Blog

Data Loss Prevention (DLP) based on policies was built for a world that no longer exists.

For decades, security teams have relied on policies that looked sound on paper. In practice, translating them into DLP rule sets has meant a constant struggle between false positives that disrupt business and missed incidents that expose sensitive data.

As the use of generative AI tools rapidly increases, so does the threat of data loss. Employees paste proprietary code into chatbots, upload customer data into AI-powered marketing tools, and rely on copilots embedded into everyday SaaS platforms – often without security review.

This new reality, often called Shadow AI, refers to the unsanctioned or unmanaged use of AI tools by employees – without formal security review, governance, or contractual safeguards. It is not necessarily malicious – in fact, it is often driven by productivity. But when sensitive enterprise data is introduced into AI systems that the organization does not control, visibility is lost, and traditional DLP controls become ineffective.

Shadow AI exposes a critical weakness: policy-reliant DLP cannot keep pace with AI-driven workflows.

This article is a shortened version based on a white paper we recently published in collaboration with CISO Tradecraft. The full version is available here.

Past: How We Got Here

Traditional DLP began with simple keyword filtering – static “dirty word lists” designed to catch sensitive terms moving across network chokepoints. In an era of mostly unencrypted traffic and predictable data flows, basic string matching and file hashes were often enough.

As regulatory pressure increased in the early 2000s, DLP evolved into content-aware inspection. Regex-based detection enabled teams to identify structured data such as credit card and Social Security numbers. While more sophisticated, these systems still relied on predefined patterns – generating high false positives and struggling with context.

Then came widespread encryption after the Snowden disclosures. HTTPS became the norm, forcing organizations to deploy proxy-based inspection tools just to regain visibility. Meanwhile, insider risks and endpoint data movement remained largely unaddressed.

With the migration to the cloud, CASB solutions emerged to enforce policy across SaaS platforms. But agent gaps, BYOD environments, and expanding cloud ecosystems made enforcement inconsistent and incomplete.

At every stage, DLP adapted incrementally, but always remained policy-driven, perimeter-focused, and dependent on predicting how data might leave the organization.

That model was already strained, and then AI arrived.

Present: The State of DLP, and the Age of AI

Traditional DLP was already showing cracks before AI came into the picture. Modern enterprises generate vast amounts of structured and unstructured data across endpoints, SaaS platforms, cloud storage, and collaboration tools. Manually translating all possible data flows, users, and destinations into static policies is no longer scalable. The result is familiar to every security team: overwhelming false positives, missed incidents, and rising operational costs.

AI made the problem ever more complex.

Tools like Microsoft Copilot, ChatGPT, Claude, and Gemini are being embedded into everyday workflows – sometimes enabled by default. These systems don’t just move data; they interpret, synthesize, and recombine it. They operate through dynamic prompts, contextual conversations, and encrypted channels that bypass traditional inspection methods.

Sensitive data is no longer exfiltrated only through file attachments or obvious pattern matches. It is pasted into conversational prompts, indexed by AI copilots, and transmitted to systems outside the enterprise boundary. Once submitted to an external AI platform, often without contractual safeguards, organizations lose visibility and control over how that data is retained, processed, or reused.

Blocking AI outright is rarely effective. Employees find workarounds, productivity suffers, and security teams lose what little visibility they had. Yet allowing unrestricted use exposes organizations to regulatory violations, intellectual property loss, and reputational damage. Compliance frameworks do not distinguish between malicious exfiltration and accidental disclosure.

Monitoring traffic alone is no longer enough. By the time a violation is detected, the data may already be gone.

This is the core problem: policy-based DLP was designed to match patterns and enforce rules. AI-driven workflows require understanding context, intent, and behavior – in real time.

Future: Using AI to Contain AI

AI-driven workflows are here to stay, and our security models must evolve accordingly.

The answer is not more policies (no matter how polished or automated), but rather a shift from static enforcement to context-aware protection. Modern approaches leverage AI to understand data flows across endpoints, SaaS platforms, email, storage, and web interactions – automatically classifying both structured and unstructured data by sensitivity, not just format.

