TL;DR: Legacy DLP tools generated too many low-fidelity alerts because they lacked user intent and data-flow context across cloud and SaaS, while modern AI and orchestration can reduce false positives, automate triage, and improve policy accuracy, according to Cyera and cited analyst research. The deeper issue is that DLP fails when governance is static, fragmented, and disconnected from how data actually moves.
NHIMG editorial — based on content published by Cyera: How AI and Orchestration Unlock DLP's True Potential
By the numbers:
- 76% of enterprises still rely on DLP as a core capability.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
Questions worth separating out
Q: How should security teams reduce false positives in DLP without weakening protection?
A: Start by separating content matches from business context.
Q: Why does DLP struggle when organisations move more data into cloud and SaaS?
A: Cloud and SaaS increase the number of places where data can move, copy, and be shared, while reducing the value of perimeter-style inspection.
Q: How do you know if DLP is actually working?
A: Look beyond alert volume.
Practitioner guidance
- Map DLP decisions to identity context: identify where current DLP policies rely on content alone and where role, business function, or session context would change the outcome.
- Consolidate alert triage across enforcement points: create a single operating view for DLP signals from endpoints, cloud services, web gateways, and SaaS tools so the team can compare incidents consistently.
- Link DSPM discovery to policy tuning: use discovered sensitive-data locations, access paths, and exposure relationships to refine DLP rules instead of waiting for manual tuning after alert storms.
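The three guidance points above can be read as one design: a policy decision that takes the content match as only one input, alongside role, destination, and what DSPM discovery already knows about the data's origin, with every enforcement point's output normalised into a single triage view. The following is an added illustration written for this post; it is not Cyera's code, not Omni DLP, and not from the original article. The SSN pattern, the roles, the approved flows, the DSPM location list, and the sample events are all constructed placeholders.

```python
"""
Toy context-aware DLP evaluator (added example, not from Cyera or the source
article). It contrasts a content-only decision with one that also uses identity
and data-flow context, and normalises alerts from several enforcement points
into one sorted triage list. All names and values below are constructed.
"""
import re
from dataclasses import dataclass

# Content detector: a deliberately simple pattern for a US SSN-like string.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Hypothetical business context: (role, destination) pairs allowed to carry SSN data.
ALLOWED_FLOWS = {
    ("payroll", "hr-saas.example"),
    ("payroll", "internal-share"),
}

# Hypothetical DSPM discovery output: stores already classified as holding sensitive data.
DSPM_SENSITIVE_LOCATIONS = {"s3://payroll-archive", "sharepoint://hr/records"}


@dataclass(frozen=True)
class Event:
    source: str        # enforcement point: "endpoint", "cloud", "web", or "saas"
    user: str
    role: str
    destination: str
    content: str
    origin: str = ""   # data store the content was read from, when the tool knows it


@dataclass(frozen=True)
class Alert:
    source: str
    user: str
    destination: str
    severity: str      # "block", "review", or "allow"
    reason: str


def content_only_decision(event: Event) -> str:
    """Legacy style: every content match becomes a block, whoever the user is."""
    return "block" if SSN_RE.search(event.content) else "allow"


def context_aware_decision(event: Event) -> Alert:
    """Combine the content match with role, destination, and DSPM origin."""
    if not SSN_RE.search(event.content):
        return Alert(event.source, event.user, event.destination, "allow", "no sensitive content")
    if (event.role, event.destination) in ALLOWED_FLOWS:
        # Same data, legitimate identity and destination: no alert for the analyst.
        return Alert(event.source, event.user, event.destination, "allow", "approved flow for role")
    if event.origin in DSPM_SENSITIVE_LOCATIONS:
        # Discovery already tagged the origin store, so this is the high-confidence case.
        return Alert(event.source, event.user, event.destination, "block",
                     "sensitive store to unapproved destination")
    # Content match with unknown origin: worth a look, not an automatic block.
    return Alert(event.source, event.user, event.destination, "review",
                 "sensitive content to unapproved destination")


def triage(events: list[Event]) -> list[Alert]:
    """Single operating view: one normalised, severity-ordered list across all sources."""
    order = {"block": 0, "review": 1, "allow": 2}
    alerts = [context_aware_decision(e) for e in events]
    return sorted(alerts, key=lambda a: (order[a.severity], a.source, a.user))


def severity_counts(alerts: list[Alert]) -> dict[str, int]:
    """How many alerts land in each bucket; useful for comparing policy variants."""
    counts = {"block": 0, "review": 0, "allow": 0}
    for a in alerts:
        counts[a.severity] += 1
    return counts


# Constructed sample events from four different enforcement points.
SAMPLE_EVENTS = [
    Event("endpoint", "alice", "payroll", "hr-saas.example", "SSN 123-45-6789 for onboarding"),
    Event("saas", "bob", "contractor", "mail.external.example", "fyi 123-45-6789",
          origin="s3://payroll-archive"),
    Event("web", "carol", "engineering", "paste.example", "test value 123-45-6789"),
    Event("cloud", "dave", "payroll", "internal-share", "quarterly headcount report"),
]

if __name__ == "__main__":
    legacy = [content_only_decision(e) for e in SAMPLE_EVENTS]
    print("content-only blocks:", legacy.count("block"))
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.severity:6} {a.source:8} {a.user:6} -> {a.destination}: {a.reason}")
```

Running it shows the point of the guidance: the content-only rule blocks three of the four events, while the context-aware rule blocks one, queues one for review, and allows the approved payroll flow, and the output is one list an analyst can read across endpoint, SaaS, web, and cloud sources rather than four separate alert streams.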
What's in the full article
Cyera's full article covers the operational detail this post intentionally leaves for the source:
- How Omni DLP centralises alerts and policy management across email, endpoints, cloud, and web channels
- The reported 95% fewer inaccurate alerts and 90% less manual effort outcomes from deployments
- Specific examples of policy tuning where overblocking and under-enforcement were identified
- How agentless onboarding connects directly through APIs for faster deployment
👉 Read Cyera's analysis of how AI and orchestration reshape data loss prevention →
DLP orchestration and data context: what IAM teams should know
Explore further
DLP fails when governance is static and identity-aware context is missing. The article shows that legacy content inspection cannot keep pace with cloud, SaaS, and AI-era data movement because it assumes policy can be expressed without runtime context. That assumption breaks when the same data is legitimate for one identity and suspicious for another. Practitioners should treat DLP as a context problem, not a signature problem.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one exposure can become an operational pattern.
A question worth separating out:
Q: What is the difference between DLP orchestration and DLP tools working in isolation?
A: Isolated DLP tools enforce their own policies and produce their own alerts, often with little shared context. Orchestration creates a control layer that centralises policy logic and prioritises incidents across tools. The practical difference is consistency: teams can compare outcomes across channels instead of managing separate alert silos.
👉 Read our full editorial: AI-driven DLP orchestration exposes why legacy controls stall