How AI Broke the Data Protection Threat Model

Key Takeaways: 

• Traditional DLP assumes file transfers through known channels, but AI tools like ChatGPT, Cursor, and autonomous agents move data without uploads, downloads, or any event a traditional control would flag.
• Most security teams lack a threat model for AI-specific data flows, meaning they react case by case (blocking tools, writing one-off policies) instead of mapping which risks existing controls cover and which they don’t.
• A modern threat model has to start from how data actually flows through prompts, agents, and integrations rather than from boundaries like managed versus unmanaged devices, since those boundaries no longer capture where data loss happens.

For most of the history of enterprise security, data loss had a recognizable shape.

An employee downloaded a file to a USB drive, or a sales rep forwarded a spreadsheet to a personal email. Data traveled from a known source to a known destination through a channel someone had thought to watch.

Traditional DLP was built for exactly this. Define your boundaries (managed devices, approved applications, trusted identities) and monitor what crosses them. The model was imperfect, but the underlying logic was sound.

That model no longer describes how data moves.

Along Comes AI

Generative AI changed the underlying mechanics of how data flows through an organization.

When an employee pastes a customer contract into ChatGPT, that’s not a file transfer. When a developer gives Claude Code access to a local code repository, there’s no upload event. When an enterprise AI agent summarizes internal Jira tickets and emails a summary to a customer, the data never left through a channel anyone thought to watch.

The boundaries that organized traditional threat modeling (managed versus unmanaged, trusted versus untrusted, inside versus outside) still matter. But they are no longer sufficient. AI introduces a middle layer that sits between the user and the destination: a layer where data is interpreted, transformed, and routed by systems that operate faster than any policy team can write rules for.

Where’s the Map?

When we talk to security teams about data loss through AI, the real problem isn’t control itself. It’s that without a map, they can’t get the control they need.

What are the actual risk scenarios, and how do they differ from traditional data loss? Which ones do existing controls cover, and which ones don’t?

Without a framework for answering those questions, security teams are left reacting: patching individual tools, writing one-off policies, or blocking AI entirely.

Generative AI changed the underlying mechanics of how data flows through an organization.

Governing AI data loss requires a model built around flows, agents, and integrations; one that can account for data moving through a prompt, an autonomous workflow, or an unapproved MCP server.

It’s Time for a Modern Threat Model

A threat model built for AI data movement has to start in a different place than traditional DLP. Rather than asking what boundaries exist and what crosses them, it has to consider how data actually flows through the systems we use, and where controls break down.

It’s time to treat data flow through AI systems as a first-class threat category, not an edge case of traditional data movement.

Stay tuned. We’ll have more to share soon on a framework built specifically for this problem. It covers both the traditional DLP scenarios that still apply and the AI-specific use cases that traditional models miss entirely, mapped to the actual flows, surfaces, and enforcement points that define how data moves today.

The volume and speed of AI-driven data movement will only increase. The hard question every CISO needs to be asking now: is the framework you’re using to govern it built for the world you’re actually operating in?

If the answer isn’t yes, the gap is already open.