Glossary

DLP

Data loss prevention — screening data in and out of tool calls to catch leakage and injection.

category ▸ Data & Provenance

audit/verify
#101hash ✓#102hash ✓#103hash ✓#104hash ✓#105hash ✓
head 0x9f3a…c1ok: true
verifyChain ▸ chained SHA-256 · signed receipts
What it means

DLP, in plain language.

Data loss prevention is the practice of inspecting data as it crosses a boundary to stop sensitive information from leaking and to catch malicious content from entering. For AI agents, the boundary that matters most is the tool call: what an agent sends to an external tool, and what it gets back and then surfaces.

Agentic DLP guards two directions at once. Outbound, it prevents an agent from exfiltrating PII or confidential fields. Inbound, it screens for prompt-injection — text crafted to hijack the agent's instructions — which has become one of the defining attack vectors against tool-using models.

In Cortex

How Cortex implements it.

This term isn't abstract here — it maps to a real capability in the runtime. Here is exactly how Cortex enforces or relates to it.

Data & Provenance

Cortex's MCP Gateway runs a DLP scan on every governed tool call: it screens input for injection and PII and blocks high-injection content before the call is made, then redacts PII from the output before the agent sees it. Every governed invocation — allowed or blocked — is recorded with redacted I/O and a reason.

Output guardrails extend the same idea to generated content, screening or redacting sensitive material before it leaves the agent.

See DLP enforced, not just defined.

Book a walkthrough and watch the controls in this glossary return real verdicts, seal real evidence, and trace every fact back to its source.