Data Protection & Privacy

Shadow AI Discovery: Identifying every GenAI tool employees use (not just ChatGPT). Data Loss Prevention (DLP) for AI: Preventing "copy-paste" of sensitive code or PII into LLMs in real-time. Browser-Agnostic Protection: Ensuring security follows the user across Chrome, Edge, and Safari without needing a proprietary "Enterprise Browser" that disrupts UX.

Establish and operationalize an enterprise-wide capability to govern, monitor, and prevent the unauthorized disclosure of sensitive organizational data during the use of generative AI and AI-enabled services (e.g., Microsoft Copilot, ChatGPT), in alignment with Zero Trust principles and NIST SP 800-53 Rev. 5 control requirements. The program will enforce data-centric security controls that assume no implicit trust in users, devices, applications, or external AI platforms, and will continuously validate access, data handling, and policy compliance. This capability will provide real-time visibility into AI interactions, apply contextual access and data loss prevention (DLP) controls, and prevent sensitive data from traversing defined system and authorization boundaries without explicit approval, thereby reducing the risk of data exfiltration, regulatory non-compliance, and loss of confidentiality. NIST SP 800-53 Rev. 5 Control Alignment This program objective directly supports the following control families and controls: AC – Access Control AC-3 (Access Enforcement): Enforce policy-based restrictions on AI tool usage and data access AC-4 (Information Flow Enforcement): Prevent unauthorized data flows to external AI services AC-16 (Security and Privacy Attributes): Apply data sensitivity labels during AI interactions IA – Identification and Authentication IA-2 (Identification and Authentication): Ensure strong identity validation prior to AI access SI – System and Information Integrity SI-4 (System Monitoring): Monitor AI usage and detect anomalous or unauthorized data disclosures SI-7 (Integrity Checks): Protect the integrity of data exchanged with AI-enabled services PL – Planning PL-8 (Security and Privacy Architectures): Integrate AI governance into the enterprise Zero Trust architecture SR – Supply Chain Risk Management SR-3 / SR-5: Address third-party AI service risk and data handling practices RA – Risk Assessment RA-3 (Risk Assessment): Continuously assess risks associated with AI-driven data exposure RA-5 (Vulnerability Monitoring and Scanning): Identify exposure paths introduced by AI integrations Zero Trust Strategy Alignment This objective reinforces Zero Trust tenets by: Treating AI platforms as untrusted external services by default Enforcing least privilege and continuous authorization for AI access Applying data-centric controls independent of network location Continuously monitoring and adapting controls based on risk signals

We are looking for a solution for DOP or data leak and detection of sensitive information being shared maliciously and accidentally in AI tools. We need something that can look at both native desktop applications as well as browsers as well as extensions in browsers.

Our objective is to secure our entire ecosystem—from embedded edge devices to cloud infrastructure—by protecting sensitive bio-physiological user data and defending against potential attacks. We need to strengthen our encryptions, enforce strict access controls, implement continuous monitoring across all services, and set up automated systems that proactively prevent malicious access. On the device side, we need to harden firmware, enable encrypted storage on the smart case, and secure all wireless interfaces to prevent data leakage or tampering. At the infrastructure level, we need to deploy advanced intrusion detection, anomaly monitoring, and rate-limiting to reduce our attack surface and ensure resilient, end-to-end protection for both user data and system integrity.