<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Marco Rinaldi</title>
    <description>The latest articles on DEV Community by Marco Rinaldi (@marco_rinaldi_179438a5611).</description>
    <link>https://dev.to/marco_rinaldi_179438a5611</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3988725%2F6418b7f6-e4b6-4303-a268-23427580be54.jpeg</url>
      <title>DEV Community: Marco Rinaldi</title>
      <link>https://dev.to/marco_rinaldi_179438a5611</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/marco_rinaldi_179438a5611"/>
    <language>en</language>
    <item>
      <title>The Security Risks of MCP Servers and How to Mitigate Them Across a Fleet</title>
      <dc:creator>Marco Rinaldi</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:38:09 +0000</pubDate>
      <link>https://dev.to/marco_rinaldi_179438a5611/the-security-risks-of-mcp-servers-and-how-to-mitigate-them-across-a-fleet-2emh</link>
      <guid>https://dev.to/marco_rinaldi_179438a5611/the-security-risks-of-mcp-servers-and-how-to-mitigate-them-across-a-fleet-2emh</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9si8g2i2esc2guje9j3n.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9si8g2i2esc2guje9j3n.png" alt="The Security Risks of MCP Servers and How to Mitigate Them Across a Fleet" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Model Context Protocol (MCP) servers grant AI agents powerful capabilities but also introduce significant security risks, including unauthorized data access and command execution. A unified AI gateway like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; combined with an endpoint agent provides the visibility and control necessary to mitigate these risks across an entire fleet of machines.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Model Context Protocol (MCP) is an emerging standard that allows AI models to interact with external tools and data sources, transforming them into capable agents. These agents can perform complex tasks by discovering and executing functions exposed by MCP servers. While this enables powerful new workflows, it also creates a substantial new attack surface. An unsecured MCP server can become a gateway for data exfiltration, unauthorized API calls, or lateral movement within a network. For organizations with hundreds or thousands of developers using these tools, securing this ecosystem at scale is a critical challenge.&lt;/p&gt;

&lt;p&gt;Many security teams lack visibility into which MCP servers are being used on company devices. This "shadow agent" problem makes it impossible to enforce consistent security policies. Mitigating these risks requires a centralized approach that combines discovery, policy enforcement, and real-time governance. Platforms like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; from Maxim AI, offer a control plane for this purpose, extending policy from the gateway to the individual developer's machine.&lt;/p&gt;

&lt;h2&gt;
  
  
  What are MCP Servers and Why Do They Pose a Risk?
&lt;/h2&gt;

&lt;p&gt;An MCP server is an application that exposes a set of tools (functions, APIs, data sources) to an AI model, such as those used by agents like Claude Code or in editors like Cursor. The AI agent can query the MCP server to understand what tools are available and then request the execution of those tools to accomplish a goal.&lt;/p&gt;

&lt;p&gt;The security risks stem from the capabilities granted to these tools:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Data Access:&lt;/strong&gt; A tool might have the ability to read local files, access databases, or connect to internal APIs. An overly permissive tool could expose sensitive corporate or customer data.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Command Execution:&lt;/strong&gt; Some tools may execute shell commands or run scripts. A vulnerability in such a tool could lead to arbitrary code execution on the host machine.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Unauthenticated Access:&lt;/strong&gt; Many MCP servers are run locally by developers for convenience and may lack robust authentication, making them accessible to any process on the machine or even the local network.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Supply Chain Vulnerabilities:&lt;/strong&gt; The tools themselves, often installed from public registries, can contain vulnerabilities. A compromised tool could be used to attack the agent or the underlying system.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Without a central inventory, security teams cannot know which developers are running which MCP servers, what tools those servers expose, or what data they can access. This lack of visibility makes it nearly impossible to conduct risk assessments or enforce security standards.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F5rf6dy7od947b07ry2j3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F5rf6dy7od947b07ry2j3.png" alt="A stylized blueprint schematic showing a network of interconnected nodes, with some nodes highlighted in red with a warn" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Fleet-Wide Mitigation Strategies for MCP Security
&lt;/h2&gt;