Instead of trying to predict every possible exfiltration scenario in advance, these systems learn what normal business behavior looks like. They evaluate who is sharing data, what is being shared, where it’s going, and whether that action aligns with legitimate business intent – in real time.

This allows organizations to enable AI adoption safely rather than attempting to block it outright. The goal is not to slow innovation, but to ensure that sensitive data moves responsibly within AI-powered environments.

For leadership, the imperative is clear: legacy DLP and passive monitoring cannot protect a modern enterprise. Compliance requirements are tightening, financial penalties are rising, and AI usage is accelerating. The only sustainable path forward is to deploy intelligent, adaptive controls capable of operating at the speed and scale of AI.

Shadow AI is not a theoretical risk – it is already embedded in everyday business operations. The organizations that adapt their security models now will be the ones that innovate confidently, without sacrificing control.

The question is no longer whether AI will be used inside your organization, but whether your security architecture is prepared for it.

If you’re evaluating how to modernize DLP for the AI era, we encourage you to read the full white paper and explore what context-aware, AI-driven data protection looks like in practice.

Read the original post in Sentra’s blog

AI assistants, SaaS, and hybrid work have made data easier than ever to discover, share, and reuse. Tools like Gemini for Google Workspace and Microsoft 365 Copilot can search across drives, mailboxes, chats, and documents in seconds – surfacing information that used to be buried in obscure folders and old snapshots.

That’s great for productivity – but dangerous for data security.

Traditional, policy‑based DLP wasn’t designed to handle this level of complexity. At the same time, many organizations now use DSPM tools to understand where their sensitive data lives – but still lack real‑time control over how that data moves on endpoints, in browsers, and across SaaS.

Together, Sentra and ORION close this gap: Sentra brings next‑gen, context-driven DSPM; ORION brings next‑gen, behavior‑driven DLP. The result is end‑to‑end, AI‑ready data protection from data store to last‑mile usage, creating a learning, self‑improving posture rather than a static set of controls.

Why DSPM or DLP Alone Isn’t Enough

Modern data environments require two distinct capabilities: deep data intelligence and real-time enforcement based on contextual business context.

DSPM solutions provide a data-centric view of risk. They continuously discover and classify sensitive data across cloud, SaaS, and on-prem environments. They map exposure, detect shadow data, and surface over-permissioned access. This gives security teams a clear understanding of what sensitive data exists, where it resides, who can access it, and how exposed it is.

DLP solutions operate where data moves – on endpoints, in browsers, across SaaS, and in email. They enforce policies and prevent exfiltration as it happens. 

Without rich data context like accurate sensitivity classification, exposure mapping, and identity-to-data relationships, DLP solutions often rely on predefined rules or limited signals to decide what to block, allow, or escalate.

DLP can be enforced, but its precision depends on the quality of the data intelligence behind it.

In AI-enabled, multi-cloud environments, visibility without enforcement is insufficient – and enforcement without deep data understanding lacks precision. To protect sensitive data from discovery by AI assistants, misuse across SaaS, or exfiltration from endpoints, organizations need accurate, continuously updated data intelligence, real-time, context-aware enforcement, and feedback between the two layers. 

That is where Sentra and ORION complement each other.

Sentra: Data‑Centric Intelligence for AI and SaaS

Sentra provides the data foundation: a continuous, accurate understanding of what you’re protecting and how exposed it is.

Deep Discovery and Classification

Sentra continuously discovers and classifies sensitive data across cloud‑native platforms, SaaS, and on‑prem data stores, including Google Workspace, Microsoft 365, databases, and object storage. Under the hood, Sentra uses AI/ML, OCR, and transcription to analyze both structured and unstructured data, and leverages rich data class libraries to identify PII, PHI, PCI, IP, credentials, HR data, legal content, and more, with configurable sensitivity levels.

This creates a live, contextual map of sensitive data: what it is, where it resides, and how important it is.

Reducing Shadow Data and Exposure

Sentra helps teams clean up the environment before AI and users can misuse it. 

It uncovers shadow data and obsolete assets that still carry sensitive content, highlights redundant or orphaned data that increases exposure (without adding business value), and supports collaborative workflows for remediation for security, data, and app owners.

