Notifications
Clear all
Topic starter
07/06/2026 8:52 pm
TL;DR: AI agents create new data-loss pathways, but DLP alone does not solve the identity, authorization, and audit gaps that govern how those agents reach enterprise data, according to WorkOS. The security problem is not just exposure prevention, it is controlling who or what can act before sensitive data ever becomes accessible.
NHIMG editorial — based on content published by WorkOS: Jazz Security for AI Agent Security: Features, Pricing, and Alternatives
Questions worth separating out
Q: How should security teams govern AI agent access to sensitive data?
A: Security teams should govern AI agent access by establishing identity, authorization, and audit controls before relying on DLP.
Q: Why do AI agents expose weaknesses in traditional DLP programmes?
A: AI agents expose weaknesses in traditional DLP programmes because they do not behave like human users.
Q: What breaks when AI agent data access is not tied to identity governance?
A: What breaks is accountability.
Practitioner guidance
- Map agent access before deploying DLP Inventory every system, API, and data store an AI agent can reach, then document the identity path and entitlement behind each connection.
- Require fine-grained authorization for each agent interaction Use task-scoped permissions so the agent is not carrying broad access across unrelated workflows.
- Correlate identity, entitlement, and data access logs Join authentication events, permission decisions, and data movement records into one audit trail that can answer who acted, what they touched, and whether access was appropriate.
What's in the full article
WorkOS's full article covers the operational detail this post intentionally leaves for the source:
- Side-by-side feature comparison of Jazz Security's DLP approach versus WorkOS identity infrastructure.
- Pricing and deployment context for Jazz Security's stealth-stage evaluation model.
- Enterprise authentication and authorization capabilities included in WorkOS for production AI systems.
- Implementation-oriented discussion of how teams think about AI agent security stacks beyond DLP.
👉 Read WorkOS's comparison of Jazz Security and enterprise AI security infrastructure →
AI agent DLP is not enough: what IAM teams need to cover?
Explore further
08/06/2026 8:35 am
AI agent data protection fails when teams treat DLP as the primary control. DLP can inspect content, but it cannot define whether an agent should have been able to reach the data in the first place. That makes it a downstream detection layer, not the governance boundary. The implication is straightforward: identity and authorization remain the prerequisite, and anything else is partial coverage.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope.
A question worth separating out:
Q: Should organisations use DLP or authorization first for AI agents?
A: Organisations should put authorization first and DLP second. Authorization determines whether the agent should reach the data at all, while DLP inspects what happens after access begins. If authorization is weak, DLP becomes a noisy backstop instead of a meaningful control.
👉 Read our full editorial: AI agent data protection is still incomplete without identity controls
