Context is King: How AI is Finally Making DLP Work

TOGETHER WITH

TL;DR:

• Data Loss Prevention (DLP) historically frustrated users with false positives and poor usability.

• Generative AI (GenAI), especially Large Language Models (LLMs), brings contextual understanding, reducing false positives dramatically.

• AI-driven DLP shifts security from an obstacle to an enabler, boosting employee productivity and compliance simultaneously.

• The DLP market is becoming revitalized by AI but is also ripe for disruption.

AI's Role in Transformation

If you've been paying attention to the business world, you've probably noticed how AI technologies have rapidly become a staple of operations. The most interesting part of that shift? It’s been largely employee-driven. It's not often that a technology is adopted because employees are pushing for it. Usually, it’s the other way around. We didn’t see that force with the Internet, mobile phones, or the cloud, but with AI, individuals were the driving force.

The question then becomes, why AI? What makes AI different from other technological waves? Why did it take off so quickly?

It may be because AI feels like a genuine extension of human capabilities. It can help you automate the mundane and enhance the complex. It allows people to speed up their work and improve their focus (if not, it’s a “skill issue,” as the kids say). And employees, being on the front lines, see this potential more clearly than anyone else. They know where the bottlenecks are and where a little help could go a long way. 

It’s rare to see a bottom-up adoption of technology at this scale. Employees are shaping the future of work with Generative AI (GenAI), finding new ways to work smarter, and highlighting exactly how companies are struggling to keep up with the governance of AI tools.

But what happens when an unstoppable force meets an immovable object? What happens when the wave of AI meets a longstanding cybersecurity headache?

That Dirty D-Word

Nope, it’s not the title of an AC/DC song. 🤘🏽

We’re talking about Data Loss Prevention (DLP). For nearly two decades, DLP has been cybersecurity’s dirty little secret. Despite its noble purpose of protecting the loss of sensitive company information from financial, regulatory, and reputational risks, DLP has struggled to win any love from either employees or security teams.

DLP technologies were designed to intercept, scan, and control the transmission of sensitive data across endpoints, networks, emails, cloud services, and storage systems. But despite this broad coverage, DLP was historically problematic for one major reason: user experience (something I have always held near and dear to my heart).

Anyone who’s managed traditional DLP knows the frustration. Breaking the Microsoft Office suite, disrupting the browser experience every time Google Chrome made an update, and wrecking homegrown business applications that were never designed to be inspected in that manner.

Systems relied heavily on regex rules and static patterns to spot sensitive data. While conceptually simple, regex has no ability to discern context, resulting in a flood of false positives and a lot of angry calls/emails from the business. Analysts drowned in irrelevant alerts, forced into manual triage to determine what was genuinely risky versus benign employee behavior. Entire security teams existed just to sift through noisy DLP alerts. (Ask me how I know. 👀)

DLP implementations often failed because companies didn’t even fully understand what sensitive data they had, where it lived, or how it was used, all of which were prerequisites that DLP products themselves couldn’t solve. It became common practice to deploy DLP as a checkbox for regulatory compliance, not because it effectively prevented data loss.

In Understanding Data Loss Prevention (DLP), I called out this challenge directly:

Cloud adoption, remote work, and data encryption further challenged traditional DLP’s effectiveness. In short, DLP had become a blunt instrument, like using a sledgehammer for eating sushi. It was awkward and ineffective, but maybe every now and again, you’d catch a little something.

Traditional DLP easily handled structured data like credit cards and Social Security numbers. This makes sense because this is what early regulations and compliance frameworks focused on. However, it completely missed the nuanced, highly impactful data leaks, such as detailed competitive analyses or confidential strategy documents. These types of data aren't always obvious, structured, or pattern-based. They're subtle, contextual, and highly impactful. Yet, in the hands of a competitor, this leak could devastate your market position. Legacy DLP's limitations made these leaks effectively invisible, leaving companies dangerously exposed.