Access Governance and Labeling for AI and DLP

Sentra turns visibility into governance signals. It maps which identities have access to which sensitive data classes and data stores, exposing overpermissioning and risky external access, and driving least‑privilege by aligning access rights with sensitivity and business needs.

To achieve this, Sentra automatically applies and enforces:

Google Labels across Google Drive, powering Gemini controls and DLP for Drive, and Microsoft Purview Information Protection (MPIP) labels across Microsoft 365, powering Copilot and DLP policies.

These labels become the policy fabric downstream AI and DLP engines use to decide what can be searched, summarized, or shared.

ORION: Behavior‑Driven DLP That Thinks Beyond Policies

ORION replaces policy reliance with a set of intelligent, context-aware proprietary AI agents

AI Agents That Understand Context

ORION‘s agents collect rich context about data, identity, environment, and business relationships. 

This includes mapping data lineage and movement patterns from source to destination, a contextual understanding of identities (role, department, tenure, and more), environmental context (geography, network zone, working hours), external business relationships (vendor/customer status), Sentra’s data classification, and more. 

Based on this rich, business-aware context, ORION‘s agents detect indicators of data loss and stop potential exfiltrations before they become incidents. That means a full alignment between DLP and how your business actually operates, rather than how it was imagined in static policies.

Unified Coverage Where Data Moves

ORION is designed as a unified DLP solution, covering: 

• Endpoints
• SaaS applications
• Web and cloud
• Email
• On‑prem and storage, including channels like print

From initial deployment, ORION quickly provides meaningful detections grounded in real behavior, not just pattern hits. Security teams then get trusted, high‑quality alerts.

Better Together: End‑to‑End, AI‑Ready Protection

Individually, Sentra and ORION address critical yet distinct challenges. Together, they create a closed loop:

Sentra → ORION: Smarter Detections

Sentra gives ORION high‑quality context:

• Which assets are truly sensitive, and at what level.
• Where they live, how widely they’re exposed, and which identities can reach them.
• Which documents and stores carry labels or policies that demand stricter treatment.

ORION uses this information to prioritize and enrich detections, focusing on events involving genuinely high‑risk data. It can then adapt behavior models to each user and data class, improving precision over time.

ORION → Sentra: Real‑World Feedback

ORION‘s view into actual data movement feeds back into Sentra, exposing data stores that repeatedly appear in risky behaviors and serve as prime candidates for cleanup or stricter access governance. It also highlights identities whose actions don’t align with their expected access profile, feeding Sentra’s least‑privilege workflows. This turns data protection into a self‑improving system instead of a set of static controls.

What this means for Security and Risk Teams

With Sentra and ORION together, organizations can:

• Securely adopt AI assistants like Gemini and Copilot, with Sentra controlling what they can see and ORION controlling how data is actually used on endpoints and SaaS.
• Eliminate shadow data as an exfil path by first mapping and reducing it with Sentra, then guarding remaining high‑risk assets with ORION until they’re remediated.
• Make least‑privilege real, with Sentra defining who should have access to what and ORION enforcing that principle in everyday behavior.
• Provide auditors and boards with evidence that sensitive data is discovered, governed, and protected from exfiltration across both data platforms and endpoints.

Instead of choosing between “see everything but act slowly” (DSPM‑only) and “act without deep context” (DLP‑only), Sentra and ORION let you do both well – with one data‑centric brain and one behavior‑aware nervous system.

Ready to See Sentra + ORION in Action?

If you’re looking to secure AI adoption, reduce data loss risk, and retire legacy DLP noise, the combination of Sentra DSPM and ORION’s DLP offers a practical, modern path forward.

See how a unified, AI‑ready data protection architecture can look in your environment by mapping your most critical data and exposures with Sentra, and letting ORION protect that data as it moves across endpoints, SaaS, and web in real time.

Request a joint demo to explore how Sentra and ORION together can help you think beyond policies and build a data protection program designed for the AI era.

We are thrilled to announce that ORION has just closed $32 million in funding led by Norwest and joined by IBM and existing investors PICO Venture Partners, Lama Partners, Underscore VC, and others.

