window open. Three things happen within a week.
- Employees switch to mobile. The 22 prompts a week become 22 prompts a week on a personal phone, off-network, with zero logging.
- Shadow AI explodes. People register personal accounts with personal emails and use AI tools the security team has never heard of — DeepSeek, Poe, You.com, Mistral's Le Chat, a dozen ChatGPT wrappers.
- The business demands an exception. Marketing, legal, engineering all argue — correctly — that they need the tool. IT grants per-user exceptions and the policy collapses.
Blocking the domain creates the illusion of control while making the actual leakage harder to see. The CNIL, the BfDI and the ICO have all published guidance pointing out that non-monitored use is a worse compliance posture than monitored use, even when the monitored use technically crosses a border.
CASB: better, but with a hole shaped like "every new AI tool"
CASB platforms (Netskope, Zscaler, Microsoft Defender for Cloud Apps) improved the situation by getting cloud-native. They have API integrations with sanctioned SaaS, they can apply policy to OpenAI Enterprise tenants, and they understand more of the modern handshake than legacy boxes do. For ChatGPT Enterprise and Microsoft Copilot for M365, a CASB does real work.
The hole is the long tail. CASB requires the vendor to have written a connector for that specific tool. There is no Netskope connector for Mistral Le Chat in the free tier, no Zscaler policy for a self-hosted Ollama instance on a developer laptop, no Defender visibility into the seventeen ChatGPT browser extensions an employee installed. CASB vendors call this "Universal mode" or "any-app coverage" and it almost always means traffic-pattern heuristics, not content inspection. You see something went to somewhere AI-ish; you do not see what was in the prompt.
Add latency. CASB inline mode routes every browser session through a vendor PoP. For a Berlin user hitting Claude on us-east-1, that is a measurable hit on a streaming token response that is already latency-sensitive. Users notice. Users find workarounds.
Browser isolation: it works, and almost nobody uses it twice
Cloudflare Browser Isolation, Forcepoint RBI and Menlo all solve the inspection problem by moving the browser itself into the cloud. The local screen receives only pixels; copy/paste and file upload are intercepted at the isolation layer. From a pure DLP standpoint this is the strongest gateway option.
The cost is felt by users immediately. Copy/paste latency, broken Markdown rendering, occasional WebSocket disconnects on long Claude completions, Google SSO loops, image generation that downloads as a flat screenshot rather than a real file. Adoption surveys consistently show isolation deployments collapse within six months unless the security team accepts that 30–50% of users will route around them. The economics are also brutal: per-seat pricing for RBI typically lands 4–8× higher than a client-side approach.
Browser isolation is the technically correct answer to a question nobody outside the security team wants to ask. It works in the lab and dies in the org chart.
The client-side approach: sit inside the browser, not in front of it
The only architecture that survives TLS 1.3, ECH, WebSocket framing, mobile fallback and shadow AI is one that runs between the user and the encryption layer: in the browser itself, as an extension, and on the desktop as a native agent for apps that bypass the browser. That is the Zeuslock approach.
By hooking into the DOM and the browser's WebSocket API, the prompt is inspected before TLS wraps it. The three-layer detection pipeline — local regex for fast obvious matches, a fine-tuned NER model, then context heuristics — runs client-side in milliseconds, with optional confirmation from an EU-hosted ML API. No certificate to install. No traffic to reroute. No latency added to the response stream. The user sees an inline warning, an automatic anonymisation (a real AWS AKIA key replaced by a structurally valid fake), or a hard block, depending on the policy mode.
The same engine extends to Claude Code, Cursor, Copilot CLI and Aider through the Zeuslock CLI and desktop agent. MCP traffic between agents and tools is inspected at the protocol boundary. Universal mode covers tools the team has never heard of, because the detection runs on the prompt content, not a vendor allowlist.
Honest comparison
| Approach | Sees prompt content | Covers shadow AI | UX impact | Cost shape |
|---|---|---|---|---|
| Legacy proxy / gateway DLP | No (TLS 1.3, pinning, ECH) | No | Low until it breaks pinning, then high | Already paid for, no incremental value |
| Domain blocking | No | No — pushes to mobile | High; users route around | Free; negative ROI |
| CASB inline | Partial, named apps only | No (long tail) | Medium (latency) | Per-seat, mid |
| Browser isolation | Yes | Partial | High (copy/paste, latency) | Per-seat, high |
| Client-side DLP (Zeuslock) | Yes, pre-encryption | Yes, including Universal mode | Invisible until a finding | Per-seat, low–mid |
What to do this quarter
- Pull a 30-day report from your existing DLP filtered on chatgpt.com, claude.ai, gemini.google.com and copilot.microsoft.com. If the incident count is suspiciously low, you have the blind spot.
- Survey actual usage with a 2-week browser-side telemetry pilot. Expect 5–10× more AI traffic than your gateway sees.
- Roll a client-side extension in Monitor mode for weeks 1–2, Anonymize for weeks 3–5, Block for the highest-severity finding types from week 6. The progression is in the policy configuration guide.
- Decommission the proxy rules that target AI domains. They are giving you false comfort.
If your DLP didn't see your team's 22 ChatGPT prompts yesterday, it won't see the AWS key they pasted tomorrow.
Protect your data from AI leaks
Try Zeuslock free — DLP for ChatGPT, Claude, Gemini and more.
Book a demo →