Prevent Data Leaks to ChatGPT: The Inspection Point Your Endpoint Stack Lacks
Cloud Radix found 77% of employees using unauthorized AI tools paste sensitive business data into ChatGPT and similar models. The endpoint, network, and email stacks most enterprises run today were tuned for files and email and miss the JSON request body where the prompt actually lives. I walk through the inspection point that closes the gap, the four operations it performs on every prompt, and the audit record it produces for the compliance regimes the deployment is operating under in 2026.
Cloud Radix found that 77% of employees using unauthorized AI tools paste sensitive business data into unsanctioned models, including ChatGPT, Claude, and Gemini. The same study found that 86% of IT leaders are completely blind to those interactions. The IBM Cost of Data Breach Report 2026 reported that shadow AI breaches cost $670,000 more on average than standard breaches and take 247 days to detect. The gap is not awareness. The gap is the inspection point the endpoint, network, and email stacks were built around, which sees files and email but not the prompt content inside a JSON POST to api.openai.com.
I want to walk through how the prompt actually leaves the boundary, where the existing controls go blind, and what the inspection point that closes the gap looks like on the wire.
How the data actually leaves
When an employee opens chat.openai.com, the browser establishes an HTTPS session to the front end. The chat input the employee types is sent as a JSON POST to the backend API. The prompt content travels inside the messages array of that JSON body, encrypted by TLS, addressed to api.openai.com or chatgpt.com depending on the surface.
When the same employee uses Microsoft Copilot inside Word, the editor calls the Microsoft Graph and Microsoft 365 Copilot endpoints. The document content sent into the model travels as structured request bodies the application composes on the user's behalf. When the employee uses Claude via the desktop client, the request goes to api.anthropic.com. The shape of the request body differs by provider, but the architectural property is consistent: the prompt content is a JSON field inside an HTTPS POST.
That shape is not what endpoint DLP, network DLP, or email DLP were tuned for. The endpoint sees a clipboard paste into a browser tab. The network sees an encrypted HTTPS body addressed to a known SaaS endpoint. The email gateway is not in the path. The prompt content is invisible at every layer of the existing stack.
Where the existing controls go blind
The endpoint agent watches file system events, USB writes, clipboard copies into authorized destinations. A copy of 800 lines of source code into a browser tab logs as a clipboard event without context, and the policy decision the endpoint can make at that point is coarse: block clipboard paste to all browser tabs, or allow.
The network appliance inspects HTTPS bodies through TLS interception. The prompt content sits inside a JSON messages array at a depth the appliance's rule engine reads imperfectly. Pattern rules that find an SSN inside a PDF do not generalize to the long context windows AI models accept. False negatives are routine, and the rule maintenance cost to keep up with each new model API shape grows quadratically.
The email gateway scans outbound message bodies and attachments. The AI traffic does not go through email. The gateway is not in the path.
The CASB sees the SaaS application category. It sees that the user accessed chat.openai.com. It cannot read the prompt content because the CASB operates at the application-traffic catalog layer, not at the request body layer.
The result is the 86% blindness figure. The interaction happens. The data leaves. The control stack does not see it.
The inspection point that closes the gap
The inspection point that sees the prompt content is the AI request boundary: the layer where the HTTPS session to the LLM provider terminates, the JSON request body decrypts, and the prompt becomes a first-class field. An identity-aware proxy at that layer reads the prompt, runs classifiers that label segments by data classification (PHI, PII, source code, MNPI, PCI, organization-defined classes), evaluates the classification against the identity of the caller and the policy in effect, and decides pass, redact, or deny.
The four operations the proxy performs are identity verification, classification, policy decision, and audit. Each is deterministic. The same prompt under the same policy under the same identity returns the same outcome on every replay.
The proxy operates above the TLS terminator, which means the JSON body is plaintext by the time the classification runs. It also operates above the application, which means the audit record is independent of the application that made the call.
Identity binding at the request layer
The proxy reads identity context from a token the caller supplies. Inside the corporate browser, that token is the SSO assertion from the corporate IdP. Outside the corporate network, the token is the OIDC bearer the corporate identity provider issued to the user's session. For service workflows, the token is a workload identity certificate. For autonomous agents, the token is the agent identity claim NIST Pillar 1 describes.
The verified identity attaches to the decision and the audit record. A support-tier-1 caller and a medical-records auditor see different outcomes for the same prompt against the same model, because their roles authorize different data classifications.
This is the architectural property that traditional DLP was not designed for. The corporate identity provider has the role mapping. The AI request boundary is where the role meets the prompt. The proxy is the only point where the two meet at the moment of the request.
The classification step
The classifier reads the prompt and labels segments. The pipeline combines pattern matching (SSN, NPI, MRN, account number formats), named-entity recognition (person names, addresses), domain-specific classifiers (medical codes, financial instruments, ticker symbols, legal case citations), and policy-defined regular expressions for organization-specific classes.
The output is a labeled segmentation of the prompt: each span carries one or more data classifications and a confidence score. The decision uses the labels and the identity context to decide. A PHI segment in a prompt from a caller without PHI authorization is redacted or blocked. A source code block from a caller in a role that allows code review traffic to the model is permitted.
