Definition
AI DLP
AI DLP (AI Data Loss Prevention) is software that detects, blocks or anonymises sensitive data before it leaves an organisation to a generative-AI service like ChatGPT, Claude, Gemini or Copilot.
Unlike legacy DLP — which inspects email attachments, SaaS uploads and SMB shares — AI DLP intercepts the prompt itself, at the browser, desktop, CLI or MCP-agent layer. The categories that matter are credit cards, API keys, passwords, source code, customer PII and any data subject to GDPR / EU AI Act / NIS2 / DORA. A modern AI DLP runs in two modes: Alert (warn the user, optionally anonymise) and Block (silently redact the sensitive substring before the prompt is sent).
Why it matters
- 60%+ of knowledge workers paste production data into ChatGPT at least monthly — and most security teams have no visibility into what.
- Once data is in a model provider's logs, it is outside your GDPR subject-access scope.
- Legacy DLP cannot see prompt traffic — it inspects file boundaries, not text streams.
- EU AI Act + NIS2 + DORA explicitly require organisations to demonstrate control over AI-bound data flows.
Common questions
Is AI DLP the same as a content filter?
No. A content filter blocks categories of websites or keywords. AI DLP inspects the structure of what a user is about to send to an AI model — credit card patterns, API key signatures, source code shape — and either anonymises or blocks the specific substring while letting the rest of the prompt through.
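The substring-level inspection described above, as an added example that is not from the original page or any vendor's product: a card number is confirmed with the Luhn checksum rather than matched as a keyword, and only the matching substring is replaced. The patterns, labels, sample prompt and the `guard` function are assumptions chosen for illustration.

```python
import re

# Illustrative detectors (assumed rule set, not a product's).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
KEY_RES = {
    "AWS_KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),          # AWS access key ID shape
    "GITHUB_TOKEN": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),  # GitHub classic PAT shape
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(prompt: str):
    """Return sorted (start, end, label) spans for sensitive substrings."""
    spans = []
    for m in CARD_RE.finditer(prompt):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            spans.append((m.start(), m.end(), "CARD"))
    for label, rx in KEY_RES.items():
        spans.extend((m.start(), m.end(), label) for m in rx.finditer(prompt))
    return sorted(spans)

def guard(prompt: str, mode: str = "block"):
    """Alert: return the prompt unchanged plus labels. Block: redact the spans."""
    spans = scan(prompt)
    labels = [label for _, _, label in spans]
    if mode == "alert":
        return prompt, labels
    out, pos = [], 0
    for start, end, label in spans:
        if start < pos:         # skip a span overlapping one already redacted
            continue
        out += [prompt[pos:start], f"[{label}_REDACTED]"]
        pos = end
    out.append(prompt[pos:])
    return "".join(out), labels

# Constructed sample: a test card number, a Luhn-invalid lookalike, and the
# example access key ID used in AWS documentation.
SAMPLE = ("Debug this: card 4111 1111 1111 1111, order 4111 1111 1111 1112, "
          "key AKIAIOSFODNN7EXAMPLE")
```

In Block mode the order number survives because it fails the checksum, which is the difference between structural inspection and keyword filtering.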
Where does AI DLP run?
At every layer the prompt passes through: a browser extension on Chrome / Edge / Firefox, a desktop agent on Windows / macOS / Linux, a CLI shim for developers using Cursor / Claude Code / Copilot CLI, and an MCP guard for agentic AI systems.