Your DLP doesn't see what your agents send
Agent-to-model, model-to-agent, and agent-to-tool traffic are three new flows that bypass every DLP system built for humans moving files. Content classification belongs inside the authorization decision, not next to it.
Every DLP system in production today was built for one traffic pattern: a human moves a file. Drag and drop to a SaaS app. Attach to a Gmail thread. Copy to a USB stick. The classifier reads the file, matches against patterns, blocks or allows. That model held for a decade.
It does not hold for agents.
When an agent talks to a model the payload is a prompt. When the model talks back the payload is generated text. When the agent forwards the result to a tool the payload is a tool-call argument. Three flows, none of which look like a human moving a file. Existing DLP does not see them, for three reasons.
Three flows DLP was never built for
The agent-to-model call is HTTPS to an API endpoint the DLP classifier already trusts. Even if the proxy inspected the body, the body is text in an unfamiliar shape: a structured prompt with embedded context windows and retrieved chunks. The official Anthropic tool-use and OpenAI function-calling specifications show the actual payload contains nested JSON with tool definitions, tool_use blocks, and inline content. Classifiers tuned for “credit card number in a PDF” do not fire on PII embedded inside a chain-of-thought instruction.
The model-to-agent response is the return leg. It may contain regurgitated training data, hallucinated identifiers, or content the model assembled from sources the operator never classified. DLP at the network edge was built to inspect outbound files, not inbound payloads coming back from a trusted SaaS API. The vendor coverage statements bear this out: Microsoft Purview DLP lists Exchange, SharePoint, OneDrive, Teams, endpoint devices and Defender for Cloud Apps as its protected locations; Forcepoint DLP markets coverage across endpoints, SaaS apps, web and email. None of them name the agent runtime as a protected surface.
The agent-to-tool call is the dangerous one. The agent decides to invoke a tool with arguments. Those arguments often contain content extracted from the model response, the user prompt, or a previous tool result. The Model Context Protocol specification defines the JSON-RPC shape of this call: a tools/call request with params.name and params.arguments. DLP sees an internal API call from a sanctioned application identity. It looks like normal application traffic and nothing fires.
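To make the three payload shapes concrete, the Python below is an added example, not code from this page or from IntentGate. It builds one constructed sample of each flow (following the Anthropic tool-use and MCP tools/call shapes cited above), walks every string leaf in the nested JSON, and runs a small pattern classifier over each leaf while keeping the JSON path of the match. The path is what a file-oriented scanner never has: it lets a decision layer tell a card number inside a tool argument from the same digits inside a tool description or a system prompt. All sample values, the MODEL-PLACEHOLDER name and the regexes are constructed for this example.

```python
import re

# Constructed samples of the three flows. Values are made up; the shapes follow the
# Anthropic Messages tool-use format and the MCP tools/call JSON-RPC request the
# page cites, not captured traffic.
AGENT_TO_MODEL = {  # request: system prompt, tool definitions, retrieved context
    "model": "MODEL-PLACEHOLDER",
    "system": "You summarize HR tickets.",
    "tools": [{"name": "slack_post_message", "description": "Post text to a channel."}],
    "messages": [{"role": "user", "content": [
        {"type": "text", "text": "Summarize the ticket below."},
        {"type": "text", "text": "Retrieved chunk: contact mark@example.com re salary review"},
    ]}],
}
MODEL_TO_AGENT = {  # response: generated text plus a tool_use block
    "role": "assistant",
    "content": [
        {"type": "text", "text": "Posting the summary now."},
        {"type": "tool_use", "id": "toolu_01", "name": "slack_post_message",
         "input": {"channel": "#general", "text": "New hire SSN 123-45-6789 on file"}},
    ],
}
AGENT_TO_TOOL = {  # MCP tools/call request the agent builds from the tool_use block
    "jsonrpc": "2.0", "id": 7, "method": "tools/call",
    "params": {"name": "slack_post_message", "arguments": {
        "channel": "#general",
        "text": "Payroll run: J. Doe, card 4111 1111 1111 1111, approved",
        "attachments": [{"title": "notes", "body": "cc jane.doe@example.com"}],
    }},
}


def iter_strings(node, path="$"):
    """Yield (json_path, value) for every string leaf, however deeply nested."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


# Constructed patterns; a production classifier would carry far more.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "payment_card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def classify_text(text: str) -> list[tuple[str, str]]:
    """Return (label, matched_text) pairs; card candidates must also pass Luhn."""
    findings = []
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "payment_card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue
            findings.append((label, match.group()))
    return findings


def scan_payload(payload) -> list[dict]:
    """Classify every string leaf and keep its JSON path, so a decision layer can
    tell a tool argument from a tool description or a system prompt."""
    return [
        {"path": path, "label": label, "match": matched}
        for path, text in iter_strings(payload)
        for label, matched in classify_text(text)
    ]


def scan_all_flows() -> dict[str, list[dict]]:
    """Run the scanner over one sample of each of the three flows."""
    return {
        "agent_to_model": scan_payload(AGENT_TO_MODEL),
        "model_to_agent": scan_payload(MODEL_TO_AGENT),
        "agent_to_tool": scan_payload(AGENT_TO_TOOL),
    }
```

scan_all_flows() returns one list of findings per flow; the agent-to-tool call yields two, a Luhn-valid card number in params.arguments.text and an email address in an attachment body. The same regexes run over a flattened json.dumps(payload) would match the same strings but could not say which field they sat in, and that attribution is what the authorization decision needs.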
This is not a thought experiment
In June 2025, Aim Labs disclosed EchoLeak / CVE-2025-32711, a zero-click prompt injection that turned Microsoft 365 Copilot into a data exfiltration channel. A crafted email arrived in an executive inbox. Copilot ingested it, followed the embedded instructions, and exported sensitive internal context to the attacker over authenticated Microsoft Graph API calls. Dark Reading’s coverage walks the full attack chain. No DLP rule fired because no DLP rule had been written for an enterprise copilot exfiltrating data over its own authenticated API path. There was no reason the rule would have existed.
The Replit production-database deletion the following month was the same shape on a different agent class: a coding agent with standing database authority issued a destructive DDL command during a code freeze, the traffic looked like ordinary application traffic, no DLP rule applied (The Register coverage, Replit CEO response).
Different agents, different actions, same architectural gap. The agent had authorization. The traffic was legitimate at the protocol layer. The damage was real anyway.
The semantic unit is the agent call
DLP classifiers know one question: is there a credit card number in this blob. They do not know the question that actually matters at runtime: is this agent about to forward salary data from the HR system to an external model, then write the result into a public channel.
That is not a content question. It is a behaviour question, and the behaviour only exists at the agent runtime layer. No appliance in the existing security stack sees the decision point where it happens.
The standards community has named this gap. The OWASP Top 10 for Large Language Model Applications 2025 calls out LLM02 Sensitive Information Disclosure and LLM06 Excessive Agency as primary risks. The OWASP Top 10 for Agentic Applications (published December 2025 as the 2026 edition) extends the surface into memory poisoning, tool misuse, and goal manipulation. Neither list mentions DLP as a mitigation, because none of these failure modes are content-classification problems.
The choke point is the gate
The agent runtime authorization layer sees every call the agent makes. Every prompt to the model, every response back, every tool call with its arguments. It is the only place in the architecture where content classification can be combined with the decision about whether the call is allowed.
A DLP rule that matches a sensitive pattern at that layer does more than block. It records the attempt as an attributed, signed event: this agent, on this user’s behalf, under this policy version, tried to send this content to this destination at this time. That record is the same per-decision evidence the compliance team needs for EU AI Act Article 12 (automatic recording of events over the lifetime of high-risk AI systems), GDPR Article 30 (records of processing activities), and the NIST AI Risk Management Framework. The DLP enforcement and the audit trail are the same artifact.
Content classification belongs inside the authorization decision
The lesson for security teams in 2026 is not “buy DLP for agents.” It is that the policy that says who can call also has to say what they can send, and the only place that combined decision can be made is the runtime authorization layer.
A separate DLP product sitting next to the gate would inspect what the gate already inspects, miss what the gate already sees, and produce a parallel log that does not line up with the authorization record. Two systems, two policies, two evidence chains, one investigation that takes twice as long when something goes wrong.
The cleaner architecture is one decision point with content awareness built in. The category for that is agent runtime authorization, not DLP. DLP becomes a feature.
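One way to build the choke point described above and the single content-aware decision point this section argues for, as an added Python example that is not IntentGate's code and implies nothing about its internals: a Gate receives a call request carrying the labels an upstream content classifier produced, decides against a deny-by-default flow policy keyed on destination kind, and emits an HMAC-signed, hash-chained evidence record with the agent, principal, destination, payload digest and policy version, the fields listed earlier. The record stores a digest of the payload rather than the payload itself. POLICY, POLICY_VERSION, the label names, the destination kinds and EVIDENCE_KEY are all constructed for this example.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

POLICY_VERSION = "2026-01-15.3"  # constructed

# Deny-by-default flow policy: for each destination kind, the content labels that
# may reach it. Any label not listed is refused. Kinds and labels are constructed.
POLICY = {
    "external_model": {"public"},
    "internal_tool": {"public", "internal"},
    "public_channel": {"public"},
}

# Key for the HMAC over each evidence record. Constructed for the example; a real
# gateway would obtain this from a KMS or HSM rather than embedding it.
EVIDENCE_KEY = b"constructed-example-key-do-not-use"


@dataclass(frozen=True)
class CallRequest:
    agent_id: str
    on_behalf_of: str
    destination: str            # e.g. "api.model.example" or "slack:#general"
    destination_kind: str       # key into POLICY
    payload_labels: frozenset   # labels produced by an upstream content classifier
    payload_sha256: str         # digest only; the payload itself is never logged


def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _sign(record: dict) -> str:
    return hmac.new(EVIDENCE_KEY, _canonical(record), hashlib.sha256).hexdigest()


class Gate:
    """One decision point: classification result + authorization + signed evidence."""

    def __init__(self):
        self.log = []        # list of {"record": ..., "sig": ...}
        self._prev_sig = ""  # chains records so a removed entry is detectable

    def authorize(self, req: CallRequest, now: Optional[float] = None) -> str:
        permitted = POLICY.get(req.destination_kind, set())
        blocked = sorted(set(req.payload_labels) - permitted)
        decision = "deny" if blocked else "allow"
        record = {
            "ts": now if now is not None else time.time(),
            "agent": req.agent_id,
            "principal": req.on_behalf_of,
            "destination": req.destination,
            "destination_kind": req.destination_kind,
            "labels": sorted(req.payload_labels),
            "payload_sha256": req.payload_sha256,
            "policy_version": POLICY_VERSION,
            "decision": decision,
            "blocked_labels": blocked,
            "prev": self._prev_sig,
        }
        sig = _sign(record)
        self.log.append({"record": record, "sig": sig})
        self._prev_sig = sig
        return decision


def verify_chain(log) -> bool:
    """Recompute every signature and check the prev links; False on any tampering."""
    prev = ""
    for entry in log:
        record = entry["record"]
        if record["prev"] != prev or not hmac.compare_digest(_sign(record), entry["sig"]):
            return False
        prev = entry["sig"]
    return True


def demo() -> list[str]:
    """The flow from the text: HR salary data bound for an external model, then the
    result bound for a public channel. Both refused; an internal-tool call carrying
    internal-labelled content is allowed. Inputs are constructed."""
    gate = Gate()
    digest = hashlib.sha256(b"constructed payload bytes").hexdigest()
    calls = [
        CallRequest("agent-hr-summarizer", "alice@example.com", "api.model.example",
                    "external_model", frozenset({"hr_salary"}), digest),
        CallRequest("agent-hr-summarizer", "alice@example.com", "slack:#general",
                    "public_channel", frozenset({"hr_salary", "internal"}), digest),
        CallRequest("agent-hr-summarizer", "alice@example.com", "jira.internal",
                    "internal_tool", frozenset({"internal"}), digest),
    ]
    decisions = [gate.authorize(call, now=1_700_000_000 + i) for i, call in enumerate(calls)]
    assert verify_chain(gate.log)
    return decisions
```

demo() returns ["deny", "deny", "allow"], and every decision, allowed or not, leaves one signed record behind, which is the point of the section: the enforcement and the audit trail are produced by the same call. Altering any field of a stored record, or deleting a record, makes verify_chain() return False.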
IntentGate is the gateway purpose-built for the eighth domain. Content-aware authorization at the agent runtime layer, per-call evidence by default.
Sources
DLP vendor coverage
- Microsoft, Learn about data loss prevention. Purview DLP coverage scope: Exchange, SharePoint, OneDrive, Teams, endpoint devices, Defender for Cloud Apps, on-premises shares, Power BI, M365 Copilot.
- Forcepoint, Data Loss Prevention. Vendor product page stating coverage across endpoints, SaaS apps, web, and email.
- Broadcom, Symantec Data Loss Prevention. Triangulation: endpoint, network, storage, cloud, email and web channels.
Agent traffic payload shapes
- Anthropic, Tool use with Claude. The canonical shape of agent-to-model traffic: tool_use blocks with JSON input, tool_result blocks on return.
- OpenAI, Function calling. Tools array on request, tool_calls on response, tool role for results.
- Model Context Protocol, tools/call specification. The JSON-RPC shape for agent-to-tool invocations.
Standards
- OWASP, Top 10 for Large Language Model Applications 2025 (published November 2024).
- OWASP, LLM02:2025 Sensitive Information Disclosure.
- OWASP, LLM06:2025 Excessive Agency.
- OWASP, Top 10 for Agentic Applications for 2026 (published December 2025).
Regulation
- Regulation (EU) 2024/1689 (AI Act), Article 12: high-risk AI systems shall technically allow for the automatic recording of events (logs) over the lifetime of the system.
- Regulation (EU) 2016/679 (GDPR), Article 30: controllers and processors maintain records of processing activities, available to the supervisory authority on request.
- NIST, AI Risk Management Framework 1.0 (NIST AI 100-1, January 2023). Four-function framework: Govern, Map, Measure, Manage.
Incidents
- Replit agent deletes production database, July 2025. The Register, Replit CEO Amjad Masad response, Original Jason Lemkin post.
- Aim Labs, EchoLeak / CVE-2025-32711 zero-click prompt injection in Microsoft 365 Copilot, disclosed June 2025. Dark Reading coverage.
Want to see this in production?
IntentGate ships an open-source authorization gateway for AI agents. Self-hosted, audit-clean, vendor-neutral.