Data loss prevention needs a rethink in the age of AI - Supply Network Africa

For many years, data loss prevention was treated as a control that could be applied to known systems, users, and routes. Sensitive information could be identified through patterns, rules, classifications, or fingerprints, and policies could be applied to prevent it from leaving the organisation through email, file shares, removable storage, or other familiar channels.

That model still has value, but it is being stretched by the way organisations now work. Data no longer moves neatly from one internal system to one external destination. It moves across cloud platforms, software-as-a-service applications, analytics tools, collaboration environments, APIs, remote devices, and third-party ecosystems. In African enterprise environments, that movement often crosses regions, providers, and regulatory boundaries as businesses modernise infrastructure and serve customers across multiple markets.

This is why data loss prevention (DLP) needs to be reconsidered in the age of AI.

“Traditional DLP was built for a more predictable environment,” says Phila May, Executive GTM at inq. Digital. “The challenge today is that data is moving through far more dynamic systems. If organisations are still relying only on static rules and perimeter controls, they are going to miss important parts of the risk.”

AI challenge

AI has made the problem more urgent by introducing new ways for sensitive information to leave controlled environments. Employees may paste customer data, source code, financial information, contracts, credentials, or internal technical details into generative AI tools to speed up their work. Copilots and assistants may summarise documents, scan inboxes, interpret spreadsheets, or retrieve information from enterprise platforms. Automated agents may be granted access to applications, databases, ticketing systems, and collaboration tools to complete tasks with minimal human involvement.

The risk is not simply that people may use AI tools carelessly. The deeper issue is that AI changes the nature of data movement. A prompt can become a data transfer. A summary can expose confidential information. An agent with excessive permissions can move data faster than a human user ever could. A malicious instruction embedded in a document or third-party interaction can manipulate an AI system into revealing information or performing an action outside the organisation’s intended policy.

“A modern DLP approach has to understand context. It is not enough to know that data matches a certain pattern. Organisations need to understand whether the behaviour makes sense, whether the user is authorised, and whether the data is being used in a legitimate business process,” says May.

Hybrid environments

This is particularly important as more organisations adopt hybrid and multi-cloud architectures. Data may reside in a local environment, move to an Azure or AWS workload, be analysed via a SaaS platform, and then be shared with a supplier, partner, or customer-facing application. Traditional inspection points do not always see these flows, especially when data moves through APIs, encrypted sessions, or application-to-application integrations.

Effective DLP, therefore, has to become layered. It starts with data discovery and classification, because organisations cannot protect sensitive information they have not identified. It also requires identity-aware policies that connect access decisions to users, devices, roles, applications, and data sensitivity. In AI-enabled environments, prompts and responses should be inspected for confidential information, and high-risk data should be redacted before it is sent to external models or services.
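A sketch of the prompt inspection and redaction layer described above, as an added example that is not from the article or from inq. Digital. The detector patterns, the role names, the `ROLE_CLEARANCE` policy and the `gate_prompt` function are assumptions made for illustration; the sample prompt is constructed.

```python
import re

# Detector patterns are illustrative assumptions, not a complete classifier.
DETECTORS = {
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "credential": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS access key ID format
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}
# Hypothetical policy: data classes a role may send unredacted to an internal model.
ROLE_CLEARANCE = {"fraud_analyst": {"card_number", "email"}, "developer": set()}

def luhn_ok(digits):
    """Checksum test so that any 16-digit order number is not treated as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def gate_prompt(prompt, role, destination):
    """Return (action, text_to_send, findings) for a prompt bound for `destination`."""
    findings = []
    # Clearance only applies inside the organisation; external models get none.
    cleared = ROLE_CLEARANCE.get(role, set()) if destination == "internal" else set()

    def handle(name, match):
        value = match.group()
        if name == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
            return value  # pattern matched but the checksum says it is not a card
        keep = name in cleared
        findings.append((name, "kept" if keep else "redacted"))
        return value if keep else f"[REDACTED:{name}]"

    text = prompt
    for name, pattern in DETECTORS.items():
        text = pattern.sub(lambda m, n=name: handle(n, m), text)
    if ("credential", "redacted") in findings:
        return "block", "", findings  # credentials never leave, even redacted
    action = "redact" if any(d == "redacted" for _, d in findings) else "allow"
    return action, text, findings

# Constructed sample prompt: a test card number, an example address, an order number.
SAMPLE = "Refund card 4111 1111 1111 1111 for thabo@example.com, order 1234567890123456"

if __name__ == "__main__":
    for role, dest in [("developer", "external"), ("fraud_analyst", "internal")]:
        print(role, dest, gate_prompt(SAMPLE, role, dest))
```

The same prompt is redacted for one user and passed through for another, and the order number survives because a pattern match alone does not make it card data.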

Dealing with agents

Agent governance is another important layer. AI agents should not be given broad access simply because they are useful. Permissions must be limited to what the task requires, and higher-risk actions such as exporting records, attaching customer data, or sending information outside the organisation should require approval, logging, and review.

Behaviour analytics also becomes central. If a user account, API key, or automated process suddenly accesses unusually large volumes of sensitive information, connects from an unfamiliar location, or deviates from its normal behaviour, that activity should trigger an alert. In this environment, the ability to detect abnormal data movement in real time matters as much as the ability to block known violations.
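One way to express the baseline check described above, as an added example that is not from the article or from inq. Digital. It assumes each principal (user account, API key or agent) has a recorded history of daily sensitive-record counts and a set of usual countries; the field names, principal names, the modified z-score method and the 3.5 threshold are choices made for this sketch, and the data is constructed.

```python
from statistics import median

def robust_score(history, value):
    """Modified z-score of `value` against `history` (median absolute deviation)."""
    med = median(history)
    mad = median([abs(x - med) for x in history]) or 1.0  # avoid division by zero
    return 0.6745 * (value - med) / mad

def assess(baselines, event, threshold=3.5):
    """Return the reasons an access event deviates from its principal's baseline."""
    profile = baselines.get(event["principal"])
    if profile is None:
        return ["no_baseline"]  # unknown account, key or process: review it
    reasons = []
    score = robust_score(profile["daily_sensitive_records"], event["sensitive_records"])
    if score > threshold:
        reasons.append("volume_spike")
    if event["country"] not in profile["countries"]:
        reasons.append("unfamiliar_location")
    return reasons

# Constructed baseline and events; principal names and field names are hypothetical.
BASELINES = {
    "api-key:reporting": {
        "daily_sensitive_records": [120, 135, 110, 128, 140, 118, 125],
        "countries": {"ZA"},
    },
}
EVENTS = [
    {"principal": "api-key:reporting", "sensitive_records": 131, "country": "ZA"},
    {"principal": "api-key:reporting", "sensitive_records": 9000, "country": "ZA"},
    {"principal": "api-key:reporting", "sensitive_records": 140, "country": "NL"},
    {"principal": "agent:ticket-bot", "sensitive_records": 12, "country": "ZA"},
]

def alerts(baselines, events):
    """Pair each deviating event's principal with its reasons, in arrival order."""
    return [(e["principal"], r) for e in events if (r := assess(baselines, e))]

if __name__ == "__main__":
    for principal, reasons in alerts(BASELINES, EVENTS):
        print(principal, reasons)
```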

For African organisations, the pressure is practical. Cloud adoption, AI experimentation, data modernisation, and cross-border digital services are already changing how information flows through businesses. Security teams need to support that progress without making sensitive data invisible.

“The answer is not to stop innovation, but to build the right controls around it. AI can create enormous value, but organisations need to govern how data is accessed, shared, processed, and retained.”

The future of DLP will not be defined by more static rules. It will depend on visibility, context, identity, behaviour, and real-time control. In the age of AI, organisations need to move beyond asking whether data has crossed a boundary. They need to understand whether the movement is appropriate, authorised, and safe.

Phila May, Executive GTM at inq. Digital.