As demand for ORION’s AI-powered alternative to traditional DLP grows, this round comes less than a year after our seed funding, bringing total capital raised to $38 million.

Already protecting customers with tens of thousands of employees across finance, healthcare, and technology sectors, we are proud to be pioneering a new approach to data security that eliminates reliance on DLP policies and minimizes manual intervention.

The funding will enable us to accelerate development of our proprietary LLMs and specialized AI agents while expanding go-to-market operations to meet growing enterprise demand for our autonomous DLP.

“This funding is a powerful validation of what we’ve believed from day one: better policies are not the solution for DLP” said Nitay Milner, CEO and co-founder of ORION.

“Traditional DLP solutions often add more policies, invest hours in improving them, or perhaps refine them with AI, but data loss incidents are more widespread than ever. By moving beyond policy-based DLP and using AI to gain true contextual understanding, we’re giving enterprises a way to accurately distinguish between legitimate workflows and malicious activity”.

Thinking Beyond Policies: A New Path for Preventing Data Loss

For more than a decade, enterprises have relied on traditional, notoriously inefficient DLP tools. These tools, based on thousands of human-authored policies, require constant tuning, generate a constant stream of false positives, yet still fail to stop data exfiltration.

Built on the assumption that more policies equal stronger protection, these tools cannot keep pace with modern risks posed by AI-driven workflows, uncontrolled SaaS adoption, and distributed workforces.

Because policies only protect against known threats, legacy DLP leaves enterprises exposed to unpredictable, rapidly emerging patterns of data loss that are becoming increasingly common.

ORION replaces traditional policy-centric models with automated, context-driven detection based on data-loss indicator analysis.

Powered by specialized AI agents and ORION’s proprietary LLM, the platform continuously detects and analyzes data loss indicators in real time, capturing the full context behind every movement, including content sensitivity, data lineage, user identity, behavioral intent, and environmental purpose.

By enabling customers to understand why data is moving, ORION prevents exfiltration before it occurs, dramatically reducing false positives while capturing incidents that existing DLP tools routinely miss. This approach significantly reduces maintenance costs and empowers enterprises to protect sensitive information without the inefficiencies of legacy systems.

Organizations using ORION have reported a massive reduction in DLP maintenance and tuning, accurate prevention of data movement beyond anticipated scenarios, and a near-zero false-positive rate.

Policies still play a role in ORION, but only where they are most effective: deterministic, predictable scenarios. Everything else is handled autonomously by ORION’s analysis agent.

“ORION is rewriting the rules of data security, eliminating the rigid policy structures that have held DLP back for decades,” said Dave Zilberman, General Partner at Norwest. “With a fully autonomous, context-driven approach, ORION isn’t just building a better product; it’s redefining how enterprises safeguard their most critical asset: data.”

We’re Just Getting Started

This raise is an exciting milestone for us, but it’s only the beginning.

Data security is undergoing one of the fastest transformations in decades. Organizations are shifting to AI-driven workflows, distributed teams are the new standard, and sensitive information moves faster and through more systems than ever before. Traditional DLP wasn’t built for this reality.

Over the coming year, you’ll see ORION broaden coverage across even more environments, provide security teams with deeper insights into data movement, and unlock levels of accuracy and autonomy that weren’t possible until now.

Most importantly, we’re committed to giving every organization the ability to protect both humans and AI systems without slowing them down.

We want to extend our deepest thanks to our customers, investors, and partners who believe in our mission and push us to build better every day. Your trust, feedback, and collaboration have been instrumental in shaping ORION into what it is – and what it’s becoming.

To our team – none of this happens without your focus, hard work, creativity, and commitment. This would not be possible without you. We’re grateful for everything you’ve built and everything still ahead.

About Orion

ORION Security prevents data exfiltration by replacing policy-based enforcement with real-time contextual intelligence that leverages proprietary LLMs and specialized AI agents to autonomously detect and prevent data loss. Based in New York City, with offices in Tel Aviv, Israel, the company was founded in 2024 by CEO Nitay Milner, a former product leader at Cisco-acquired Epsagon, and CTO Jonathan Kreiner, a former application security leader at WalkMe. The company is backed by Norwest, PICO Venture Partners, Lama Partners, IBM, and others.