&lt;p&gt;Securing a handful of MCP servers is a configuration task. Securing them across an entire organization's fleet of devices is a governance and infrastructure problem. An effective strategy requires three core components: visibility, control, and enforcement.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Discovery and Inventory:&lt;/strong&gt; The first step is to build a comprehensive, real-time inventory of all MCP servers running across the fleet. You cannot secure what you cannot see. This requires an endpoint agent capable of detecting when AI applications like &lt;a href="https://docs.getbifrost.ai/cli-agents/claude-code" rel="noopener noreferrer"&gt;Claude Code&lt;/a&gt; or &lt;a href="https://docs.getbifrost.ai/cli-agents/cursor" rel="noopener noreferrer"&gt;Cursor&lt;/a&gt; are configured to use an MCP server.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Centralized Policy Management:&lt;/strong&gt; Once servers are discovered, administrators need a central place to approve or deny them. Policy should not be managed on individual machines. A central control plane allows for consistent rule application, such as denying all new servers by default until they are reviewed by a security team.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Endpoint Enforcement:&lt;/strong&gt; A policy is only effective if it is enforced. An endpoint agent must be able to actively block connections to denied MCP servers, preventing AI models from executing their tools. This enforcement must happen on the device itself, before a request can be made.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This approach moves MCP security from an honor system to a governed ecosystem, ensuring that only vetted and approved tools are accessible to AI agents operating on company devices.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Bifrost Governs MCP Servers at Scale
&lt;/h2&gt;

&lt;p&gt;The &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; AI gateway and its endpoint component, Bifrost Edge, are designed to address the challenge of fleet-wide MCP governance directly. The platform provides the necessary layers of visibility, control, and enforcement. The gateway acts as the central policy engine, while the endpoint agent ensures those policies are applied everywhere.&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 1: Discovering MCP Servers with Bifrost Edge
&lt;/h3&gt;

&lt;p&gt;When deployed across a fleet via MDM solutions like Jamf or Intune, &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; immediately begins inventorying AI tool usage.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Automated Discovery:&lt;/strong&gt; The agent identifies AI applications on each machine and inspects their configurations to find connected MCP servers.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Fleet-Wide Inventory:&lt;/strong&gt; This data is sent to a central &lt;a href="https://docs.getbifrost.ai/edge/admin-devices" rel="noopener noreferrer"&gt;admin dashboard&lt;/a&gt;, providing a unified, real-time view of every MCP server in use across the organization, deduplicated for clarity.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;New Server Alerts:&lt;/strong&gt; When a new, unknown MCP server is detected on any machine, it appears in an approval queue for review.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  Step 2: Centralized Approval Workflows
&lt;/h3&gt;

&lt;p&gt;Within the Bifrost admin console, security and platform teams can manage the entire lifecycle of an MCP server.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Approve or Deny:&lt;/strong&gt; From the &lt;a href="https://docs.getbifrost.ai/edge/admin-approvals" rel="noopener noreferrer"&gt;approvals dashboard&lt;/a&gt;, administrators can review each discovered server and explicitly approve or deny it.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Fleet-Wide Application:&lt;/strong&gt; A single click applies the decision across every device running the Edge agent. Denying a server means no agent on any company machine can connect to it.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Default-Deny Posture:&lt;/strong&gt; Organizations can configure a default-deny policy, ensuring no new MCP server can be used until it has been vetted and explicitly approved, significantly reducing the risk from unknown tools.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjulpqc3j2co6d74sqjjp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fjulpqc3j2co6d74sqjjp.png" alt="A visual metaphor of a digital control panel with large, simple toggle switches being flipped from 'Pending' to 'Approve" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Step 3: On-Device Enforcement and Auditing
&lt;/h3&gt;

