DLP and DSPM were built for static data inspection, not for conversational systems that reveal or transform data over multiple turns. They miss prompt injection, incremental exfiltration, and model-side execution because the risk is in context and behaviour, not only in a single outbound record or stored dataset.
Why DLP and DSPM Miss LLM Risk Patterns
DLP and dspm are strongest when the security question is “what left the system” or “what is stored where.” LLM risk is often different: the model can reveal sensitive content gradually, reshape it into new outputs, or be steered into unsafe actions across multiple turns. That means the critical event is not always a single file transfer or database record, but a conversational path that changes the model’s behaviour. NHI Management Group has documented how AI systems are increasingly attacked through compromised identities and exposed secrets in LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
Current guidance suggests DLP and DSPM should still be used, but only as part of a broader LLM control stack that includes prompt safety, tool-use governance, and identity controls. The security gap is not just visibility, it is interpretation: security tools that do not understand context cannot reliably distinguish harmless text from an attacker shaping model behaviour. In practice, many teams discover the limitation only after the model has already been used to expose data in ways that never appeared as a conventional exfiltration event.
How the Control Gap Shows Up in Real Deployments
LLM applications create multiple paths that bypass traditional inspection. A user can paste sensitive material into a prompt, the model can summarize or transform it, and the output can be safe-looking even while the underlying conversation leaked data. Attackers can also use prompt injection to manipulate system instructions, chain tool calls, or coerce the model into retrieving data from connected systems. That is why the risk lens has shifted from static content to behaviour, which is reflected in both the OWASP Agentic AI Top 10 and the NIST AI Risk Management Framework.
Operationally, organisations need controls that sit closer to the interaction layer:
- Inspect prompts, tool calls, and retrieved context, not just final outputs.
- Apply policy at request time, because risky behaviour can emerge only after prior turns.
- Limit what the model can see through retrieval, connector scoping, and least-privilege access.
- Record conversation and tool-use telemetry so investigators can reconstruct the sequence of events.
This is where NHI governance becomes relevant. If an LLM can call tools or reach APIs, the credential and identity model matters as much as the content model. NHI Management Group’s analysis of the McKinsey AI platform breach and the DeepSeek breach both underscore how AI systems can expose sensitive data at scale when access paths are not tightly governed. These controls tend to break down when legacy DLP is bolted onto chat interfaces without visibility into prompts, retrieval, and downstream tool execution.
Where the Standard Answer Breaks Down
Tighter inspection often increases latency, false positives, and user friction, requiring organisations to balance stronger detection against adoption and performance. There is no universal standard for this yet, so best practice is evolving toward layered controls rather than a single “LLM DLP” product. In highly interactive systems, even aggressive content filters can miss incremental exfiltration because the model may reveal one small fragment at a time, each fragment individually looking benign.
Another edge case is retrieval-augmented generation. If the model is permitted to pull from internal knowledge bases, DSPM can tell security teams where data resides, but it cannot decide whether a specific prompt is an authorised request for that data. That decision belongs to runtime policy, identity, and context. For agentic workflows, the issue becomes sharper because the model may act autonomously, use tools, and chain actions in ways that no static rule set predicted. Current practice therefore leans on combining DLP, DSPM, and AI-specific governance from sources such as CSA MAESTRO agentic AI threat modeling framework and NIST AI 600-1 GenAI Profile. For teams building or reviewing agentic systems, the practical lesson is simple: content controls alone do not govern behaviour, and behaviour is where the higher-impact risk now lives.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Prompt injection and tool abuse are central to why DLP misses LLM risk. |
| CSA MAESTRO | TRUST | MAESTRO focuses on agent trust and dynamic governance across model interactions. |
| NIST AI RMF | GOVERN | AI RMF governance is needed when content scanning cannot explain model behaviour risk. |
Add runtime controls for prompts, tools, and outputs where LLM behaviour can be manipulated.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 9, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