Deepfake remote workers from North Korea have been making cybersecurity headlines for a while now. Using fabricated identities, AI-generated résumés, and even deepfaked video calls, these malicious agents secure jobs at Western companies. Once inside, they operate like trusted employees while carrying out their true mission: stealing sensitive intellectual property and exfiltrating customer data.

What makes this new threat so dangerous is that it blurs the line between insider risk and external attack. On the surface, these individuals appear to be legitimate staff members with proper access, yet behind this facade are highly skilled agents with malicious intentions.

Preventing data exfiltration across these data loss venues is hard enough as it is, making the hybrid nature of this threat even harder to stop before the damage is done – especially with traditional security tools.

In this blog, we’ll explore the rise of this new threat, why it represents a unique challenge to security teams, and outline how context-aware Data Loss Prevention (DLP) tools can help you stay ahead of this threat.

The Rise of Deepfake Remote Workers

Over the past several years, U.S. and European authorities have issued repeated warnings about North Korean operatives posing as remote tech workers. Their goal is twofold: earn foreign currency for the regime despite sanctions, and gain access to sensitive corporate systems that can be exploited for espionage or sold on criminal markets.

The scale and impact of this threat are no longer theoretical. CrowdStrike found over 320 incidents in the past 12 months where North Korean operatives obtained remote jobs at Western companies using deceptive identities and AI tools. That’s a 220% increase from the previous year.

In May 2025, U.S. officials revealed that North Korean operatives had compromised dozens of Fortune 500 companies, using fraudulent remote hires to siphon sensitive corporate data and intellectual property back to Pyongyang. This was not a one-off tactic, but a systematic infiltration campaign targeting some of the world’s largest enterprises.

In one notable example, KnowBe4’s HR team hired a software engineer back in 2024 who turned out to be a North Korean fake IT worker who immediately manipulated session history files, transferred potentially harmful files, and executed unauthorized software as soon as he got his Mac workstation, but was caught before too much damage was done.

In another case from June 2025, a group posing as blockchain developers infiltrated a crypto platform (Favrr) through 31 fake identities, advanced identity deception techniques, and stealthy remote access tools, pulling off a $680K crypto heist.

It’s clear that North Korea is actively using remote employment as a vector for data exfiltration. Unlike conventional phishing or malware campaigns, this strategy weaponizes corporate trust, embedding adversaries directly into the workforce. For security teams, the challenge is no longer just about keeping attackers out of the perimeter; it’s about recognizing when the attacker is already “inside,” disguised as a colleague.

Why This Threat is Unique

In our previous article on the three data loss hazards, we described the classic categories security teams face: human error, insider risk, and external attackers. Deepfake remote workers are a unique case in this regard – they begin as external adversaries but, once hired, become indistinguishable from insiders.

This hybrid nature is precisely what makes the problem so difficult:

Unlike a careless employee or even a disgruntled insider, these operatives are mission-driven from day one – every credential, system, and dataset they obtain is used for exploitation.

Unlike smash-and-grab attackers, North Korean operatives are willing to play the long game -working quietly for months, building trust, and extracting value without tripping obvious alarms.

From the defender’s side, traditional tools are designed to detect either insiders or outsiders, not both at once. A fake employee who is actually a foreign adversary doesn’t fit neatly into existing categories, creating a blind spot that static rules, basic anomaly detection, and perimeter defenses cannot cover.

Let’s look into that a little deeper, specifically in the context of DLP tools –

The DLP Challenge

Data Loss Prevention (DLP) tools were never built for adversaries who look like employees. Most solutions are tuned for one of three scenarios: stopping accidental leaks from well-meaning staff, preventing data exfiltration by ‘amateur’ insiders (e.g., stealing leads before leaving the company), or blocking clear signs of an external exfiltration attack. Usually, most tools aren’t even equipped to handle these scenarios effectively, let alone this new threat.

Static DLP policies like “block uploads over 50MB” or “alert on large downloads” don’t help when the operative’s role legitimately involves handling large volumes of sensitive data. Similarly, keyword- or pattern-based detection fails because the data movement appears to be business-related. By the time a spike in activity is noticed, the data may already be gone.