&lt;p&gt;The combination of the gateway's policy engine and the endpoint agent ensures that rules are not just suggestions.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Connection Blocking:&lt;/strong&gt; &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; enforces the approval list directly on the employee's machine. If an AI agent attempts to connect to a denied MCP server, the connection is blocked before it is initiated.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Fine-Grained Access Control:&lt;/strong&gt; For approved servers, Bifrost provides further control. Using &lt;a href="https://docs.getbifrost.ai/enterprise/mcp-tool-groups" rel="noopener noreferrer"&gt;MCP tool groups&lt;/a&gt;, administrators can define which specific tools are accessible to different users or teams via their assigned &lt;a href="https://docs.getbifrost.ai/features/governance/virtual-keys" rel="noopener noreferrer"&gt;virtual keys&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Comprehensive Auditing:&lt;/strong&gt; All MCP discovery and tool execution events can be logged, creating an immutable &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;audit trail&lt;/a&gt; for compliance and incident response. Beyond routing and access control, this extends Bifrost's &lt;a href="https://www.getmaxim.ai/bifrost/resources/governance" rel="noopener noreferrer"&gt;governance&lt;/a&gt; and security controls from the central gateway to every endpoint.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By implementing this lifecycle of discovery, central management, and endpoint enforcement, organizations can safely unlock the power of AI agents without exposing themselves to the significant security risks of ungoverned MCP servers. This centralized model turns a chaotic and invisible landscape into a managed, secure, and auditable part of the AI infrastructure. Teams looking to secure their AI agent deployments can &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;request a Bifrost demo&lt;/a&gt; to see the platform's MCP governance capabilities.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://github.com/mcp-protocol/spec" rel="noopener noreferrer"&gt;Model-Context-Protocol GitHub Repository&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.thoughtworks.com/en-us/insights/blog/rise-of-ai-agents-in-software-development" rel="noopener noreferrer"&gt;The Rise of AI Agents in Software Development by Thoughtworks&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" rel="noopener noreferrer"&gt;OWASP Top 10 for Large Language Model Applications&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>mcp</category>
      <category>governance</category>
    </item>
    <item>
      <title>A Technical Comparison of AI DLP Tools for the Enterprise</title>
      <dc:creator>Marco Rinaldi</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:32:17 +0000</pubDate>
      <link>https://dev.to/marco_rinaldi_179438a5611/a-technical-comparison-of-ai-dlp-tools-for-the-enterprise-190b</link>
      <guid>https://dev.to/marco_rinaldi_179438a5611/a-technical-comparison-of-ai-dlp-tools-for-the-enterprise-190b</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Flxztejmzkgrf9s6u87p8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Flxztejmzkgrf9s6u87p8.png" alt="A Technical Comparison of AI DLP Tools for the Enterprise" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;As enterprises adopt generative AI, they create new pathways for sensitive data exfiltration. This comparison of AI DLP tools examines different approaches to mitigating this risk, highlighting why AI-specific governance platforms like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; provide a more effective control plane than traditional solutions.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The widespread adoption of generative AI applications presents a significant Data Loss Prevention (DLP) challenge for enterprise security teams. When employees use tools like ChatGPT, Claude, or terminal-based coding agents, they can inadvertently expose intellectual property, customer data, or internal credentials in prompts. An effective AI DLP strategy requires tools that can inspect, govern, and audit this new type of traffic. Solutions range from traditional network security platforms to dedicated AI governance gateways like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; designed for this purpose.&lt;/p&gt;

&lt;p&gt;This article compares the leading categories of AI DLP tools and evaluates their effectiveness in securing enterprise AI usage.&lt;/p&gt;

&lt;h2&gt;
  
  
  Key Criteria for Evaluating AI DLP Solutions
&lt;/h2&gt;

&lt;p&gt;Traditional DLP focuses on patterns in data at rest or in transit across standard channels like email and file transfers. According to ISACA, a global association for IT governance professionals, a core DLP function is to classify content and enforce policies based on that classification. AI traffic, however, introduces new complexities that require a more specialized evaluation framework.&lt;/p&gt;

&lt;p&gt;A robust evaluation of an AI DLP tool should consider the following criteria:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Protocol-Level Visibility:&lt;/strong&gt; Can the tool differentiate between a standard API call and a generative AI prompt? Does it understand the structure of LLM requests, streaming responses, and Model Context Protocol (MCP) traffic for AI agents?&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Real-Time Policy Enforcement:&lt;/strong&gt; The tool must be able to block or redact sensitive data &lt;em&gt;before&lt;/em&gt; it leaves the corporate network and reaches a third-party model provider, not just log it after the fact.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Granularity of Control:&lt;/strong&gt; Does the solution allow for context-aware policies? For example, can it apply different rules based on the user, their team, the specific AI model being accessed, or the project they are working on?&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Endpoint vs. Gateway Coverage:&lt;/strong&gt; A comprehensive solution must govern AI usage everywhere it happens. This includes both server-side applications routing through a central gateway and, critically, the "shadow AI" tools running directly on employee workstations.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Auditability:&lt;/strong&gt; The tool must provide detailed, immutable logs of all AI interactions, including prompts, responses, and policy violations, to support compliance with frameworks like SOC 2 and ISO 27001.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fttzsp9rah0m7vk8ur6af.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fttzsp9rah0m7vk8ur6af.png" alt="A blueprint schematic showing multiple streams of data flowing from different sources—a server, a laptop, a mobile devic" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The Comparison: Top AI DLP Approaches
&lt;/h2&gt;

