Author: Daniel

  • AI is a Data Security Problem, CISOs Testify

    I have a confession. When my team proposed hosting an executive boardroom at the Gartner Cybersecurity & Risk Management Summit on data loss protection, I had my doubts about attendance. As a tech category, DLP doesn’t give CISOs the warm fuzzies.

    But every seat was taken. We even had to turn people away at the door.

    That’s because security leaders came to talk about something bigger. Within just a few years, employees across every department have started feeding sensitive company data into AI, and the so-called “DLP solutions” companies have now are useless. CISOs need better answers for data security. Not tomorrow – now. 

    Thanks to everyone who joined us in the executive boardroom. Here are six takeaways from the event.

    DLP PTSD Is Real

    The feeling was unanimous: the old DLP playbook built on regex-based policies has failed. It generates too many false positives or misses real threats entirely, and someone has to sort through the wreckage. Security teams are spending money and burning hours and still losing data.

    My co-host for the session was Matthew Mudry, CISO at Alera Group, and he has lived this. At one point he had a small army focused on sorting real alerts from false ones. Credit card numbers flagged as contract numbers, and PHI flags on everything. A universal experience for CISOs that’s given DLP a bad reputation and maybe even triggered a few anxiety nightmares.

    Matthew called it “DLP PTSD.” We’ve all been there. 

    Nitay Milner, ORION Security Co-Founder and CEO, and Matthew Mudry, CISO at Alera Group, discuss a new model for data loss protection.

    AI Has Changed the Risk Math

    ChatGPT, Claude, Claude Code, and Gemini are running directly on endpoints, with more employees using these desktop and browser apps every day, often with extremely sensitive data. Tools like Cursor let non-technical employees build unauthorized apps that connect directly to internal data sources, without security ever knowing they exist. The surface area is orders of magnitude larger than it was three years ago. Writing more policies is not a response to that and it doesn’t scale.

    The only way to keep up with AI-driven exposure is with AI-driven detection. You can’t fight this with more analysts and policies. The answer for data security in today’s world is agentic technology that understands context, learns what normal looks like, and flags what doesn’t fit.

    CISOs Need Data Movement Visibility

    Matthew’s approach at Alera inverted the conventional playbook. Instead of starting with data classification, the two-year DSPM scan, the labeling project, the policy architecture, he started with a simpler question: where is data actually going right now?

    Not long after deploying ORION Security agents, his team had answers. And the other thing he said that was interesting: once he had clean, accurate data, the conversation with his board changed completely. He could show them exactly what was leaving and where. That is what a DLP reset looks like.

    Pre-Classification Delays Protection

    Someone in the room asked about Matthew’s choice to not pre-classify data before deploying ORION. His answer was direct: he’s not against classification. He’s against it being the thing that has to happen before you can protect anything.

    ORION classifies data in motion, and those detections feed back into compliance and labeling workflows. Protection doesn’t have to wait.

    This matters especially now, when AI tools are creating exposure faster than any labeling project can move.

    Fragmented DLP Means Fragmented Signal

    Most enterprise data loss protection programs aren’t one program. They’re three or four point solutions covering different surfaces: endpoint, email, network, AI, SaaS apps, etc. Each with its own policies and alert queue.

    The problem is data doesn’t respect those boundaries. When you look at email, endpoint, AI channels, and SaaS together, you see a completely different story than when you look at each in isolation.

    Context is everything. A file download that looks routine on its own looks very different when you can see it was then zipped, renamed, and uploaded somewhere else. That full trace only exists if you are looking at all of it at once. Fragmented signal means more noise, missed incidents, and tuning cycles, which is exactly the failure mode everyone in that room has lived.
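
    The trace described above, sketched as an added example (not ORION's code and not something shown in the session): events from three separate tools are joined on a content hash so an upload can be walked back to where the data came from. The event schema, the hash-based linking, the hostnames and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry; field names and values are assumptions,
# real SaaS, endpoint and proxy tools emit different schemas.
EVENTS = [
    {"ts": 100, "src": "saas", "user": "u1", "action": "download",
     "sha": "aa11", "name": "customers_q3.xlsx", "origin": "crm/exports"},
    {"ts": 160, "src": "endpoint", "user": "u1", "action": "archive",
     "inputs": ["aa11"], "sha": "bb22", "name": "customers_q3.zip"},
    {"ts": 200, "src": "endpoint", "user": "u1", "action": "rename",
     "sha": "bb22", "name": "holiday_photos.zip"},
    {"ts": 260, "src": "proxy", "user": "u1", "action": "upload",
     "sha": "bb22", "name": "holiday_photos.zip",
     "dest": "personal-cloud.example"},
    {"ts": 300, "src": "saas", "user": "u2", "action": "download",
     "sha": "cc33", "name": "price_list.pdf", "origin": "crm/exports"},
    {"ts": 400, "src": "proxy", "user": "u3", "action": "upload",
     "sha": "dd44", "name": "slides.zip", "dest": "personal-cloud.example"},
]

SENSITIVE_ORIGINS = {"crm/exports"}             # assumed for this example
UNSANCTIONED_DESTS = {"personal-cloud.example"}  # assumed for this example


def build_lineage(events):
    """Index events: hash -> parent hashes, hash -> names seen, hash -> origin."""
    parents, names, origin = defaultdict(set), defaultdict(list), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        names[e["sha"]].append(e["name"])
        if e["action"] == "archive":
            parents[e["sha"]].update(e["inputs"])
        elif e["action"] == "download":
            origin[e["sha"]] = e["origin"]
    return parents, names, origin


def trace(sha, parents, names, origin):
    """Walk back from a hash through its ancestors; return (origins, names)."""
    seen, stack, origins, seen_names = set(), [sha], set(), []
    while stack:
        h = stack.pop()
        if h in seen:
            continue
        seen.add(h)
        seen_names.extend(names.get(h, []))
        if h in origin:
            origins.add(origin[h])
        stack.extend(parents.get(h, ()))
    return origins, seen_names


def correlated_findings(events):
    """Uploads to unsanctioned destinations whose content traces back to a
    sensitive origin, with the names the content carried along the way."""
    parents, names, origin = build_lineage(events)
    findings = []
    for e in events:
        if e["action"] != "upload" or e["dest"] not in UNSANCTIONED_DESTS:
            continue
        origins, seen_names = trace(e["sha"], parents, names, origin)
        hit = origins & SENSITIVE_ORIGINS
        if hit:
            findings.append({
                "user": e["user"], "dest": e["dest"], "origins": sorted(hit),
                "renamed": len(set(names[e["sha"]])) > 1,
                "chain": list(dict.fromkeys(seen_names)),
            })
    return findings


def siloed_findings(events, src):
    """The same logic limited to one tool's events, as a point solution sees them."""
    return correlated_findings([e for e in events if e["src"] == src])


if __name__ == "__main__":
    print("unified:", correlated_findings(EVENTS))
    for s in ("saas", "endpoint", "proxy"):
        print(s, "only:", siloed_findings(EVENTS, s))
```

    Run over the combined stream, the one upload that descends from a CRM export is reported with its rename; run over any single source, nothing is reported, because no one tool holds the whole chain.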

    Data Security Done Right Gets Everyone in Sync

    One of the more interesting moments in the session came when Matthew described how his security team had built a shared workspace with HR. When a relevant HR situation arises, HR flags it in the system. When ORION detects unusual data movement patterns, the security team flags it back. Both sides are working from the same context.

    It sounds simple, but almost no one is doing that. Most security teams are either monitoring everyone equally or waiting for an incident before they escalate. The HR partnership lets security focus attention where the risk is actually elevated, not because anyone is assumed to be doing something wrong, but because context-aware protection is more accurate than blanket coverage. 

    It also shifts the security-HR relationship from reactive to collaborative. And when the two teams are in sync, response time improves.

    The Conversation Is Just Starting

    We’re at a moment where the traditional DLP approach has failed, and a new playbook is being written.

    I co-hosted the executive boardroom not knowing if we’d have good attendance. DLP doesn’t exactly have a fan club. But the room was full because the data protection problem is real and getting harder, and security leaders know it. 

    What stood out was how much everyone agreed on: AI has made this urgent, and they needed answers to this problem yesterday.

    If you were in that room, or find this conversation interesting, I’d genuinely like to hear how you are thinking about this. What’s working? What’s still broken? Is that checkbox we all knew as a “DLP tool” even relevant in today’s world? That discussion was the best 45 minutes of the conference for me, and I don’t think we got close to finishing it.

  • Why ORION Security Is Leading the DLP Reset

    I recently co-hosted a webinar with Lawrence Pingree on what he calls The Great DLP Reset. Lawrence leads data security and AI research at Software Analyst Cyber Research (SACR), is a former Gartner analyst, and one of the most experienced independent voices in the category.

    His research also validates everything that drove Nitay Milner and me to launch ORION Security. Data moves faster and further than it ever has, and ORION is built for that reality.

    Lawrence calls traditional DLP a “faded, broken padlock,” and we couldn’t agree more. I once had the challenge of implementing DLP at a fast-growing software company, and I know what it feels like to constantly tune policies and still not reach prevention mode, while watching the false positives pile up. 

    As he said, this creates a “ticket factory.” I talk to CISOs all the time who are frustrated with their own ticket factories, with their DLP getting so stuck in the tune phase that they never reach prevention. 

    The Impact of AI on DLP

    AI use has exploded across organizations in the past few years. Something Lawrence and I kept coming back to in the webinar is that most companies have a shadow AI problem: they don’t know what AI tools their employees use or how they use them. So they don’t know what policies to create, because you can’t write a policy for tools you can’t see.

    Modern DLP manages this challenge. A good analogy is the breakthrough the security industry made with endpoint detection and response (EDR) about 10 years ago. Signature-based antivirus couldn’t catch what it didn’t already know about, and EDR changed that by evaluating behavior and context instead. Policy-based DLP has the same limitation: if there’s no policy for it, it gets through. 

    ORION is leading that same kind of shift, just applied to DLP.

    ORION at the Forefront of the DLP Reset

    Nitay and I didn’t set out to build a better version of what already existed. We wanted to rebuild the foundation. That meant moving away from the policy approach and embracing real-time, agentic DLP.

    The core problem with policy-based DLP is it depends on someone having seen and defined the threat before it can be caught. A skilled security analyst doesn’t work that way. They catch incidents by understanding context: who is moving this data, what it is, where it’s going, and whether that behavior is normal for the person in that role.

    Here’s what’s interesting: security analysts mark false positives all the time. The industry average is over 90%. And if a security analyst can differentiate between legitimate activity and suspicious activity using their judgment, an AI agent can be trained to do it as well, at machine speed, across every interaction simultaneously.

    ORION’s proprietary AI agents analyze data in motion, evaluating every action across identity, behavior, content, lineage, and environmental context. Our system understands intent and delivers a verdict on whether an action reflects normal business activity or actual exfiltration, in real time, without requiring a policy to be written first. That includes endpoints, browsers, SaaS, email, and AI tools, including the unmanaged sessions and agentic workflows that legacy tools weren’t built to handle. There are no policies to write, tune, or maintain, because ORION learns continuously and adapts as the environment changes.

    This is what the reset actually looks like.

    Learning to Love DLP

    One of the things Lawrence and I agreed on completely is that the future is autonomous prevention, not detection and response. The way we think about it at ORION: once we have enough confidence in an AI agent’s performance on a specific use case, and once the false positive rate is low enough, we turn it on in fully autonomous mode. It can block, redact, or quarantine without waiting for a human to approve each decision. This allows your team to focus on the cases that actually need their expertise.

    AI also lets security teams do more with less. As AI agents take on the work of monitoring data movement and flagging real incidents, your team stops rewriting rules and starts working actual threats.

    What Lawrence laid out in the webinar tracks with what we see every day. The future of DLP is a data control plane: unified discovery, context, real-time enforcement, and AI-driven decision-making working together toward a prevention outcome that actually works. It’s a system that runs continuously, learns the environment, and catches real incidents without someone having to babysit it.

    Based on what we’re seeing from customers, including some of the largest global enterprises, we know this is possible because it’s already working.

    The CISO at a large financial institution, and a valued customer, gave us the best compliment in a recent conversation: “I hated DLP before ORION.”

    Do you think you could learn to love your DLP? We think so. If your team is stuck in tuning mode and ready to see what prevention actually looks like, let us show you a demo.

    More DLP Resources

    Read part one of this series, “The Great DLP Reset: Why DLP Fails, and How to Fix It.”

    Read the full SACR Report on the DLP Reset.

    Watch the full webinar, “The Great DLP Reset: Security Data in the Age of SaaS, Cloud, and AI”

  • Why DSPM Doesn’t Need to Come Before DLP

    At ORION Security, we talk a lot about the Great DLP Reset, caused by complex legacy tools, brittle policies, and piles of false positives. The industry needs to start over, and ORION Security is committed to leading this long-overdue change for data loss protection.

    In this article, we address an important aspect of this transformation. It challenges the belief that has shaped how organizations approach data security: that data security posture management (DSPM) needs to come before DLP. Here is why that thinking no longer holds.

    What Reduces Security Risk the Fastest?

    In our conversations with security leaders, one question tends to reframe the entire conversation: What will reduce my risk the most, and the fastest?

    Our response differs from what many cybersecurity vendors have pitched for years, which is to adopt DSPM first. That model has you first classify your data at rest to identify shadow data and protect the crown jewels, get your labels in order, and then build your DLP on top of that foundation.

    There are a few problems with that approach. First, it means waiting 6-12 months before you have any meaningful path to enforcement and protection against data leaving your organization as it moves through email, endpoints, SaaS applications, and personal cloud accounts. Data exfiltration remains the highest and most common form of data risk most organizations face. Every week spent cataloging data at rest to build a DSPM foundation is a week where data in motion is moving without any real oversight, and that is where breaches actually happen.

    Why the DSPM-First Model Falls Short

    DSPM itself isn’t a bad tool. The problem is it prioritizes the wrong thing.

    DSPM was designed to answer inventory and governance questions: where sensitive data lives, who can access it, and whether it is properly secured at rest. All legitimate questions. The traditional thinking is that you need those answers before you can build DLP on top. So organizations stand up DSPM, build out their data catalog, generate classification labels, and then use those labels to configure DLP rules.

    But even when this sequence works as intended, the best you end up with is a DLP program built on static rules derived from a static classification. The rules reflect what the data looked like when the scan ran, and they fire based on pattern matching against content rather than any understanding of context or behavior. A label that says PII tells you what’s in the file, but nothing about whether sending it right now to this recipient through this channel represents a real threat or a routine business activity. 

    After months of foundation building, you still can’t tell the difference between a file being shared legitimately and one being exfiltrated. The employee downloading a customer list to upload to their personal Google Drive; the engineer pasting source code into an AI tool; the salesperson forwarding a contract to their personal email before leaving the company; none of these are stopped by a classification label. They are stopped by understanding context at the moment of movement, and that is something the DSPM-first model wasn’t built to provide.

    Data Intelligence in Motion: The Agentic DLP Model

    The security industry has spent decades building tools that answer the wrong question. DSPM asks, where is my sensitive data? Legacy DLP software asks, does this content match a known pattern? Both questions are static. They treat data as something you catalog and monitor, rather than something you understand.

    Data intelligence in motion is a different proposition entirely. It asks, what is this data? Why is it moving? Who is moving it? Does that movement represent a risk right now? That shift from cataloging to comprehending is what makes the new model fundamentally different, not just incrementally better. 

    The assumption behind the DSPM-first approach was that legacy DLP tools needed classification labels to function. Without pre-tagged data, the rules could not fire, so you had to build the catalog before you could build the enforcement. That dependency made DSPM feel mandatory, and for a long time it was.

    ORION Security breaks that dependency. Our agentic DLP solution classifies data at the moment it moves, understanding what it is and whether it’s sensitive from context alone, not from metadata. The work DSPM does at rest is already complete by the time data reaches the point where it could cause harm. 

    ORION Security AI reads and comprehends unstructured documents, emails, chat attachments, code, and screenshots, and reaches a verdict on whether that data is sensitive based on what it is, who is sending it, where it’s going, and what the surrounding context looks like.

    At a healthcare organization, a patient record forwarded to an outside clinician is clearly distinguishable from that same record leaving the organization through a personal email account. ORION knows the difference without being told and without needing a prior classification scan.

    When ORION Security deploys, it starts building a picture of your data landscape from the ground up, based on what is actually moving. Every file that transits an endpoint, every document sent through email, every upload to a SaaS application gets classified in real time, in context, at the moment of movement. Within days of deployment you have a live, accurate map of where your sensitive data is going and who is moving it, built from actual behavior rather than a periodic scan of storage that was already stale the moment it finished running. 

    Our classification intelligence accumulates continuously and gets more accurate over time without anyone maintaining a rule library or running another scan. Because our proprietary AI is evaluating full context rather than matching patterns against static labels, organizations can move from monitoring to active blocking in weeks, something that would have taken months or even years following the traditional DSPM-first path.

    For the security leader asking what reduces risk the most and the quickest, the answer is addressing data in motion first. ORION makes it possible to do that without any prerequisites.

    Where DSPM Still Fits

    None of this means DSPM has no value. For organizations that need to understand their full data inventory, enforce access controls around data at rest, or address specific compliance requirements around data discovery, DSPM is a meaningful investment. ORION integrates natively with leading DSPM platforms, such as Microsoft Purview and Sentra, and can absorb their classifications to make detections even more precise.

    But the sequencing question deserves a more honest answer than the industry has been giving. The assumption that DSPM has to come before DLP was built for a world where DLP tools could not function without pre-classified data. That world has changed.

    For organizations that have not started a DSPM deployment yet, starting with ORION means real protection is in place immediately. For organizations already mid-way through a DSPM program, ORION doesn’t displace that work. It runs alongside it.

    The DLP Reset Starts Here

    The sequencing debate is happening in CISO offices and budget reviews across the industry, and the framing is usually some version of, “We need to know what we have before we can protect it.” That framing was reasonable for a long time. What is worth pressure-testing is whether it’s still correct given what’s available today, because the more useful question is which approach reduces risk the fastest with the most efficient use of budget and headcount.

    While the DSPM-first model was always in service of the goal of stopping sensitive data from leaving the organization, it did not treat that goal as a priority. Data leaving is always data in motion, and ORION was built to prioritize exactly that, looking at data the moment it moves, classifying it in context, and acting on it automatically before it crosses a boundary. The inventory of what you have follows naturally and is built from real movement rather than periodic scans.

    If the question on your team’s mind is what reduces risk the most and the quickest, the answer is that protection starts at the point of departure, and with ORION that starts on day one.

    Additional Resources on DSPM and DLP

    Learn how ORION Security and Sentra deliver context-aware data protection.

    Discover how ORION Security and Microsoft Purview are stronger together.

  • The Great DLP Reset: Why DLP Fails, and How to Fix It

    At ORION Security, we spend a lot of time talking with security teams struggling with the same problem: traditional data loss prevention (DLP) approaches can’t keep up with how data moves today.

    Lawrence Pingree agrees. In fact, it’s central to his research on what he calls “The Great DLP Reset,” which he shared in a recent webinar co-hosted with ORION Security.

    Here’s the full webinar, “The Great DLP Reset: Security Data in the Age of SaaS, Cloud, and AI”:

    Lawrence, who leads research at Software Analyst Cyber Research (SACR), is one of cybersecurity’s most experienced voices. He’s a former Gartner analyst who has published more than 300 research notes, advised many of the top security vendors in the market, and helped define categories like EDR, SASE, and SD-WAN.

    I highly encourage CISOs and their teams to dig into this research to fully understand how to manage and deploy DLP in today’s world. Below are key insights from his presentation during the webinar, edited for clarity. 

    Q: Why does traditional DLP fail to prevent data loss?

    Lawrence: Classic DLP primarily existed in firewalls, secure web gateways, and endpoints; proxies built to enforce control over data at fixed points. It was heavily reliant on regular expressions and exact data matching. Back then, the perimeter was different. There was this notion of an “inside” and an “outside” of every environment. It wasn’t porous like it is today.

    Q: Why do so many DLP programs end up spread across disconnected tools?

    Lawrence: We call it the fragmented DLP approach, and it’s central to the problem. You have a little bit of capability around email, some in the endpoints, maybe one feature across SaaS with some CASB (cloud access security broker). You need to configure different platforms to get to one use case across the board. And you have misalignment between the capabilities you have in the different tools.

    Q: Is DLP still relevant in 2026?

    Lawrence: It’s more relevant than ever, but the category needed a reset. While DLP has ebbed and flowed over the years, it’s back now because SaaS sprawl and cloud data gravity have come into play, and business apps and tools have evolved to include generative AI and agentic workflows.

    Q: What is shadow AI, and why is it a data loss risk?

    Lawrence: Quite simply, more people are uploading their organization’s data in things like spreadsheets into AI tools because it’s useful. But that data may not be approved for sharing; it might even be regulated. And there have been a lot of use cases where prompt injection and agentics have demonstrated the ability to exfiltrate data, even in apps like Microsoft Copilot. All of these are potential risks.

    Q: On the flip side, how does the use of AI in DLP detection reduce false positives?

    Lawrence: AI enables something that deterministic policies never could: contextual judgment at machine speed. That cognitive function brings beauty to context because you can storyline various contextual elements together: the identity role, the data involved, the application, location, history and behavior, and business context. AI can look at every interaction and make an assessment: is this actual data leakage or just benign activity? It paints the picture of the actual scenario versus an individual event.

    Q: What does real-time DLP enforcement look like compared to the old way?

    Lawrence: Legacy DLP is kind of a faded, broken padlock. The classic perimeter approach just doesn’t work. We’ve reached a DLP rearchitecture point where we’re moving to more runtimes. We’ve got to move to a more real-time environment focused on prevention versus detection and response. The future state is AI-enabled autonomous policies, both in creation and fine-tuning.

    Q: How should security leaders evaluate and modernize their DLP program?

    Lawrence: Start by scoring your current program honestly. Look at your time to discover and classify meaningful sensitive data. Look at your policy model and your tuning burden. Are you running a ticket factory? You shouldn’t be. Add context to every decision: fuse identity, entitlements, posture, and user behavior to cut down on false positives and focus on real material risks. Strive for one set of policy intents across the various surfaces. The overall goal should be this: credible AI-era controls.

    Q: Where do AI-native DLP vendors fit in the modern security landscape?

    Lawrence: A new category of vendors is emerging that was built for this era from the ground up. You have vendors like ORION Security, which I consider more of the context-rich version, integrating AI to build better controls, better understanding, and cognitive function around the way interactions are happening within the enterprise.

    Final Thoughts

    I really enjoyed the hour I spent with Lawrence Pingree discussing this massive reset. The shift from traditional DLP to AI-native, context-aware data protection is accelerating as organizations adopt SaaS, cloud platforms, copilots, and autonomous AI agents. 

    As Lawrence puts it, the data control plane isn’t a box. It requires unifying discovery, context, enforcement, and AI-driven decision-making into a prevention outcome that actually works.

    At ORION Security, we built our platform around exactly what Lawrence describes: AI that evaluates the full context of every interaction, not just whether it matches a rule. If your team is stuck in tuning mode and ready to see what prevention actually looks like, we’d love to show you what we’ve built. (Request a demo.)

    Additional Resources on the DLP Reset

    Read part two in Jonathan’s blog series on the DLP Reset.

    Read the full report from Software Analyst Cyber Research.

    Watch the webinar on the DLP reset.