The classification step is deterministic given the same input, the same classifier version, and the same policy. The 247-day detection window IBM reported reflects the alternative: a deployment with no inspection point and no per-prompt decision sees the breach only when the data shows up outside the boundary, months later.
The audit record the inspection point produces
Every decision produces a per-decision audit record. The record contains the verified identity, the role and authorization context, the data classifications detected, the policy version in effect, the decision outcome (permit, redact, deny), the timestamp with sufficient precision for cross-system correlation, and a tamper-evident signature.
The record commits to a write path the application has no access to. The application that made the call cannot suppress the record by crashing after the model response. The application cannot rewrite the record because it has no write access. The application cannot selectively log because the proxy logs every decision regardless of the application's behavior.
That property satisfies the EU AI Act Article 12 obligation for automatic logging over the system lifetime. Article 19 specifies the content (timestamps, input data, identity of natural persons) and the retention floor (six months). The audit record the proxy produces meets the content requirement structurally.
Coverage on and off the corporate network
The deployment pattern routes AI traffic through the proxy on and off the corporate network. On-network, the egress policy directs traffic to known LLM endpoints through the proxy. Off-network, the corporate identity provider issues credentials that route through the proxy by configuration. Endpoints that bypass the corporate IdP and use a personal credential against a personal device fall under the shadow AI discovery layer, which the proxy detects through browser extension, CASB integration, and network telemetry on AI endpoints.
The result is coverage on the channels the enterprise can route and a discovery signal on the channels it cannot. The 86% blindness drops to a measurable percentage that the enterprise can address through policy iteration and education.
DeepInspect
This is exactly what DeepInspect does. DeepInspect is an identity-aware proxy at the AI request boundary that inspects the prompt body on the request path and the model response body on the return path. The proxy reads the JSON request, classifies the prompt content against PHI, PII, source code, MNPI, PCI, and organization-defined classifications, applies identity-aware policy at the request layer, and writes a per-decision audit record the application has no write path to.
Enforcement overhead runs under 50 milliseconds in internal DeepInspect testing. The model inference latency runs 500 milliseconds to 5 seconds. The user-perceived latency cost of the inspection point is invisible relative to the model.
The proxy covers ChatGPT, Claude, Gemini, Bedrock, Azure OpenAI, Vertex, and any HTTP-accessible LLM endpoint the enterprise routes through it. The same audit record format applies to every endpoint, which means the enterprise risk register sees the AI activity as a unified evidence stream regardless of which provider the user picked.
If you have endpoint DLP and network DLP in place and no inspection point at the AI request boundary, book a technical deep dive at deepinspect.ai.
Frequently asked questions
- Does the proxy block all use of ChatGPT?
The proxy enforces the policy the enterprise defines. A policy that bans all use of ChatGPT blocks every call. A policy that allows ChatGPT use for specific roles against specific data classifications permits the calls that match the policy and blocks the ones that do not. The architectural property the proxy provides is the per-prompt decision point. The policy decides what the outcome looks like. Most enterprise deployments allow ChatGPT for general-purpose use and block prompts that contain customer PII, PHI, source code from production repositories, or pre-announcement financial information.
- How does the proxy handle the file upload feature in ChatGPT?
When a user uploads a file to ChatGPT, the file content travels inside the API request as a separate field. The proxy reads the file content, applies the same classifiers it applies to the text prompt, and decides pass, redact, or deny against the file content. The decision uses the same identity context and the same policy version. The audit record covers the file content alongside the text prompt.
- What about employees using personal ChatGPT accounts on personal devices?
The proxy covers traffic the enterprise can route. A personal device on a personal network using a personal account does not route through the corporate proxy. That traffic falls under shadow AI discovery: the browser extension, the CASB integration, and the network telemetry that surface AI endpoints feed a discovery signal the enterprise acts on through policy, training, and access control changes. The combination of an inspection point on the corporate channels and a discovery signal on the uncovered channels reduces the 86% blindness to a measurable and actionable number.
- How does the proxy interact with our existing endpoint DLP?
The proxy and the endpoint DLP coexist. The endpoint DLP continues to watch file system, USB, and clipboard events at the laptop layer. The proxy inspects the prompt content at the AI request boundary. The two controls share the same identity directory, the same data classification taxonomy, and the same audit store. The endpoint catches the user who downloads a sensitive document and tries to copy it out through a file or USB path. The proxy catches the same user who pastes the contents of that document into ChatGPT. The exfiltration channel differs. The control that sees each channel differs.
- Does the proxy produce evidence we can show to a regulator?
Every decision produces a per-decision audit record with identity, role, classification, policy version, outcome, timestamp, and a tamper-evident signature. The record commits before the model response returns to the application, which means the record exists for every interaction regardless of what the application does afterward. The record satisfies the EU AI Act Article 12 automatic logging obligation, the Article 19 content and retention requirements, and the disclosure-on-demand obligations Fannie Mae LL-2026-04 and the US state laws (Texas TRAIGA, California AI Transparency Act, Colorado AI Act) carry.