&lt;p&gt;No single product category owns the entire AI DLP space. Most enterprises will deploy a layered strategy, but the effectiveness of that strategy depends heavily on the capabilities of the core components.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Bifrost: AI Gateway with Endpoint Governance
&lt;/h3&gt;

&lt;p&gt;Bifrost is an AI gateway that acts as a central control plane for all AI traffic. It provides deep, protocol-aware inspection and policy enforcement for LLM and MCP requests.&lt;/p&gt;

&lt;p&gt;Its approach to DLP is built on a combination of gateway-level controls and endpoint enforcement. At the gateway, teams can use &lt;a href="https://docs.getbifrost.ai/features/governance/virtual-keys" rel="noopener noreferrer"&gt;virtual keys&lt;/a&gt; to assign specific access rights, budgets, and policies to different users or applications. This allows for highly granular control over who can access which models and under what conditions.&lt;/p&gt;

&lt;p&gt;For real-time data protection, Bifrost offers a system of configurable &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;guardrails&lt;/a&gt;. These include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Secrets Detection:&lt;/strong&gt; A built-in guardrail that uses pattern matching to find and block API keys, database credentials, and other secrets before they are sent in a prompt.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Custom Regex:&lt;/strong&gt; Allows security teams to define their own patterns for sensitive information, such as customer IDs, project codenames, or PII, and enforce redaction or rejection policies.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Third-Party Integrations:&lt;/strong&gt; Connects to specialized services like AWS Bedrock Guardrails and Azure Content Safety for more advanced content analysis.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The most significant differentiator for Bifrost is its ability to extend this governance to the last mile. Traditional gateways only see traffic explicitly configured to pass through them. &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; is an endpoint agent that transparently routes all AI traffic from employee machines—including from desktop apps like Claude Desktop and web apps like ChatGPT—through the central Bifrost gateway. This closes the "shadow AI" loophole, ensuring that the same &lt;a href="https://www.getmaxim.ai/bifrost/resources/governance" rel="noopener noreferrer"&gt;security and governance policies&lt;/a&gt; are enforced everywhere.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Enterprises that need a dedicated, AI-native control plane for deep visibility, granular policy enforcement, and comprehensive coverage across both infrastructure and employee endpoints.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F321dj0buggh740z3wet0.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F321dj0buggh740z3wet0.png" alt="A central glowing server node representing an AI gateway, with smaller, connected nodes on laptops around it representin" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Secure Web Gateways (SWGs) and CASBs
&lt;/h3&gt;

&lt;p&gt;Secure Web Gateways (SWGs) and Cloud Access Security Brokers (CASBs) from vendors like &lt;a href="https://www.zscaler.com/" rel="noopener noreferrer"&gt;Zscaler&lt;/a&gt; and &lt;a href="https://www.netskope.com/" rel="noopener noreferrer"&gt;Netskope&lt;/a&gt; are established players in enterprise security. They excel at inspecting general web traffic and enforcing broad policies, such as blocking access to unapproved websites or scanning file uploads for malware.&lt;/p&gt;

&lt;p&gt;Many of these platforms have added features to identify traffic to popular AI services. For example, they can block access to &lt;code&gt;chatgpt.com&lt;/code&gt; entirely or apply basic keyword filtering to the data being sent.&lt;/p&gt;

&lt;p&gt;However, these tools generally operate at the HTTP level and lack the specialized understanding of AI protocols. They may struggle to parse the complex JSON payloads of modern LLM requests, interpret streaming responses, or understand the tool-use conversations happening over MCP. This can lead to a trade-off between overly broad blocking (which hinders productivity) and permissive policies that fail to catch nuanced data leaks.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Organizations looking to apply broad, high-level access controls to AI websites as an extension of their existing web security posture. They serve as a good first line of defense but often lack the depth needed for comprehensive AI DLP.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Native Platform DLP
&lt;/h3&gt;