The industry needed a fresh approach, but it wasn’t an interesting enough problem to reimagine. It was a “good enough” option for the businesses that needed it and one that many other companies just opted out of.

But then AI entered the chat.

With the rise of GenAI and large language models (LLMs), we now have the tools to transform DLP from a compliance checkbox into a business enabler. AI can understand context in a way that regex never could. It can detect sensitive data with more precision and fewer false positives. This isn't just an incremental improvement. It's a complete overhaul and a rewiring of what’s possible.

As Frank Wang calls out in a recent post:

GenAI and LLMs now offer the promise to transform DLP by contextually understanding data, something regex rules could never dream of. AI-driven DLP solutions automatically identify and classify data based on its true context, dramatically reducing false positives. These tools are shifting the perception and user experience of DLP before our very eyes.

When security enhances user experience, it stops being a burden and becomes an asset.

Where the Market’s Moving Now

It's interesting to watch a market evolve.

Looking back at search data from Google Trends, you can see that interest in “data loss prevention” has steadily increased over the last 20 years.

The waxing and waning of investments in DLP have had an interesting pattern over the years as well. Looking at the data from Return on Security, a few key themes have emerged that show DLP has been outperforming:

• DLP companies are 2.5x more likely to be acquired than the average security startup. This will only increase with AI being injected into every possible part of a business.

• DLP has delivered one of the least capital-intensive (or how much capital is required on average to achieve an acquisition) paths to exit in cybersecurity. While newer categories like DSPM have commanded high funding rounds, DLP companies are exiting faster and with better returns on capital.

• Recent DLP exits skew to older and more mature companies, often with established product-market fit and clearer acquisition signals, compared to emerging categories.

• Net-new DLP startup creation has slowed in recent years, giving the impression of a stagnant category. In reality, many of the top acquisitions (Code42, Forcepoint, CoSoSys) are from second or third-wave DLP vendors, and the cycle is about to start over again.

Sometimes, when a market changes, it's subtle. Sometimes, it's as if the ground has shifted beneath your feet (⭐ you are here).

The DLP and AI for security markets are in the latter category right now. AI is reinvigorating founder and investor interest and redefining the need for data protection across all fronts.

If there's anything that we have learned that AI is good with, it's pulling out context from text and data. Using AI to understand the context of data can make it possible to detect sensitive information without the flood of false positives. Now, companies are realizing that AI and data security issues are deeply interconnected.

Looking back at the data on the State of the Cybersecurity Market in 2024, you can see that investments into “AI for Security” and “Security for AI” companies increased 96% year-over-year:

But that doesn't mean we've got it all figured out. The DLP and AI for security markets are clearly in a state of flux.

Just as with cloud security, understanding and managing risks in AI deployments, using SaaS AI platforms like ChatGPT and Claude, or even using AI-enabled SaaS products now requires clear lines of accountability. This is especially true when sensitive data is involved, and spoiler alert, sensitive data is almost always involved now.

According to Enterprise Strategy Group (ESG) research, 96% of companies are developing governance structures around GenAI, and 82% still don’t fully understand what GenAI tools their teams use or what data is shared. That governance blind spot is exactly why frameworks like the AI Security Shared Responsibility Model are gaining traction to close the loop on AI-driven data leakage.

As a result, established players and new entrants alike want to grab their share. Legacy DLP vendors face significant disruption from agile startups that are more attuned to the nuances of GenAI and LLMs. 

The market understands the stakes and what’s up for grabs. You don’t win this next wave of AI by locking the front door and pretending nothing’s happening. You win by knowing what’s coming in, what’s going out, and what matters most in the middle.

Organizations want control, clarity, and fewer blind spots, opening the door for new, AI-native approaches to rapidly reshape the DLP landscape. The real tension is that companies are stuck between two losing outcomes:

1. Block GenAI too aggressively, and innovation slows to a crawl

2. Open the floodgates and risk your sensitive data walking out the door (many times over)

The answer to the tension lies in smarter guardrails when using GenAI. Better discoverability, real-time visibility, usage-level insights, and context-aware controls that don’t just say “no” but say “do this instead, and here’s how.”

