The Great DLP Reset: Why DLP Fails, and How to Fix It

At an ORION Security webinar, cybersecurity analyst Lawrence Pingree discusses why the DLP category is undergoing massive change.

At ORION Security, we spend a lot of time talking with security teams struggling with the same problem: traditional data loss prevention (DLP) approaches can’t keep up with how data moves today.

Lawrence Pingree agrees. In fact, it’s central to his research on what he calls “The Great DLP Reset,” which he shared in a recent webinar co-hosted with ORION Security.

Here’s the full webinar, “The Great DLP Reset: Security Data in the Age of SaaS, Cloud, and AI”:

Lawrence, who leads research at Software Analyst Cyber Research (SACR), is one of cybersecurity’s most experienced voices. He’s a former Gartner analyst who has published more than 300 research notes, advised many of the top security vendors in the market, and helped define categories like EDR, SASE, and SD-WAN.

I highly encourage CISOs and their teams to dig into this research to fully understand how to manage and deploy DLP in today’s world. Below are key insights from his presentation during the webinar, edited for clarity. 

Q: Why does traditional DLP fail to prevent data loss?

Lawrence: Classic DLP primarily existed in firewalls, secure web gateways, and endpoints; proxies built to enforce control over data at fixed points. It was heavily reliant on regular expressions and exact data matching. Back then, the perimeter was different. There was this notion of an “inside” and an “outside” of every environment. It wasn’t porous like it is today.

Q: Why do so many DLP programs end up spread across disconnected tools?

Lawrence: We call it the fragmented DLP approach, and it’s central to the problem. You have a little bit of capability around email, some in the endpoints, maybe one feature across SaaS with some CASB (cloud access security broker). You need to configure different platforms to get to one use case across the board. And you have misalignment between the capabilities you have in the different tools.

Q: Is DLP still relevant in 2026?

Lawrence: It’s more relevant than ever, but the category needed a reset. While DLP has ebbed and flowed over the years, it’s back now because SaaS sprawl and cloud data gravity have come into play, and business apps and tools have evolved to include generative AI and agentic workflows.

Q: What is shadow AI, and why is it a data loss risk?

Lawrence: Quite simply, more people are uploading their organization’s data in things like spreadsheets into AI tools because it’s useful. But that data may not be approved for sharing; it might even be regulated. And there have been a lot of use cases where prompt injection and agentics have demonstrated the ability to exfiltrate data, even in apps like Microsoft Copilot. All of these are potential risks.

Q: On the flip side, how does the use of AI in DLP detection reduce false positives?

Lawrence: AI enables something that deterministic policies never could: contextual judgment at machine speed. That cognitive function brings beauty to context because you can storyline various contextual elements together: the identity role, the data involved, the application, location, history and behavior, and business context. AI can look at every interaction and make an assessment: is this actual data leakage or just benign activity? It paints the picture of the actual scenario versus an individual event.

Q: What does real-time DLP enforcement look like compared to the old way?

Lawrence: Legacy DLP is kind of a faded, broken padlock. The classic perimeter approach just doesn’t work. We’ve reached a DLP rearchitecture point where we’re moving to more runtimes. We’ve got to move to a more real-time environment focused on prevention versus detection and response. The future state is AI-enabled autonomous policies, both in creation and fine-tuning.

Q: How should security leaders evaluate and modernize their DLP program?

Lawrence: Start by scoring your current program honestly. Look at your time to discover and classify meaningful sensitive data. Look at your policy model and your tuning burden. Are you running a ticket factory? You shouldn’t be. Add context to every decision: fuse identity, entitlements, posture, and user behavior to cut down on false positives and focus on real material risks. Strive for one set of policy intents across the various surfaces. The overall goal should be this: credible AI-era controls.

Q: Where do AI-native DLP vendors fit in the modern security landscape?

Lawrence: A new category of vendors is emerging that was built for this era from the ground up. You have vendors like ORION Security, which I consider more of the context-rich version, integrating AI to build better controls, better understanding, and cognitive function around the way interactions are happening within the enterprise.

Final Thoughts

I really enjoyed the hour I spent with Lawrence Pingree discussing this massive reset. The shift from traditional DLP to AI-native, context-aware data protection is accelerating as organizations adopt SaaS, cloud platforms, copilots, and autonomous AI agents. 

As Lawrence puts it, the data control plane isn’t a box. It requires unifying discovery, context, enforcement, and AI-driven decision-making into a prevention outcome that actually works.

At ORION Security, we built our platform around exactly what Lawrence describes: AI that evaluates the full context of every interaction, not just whether it matches a rule. If your team is stuck in tuning mode and ready to see what prevention actually looks like, we’d love to show you what we’ve built. (Request a demo.)

Keep an eye out for my next post, where I’ll discuss ORION Security’s role in the great DLP reset.