&lt;p&gt;Cloud and SaaS providers are increasingly building DLP capabilities directly into their own platforms. A prominent example is &lt;a href="https://www.microsoft.com/en-us/security/business/microsoft-purview" rel="noopener noreferrer"&gt;Microsoft Purview&lt;/a&gt;, which offers data classification and protection policies that can be applied to services like Microsoft Copilot.&lt;/p&gt;

&lt;p&gt;The primary advantage of this approach is deep integration. Purview can leverage its understanding of an organization's data sensitivity labels within Microsoft 365 to inform the policies it applies to Copilot prompts. If a user tries to paste content from a "Highly Confidential" document into a prompt, the system can block it.&lt;/p&gt;

&lt;p&gt;The limitation is that this protection is typically confined to the provider's own ecosystem. A policy that governs Copilot for Microsoft 365 has no bearing on a developer using Google's Gemini in their terminal or a marketing team member using Claude to summarize a document. This creates security silos and leaves significant gaps in coverage for organizations that use a multi-provider AI strategy.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Companies that are heavily invested in a single provider's ecosystem and primarily need DLP for that provider's native AI tools.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why AI-Specific Governance Is Critical for DLP
&lt;/h2&gt;

&lt;p&gt;Generic DLP tools fall short because they treat AI traffic like any other form of web traffic. An effective AI DLP strategy recognizes that this traffic is fundamentally different. An AI gateway like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; is purpose-built to understand these differences.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Prompt and Response Inspection:&lt;/strong&gt; The most sensitive data in an AI interaction is often in the unstructured text of the prompt or the model's response. A specialized gateway can parse these fields specifically, applying targeted guardrails without having to decipher the entire API request structure.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Agent and Tool Risk (MCP):&lt;/strong&gt; As AI agents become more common, they will use protocols like MCP to interact with external tools and APIs. A tool that doesn't understand MCP cannot see or govern an agent that is granted access to read a private code repository or a customer database. Bifrost's function as an &lt;a href="https://www.getmaxim.ai/bifrost/resources/mcp-gateway" rel="noopener noreferrer"&gt;MCP gateway&lt;/a&gt; provides visibility and control over this emerging vector for data loss.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Comprehensive Audit Trails:&lt;/strong&gt; For compliance and incident response, teams need more than just a record that a user accessed an AI service. They need an immutable log of the interaction itself. Bifrost provides detailed &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;audit logs&lt;/a&gt; that capture the full request and response, policy decisions, and metadata needed for forensics.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Conclusion: A Layered Strategy with an AI Gateway at the Core
&lt;/h2&gt;

&lt;p&gt;Protecting against data loss in the age of generative AI requires a modern, layered approach. While SWGs and native platform tools have a role to play, a dedicated AI governance platform is essential for providing the deep visibility and granular control required.&lt;/p&gt;

&lt;p&gt;By deploying an AI gateway like Bifrost with its endpoint agent, Bifrost Edge, organizations can establish a central, AI-aware control plane. This ensures that a consistent set of data protection policies is applied to all AI usage, from internal applications to the shadow AI tools running on employee devices. For teams serious about preventing AI-driven data exfiltration, this combination provides the most robust and comprehensive solution available. Teams can &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;request a Bifrost demo&lt;/a&gt; to see how these controls work in practice.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  ISACA, &lt;a href="https://www.isaca.org/resources/it-audit-basics/data-loss-prevention-dlp" rel="noopener noreferrer"&gt;Data Loss Prevention (DLP)&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Bifrost Documentation, &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;Guardrails&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Bifrost Documentation, &lt;a href="https://docs.getbifrost.ai/edge/overview" rel="noopener noreferrer"&gt;Bifrost Edge Overview&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Zscaler, Inc., &lt;a href="https://www.zscaler.com/" rel="noopener noreferrer"&gt;Homepage&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Netskope, Inc., &lt;a href="https://www.netskope.com/" rel="noopener noreferrer"&gt;Homepage&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Microsoft Corporation, &lt;a href="https://www.microsoft.com/en-us/security/business/microsoft-purview" rel="noopener noreferrer"&gt;Microsoft Purview&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aidlp</category>
      <category>cybersecurity</category>
      <category>datasecurity</category>
      <category>governance</category>
    </item>
    <item>
      <title>How to Prevent Data Leaks Through Generative AI Apps</title>
      <dc:creator>Marco Rinaldi</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:32:14 +0000</pubDate>
      <link>https://dev.to/marco_rinaldi_179438a5611/how-to-prevent-data-leaks-through-generative-ai-apps-24mp</link>
      <guid>https://dev.to/marco_rinaldi_179438a5611/how-to-prevent-data-leaks-through-generative-ai-apps-24mp</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fadinthss6dl4z1tmkfdw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fadinthss6dl4z1tmkfdw.png" alt="How to Prevent Data Leaks Through Generative AI Apps" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;A comprehensive strategy for preventing data leaks from generative AI requires centralized governance at the gateway and security enforcement at the endpoint. Tools like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; provide a unified platform to manage both, securing corporate data from the risks of shadow AI without blocking productivity.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The rapid adoption of generative AI applications in the workplace has introduced a new and complex vector for corporate data leakage. Unlike traditional data breaches, AI-related leaks often happen unintentionally, when employees use unsanctioned AI tools to improve their productivity. Pasting sensitive source code, customer data, or internal financial reports into a public-facing AI chat application can lead to the exposure of proprietary information. This phenomenon, known as "shadow AI," operates outside the visibility of IT and security teams, bypassing established security controls.&lt;/p&gt;