Trying to prevent something like this from happening usually results in either a flood of false positives or missed detections. What’s missing, is a true understanding of context.

Automated, Contextual DLP

Traditional DLP relies on static rules and policies that treat all data movement the same. In reality, not every file transfer or database query carries the same risk. The difference between a legitimate business action and malicious exfiltration often lies in the why, not the what.

A different, more suitable approach to solving this issue is through automated, contextual DLP.

At ORION, we use a set of AI agents that learn the natural flow of data across your organization – which teams normally access which systems, how files are typically shared, and where data is expected to go. Understanding both the source of the data and the context of the action can make sense of behavior in ways that manually defining policies never could.

This allows us to detect when:

• A developer suddenly starts pulling data from repositories outside their usual scope.
• An employee transfers sensitive files to an unfamiliar domain or to themselves.
• A team member’s data usage sharply diverges from peers in the same role.
• A seemingly normal upload becomes suspicious when combined with time, location, or unusual access patterns.

These data loss indicators collected by ORION’s agents are context-based signals that suggest data may be leaving the organization inappropriately. By focusing on intent rather than policies and thresholds, ORION flags and prevents dangerous actions in real time, while minimizing false positives that frustrate employees and overload analysts.

This contextual, adaptive approach enables countermeasures against threats like deepfake remote workers. When the attacker is an employee, only tools that understand the bigger picture of behavior and intent can distinguish between normal business operations and malicious exfiltration.

Context Is the Core of Modern Data Defense

Deepfake remote workers are just one of an ever-growing list of new challenges facing security teams. They blur the line between insider risk and external attack, embedding adversaries directly into the workforce under the guise of legitimate employees. Traditional DLP tools designed for a simpler world of accidental leaks or ‘amateur’ insiders are not equipped to address this hybrid threat.

The only way forward is to embrace intent-aware, contextual defenses. By understanding how data normally flows through an organization and detecting the subtle deviations that signal something’s wrong, security teams can finally close the blind spot exploited by North Korea’s deepfake operatives and others like them.

This was exactly what led us to build ORION in a way that reduces noise, prevent real-time exfiltration, and gives security teams the advantage they need against attackers who now look just like employees.

The question you might want to ask yourself is this: If tomorrow a fake remote worker slipped through your hiring process, would I be able to spot them before sensitive data walked out the door?

Company data is scattered across countless databases, storage buckets, and applications, spanning multiple clouds and on-premises systems. That’s the reality of every modern organization, whether we like it or not.

In such a complex system, having visibility into where your data resides is more important than ever – but it’s just one part of the challenge. Once you have it mapped out, how do you actually protect it?

Today, we are thrilled to announce a new integration between ORION, a fully automated Data Loss Prevention (DLP) and data security platform, and Wiz, the DSPM market-leading giant.

While Wiz gives organizations deep visibility into where sensitive information resides in the cloud, identifying PII, PCI, and other regulated data at rest, ORION builds on that foundation by tracking and protecting that data in motion across the entire enterprise.

To put it simply, while Wiz can tell you, “Your sensitive data lives in this S3 bucket.” ORION can then tell you, “A developer just downloaded that data, encrypted it, and uploaded it to a personal Dropbox – and we blocked it.”

With this integration, you no longer just have visibility into where your data is, but also the ability to ensure it stays safe.

DSPM vs DLP

To understand why this integration matters, let’s break down the two sides of the equation:

DSPM (Data Security Posture Management) tools like Wiz focus on data at rest. They scan your cloud environments, map out every database, storage bucket, and service, giving you a static snapshot of your data landscape.

ORION focuses on data in motion. It monitors the movement of that data across your organization – whether in the cloud, on endpoints, via email, on a USB drive, in a SaaS app, or in a ChatGPT conversation. Then, after analyzing context via AI, when something looks risky, ORION can step in and stop it from happening.

Wiz shows you where your data is, ORION ensures it stays where it’s supposed to be. Together, these tools give you both the complete picture and the operational tools to act on it.

