Stephen Hearty
Head of Symantec Product Marketing EMEA
Sunil Choudrie
Head of Product Marketing for InfoSec, Broadcom
April 7, 2025
5 Min
As generative AI (GenAI) becomes more embedded in everyday business, organisations need to protect their sensitive data for this new data loss vector, and embed protection with their existing data security practices.. For today’s IT and security leaders, the dilemma is clear – how do you reap AI’s potential for efficiency and innovation while mitigating the risk of damaging data leaks? Against this backdrop, data loss prevention (DLP) is more important than ever. In this blog, we’ll look at how AI is used in the workplace, the risks of data exposure, and how a good DLP solution can help you use AI safely by incorporating AI use cases into your existing setup.
The main challenge AI poses for organisations is that to be productive, it can work on any type of data. As AI proves to be useful, it will be asked to do more, and this increases the risk that sensitive data will be given to it, and in turn could be shared widely. Without the right data governance, the risk of data exposure is high, potentially leading to financial losses (from operational disruption or fines) and reputational damage.
In an ideal world, this is how generative AI would work. An employee poses a question and gets a productivity-boosting answer – without sensitive data ever changing hands. In reality, of course, the picture is more complex. Employees today use numerous AI apps, both public and private. And they’re not immune to using tools their employers haven’t authorised. This makes it tricky to keep track of where your sensitive data is at risk. However, as a basic premise for data loss prevention, “good data in” is an excellent place to start – and by “good” we mean data that hasn’t been classified as private or confidential.
This data classification is something a DLP solution should offer as standard, scanning documents for sensitive information based on pre-defined parameters and automatically labelling content as confidential. The key here is to use a systematic approach that steers away from subjective human classification of what an employee deems sensitive or not. And, taking a step back, a good DLP provider or partner should be able to help you determine which information to classify as sensitive, ensuring the data that matters most to you is continuously protected.
The first step on the road to using AI safely is knowing which tools your employees are using. With solutions like Symantec DLP Cloud, you can conduct a thorough inventory of AI apps across your organisation. This includes who’s using them – and how – helping you determine whether it makes sense to restrict employee access. You can also gain insight into how data flows into and out of AI tools. And, most importantly, you can block data that is labelled as confidential from being fed into AI apps.
Let’s look at an example of how this might work in practice. A doctor at a busy clinic uses an AI-powered tool to help with diagnosis and treatment. The doctor inputs a patient’s name, medical conditions and prescriptions, asking for suggestions for a possible treatment plan. Luckily, the clinic has a DLP system in place that’s set up to scan content in real time. The system flags the use of protected information and automatically blocks the request. It alerts the doctor and logs the incident, continuing to monitor use of the tool to ensure future compliance. The doctor enters the query again, this time anonymising the details, and receives valuable information without risking data privacy.
There are numerous other examples of how employees use AI and potentially risk data exposure. The majority of data loss events involve copying and pasting sensitive information and uploading confidential files. Source code is the most frequently exposed type of data, as developers increasingly use AI to review and refine coding, only to find this proprietary data reemerges in the public domain.
DLP solutions can be set up to monitor these kinds of actions, so you can spot data leaks and prevent them in real time. A good DLP system also needs a plan in place for the vast volumes of content AI creates. The same controls and categorization that applies to your other data should also work for new AI-generated documents. AI systems can operate at high scale, and your DLP system needs to match that performance in order to keep up with the endless flow of new content.
Whatever policies an enterprise decides to enforce, the end goal is always the same – to prevent AI apps consuming sensitive data. Because once that data is gone, it’s near impossible to recover and could reemerge at any time in response to a random query. Private AI systems are also far from risk-free. If HR enters a list of employee salaries into an internal AI system, for example, there’s a good chance it could end up being seen by unauthorised employees.
Ultimately, data loss prevention should always be the focus, because a cure is rarely, if ever, an option. However, there are things a good DLP system can do to soften the blow. When sensitive data is detected being uploaded to an AI app, Symantec DLP kicks into action. It can notify the user, block the upload and alert administrators or security teams in real time, enabling rapid response and intervention to stop potential data leaks. The solution also provides detailed audit trails that can help trace where and how data was exposed, whether in AI apps or other parts of the network.
All of this can seem daunting, but from a DLP perspective, AI is simply a data loss use case – a complex and evolving one at that, but nothing that can’t be managed with a good DLP solution. For companies that have already worked hard to establish effective data governance and controls, there’s no reason why AI should throw a spanner in the works. The same checks and balances that protect your other data also apply when using AI. With the right solution and support, existing policies and protocols can be reviewed and adapted to manage AI risks.
Symantec DLP Cloud is already set up to protect all of your data, everywhere, whether that involves AI or not. Using the same scanning, detection and monitoring capabilities, and stringent policy enforcement, the solution can be easily adapted for AI traffic.
If you’re concerned about new risks posed by AI, or looking again at how you protect your data, talk to our experts today. We can help you take advantage of AI’s potential without risking your data security.
In theory, Microsoft Copilot is a dream come true for businesses, but getting the best from the solution requires strong controls. Integrated across the entire 365 family, Copilot can potentially access all of your business data. From SharePoint to OneDrive to an overflowing inbox, it’s not hard to imagine how confidential data could make its way into (and out of) this powerful AI tool. Symantec DLP helps keep Copilot in line, providing comprehensive controls that protect your sensitive data without restricting the benefits for your business.