&lt;p&gt;A recent study found that a significant percentage of employees share sensitive work information with AI tools without company permission, creating a substantial risk of data loss. Addressing this requires a new approach to security that extends from the central infrastructure to every employee's device. An effective strategy combines an AI gateway for centralized policy control with an endpoint agent to govern the tools people use daily. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt;, is an example of a platform built to provide this layered defense.&lt;/p&gt;

&lt;h2&gt;
  
  
  Understanding How Generative AI Apps Leak Data
&lt;/h2&gt;

&lt;p&gt;Data can be exfiltrated through generative AI applications in several ways, many of which are not immediately obvious and bypass traditional security measures like firewalls.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Prompt Leakage:&lt;/strong&gt; The most direct method is when employees copy and paste sensitive information directly into AI prompts. This could be anything from proprietary source code and financial data to personally identifiable information (PII) from customer records. Once this data is submitted, it may be used by the AI provider to train future models, potentially resurfacing in responses to other users.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Shadow AI Usage:&lt;/strong&gt; When employees use unapproved AI tools—often through personal accounts—they operate outside of any corporate governance or security oversight. This "shadow AI" ecosystem creates significant blind spots for security teams, as there is no audit trail for what data has been shared.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Insecure Integrations:&lt;/strong&gt; AI tools are often integrated with other corporate systems like databases or CRMs. If these integrations lack proper access controls, the AI can become a privileged entry point for data exfiltration. According to Gartner, a substantial number of AI-related security failures will be attributable to such integration failures.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Model Training Data:&lt;/strong&gt; If an organization uses its own sensitive data to fine-tune a model, that information can become embedded in the model's parameters. Attackers can then use carefully crafted queries to trick the model into revealing parts of its training data.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxd2bgcyqe2x78s1y3mls.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxd2bgcyqe2x78s1y3mls.png" alt="An abstract visualization of sensitive data fragments, represented as glowing red puzzle pieces, leaking out from the se" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Strategies for Preventing AI-Related Data Leaks
&lt;/h2&gt;

&lt;p&gt;A robust strategy for preventing AI data leaks relies on visibility and control. Organizations cannot govern AI usage they cannot see. This means implementing a system that can monitor and manage all AI traffic, regardless of where it originates. The most effective architecture combines a centralized AI gateway with endpoint security.&lt;/p&gt;

&lt;h3&gt;
  
  
  Centralized Policy Enforcement with an AI Gateway
&lt;/h3&gt;

&lt;p&gt;An AI gateway acts as a single control point for all AI traffic within an organization, sitting between applications and the various LLM providers. This centralization allows platform teams to enforce consistent security and governance policies for every request.&lt;/p&gt;