Why You Need Both

Full Data Lineage Across Your Enterprise

Wiz provides cloud data lineage, showing how your data flows between cloud services. ORION extends that visibility to the rest of your environment.

Now, you can see not just that an S3 bucket writes to another cloud database, but also that, from there, a developer pulled the data to their laptop, encrypted it, and tried to upload it to a personal Dropbox account. With this integration, the entire chain is visible and controllable.

From Visibility to Active Protection

While Wiz is the expert at mapping your sensitive data, ORION stops it from leaking out of the organization. Together, they close the gap between knowing and doing.

ORION prevents actions in real time – using Wiz’s classification as the trigger.

Flexible, AI-Powered Classification

Already using Wiz for classification? Perfect — ORION can work directly with Wiz’s findings.

If you don’t, you can choose to use our own AI-driven classification engine. What matters to us is that you have a way to protect your data exactly the way you want, whether you’re starting fresh with ORION or already invested in Wiz.

WIZ <> ORION: How It Works

Here’s the high-level flow of how these two platforms work together:

1. Wiz scans your cloud, discovers and classifies sensitive data at rest across your cloud environments, and maps out exactly where regulated information like PII or PCI is stored.
2. Wiz sends classification insights to ORION. We ingest this context from Wiz, instantly expanding our knowledge of what data needs the highest level of protection.
3. ORION monitors data in motion, from endpoints to SaaS tools, email to removable media, tracking every movement across the entire enterprise.
4. ORION enforces protection policies. If unusual or unsafe activity is detected, ORION automatically blocks the action and alerts security teams.
5. You see the full lineage, from discovery to movement to prevention, giving you a complete, end-to-end story of your data’s lifecycle, with both visibility and control in a single view.

Getting Started

Enabling the ORION–Wiz integration is a very straightforward process.

If you’re already a Wiz customer, simply connect your Wiz account to ORION using our built-in integration settings. ORION will immediately begin ingesting Wiz’s classification results, enabling you to detect indicators of data loss in real time for your most sensitive assets.

For new ORION customers, our team can walk you through setup in minutes – from connecting to your existing DSPM tools to deploying active data protection across your endpoints, SaaS apps, and cloud services.

With ORION and Wiz working together, you don’t have to choose between visibility and protection. You get both in one connected workflow.

See where your sensitive data lives. Track how it moves. And stop it from leaving your control.

Contact us to schedule a demo and see the ORION–Wiz integration in action.

Most DLP tools fail for a simple reason: they’re built to look at a single aspect of data loss. Sensitive data leaks out of organizations for three main reasons: human error, insider risk, and external attackers. Each behaves differently, requires a different approach to recognize and solve, and has a different frequency vs. impact curve.

A DLP policy tuned for accidental sharing might miss slow insider exfiltration, while a strict policy for handling external attackers might frustrate and limit employees. The only durable path is to detect intent – why the action is happening, then respond accordingly.

This article will break down the three hazards of data loss, map them on the frequency/impact axis, share real-world examples, and highlight the contextual intent signals (who’s acting, what’s the data, where it’s going, and how behavior deviates from normal) that separate harmless mistakes from real threats.

Human Error: Common but Manageable

Human error sits at the “frequent but lower impact” end of our frequency vs. impact curve.

It’s by far the most common cause of data loss – employees accidentally emailing the wrong file, sharing the wrong Google Drive folder with the wrong people, or consulting GPT about a sensitive matter. Most of these incidents can be detected quickly and cause less damage than insider abuse or targeted attacks.

That said, these incidents are extremely common, and the potential damage they cause can vary widely.

All it takes is a sales manager accidentally sharing a Google Drive folder with “Anyone with the link” instead of restricting it to the client team for sensitive pricing data to be exposed. This will rarely result in malicious exploitation, but when it does, the consequences can range from mild to disastrous.

In July 2025, TalentHook, a recruitment software firm, inadvertently left an Azure Blob storage container misconfigured, exposing nearly 26 million resumes. The breach revealed sensitive personal information, including names, email addresses, phone numbers, and educational and employment histories.

