Understanding the evolving landscape of DLP
As we’ve developed the Mimecast Incydr product strategy, we’ve seen the urgency of organizations’ need for data protection guidance in their questions about Data Loss Prevention (DLP). Inquiries on this subject remain consistently high, especially with the prevalence of GenAI tools and AI agents being adopted at a rapid pace. This reflects the significance of the data loss problem and underscores the volume of concerns surrounding data loss—despite investment.
The initial wave of DLP was primarily about defining parameters, setting up strict boundaries and monitoring transgressions. It was an era dominated by ‘allow and deny’ policies, heavy content inspection, and classification. It was also an era of complexity, endpoint performance issues, and false positives. But as workplaces grew more decentralized, cloud-based, and reliant on AI, the complexity of data protection increased.
Traditional, content-heavy, classification-based DLP solutions, while still prevalent, are not catering to the dynamic data security requirements of modern organizations to protect humans, data, and AI. So, with a persistent need for data protection that covers all risk surfaces including the endpoint, email, AI tools, and cloud, a wide array of options developed. Now, DLP isn’t just a standalone product. It’s a capability integrated into platforms from email security to agentic protection platforms. DLP also isn’t complete without an underlying understanding of risk regardless of where it happens.Â
In fact, according to the Gartner Marketing Guide for Data Loss Prevention, 2025, Gartner projects that by 2027, 70% of CISOs in larger enterprises will adopt a consolidated approach to address both insider risk and data exfiltration use cases. The need to consider employee behavior, AI tools and agents, and changing patterns of work will drive evolution in DLP. It’s not simply that files containing sensitive information live in one clear location or match certain patterns; the valuable data that drives businesses exists at the perimeter, and is more portable and being generated faster than ever.
Risk context is essential for effective operations around DLP. Human behavior can signal intent and risk, and is at the core of what Mimecast does. With the proliferation of AI tools and agents, if agentic risk is looked at without the human risk context, it creates noise and confusion for analysts. Modern DLP tools must understand and protect all of a company’s risk surfaces and all of its data, both structured and unstructured.
So, what’s next? To me, it sounds like DLP may well become an expected component of managing all data risk – whether done by humans or agents. But exactly how Data Loss Prevention tools address different risk surfaces and pull context together still differs among vendors.
Content inspection and classification: more harm than good?
Traditional DLP tools face several challenges. They rely heavily on content inspection, which can be resource-intensive and cause performance issues. They also generate false positives, leaving the data protection problem unresolved. Finding and classifying valuable, sensitive data is a major hurdle. It often limits a project’s success and consumes a lot of time. It’s like being trapped in quicksand—the harder you try to pinpoint each piece of critical data, the deeper you sink into operational challenges. This results in teams caught in an unenviable cycle: either invest excessive effort, often leading to diminishing returns, or acquiesce and accept the looming risk.
False positives are a glaring side effect: the oversensitive system might flag legitimate actions, causing business disruptions. More dangerously, unidentified assets—those slipping through classification cracks—are harder to measure. Data like pastes to unsanctioned GenAI tools or data generated from the same tools make the entire idea of content classification difficult to match the reality of today’s work.
These blind spots leave organizations exposed to unexpected data loss—the kind that makes headlines. According to IBM’s 2025 Cost of a Data Breach Report, shadow AI added an extra $670,000 to the global average breach cost. This category is also the fastest growing breach type. Data classification might evolve into a niche specialty, with third-party experts or tools easing the pressure on DLP systems’ built-in content inspections. Content inspection alone is not enough to accurately detect risk. It must be balanced with user and agent-centric risk monitoring to detect all malicious and accidental data loss.
Meeting evolving needs: robust risk detection and response without burdening teams
To meet the demands of the modern Data Loss Prevention market, we need more robust detection and prioritization methods. We also need a more effective way to control surfaced risks. Critically, this has to be done without overloading already resource-constrained security teams and without limitations on end user productivity. Mimecast takes a unique approach to this challenge. We define the known risks to monitor and also surface unknown risks from day one through an AI-driven prioritization model that requires no policy setup. No months-long deployment and fast time-to-value.
Instead of relying on heavy content inspection, Incydr uses context for enhanced data protection by understanding where files originated, whether the destinations to which they are moving are trusted, who’s moving them, and when. By incorporating human behavior and intent into risk context, it allows organizations to respond intelligently and automatically to data protection threats, whether it’s being done by the human or by an AI agent. A one-size-fits-all response to data threats doesn’t work. If we can correct 80% of the uncovered risks, and they aren’t malicious, they warrant a different response than malicious data theft.
Incydr supports effective prevention and remediation with a suite of adaptive controls that enable appropriate responses to both everyday mistakes and unacceptable activity. In addition to blocking, the product leverages in-the-moment education, controls to revoke cloud sharing, and automation that isolates endpoints, supports conditional access, stops local sync apps, disables USB ports, or locks a device. Incydr corrects user mistakes, blocks unacceptable activity, and investigates and contains active insider threats.
Data Loss Prevention tools evolve quickly. We’re staying a step ahead with risk detection that doesn’t require classification and has the benefit of context across all risk surfaces—whether it’s data movement by humans or AI agents. And we’re making solutions that actually reduce security burden with a spectrum of automated responses.Â
Close your DLP Gap in 30 Days
A 30-day Proof of Value scoped to 50-100 users produces a usable picture of all unsanctioned data movement in your environment in week one. By day 30, you have evidence, controls, and a unified governance story on data protection for humans, AI, and data for the board.
Â
Â
**This blog has been updated from a previous version.