Notifications
Clear all
Topic starter
22/06/2026 10:15 am
TL;DR: Workers are uploading personal and payment data into ChatGPT, Copilot, Gemini and similar tools, with roughly 40% of file uploads containing sensitive data and often bypassing classic DLP because the action happens through personal accounts, according to Netwrix. The governance gap is now at the endpoint and prompt boundary, where prevention matters more than after-the-fact discovery.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- Roughly 40% of file uploads in AI tools contain personal or payment card data, usually unintentionally and often through personal accounts.
Questions worth separating out
Q: How should security teams stop sensitive data from being uploaded into public AI tools?
A: Security teams should enforce endpoint controls that block sensitive files and clipboard content before they reach public AI tools.
Q: Why do classic DLP controls miss AI cloud data leakage?
A: Classic DLP often misses AI cloud leakage because the transfer can happen through browser uploads, prompt paste, or personal accounts outside the paths the control was designed to inspect.
Practitioner guidance
- Block sensitive uploads at the endpoint Enforce policy before files or clipboard content can be sent to public AI tools, using data classification rules tied to the application destination and user context.
- Extend DLP coverage to prompt and paste actions Treat copy-paste into prompts as a governed exfiltration path, not only file upload, so users cannot bypass inspection by changing the transfer method.
- Separate approved AI use from personal accounts Require sanctioned accounts and managed endpoints for AI usage involving sensitive material, and deny access from unmanaged browsers or personal logins.
What to expect at the briefing
Netwrix's live webinar covers the operational detail this post intentionally leaves for the source:
- Which data channels put sensitive information at risk, including AI tools and USB devices
- How Netwrix Endpoint Protector applies a single policy across Windows, Linux, and macOS endpoints
- How organisations can block uploads and prompt insertion before data leaves the device
- What the EU AI Act 2026 and GDPR imply for endpoint control and data handling
👉 Register for Netwrix's live webinar on preventing sensitive data from reaching AI tools →
AI cloud data loss prevention: are your endpoint controls enough?
Explore further
22/06/2026 11:04 am
AI data loss is now an endpoint governance problem, not just a DLP problem. Once users can move sensitive information into ChatGPT-style services from personal accounts or unmanaged browsers, the decisive control point is the device itself. Classic perimeter thinking loses relevance because the data path no longer depends on sanctioned network routes. Practitioners should treat endpoint policy as the first line of identity-adjacent data governance.
A few things that frame the scale:
- 35.6% of organisations cite managing consistent access across hybrid and multi-cloud environments as their top NHI security challenge, according to The 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, which shows how limited control confidence remains in practice.
A question worth separating out:
Q: Who is accountable when employees send regulated data to external AI services?
A: Accountability usually sits with both security governance and the business owner of the workflow, because the control failure spans policy design, endpoint enforcement, and acceptable use. Privacy, legal, and security teams should share ownership for defining what can be sent, from which device, and under what account conditions.
👉 Read our full editorial: Preventing sensitive data from reaching AI clouds with endpoint controls
