The security team watches the dashboards. Network traffic, endpoint alerts, mail gateway, firewall: all green. No suspicious outbound connections, no blocked attachments. On paper, nothing is leaking.
Two floors up, an employee pastes a client file into ChatGPT, in a browser tab, on a personal account. Encrypted traffic to an ordinary website. No alert. No log that matters. The data is out the door, and the dashboards stayed green.
That is not a fault in your security. It is a blind spot in where you are looking.
You're watching the wrong place
Almost all work now happens in the browser: AI tools, email, CRM, documents, forms, ticketing. That is where sensitive data leaves the organisation. Not through your network, not through your file server, but through a text field in a tab. And that is precisely where most security does not look. Network DLP and logs do not see a copy-paste in a browser, or only once the data is long gone. You do not get control by logging better. You get it by being present the moment someone pastes or types.
Why the classic approach fails here
Classic data loss prevention was built for a world that is disappearing: files on a drive, email through a gateway, traffic over a network you control. DLP, proxies and endpoint tools are strong there.
But a prompt is not an attachment. A paste into a SaaS app is not a file transfer. It is encrypted traffic to an ordinary website, often through an account the organisation does not manage. Research by LayerX found that 82% of the data employees paste into GenAI tools goes through unmanaged accounts. That puts it outside the view of the tools you probably already have.
And even what you do log, you log after the fact. A log is a record of what already happened. By the time the line appears, the data has left. You can reconstruct an incident with it, but you cannot prevent one.
What is actually happening
The numbers show how far the centre of gravity has moved.
Omdia's State of Workforce Security found that around 85% of the workday is spent in the browser, in SaaS and web apps. The browser is no longer a window onto work. It is the workplace.
And that is where it goes wrong. LayerX found that 77% of users paste data into GenAI tools, and that GenAI is now the single largest channel through which corporate data leaks from a work environment into a personal one. Copy-paste, the most ordinary action there is, has become the biggest blind spot. Not through a sophisticated attack, but through Ctrl+C and Ctrl+V in a tab.
This is the pattern we see across the series: the risk appears at the human, at the moment of action, in the browser. And it is exactly where most organisations have no visibility.
The objection, taken seriously
The fair objection: "We have DLP, a CASB and a proxy. We do see what happens."
For some of it, true. For managed flows, known apps and corporate accounts, those tools do good work, and they remain necessary. This is not an argument against your existing stack.
But the most dangerous behaviour falls outside that stack: a paste into a free AI tool, on a personal account, in a browser. No data processing agreement, often no corporate identity. Your CASB sees the approved app, not the shadow tab next to it. And what your proxy logs, it logs after the event. The question is not whether you have tools, but whether they look where the work, and the leak, actually happen today.
What to do instead
Four shifts that bring visibility back to where the work is.
- Put detection in the browser. Where typing and pasting happen, not in a network layer that only sees the traffic pass by encrypted.
- Signal before send. Help the employee at the moment of action, so the leak never forms, instead of finding it later in a log.
- Cover the whole browser, not one app. AI, email, SaaS and forms: the risk is anywhere a text field sends data out.
- Measure in aggregate. Which data types, which tools, and whether the line falls after you change something, without tracking individuals.
That last shift turns a blind spot into a measurable picture. This is what that looks like:
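The first, second and fourth shifts as a browser-side sketch, added here as an example and not taken from this article or from any product: it classifies pasted text, asks before the paste lands in the field, and counts only data type per destination host. The patterns, function names and the confirm() prompt are assumptions for illustration.

```javascript
// Added example. Patterns are illustrative assumptions, not a complete detector.
const PATTERNS = {
  email: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  iban: /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g,
  card: /\b(?:\d[ -]?){13,19}\b/g,
};

// Luhn checksum: cuts false positives on long digit runs such as order numbers.
function luhnOk(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Returns the sorted list of data types found in the text.
function classifyText(text) {
  const found = [];
  for (const [type, re] of Object.entries(PATTERNS)) {
    let hits = text.match(re) || [];
    if (type === 'card') hits = hits.filter((h) => luhnOk(h.replace(/\D/g, '')));
    if (hits.length > 0) found.push(type);
  }
  return found.sort();
}

// Aggregate only: no user id and no pasted content, just counts per type and host.
function recordEvent(stats, host, types) {
  for (const t of types) {
    const key = `${t}|${host}`;
    stats[key] = (stats[key] || 0) + 1;
  }
  return stats;
}

// Browser wiring (skipped outside a browser): signal at paste time, before send.
if (typeof document !== 'undefined') {
  const stats = {};
  document.addEventListener('paste', (e) => {
    const types = classifyText(e.clipboardData.getData('text/plain'));
    if (types.length === 0) return;
    recordEvent(stats, location.hostname, types);
    const msg = `This paste appears to contain: ${types.join(', ')}. Continue?`;
    if (!confirm(msg)) e.preventDefault(); // cancel the paste before it lands
  }, true);
}
```

Loaded on every page, for example as an extension content script (an assumption here), the same listener covers AI tools, webmail and SaaS forms alike.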
Outlook