
ChatGPT DLP: Detecting and Preventing Sensitive Data in Prompts


By Parminder Singh · Founder & CEO, DeepInspect Inc.

ChatGPT DLP is the practice of detecting and preventing sensitive data from entering ChatGPT prompts. The category emerged because traditional DLP operating at the email gateway, the storage layer, and the endpoint misses prompt-layer data movement. An employee who pastes a customer record into a chat window does not generate an outgoing email. The record does not leave a sanctioned file share. The endpoint DLP sees a copy-paste event without the destination context that would make it actionable.

The architectural fix moves DLP into the AI request path. Prompt-level classification recognizes sensitive data inside the prompt buffer. Identity-aware policy decides whether the prompt may proceed. The audit record captures the decision with detail sufficient for regulatory review.

I want to walk through where ChatGPT DLP needs to operate, what classifiers matter, and how it differs from network DLP that watches egress packets without prompt context.

Where ChatGPT DLP operates

ChatGPT DLP can operate at four points in the request path. Each point has different visibility and different enforcement capability.

The browser

Browser extensions intercept ChatGPT usage at the chat-interface layer. The extension reads the typed prompt before it leaves the browser, applies classifiers, and can warn the user, redact content, or block submission. The browser layer sees the human-typed prompt directly.

Strengths: real-time user feedback, granular control over the chat interface. Limitations: requires per-browser deployment, only covers the browser path, misses application-initiated AI calls and personal-device usage.

The endpoint

Endpoint DLP captures keyboard events, clipboard activity, and process-level network calls. The endpoint sees copy-paste events and the destination process. The classification runs on the clipboard content.

Strengths: covers any browser or application. Limitations: heavy on the endpoint, blind spots on managed-but-unprotected devices and BYOD.

The network egress

Egress DLP inspects outbound HTTPS traffic. With TLS interception, the egress layer can read the prompt before it leaves the network and apply classifiers. Without TLS interception, the layer sees only the destination and request metadata.

Strengths: covers all browser and application paths from corporate networks. Limitations: requires TLS interception infrastructure, misses off-network usage.

The HTTP enforcement proxy

An AI gateway sits in the HTTP path between the application or browser and the ChatGPT API. The proxy reads the prompt content, applies classifiers, evaluates policy with identity context, and writes a per-decision audit record. The proxy is the specific enforcement point that satisfies regulatory audit requirements.

Strengths: identity-aware, audit-record producing, applies the same policy across every AI endpoint. Limitations: requires applications to route through the proxy or the proxy to sit in the egress path.

What classifiers matter

The classifiers that catch sensitive data in ChatGPT prompts cover several categories.

PII detectors

Names, addresses, phone numbers, email addresses, government IDs (SSN, NIN, passport numbers), and other personally identifiable information. The classifier coverage varies by jurisdiction (US vs EU vs UK formats).

PHI detectors

Patient names combined with diagnosis codes, MRN patterns, date-of-birth with medical context, prescription drug names with patient identifiers. The PHI classification often overlaps with PII but adds the medical-context recognition.

Payment card data

PAN patterns, CVV adjacency, magnetic-stripe-format data, BIN patterns. PCI DSS does not allow PAN data to enter a system that is not in the PCI scope. ChatGPT is not in scope for any merchant or service provider.

Source code and secrets

API keys, private keys, OAuth tokens, password patterns, and source code with embedded credentials. Source code in prompts is common for engineering use cases and rarely problematic, but secrets embedded in source code are.
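A sketch of the payment-card and secrets classifiers described above, added here as an example and not DeepInspect's code. The regex rule set, the function names and the sample prompt are assumptions; the Luhn check is what keeps a 16-digit order number from being flagged as a PAN.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Illustrative secret patterns (assumed rule set): PEM private-key header
# and the AWS access key ID format.
SECRET_RES = {
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])AKIA[A-Z0-9]{16}(?![A-Z0-9])"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and IDs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_prompt(prompt: str) -> list[dict]:
    """Return findings as {'type', 'span'}, ordered by position in the prompt."""
    findings = []
    for m in PAN_RE.finditer(prompt):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append({"type": "pan", "span": m.span()})
    for name, rx in SECRET_RES.items():
        findings.extend({"type": name, "span": m.span()} for m in rx.finditer(prompt))
    return sorted(findings, key=lambda f: f["span"])


def redact(prompt: str, findings: list[dict]) -> str:
    """Replace each finding with a typed placeholder, working right to left."""
    for f in sorted(findings, key=lambda f: f["span"], reverse=True):
        start, end = f["span"]
        prompt = prompt[:start] + f"[REDACTED:{f['type']}]" + prompt[end:]
    return prompt


# Constructed sample prompt: a well-known test card number, a 16-digit order
# number that fails Luhn, and the example key ID from AWS documentation.
SAMPLE = ("Refund card 4111 1111 1111 1111 for order 1234567890123456, "
          "deploy with AKIAIOSFODNN7EXAMPLE")

if __name__ == "__main__":
    print(redact(SAMPLE, classify_prompt(SAMPLE)))
```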

Industry-specific data

Defense contractors detect CUI markers and DoD program codes. Financial services detect MNPI markers and information barrier identifiers. Legal teams detect matter codes and client confidentiality markers.

Prompt injection signatures

Prompt injection attempts that try to override the system prompt or extract instructions. The OWASP LLM01 category covers this.

How prompt-layer DLP differs from network DLP

Network DLP and prompt-layer DLP look similar at first. Both inspect egress traffic. Both apply classifiers. The differences matter for production deployment.

Visibility into prompt content

Network DLP with TLS interception sees the prompt content inside the HTTPS payload. Without interception, the layer sees only metadata. Prompt-layer DLP at the application or proxy layer sees the prompt content natively without depending on TLS interception infrastructure.

Identity context

Network DLP correlates the egress packet to a source IP. The source IP rarely maps cleanly to a natural person in a multi-user network environment. Prompt-layer DLP at the proxy layer reads identity from the request header, which carries the user identity the application authenticated.

Policy expressiveness

Network DLP policies are usually expressed as "block egress matching this signature." Prompt-layer DLP at the proxy can express "permit, redact, or escalate based on user role, data classification, prompt route, and policy version." The richer policy expression matches the operational reality of mixed AI usage.

Audit record structure

Network DLP logs capture packet-level events. Prompt-layer DLP logs capture per-decision records with the prompt content, classification result, policy decision, and identity context. The richer record satisfies EU AI Act Article 12 and similar regulatory expectations.
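The policy decision and per-decision audit record from the two sections above, as an added example rather than DeepInspect's implementation. The rule table, field names and routes are assumptions, the record stores a SHA-256 digest of the prompt instead of its text, and hash chaining is one assumed way to make the log tamper-evident.

```python
import hashlib
import json

POLICY_VERSION = "example-v1"  # constructed
# (route, role, data class) -> action. Routes, roles and classes are assumed.
RULES = {
    ("/v1/chat", "support", "pii"): "redact",
    ("/v1/chat", "engineer", "secret"): "redact",
    ("/v1/chat", "clinician", "phi"): "permit",
}
SEVERITY = {"permit": 0, "redact": 1, "escalate": 2}
GENESIS = "0" * 64


def decide(route, role, classes):
    """Strictest action over all detected classes; unlisted combinations escalate."""
    actions = [RULES.get((route, role, c), "escalate") for c in classes]
    return max(actions, key=SEVERITY.__getitem__, default="permit")


def record_digest(record):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_record(log, ts, user, role, route, prompt, classes):
    """Append one per-decision record chained to the previous record's hash."""
    record = {
        "seq": len(log), "ts": ts, "user": user, "role": role, "route": route,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "classes": sorted(classes),
        "decision": decide(route, role, classes),
        "policy_version": POLICY_VERSION,
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    record["record_hash"] = record_digest(record)
    log.append(record)
    return record


def verify_chain(log):
    """True only if every record is unmodified and links to its predecessor."""
    prev = GENESIS
    for record in log:
        if record["prev_hash"] != prev or record["record_hash"] != record_digest(record):
            return False
        prev = record["record_hash"]
    return True
```

Chain verification detects edits to stored records; anchoring the latest `record_hash` outside the log store is what prevents someone with write access from recomputing the whole chain.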

DeepInspect

DeepInspect operates as the prompt-layer DLP point. The HTTP proxy sits inline between applications and ChatGPT (and any other LLM provider). For every request, the proxy reads identity from the application's header, classifies the prompt content for PII, PHI, payment data, source-code secrets, and policy-defined data classes, evaluates per-route and per-role policy, and writes a tamper-evident audit record before the prompt reaches ChatGPT.

The DLP fit is structural. The classification runs at the prompt layer rather than the document or packet layer. The identity context comes from the application's authentication. The audit record is independent of the application and survives regulatory review.

If you are running ChatGPT in a regulated environment and your current DLP stack does not see prompt content, book a demo today.

Frequently asked questions

How does this work for ChatGPT consumer accounts on personal devices?

Personal devices using consumer ChatGPT accounts sit outside the corporate enforcement perimeter. The architectural fix is to block consumer ChatGPT at the corporate egress layer (network DLP, CASB, or HTTP enforcement proxy in the egress path) and route sanctioned usage through ChatGPT Enterprise or another corporate-licensed tier with the DLP proxy in the application path.

What about ChatGPT Enterprise's built-in DLP?

ChatGPT Enterprise offers some data-handling commitments: no training on customer data, encryption, retention controls. The platform does not include prompt-level DLP that satisfies regulatory audit requirements. The architectural fix layers an external prompt-layer DLP on top of the ChatGPT Enterprise deployment.

Does this apply to Microsoft Copilot?

Yes. Copilot operates on the same HTTP path between client and model API. The same prompt-layer classification and identity-aware policy applies. The audit record captures Copilot prompts alongside ChatGPT prompts under a single enforcement layer.

How does prompt-layer DLP fit alongside traditional DLP?

The two layers cover different surfaces. Traditional DLP handles email, storage, and endpoint surfaces. Prompt-layer DLP handles the AI request layer. Most enterprises run both, with the prompt-layer DLP focused on AI traffic and the traditional DLP focused on its historical surfaces.

What about agentic AI workflows that chain multiple prompts?

Agentic workflows issue chains of prompts on behalf of a user. The prompt-layer DLP must classify each prompt in the chain and trace the chain back to the originating user identity. The HTTP enforcement proxy that sees every call in the chain produces the connected audit record that NIST Pillar 3 action lineage requires.