Data-leak protection

Data-leak protection (DLP) is the engine that inspects every request and document for sensitive content, then handles it according to your policy matrix.

What it detects

  • Secrets — API keys, passwords, connection strings, tokens.
  • PII — personal identifiers such as SSNs, national IDs, and passport numbers.
  • PCI — payment-card numbers and related data.
  • Identity documents — government-issued identifiers.
  • Prompt injection — attempts to manipulate the model through hidden instructions.

How it responds

ThreatLens chooses the lightest action that still protects the data:

  • Redact — remove the sensitive values and send the rest. A document with employee SSNs is grounded with the SSNs masked, so the answer is still useful.
  • Route — send the content only to a trusted-enough destination; withhold it from less-trusted ones.
  • Block — withhold the content entirely.

Absolute blocks

Raw secrets and prompt injection are always blocked, at every trust tier — there is no destination trusted enough to receive them. When a document is blocked, the model is told why, so it gives an honest answer instead of guessing.

Redact, route, block — by design

The goal is to say "no" as rarely as possible. Most sensitive content can be safely redacted (the sensitive value is removed, so there's nothing left to leak) or routed to your own approved model. Only the genuinely forbidden is blocked. That's how ThreatLens lets you adopt AI broadly while keeping a few hard guardrails.

Every DLP outcome — what was detected, what was done, and where the content went — is recorded in the audit log.
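
The redact / route / block flow and the absolute blocks described above, modeled as an added example (this is not ThreatLens code or its API). The detector regexes, the policy matrix, the integer trust tiers, and every name here are assumptions made for illustration.

```python
import re

# Constructed detectors for illustration only; real DLP detection is far richer.
DETECTORS = {
    "secret": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),       # AWS access key ID shape
    "prompt_injection": re.compile(r"ignore (?:all )?previous instructions", re.I),
    "pii": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN shape
    "pci": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),     # 16-digit card shape
}
ABSOLUTE = {"secret", "prompt_injection"}   # blocked at every trust tier
# Hypothetical policy matrix: category -> ("redact",) or ("route", min_tier).
# Assumption: tiers are integers and a higher number means more trusted.
POLICY = {"pii": ("redact",), "pci": ("route", 3)}
SEVERITY = {"allow": 0, "redact": 1, "route": 2, "block": 3}


def handle(text, destination, tier, policy=POLICY):
    """Decide what one destination receives; return (payload_or_None, audit)."""
    found = sorted(c for c, rx in DETECTORS.items() if rx.search(text))
    action, payload = "allow", text
    for cat in found:
        # Absolute categories ignore the matrix; unknown categories fail closed.
        rule = ("block",) if cat in ABSOLUTE else policy.get(cat, ("block",))
        if rule[0] == "redact" and payload is not None:
            payload = DETECTORS[cat].sub(f"[{cat.upper()} REDACTED]", payload)
        elif rule[0] == "block" or (rule[0] == "route" and tier < rule[1]):
            payload = None                  # withheld from this destination
        action = max(action, rule[0], key=SEVERITY.get)
    audit = {"destination": destination, "detected": found,
             "action": action, "delivered": payload is not None}
    return payload, audit


if __name__ == "__main__":
    samples = [  # constructed inputs
        ("Employee SSN 123-45-6789 on file", "public-llm", 1),
        ("Charge card 4111 1111 1111 1111", "public-llm", 1),
        ("Charge card 4111 1111 1111 1111", "approved-model", 3),
        ("key=AKIAIOSFODNN7EXAMPLE", "approved-model", 3),
    ]
    for text, dest, tier in samples:
        print(handle(text, dest, tier))
```

The returned audit record carries the three facts the audit log is described as holding: what was detected, what was done, and whether the content reached that destination.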