An old, failed promise of preventing data loss can now become a lot closer to becoming true with the support of AI. Finely tuned LLMs, combined with human-readable prompts, are achieving more effective coverage and dramatically reducing false positives, something traditional regex-based systems never could. While AI dramatically improves how effectively we can protect sensitive data, it also magnifies existing risks. Employees feeding company IP and sensitive strategic data into external GenAI tools create new leakage paths.

ESG research also found that 52% of companies said they had at least one sensitive data leak in the past 12 months, highlighting traditional DLP’s failure to prevent strategic data loss. ESG also noted that 9 out of 10 companies estimate unstructured data makes up more than half of their data.

The solution isn’t more policies. It’s visibility. Real-time signals. Understanding what tools are in use, what data is being shared, and who needs what level of access.

If you’re flying blind, you’ve already lost.

AI Gave Security a Reason to Lean In

There has also been a fascinating shift here in the business drivers.

Every company is feeling tension right now when it comes to using GenAI. If you share too much or allow access too broadly, you risk leaking sensitive data. If you hamstring employees and hold too much back, you risk falling behind as a business. It’s a tricky tightrope to walk, and security is who is supposed to be holding that line taught.

Traditionally, security measures are pushed onto employees and are often seen as barriers to getting work done. Ironically, the demand for DLP is now driven by employees, not security teams or compliance. Teams want to leverage AI tools safely and confidently, demanding effective guardrails that enable their productivity, not restrict it. Security teams aren’t just trying to stop data from getting out, they’re also trying to make sure the business can move forward safely.

DLP is shifting from cumbersome roadblocks to empowering tools that help employees do their jobs faster and better. This shift is part of a broader trend in security. We're moving from a mindset of blocking and restricting to one of enabling and empowering. The best security tools today help employees do their jobs better, faster, and more securely. They don't just protect the business, they improve the user experience. The framing is no longer just about preventing data loss, it’s about safely enabling AI usage and AI governance.

Good DLP blocks what’s dangerous (or stupid), but Great DLP understands what’s valuable.

It’s not just about blocking SSNs or credit cards anymore. It’s about recognizing when a prompt includes proprietary strategy or when a doc contains IP you can't afford to walk out the door.

The challenge now is one of education. Many in the security community are still used to The Old Ways™️. They need to understand that AI isn't just a threat; it's an opportunity. It's a chance to finally make data protection (and many more things!) what it should have been all along: a tool that enables businesses to use technology safely and effectively to create value.

Conclusion

The pace of innovation is causing security teams to wake up, and it looks like we’re better equipped as an industry to rise to the challenge this time. That’s a huge win for security and not something we can generally say as an industry.

Businesses are realizing that to thrive in the AI era, they need to embrace these technologies, not block them. The industry can no longer afford to treat AI as a binary “block/allow” decision, as that model simply doesn’t work anymore. Risk has to be analyzed at the data layer where it’s being used, where sensitivity lives and breathes. This means giving intelligent guidance and clear guardrails for employees to use AI tools safely, not just blunt restrictions. We want to keep sensitive data protected while using the latest and greatest AI tech to let the business get ahead (or catch up). It's about being proactive rather than reactive.

Being proactive now means protecting the business-critical, unstructured data legacy DLP couldn’t see. It means using AI to understand the context and protect your competitive analyses, intellectual property, and strategic plans. Companies now recognize that embracing AI-driven security is no longer just a strategic advantage, it’s quickly becoming table stakes for competitive survival.

That’s where security moves beyond compliance and becomes a business enabler. In the end, it's about solving real business problems. It's about helping companies thrive in an AI-driven world. And it's about doing so in a way that makes security an enabler, not an obstacle.

Thank you for reading! If you liked this analysis, please share it with your friends, colleagues, and anyone interested in the cybersecurity market.