&lt;p&gt;Platforms like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; provide several key features for preventing data leaks at the gateway level:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Data Loss Prevention (DLP):&lt;/strong&gt; An AI gateway can inspect both prompts and responses in real-time for sensitive data patterns. Bifrost's &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;guardrails&lt;/a&gt; feature allows for native secrets detection to catch credentials, custom regular expressions to block PII, and integration with third-party content safety tools.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Virtual Keys and Access Control:&lt;/strong&gt; Instead of using shared provider API keys, teams can issue &lt;a href="https://docs.getbifrost.ai/features/governance/virtual-keys" rel="noopener noreferrer"&gt;virtual keys&lt;/a&gt; that are scoped to specific users, teams, or projects. Each key can have its own budget, rate limits, and model access permissions, providing granular control over AI usage and preventing abuse.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Audit Logs:&lt;/strong&gt; A centralized gateway creates an immutable &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;audit log&lt;/a&gt; of every request and response. This visibility is crucial for compliance with frameworks like SOC 2 and for investigating potential incidents.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  The Endpoint Problem: Closing the "Shadow AI" Gap
&lt;/h3&gt;

&lt;p&gt;While a gateway is effective for managing traffic from sanctioned applications, it cannot control the "shadow AI" usage on employee laptops. An employee using ChatGPT in their browser or running a local AI coding assistant can still bypass gateway policies. This is where endpoint governance becomes critical.&lt;/p&gt;

&lt;p&gt;Endpoint AI agents run directly on employee devices and can access local file systems and clipboard data, operating outside the view of network-based security tools. To close this gap, organizations need a solution that extends governance from the gateway to the device itself.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6w6kydu9ttr8hnwjpug5.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F6w6kydu9ttr8hnwjpug5.png" alt="A central, fortified data vault connected by secure, glowing pathways to multiple laptops. A digital padlock icon is vis" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Implementing Endpoint AI Governance
&lt;/h2&gt;

&lt;p&gt;Endpoint AI governance provides the last-mile enforcement needed for a complete data protection strategy. It involves deploying an agent on each company machine that can identify and control AI traffic at the source.&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost AI gateway&lt;/a&gt; and &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; work together to solve this problem. The gateway serves as the central policy engine, while Bifrost Edge is an endpoint agent that extends the gateway's policies to every machine.&lt;/p&gt;

&lt;p&gt;This combined approach enables several critical capabilities:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Automatic AI App Discovery:&lt;/strong&gt; The &lt;a href="https://docs.getbifrost.ai/edge/overview" rel="noopener noreferrer"&gt;Bifrost Edge agent&lt;/a&gt; discovers all AI applications being used on a device, including desktop apps, browser-based AI, and coding agents. This eliminates the "shadow AI" blind spot.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Centralized App and MCP Governance:&lt;/strong&gt; From a central dashboard, administrators can see a fleet-wide inventory of all discovered AI apps and the MCP servers they connect to. They can then create and enforce policies to &lt;a href="https://docs.getbifrost.ai/edge/app-governance" rel="noopener noreferrer"&gt;allow or deny specific applications&lt;/a&gt; and &lt;a href="https://docs.getbifrost.ai/edge/mcp-governance" rel="noopener noreferrer"&gt;MCP servers&lt;/a&gt; across the entire organization.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Endpoint Policy Enforcement:&lt;/strong&gt; The Edge agent ensures that all AI traffic from an employee's machine is routed through the company's Bifrost gateway. This means the same &lt;a href="https://docs.getbifrost.ai/edge/security" rel="noopener noreferrer"&gt;guardrails&lt;/a&gt;, virtual keys, budgets, and audit logging policies that apply to server-side applications are also enforced on endpoint traffic.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;MDM Deployment:&lt;/strong&gt; For seamless rollout, agents like Bifrost Edge can be deployed and configured across an entire fleet of macOS, Windows, and Linux machines using existing &lt;a href="https://docs.getbifrost.ai/edge/deployment-mdm" rel="noopener noreferrer"&gt;MDM platforms&lt;/a&gt; like Jamf or Microsoft Intune.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  A Unified Approach to AI Security
&lt;/h2&gt;

&lt;p&gt;Preventing data leaks from generative AI requires a layered security strategy that acknowledges the reality of shadow AI. Simply blocking all AI tools is not a viable option, as it hinders productivity and encourages employees to find workarounds.&lt;/p&gt;

