Enterprise AI Data Uploads Nearly Doubled in 2026: Reading the Zscaler ThreatLabz Numbers as an Inline-Enforcement Problem

On June 17, 2026, Zscaler ThreatLabz published the 2026 AI Threat Report. Across the customer base they instrument, employees moved 18,033 terabytes of enterprise data into AI tools over the measurement window, a 93% jump year over year. ChatGPT alone produced 410 million DLP policy violations, up 99%. The Codium coding assistant added 242 million more. Inside the same report, ThreatLabz recommends "applying zero trust to all model interactions" and "enforcing AI guardrails with inline inspection across all AI/ML traffic." Those two recommendations describe a gateway, not a feature toggle on the SaaS tool.

I want to read the numbers as a control-architecture problem, walk through why app-blocking and one-off DLP rules collapse at this volume, and show what identity-aware inline policy at the gateway actually changes.

The 2026 numbers in one place

The headline figures from the ThreatLabz report frame the rest of the analysis.

• 18,033 TB of enterprise data uploaded to AI tools, a 93% year-over-year increase.
• 410,000,000 ChatGPT DLP policy violations, a 99% year-over-year increase.
• 242,000,000 additional violations driven by the Codium coding assistant alone.
• ThreatLabz's own architectural recommendation: zero trust on every model interaction, inline guardrail inspection on all AI/ML traffic.

The volume is the part that matters for control design. A control that depends on per-incident review, manual classification, or app-by-app exception lists cannot survive ten million violations per business day. Whatever runs in front of the model has to be deterministic, machine-fast, and identity-aware by default.

Why the volume breaks app blocking

Most enterprises started their AI control story by blocking the consumer ChatGPT URL at the proxy and writing a separate exception for the sanctioned Copilot tenant. That approach worked for the first six months of 2024. It fails on the 2026 numbers for three structural reasons.

First, the list of domains hosting model traffic grew past what URL filtering can keep current. New models surface on new domains every month, and a sanctioned IDE plugin like Codium pushes 242 million events through the same egress paths a security team already approved. Second, employees move to the unblocked tool when their first choice is blocked. The Cloud Radix surveys cited in our shadow AI work put that substitution behavior at 78% of employees using unauthorized AI tools at work and 77% admitting to pasting sensitive business data into the unsanctioned tool. Third, app blocking has no view into the request body. The proxy sees only that a TLS connection went to a hostname; it cannot tell whether the payload was a chat about a weekend trip or a paste of 14,000 customer records.

Why one-off DLP rules collapse at 410 million events

DLP teams responded to the 2024 wave by writing classification rules per tool. The 2026 numbers show that approach saturating. 410 million ChatGPT violations alone is roughly 1.1 million events per day, every day, before counting Codium, Copilot, Gemini, or Claude. The headcount needed to triage those events at the per-incident level does not exist inside an enterprise security team.

The deeper failure is that classical DLP runs at the network layer and inside SaaS API hooks. Neither layer carries the prompt content with the identity of the human or agent that submitted it, and neither layer carries the policy version that was in force at the moment of the request. When an auditor asks who pasted the customer list into the AI tool last Tuesday at 14:32, an event count from the DLP console rarely produces the natural-person identity required by Article 19 of the EU AI Act or by Fannie Mae Lender Letter LL-2026-04.

What inline enforcement actually is

Inline enforcement is a stateless policy proxy that sits between authenticated callers and any LLM endpoint. Every request passes through. The proxy resolves the caller's identity from the token, classifies the prompt content against the policy in force, makes a policy decision, attaches the decision to a signed audit record, and either forwards the request to the model or returns a deterministic refusal. The same proxy treats the OpenAI API, the Anthropic API, the Bedrock endpoint, and an internal Codium proxy as four routes under one policy plane.

Three properties matter at the volume the ThreatLabz numbers describe. The decisions are deterministic, which is what allows the same policy to apply to 1.1 million ChatGPT requests and 660,000 Codium requests on the same day without per-event review. The decisions are identity-bound, which is what produces the natural-person record an auditor will ask for. The decisions are independent of the model and of the SaaS tool, which is what keeps the policy stable as the list of allowed and disallowed AI tools changes month over month.

Regulations

The control architecture the ThreatLabz report recommends matches what existing regulation already requires of high-risk AI deployments.

EU AI Act Article 12 requires automatic recording of events across the lifetime of a high-risk system. Article 19 requires retention for at least six months and identification of the natural persons involved. Article 99 sets the penalty tier at 15 million euros or 3% of global annual turnover. The August 2, 2026 deadline lands six weeks after the ThreatLabz report.

Fannie Mae LL-2026-04, effective August 8, 2026, extends comparable governance requirements to AI and ML used in mortgage origination and servicing. The Colorado AI Act revision signed on May 14, 2026 (Ropes & Gray analysis) closed the HIPAA covered-entity exemption for consequential decisions and takes effect January 1, 2027.

The shared requirement across all three is a per-decision record with identity context. The volume the ThreatLabz report captures shows that the record has to be machine-produced at the gateway layer to exist at all.

DeepInspect

This is the problem DeepInspect was built to solve. DeepInspect is a stateless policy gateway between authenticated users or agents and any LLM. It runs the policy decision inline on each request, attaches the caller's identity from the verified token, classifies the prompt against the data policy in force, and writes a signed audit record that survives application-layer tampering.

The same policy plane covers the consumer ChatGPT route, the sanctioned Copilot tenant, the Bedrock and Anthropic endpoints, and the IDE-resident Codium plugin. A new AI tool joins the policy plane by being routed through the gateway, not by adding a new DLP rule in a new console. The audit record carries the natural-person identity required by EU AI Act Article 19 and the policy version required by Fannie Mae LL-2026-04. The 410 million event volume the ThreatLabz report describes becomes 410 million signed audit records, each with the identity, the classification, the policy state, and the model decision, instead of 410 million console alerts.

If you are reading the 2026 numbers and asking what changes at the control layer, the answer is that the control moves from the SaaS console to the request layer in front of the model. Take the AI readiness self-assessment to see where your current architecture sits against the gateway requirement.