Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Somewhere in your environment right now, an AI agent is reading files, querying a database, and passing output through a channel your DLP has never seen. It's running under a legitimate user credential, inside a sanctioned tool, and it will not trigger a single alert. When it's done, there will be no record of what it accessed or where that data went. This is not an edge case. It is the default state of most enterprise environments in 2026.

AI agents create data exfiltration risk by combining three capabilities that are dangerous together: access to private data, exposure to untrusted content, and the ability to communicate externally. When all three exist in one agent, an attacker can hide instructions inside an email, document, or webpage the agent processes and trick it into sending sensitive data out. No software vulnerability is required. The attacker doesn't need to break in. They just need to talk to your agent.

In April 2026, Vercel disclosed that attackers had accessed internal systems and customer credentials — not by breaking into Vercel directly, but by compromising a third-party AI tool one of its employees had connected to their corporate account.

On March 24, 2026, thousands of development pipelines ran a routine vulnerability scan. What they actually executed was a credential stealer.

A recently patched Google Chrome vulnerability is a signal security leaders cannot ignore. But it's only the beginning of a much larger story. In January 2026, a high-severity vulnerability was disclosed in Chrome's Gemini AI integration: CVE-2026-0628. The flaw allowed a malicious browser extension with only basic permissions to escalate privileges and gain access to a user's camera, microphone, local files, and the ability to screenshot any website, all without user consent. Google patched it quickly.

‍A DLP solution is only as strong as what it can detect. Gaps in detector coverage aren't just a technical inconvenience; they're exposure windows. Every format that goes unrecognized is a policy that can't fire, a remediation that can't happen, and a breach waiting to occur. Three new detectors are now available in Nightfall: personal photos (selfies and headshots), Malaysian Driver's License numbers, and South African National ID numbers.

Every new AI feature that ships into a platform your employees already use is a security question your stack probably can't answer yet. It sounds like hyperbole, but it's the structural reality of how AI adoption works in 2026. A recent update to WhatsApp is a useful illustration of why.

A sales rep opened Glean—an AI-powered enterprise search platform that connects to your company's SaaS apps and lets anyone query across all of them in natural language—typed "Who are my top 10 customers?" and got a clean, formatted list pulled from Salesforce, cross-referenced with HubSpot, and confirmed against data sitting in Google Drive. They copy-pasted that list into a personal Gmail draft. No alerts fired. No policies triggered. No one noticed. This isn't a hypothetical.

When Anthropic announced Claude Code Security on February 20th—a tool that scans codebases for vulnerabilities and suggests patches for human review—the reaction from markets was swift and brutal. Major cybersecurity names watched their stock prices fall by double digits within days. The implied thesis behind the selling: AI can now do what these companies do, so why pay for them? It's a compelling fear and an inaccurate conclusion at the same time. The DLP space is a clear example of why.

For 83 days, attackers moved freely through Conduent's systems and exfiltrated 8 terabytes of healthcare records, Social Security numbers, and personal data belonging to tens of millions of Americans. No alarm sounded. No transfer was blocked. The breach was discovered when systems stopped working. Not because anyone detected the data leaving.