Traditional DLP policies are often meant to block or flag such mistakes, but they do so bluntly by either flooding security teams with false positives or interrupting legitimate workflows.

A modern approach should therefore infer user intent: analyze context (Was this file ever shared externally before? Does this domain look like a partner or not?) and nudge the user in real time, resulting in fewer breaches and fewer frustrated employees.

AI Agents are Changing the Picture

Another thing to consider here is AI agents – just like human employees (if not more so), they can make mistakes, but at a much larger speed and scale. An AI assistant given broad access to corporate systems might accidentally share the wrong files, misroute sensitive information, or expose data in the process of answering a seemingly benign request. What makes this especially dangerous is volume: where a human might misconfigure a single folder, an AI could replicate the same mistake across thousands of records in seconds.

Insider Risk: Less Frequent, More Damaging

Insider risk sits in the middle of the frequency vs. impact curve – less common than human error, but far more damaging when it happens. Unlike accidents, these incidents often involve intent: an employee misusing legitimate access to steal, leak, or sabotage sensitive data.

In late 2024, a new staffer at Toronto-Dominion Bank hired to detect money laundering used her access to leak sensitive customer data to criminals via Telegram. Prosecutors reported that her phone contained images of 255 customer checks and personal information for 70 additional clients, and what began as trusted data access inside a bank turned into a direct pipeline for fraud.

This case shows how difficult it is to contain insider risk. On the surface, the employee’s activity of accessing customer records was within her role. Traditional DLP rules like “large downloads = suspicious” or “sensitive files sent externally = block” wouldn’t have caught this, because the behavior didn’t break those patterns until it was too late.

A real solution to the problem can only be found by analyzing indicators of data loss and learning what “normal” looks like for each role and user. Context matters:

• Is this employee suddenly accessing 10× more customer data than usual?
• Is data being copied at odd hours or just before the employee leaves the company?
• Are peers in the same department performing the same operations?

Malicious Actors: Rare, Catastrophic

At the far end of the frequency vs. impact curve sit external attackers – the least common hazard, but by far the most destructive. These are the ransomware groups, cybercriminals, and state-sponsored attackers whose goal is to extract maximum value from your most sensitive data. Unlike human error or insider misuse, their tactics are deliberate, well-resourced, and often devastating.

One such case was the attack on Change Healthcare in January 2025, when ransomware operators disrupted services across U.S. hospitals for weeks, demanding a $22 million ransom. The breach not only exposed data but also crippled operations, disrupted patient care, and inflicted massive reputational damage.

Traditional DLP policies are rarely effective in these scenarios. Once attackers penetrate the perimeter, they often blend into legitimate traffic, moving data in ways that mimic normal business processes.

The only viable defense in these cases from a DLP standpoint is real-time, intent-aware detection: spotting unusual data flows, recognizing when files are headed to suspicious destinations, and correlating this with attacker-like behaviors (use of admin accounts at odd hours or from odd locations, mass compression of files, or lateral movement across systems). In other words, security teams need the same behavioral context used for insider risk – but tuned for external actors who adapt quickly.

What Can We Do? Unified and Intelligent DLP

The real problem with most DLP tools isn’t that they’re useless. It’s that they’re incomplete.

One solution is designed to prevent accidental sharing. Another tries to catch insider misuse. A third focuses on malware and exfiltration. Each may work in isolation, but together they leave significant blind spots behind. Attackers, as well as well-meaning employees, exploit those gaps every day.

The only durable way forward is a unified approach that understands intent. That means:

• Contextual intelligence that knows the difference between an employee sending a customer contract to the wrong inbox vs. an engineer siphoning code to a personal repo.
• Real-time prevention that can stop an exfiltration attempt in the moment, not weeks later in an audit log.
• Adaptive, AI-driven learning that continuously tunes itself to normal behavior, supporting employees instead of blocking them with rigid policies.

We must move from a one-dimensional filter to a living system that interprets why something is happening, not just what.

Ask yourself this: Does our current DLP strategy actually cover all three hazards: human error, insider risk, and malicious actors, or are we betting everything on just one?

An organization that answers this question honestly and builds for intent will be the one that prevents tomorrow’s data losses, not just react to them.