Bsides Exeter 2026

Being responsible for designing and implementing DLP policies in my organisation, I have seen first hand how companies suffer data loss without even realising it. The individuals exfiltrating the data are unaware what they are doing is even exfiltration of data through legitimate workflows.

Traditional Data Loss Prevention programs were built to monitor email gateways, USB devices, and cloud storage. But generative AI has introduced a new and largely unmonitored exfiltration channel.

In many organisations, AI adoption is outpacing governance. Employees restricted from using approved AI tools often turn to personal accounts or unsanctioned platforms pasting sensitive board packs, proprietary source code, and client data into public models in order to work more efficiently.

Existing DLP controls frequently fail to detect this behaviour because the activity appears legitimate and encrypted within normal web traffic.

In this talk, I explore:

How generative AI creates blind spots in traditional DLP architectures
Real-world scenarios where sensitive data leaves the organisation without triggering alerts
How red teams and malicious insiders can weaponize legitimate AI usage
Why most DLP programs measure activity instead of risk
Practical approaches to regaining visibility without shutting down innovation

This session bridges red, blue, and governance perspectives to challenge what data loss prevention really means.