File-centric DLP loses coverage when users move data through prompts, copy/paste, and browser-based AI tools instead of attachments or uploads. The organisation may still believe it is controlling sensitive data, but the real leak path has shifted to interaction data. Controls need to inspect the browser action itself, not only the file object.
Why This Matters for Security Teams
When GenAI prompts become the primary exfiltration path, the control problem shifts from file protection to interaction governance. Traditional DLP is built to classify documents, scan attachments, and watch for uploads or email transfers. That model misses the more common reality of modern work: users paste sensitive text into browser-based assistants, inline copilots, and chat interfaces that never create a managed file event. NIST’s NIST AI 600-1 GenAI Profile treats these behaviors as a governance issue, not just a content-scanning issue.
The risk is not only accidental disclosure. Once data enters a prompt, it may be retained in logs, reused for model improvement, surfaced in responses, or copied into downstream tool calls. NHIMG’s reporting on the DeepSeek breach and the broader State of Secrets in AppSec shows how quickly secrets and sensitive context can spread once they leave controlled repositories. In practice, many security teams discover prompt exfiltration only after a sensitive workflow has already been absorbed into daily AI usage, rather than through intentional policy design.
How It Works in Practice
The failure mode is straightforward: the browser becomes the exfiltration surface, and the prompt becomes the transport. Users may copy customer records, source code, incident notes, API keys, or internal plans into AI tools to get summaries, transformations, or debugging help. Because there is no attachment to inspect, file-centric controls see only normal clipboard activity or a web request. Current guidance suggests controls need to evaluate the action, the destination, and the data context at runtime, not just the object being sent.
Practically, that means pairing browser controls with policy enforcement and data classification signals. Security teams increasingly look at:
- Clipboard and paste monitoring in managed browsers
- Prompt redaction or inline warning before submission
- Tenant and application allowlisting for approved AI tools
- Session-aware inspection for sensitive fields such as secrets, customer identifiers, and regulated data
- Central logging of prompt events for audit and investigation
This aligns with the direction described in the NIST AI 600-1 GenAI Profile, where AI use is managed through risk controls across the lifecycle rather than only at the storage layer. It also reflects the kind of exposure seen in NHIMG’s DeepSeek breach coverage, where sensitive content was not constrained by traditional file boundaries. These controls tend to break down when employees use unmanaged browsers or personal AI accounts because the security stack cannot reliably see the prompt, the destination, and the copy action together.
Common Variations and Edge Cases
Tighter prompt controls often increase friction, requiring organisations to balance data loss reduction against user productivity and privacy concerns. That tradeoff is real, especially in engineering, legal, and support teams where pasted context is often necessary for work to proceed. Best practice is evolving, and there is no universal standard for how aggressively prompts should be inspected versus minimized.
One common edge case is sanctioned AI use inside enterprise tenants. Even then, prompts may still contain regulated data, so approval of the platform does not equal approval of the content. Another is shadow AI in unmanaged browsers, where even strong policy language is ineffective because the organization cannot observe the session. A third is code-related leakage: teams may not be sharing “documents,” but they are still exposing secrets, configuration details, and incident data in prompts. The State of Secrets in AppSec is a useful reminder that sensitive data often leaks through ordinary developer behavior, not extraordinary attacks. For technical governance, the NIST AI 600-1 GenAI Profile supports treating AI prompt handling as an operational risk domain, while DeepSeek breach illustrates how quickly prompt-adjacent data can become a broader exposure event.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Prompt exfiltration is a core agentic data leakage pattern. | |
| CSA MAESTRO | MAESTRO addresses AI workflow abuse and data leakage paths. | |
| NIST AI RMF | AI RMF covers governance of AI-related disclosure and misuse risk. |
Apply runtime controls to AI interactions, especially prompt handling and downstream tool execution.
Related resources from NHI Mgmt Group
- What is the main risk when automation systems store ServiceNow credentials?
- When do incident management tools become part of identity security operations?
- What breaks when browser extensions can fetch remote configuration and rewrite webpages?
- What breaks when unauthenticated database memory disclosure is possible?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
