AgentFence Feature

Data-Loss Prevention Built for AI

Traditional DLP watches email and file shares. AgentFence inspects the AI paths - prompts, tool-calls, and agent data flows - and gates sensitive data before it reaches a model or crosses a boundary.

Talk to usFree to start - no card required.
AgentFence · DLP Inspect
INSPECTED
12,940
prompts + calls
SENSITIVE HITS
318
classified
GATED
77
held or stepped up
Prompt with customer PIIgated
Tool-call exporting secretsblocked
Benign prompt, no sensitive dataallow
PHI across data boundarystep-up
POST /guardrails/inspectper-event

Illustrative product view

Why AI needs its own DLP

The riskiest data path in most companies is now a prompt box. Sensitive data flows into models and out through tool-calls in ways legacy DLP - tuned for email and file shares - never sees. AgentFence inspects the AI paths directly: POST /guardrails/inspect evaluates a prompt or tool-call, deterministic data classification identifies what is sensitive, and data-boundary policy decides whether it may proceed.

How AI DLP works

Inspect, classify, gate

  1. 1

    Inspect

    A prompt or tool-call is submitted to /guardrails/inspect for evaluation.

  2. 2

    Classify

    The deterministic data classification engine identifies sensitive data classes - PII, secrets, PHI.

  3. 3

    Apply boundary policy

    Data-boundary rules decide whether that data may cross to the model or target.

  4. 4

    Gate

    Sensitive flows are stepped up, held, or blocked rather than passed automatically.

  5. 5

    Record

    The decision and the data classes involved are recorded as evidence.

PathRiskControl
Prompt into a modelSensitive data leaving governanceClassify + gate
Tool-call moving dataExfiltration via a toolData-boundary policy
Agent-to-agent handoffCross-context leakageBoundary + memory limits
What AI DLP inspects

Deterministic classification

The classification behind AI DLP is deterministic (data_classification.py), not a probabilistic guess. The same content is always labeled the same way, so gating decisions are consistent and defensible. That determinism is what lets you set a policy once and trust it applies the same way every time.

How it connects

  • Shares the classification engine with data classification
  • Enforces the same data boundaries as the MCP gateway on tool-calls
  • Pairs with the prompt injection firewall on the inbound prompt path
  • Records gated events to the tamper-evident ledger as evidence

Frequently asked questions

What is DLP for AI?

DLP for AI is data-loss prevention focused on AI paths - prompts, tool-calls, and agent data flows - rather than email and file shares. AgentFence inspects those paths, classifies sensitive data deterministically, and applies data-boundary policy to gate sensitive data before it reaches a model or crosses a boundary.

How is AI DLP different from traditional DLP?

Traditional DLP is tuned for channels like email, endpoints, and file shares. AI DLP watches the channels AI actually uses - the prompt box and tool-calls - which legacy DLP typically does not inspect. The prompt box is a real data egress, and AI DLP treats it as one.

Does it block prompts with sensitive data?

It gates them according to policy: a prompt or tool-call carrying sensitive data can be stepped up, held for approval, or blocked based on data-boundary rules, rather than passed automatically. The response depends on the data class and the boundary being crossed.

How does it decide what is sensitive?

It uses a deterministic data classification engine, so the same content is always labeled the same way - PII, secrets, PHI, and so on. Because classification is deterministic rather than a probabilistic guess, the gating decisions are consistent and defensible in an audit.

Stay in the loop

One practical finance briefing a week - new guides, checklists, and benchmarks.

 

Stop sensitive data at the prompt

Inspect, classify, and gate data before it reaches a model or crosses a boundary.

Talk to us