When you give an AI agent the ability to send emails, post to Slack, and write to databases, you have a data exfiltration surface that no traditional DLP tool was designed for. Agents don’t click on phishing links. They compose entire messages from scratch, pull context from knowledge bases, and act on instructions that might include sensitive data. The threat model is fundamentally different.
That’s why I built a dedicated DLP engine into AgenticMail Enterprise. It sits in the action pipeline, scanning every outbound communication and data write before it leaves the system. If a rule triggers, the action gets blocked, flagged for review, or allowed with a warning depending on the severity level you’ve configured.
53 Rules, 7 Categories
The engine ships with 53 rules organized into seven pre built rule packs:
PII Detection covers social security numbers, passport numbers, dates of birth, phone numbers, physical addresses, and other personally identifiable information. The patterns are locale aware, so a UK National Insurance number and a US SSN both get caught.
Credentials catches API keys, connection strings, private keys, tokens, passwords in plaintext, and common secret formats from AWS, GCP, Azure, Stripe, and about a dozen other providers. This one triggers more than you’d expect. Agents love to be “helpful” by including the full connection details in their responses.
Financial Data covers credit card numbers (with Luhn validation), bank account and routing numbers, tax IDs, and financial statement fragments. If an agent is summarizing a report and accidentally includes raw account numbers, this pack catches it.
HIPAA handles protected health information: medical record numbers, diagnosis codes, prescription details, patient names in clinical context, and insurance identifiers. Healthcare orgs running agents need this on day one.
GDPR enforces data subject protections. It flags attempts to transmit personal data of EU residents without proper consent markers, catches cross border transfer attempts, and identifies special category data like biometric or genetic information.
Intellectual Property detects code snippets, patent references, trade secret markers, confidential document headers, and proprietary data patterns that you define. You can add custom regex patterns for your own classification scheme.
Agent Safety is the category that doesn’t exist in traditional DLP. It catches prompt injection attempts in agent outputs, detects when an agent tries to override its own guardrails, flags self referential loops, and blocks attempts to exfiltrate its own system prompt or tool definitions.
One Click Deployment, Per Rule Toggle
Each rule pack deploys with a single click. Once active, every individual rule within the pack can be toggled on or off independently. Some organizations need HIPAA but don’t care about the patent reference detector. Others want everything maxed out. The granularity is there.
Every rule has a severity level: low, medium, high, or critical. You configure what happens at each severity. Maybe low severity gets logged but allowed through, medium triggers a review queue, and critical blocks immediately with an alert to the security team.
Real Time Scanning
The scanning happens synchronously in the action pipeline. There’s no batch processing or delayed review. When an agent composes an email containing a credit card number, the send action fails before any bytes leave the server. The agent gets a structured error explaining which rule triggered, and it can reformulate its response.
This is important because agents are fast. A batch DLP system that scans after the fact might catch the violation, but the data is already gone. By the time you get the alert, the email has been delivered, the Slack message has been read, and the database write has propagated.
The latency cost is minimal. Most rules are regex based with some validation logic on top. The full 53 rule scan adds roughly 2 to 4 milliseconds per action. For the protection it provides, that’s essentially free.
Why Agents Need Purpose Built DLP
Traditional DLP tools watch network traffic and file systems. They assume a human is the actor. An AI agent doesn’t use a browser to upload files to a personal drive. It uses API calls that look identical to legitimate application traffic. The exfiltration vector is the agent’s own tool use.
You need DLP that understands the agent’s action model. That’s what sitting inside the action pipeline gives you. Every tool call, every outbound message, every data write passes through the same scanning engine. There’s no bypass path because there’s no separate network path to monitor.
53 rules is just the starting set. The engine supports custom rules with the same severity and action framework. But for most teams, the seven packs cover the territory. Turn them on, tune the severity levels, and your agents are operating with guardrails that actually match the threat model.
Source Code
The PII detection patterns form the foundation of the DLP engine, covering common sensitive data formats with regex:
const PII_PATTERNS: Record<string, RegExp> = {
email: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
ssn: /\b\d{3}-?\d{2}-?\d{4}\b/g,
credit_card: /\b(?:\d{4}[- ]?){3}\d{4}\b/g,
phone: /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/g,
api_key: /(?:sk|pk|api|key|token|secret|password)[_-]?[a-zA-Z0-9]{20,}/gi,
aws_key: /(?:AKIA|ASIA)[A-Z0-9]{16}/g,
};