Your organization didn't have a data loss event today. Or did it?
A sales rep opened Glean—an AI-powered enterprise search platform that connects to your company's SaaS apps and lets anyone query across all of them in natural language—typed "Who are my top 10 customers?" and got a clean, formatted list pulled from Salesforce, cross-referenced with HubSpot, and confirmed against data sitting in Google Drive. They copy-pasted that list into a personal Gmail draft. No alerts fired. No policies triggered. No one noticed.
This isn't a hypothetical. It's a realistic use case for how enterprise AI tools work today and shows why traditional data loss prevention is no longer sufficient.
Glean is One Query Away From Your Most Sensitive Data
Glean connects to over 100 SaaS applications and makes their content instantly queryable through natural language. Its connector ecosystem spans every corner of a modern enterprise: collaboration platforms like Slack, Teams, and Confluence; file storage in Google Drive, Box, and OneDrive; CRM and sales tools like Salesforce and HubSpot; HR systems like Greenhouse and Workday; engineering infrastructure including GitHub, Jira, and LaunchDarkly; and marketing and analytics platforms like Segment and Looker.
That breadth is what makes Glean powerful and dangerous. It doesn't just index engineering docs or HR files. It crosses organizational boundaries, aggregating data that was never designed to be accessed together. A single well-phrased query can surface customer lists, salary bands, unreleased product roadmaps, or active security vulnerabilities, drawing from multiple systems simultaneously.
The exfiltration vector is almost comically simple: query Glean in a browser, read the answer, copy the output, paste it somewhere external. No suspicious API calls. No file downloads. No DLP alert. The data left the building inside a clipboard.
Claude Cowork and The Agentic AI Risk
Claude Cowork represents a parallel but distinct threat model. Where Glean aggregates and surfaces data, Claude Cowork acts on it. It connects to your local environment and SaaS applications and can execute multi-step workflows autonomously: reading files, writing outputs, triggering actions across connected systems.
This agentic capability introduces a new category of risk. Data doesn't just get queried; it gets processed, synthesized, and potentially written to new locations. An autonomous workflow might pull customer data from Salesforce, cross-reference it with a spreadsheet on your local drive, and generate a summary document. All without a human reviewing each step.
The two tools expose data differently. Glean's risk is breadth: it can pull from dozens of sources simultaneously and return the synthesis in a single readable response. Claude Cowork's risk is depth: it can take autonomous action across connected systems with minimal human checkpoints. Glean has limited autonomous execution but exceptionally broad multi-source access. Claude Cowork is the inverse. It’s narrower in aggregation but capable of executing consequential multi-step workflows. Both lack fine-grained data leak prevention and meaningful audit trails. Both create high potential for inadvertent data exposure. The threat is real in both cases; the attack surface just looks different.
Why Legacy DLP Fails to Protect Agentic and Shadow AI
Legacy DLP was designed to detect data that has a specific signature. It struggles with the data that matters most to most enterprises: unstructured corporate IP, unreleased product designs, M&A strategy in a slide deck, a screenshot of a compensation spreadsheet, or proprietary source code embedded in a document. These don't have signatures. They have context that legacy DLP can't read.
AI-assisted exfiltration breaks this model in three ways.
The output is transformed. Glean doesn't send a raw Salesforce export. It sends a synthesized, AI-generated answer to a natural language question. That answer may contain sensitive data, but it looks like a chat message or a copied paragraph, not a structured data file that DLP knows to inspect.
The channel is invisible. Browser-based AI tools like Glean operate inside a browser session. Unless you're running deep packet inspection or browser-level monitoring, you're not seeing what's being queried or what's being returned.
The scope is unbounded. Traditional DLP policies are written for known data categories in known locations. AI tools can synthesize novel combinations of data from dozens of sources simultaneously. There is no pre-written policy that catches "customer list assembled from Salesforce opportunities + Google Drive contacts + Slack channel history."
This is how data exfiltration becomes functionally invisible to most enterprise security stacks.
Effective Data Protection Requirements for Agentic AI
Blocking AI tools outright is not a viable strategy. The productivity gains of AI are too valuable and employees will find ways around blanket restrictions. The architectural challenge is extending your security posture to cover the new attack surface. That requires rethinking DLP from the ground up, because the AI interaction layer is fundamentally different from the file and email layer.
You need to know what's exposed before it gets queried. The first requirement is continuous data discovery and classification across your SaaS environment for structured sensitive patterns like PII or payment data and contextual data that becomes sensitive in combination. A single document may not be a liability. That same document synthesized with three others and returned as a Glean response is a different matter entirely. Effective protection starts with knowing which assets are at risk before an AI tool surfaces them.
DLP needs to operate at the AI interaction layer, not just the file layer. This means inspecting what AI tools are actually returning—the queries going in and the outputs coming out—in real time. When a Glean response contains a customer list or confidential pricing data, that's the point of intervention, not the downstream clipboard paste. The policy enforcement needs to understand the AI output as content, which requires a detection layer trained on how AI tools synthesize and present data.
Agentic workflows require their own control plane. Tools like Claude Cowork interact with external systems through the Model Context Protocol (MCP), the emerging standard interface between AI models and the SaaS environment. This is a new layer that sits below traditional DLP visibility. Securing it means monitoring and enforcing policy on data flowing through MCP-connected workflows, watching files move across the network, understanding what an AI agent is reading, writing, acting on as it executes a multi-step workflow.
Detection without response is incomplete. The audit trail matters as much as the alert. Security teams need to know not just that a sensitive data event occurred, but what AI tool triggered it, what data was involved, what the user queried, and what the output contained. That investigation surface is what allows you to tune policy, respond to incidents, and demonstrate control to regulators and auditors.
Agentic AI Won’t Wait for Your Security Stack to Catch Up
Shadow AI is not a future risk. It is active in most enterprise environments today. Glean and Claude Cowork are two of the most visible examples of the tools your employees have already found and are already using. Behind them are dozens more, and the pace of adoption is accelerating faster than most security programs can track.
The practical response for enterprise security teams:
Audit AI tool adoption across your organization and assume the list is longer than you know. Map the connector surface, because every SaaS app connected to an AI tool is a potential exfiltration channel. Extend DLP policy to cover the AI interaction layer and agentic workflows, not just files and email. And build the audit infrastructure now, before you need to reconstruct a timeline.
The goal is not to slow down AI adoption. It is to ensure the productivity gains don't come with an invisible security cost.
See how Nightfall can protect your organization from AI-driven data exposure with a personalized demo.
.svg)
.svg)