&lt;p&gt;A unified platform that combines a central AI gateway with endpoint governance provides the necessary visibility and control. This architecture allows organizations to set and enforce consistent data protection policies across all forms of AI usage, from internal applications to the unsanctioned tools running on employee devices. Teams evaluating AI security solutions can &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;request a demo of Bifrost&lt;/a&gt; or review the &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source repository&lt;/a&gt; to learn more.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://www.gartner.com/en/newsroom" rel="noopener noreferrer"&gt;Gartner Press Release, “Gartner Predicts 40% of AI Data Breaches Will Arise from Cross-Border GenAI Misuse by 2027,” February 17, 2025.&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.ibm.com/thought-leadership/institute-business-value/en-us/study/generative-ai-security" rel="noopener noreferrer"&gt;IBM Institute for Business Value, "Securing generative AI."&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://learn.microsoft.com/en-us/purview/prevent-data-leak-shadow-ai-intro" rel="noopener noreferrer"&gt;Microsoft Learn, "Prevent data leak to shadow AI," April 03, 2026.&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" rel="noopener noreferrer"&gt;OWASP, "Top 10 for LLM Applications," 2025.&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.paloaltonetworks.com/cyberpedia/what-is-shadow-ai" rel="noopener noreferrer"&gt;Palo Alto Networks, "What Is Shadow AI? How It Happens and What to Do About It."&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://versa-networks.com/resources/blogs/shadow-ai-data-leakage-how-to-secure-generative-ai-at-work/" rel="noopener noreferrer"&gt;Versa Networks, "Shadow AI &amp;amp; Data Leakage: How to Secure Generative AI at Work."&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>governance</category>
      <category>dataleaks</category>
    </item>
    <item>
      <title>Applying DLP to Prompts for ChatGPT and Claude</title>
      <dc:creator>Marco Rinaldi</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:31:15 +0000</pubDate>
      <link>https://dev.to/marco_rinaldi_179438a5611/applying-dlp-to-prompts-for-chatgpt-and-claude-4f6n</link>
      <guid>https://dev.to/marco_rinaldi_179438a5611/applying-dlp-to-prompts-for-chatgpt-and-claude-4f6n</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmfpioytxqwp2kg62pqn1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fmfpioytxqwp2kg62pqn1.png" alt="Applying DLP to Prompts for ChatGPT and Claude" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Applying Data Loss Prevention (DLP) to prompts is essential for preventing sensitive data from being sent to third-party LLMs. An AI gateway like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; can enforce DLP policies, scan for secrets, and redact PII before prompts leave the corporate network, securing the use of tools like ChatGPT and Claude.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;A primary challenge for enterprises adopting generative AI is preventing the accidental exposure of sensitive data. When employees use models like OpenAI's ChatGPT or Anthropic's Claude, any proprietary code, customer information, or intellectual property included in a prompt is sent to a third-party service. This creates a significant risk of data leakage, violating compliance standards like SOC 2, GDPR, or HIPAA. To address this, organizations implement Data Loss Prevention (DLP) strategies for AI, and a central point of enforcement is an AI gateway. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; from Maxim AI, provides tools to inspect and control the data within prompts before they reach any model.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Challenge of Sensitive Data in LLM Prompts
&lt;/h2&gt;

&lt;p&gt;Large Language Models have no inherent understanding of what constitutes sensitive information. They process prompts as-is, which can lead to several data security issues:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Training on Prompts:&lt;/strong&gt; Some service providers may use submitted data to train future versions of their models. While major providers like OpenAI and Anthropic now offer enterprise agreements with zero-data-retention policies, this is not always the default and may not apply to all service tiers.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Accidental Exposure:&lt;/strong&gt; An employee seeking help debugging a function might paste a code snippet containing proprietary algorithms or embedded API keys. Similarly, a support agent might paste a customer conversation that includes Personally Identifiable Information (PII) to summarize it.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Compliance Violations:&lt;/strong&gt; The transfer of regulated data (such as financial information or protected health information) to a third-party AI service without proper controls can violate data protection regulations, leading to significant fines and legal consequences.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Shadow AI:&lt;/strong&gt; Employees often use personal or unmanaged accounts for AI tools on their work machines. This "shadow AI" usage bypasses any existing security controls, creating a major blind spot for IT and security teams.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxxtgfwbhc1g3mrtt9c9v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxxtgfwbhc1g3mrtt9c9v.png" alt="A visual metaphor of a sieve or filter catching red, glowing particles (representing sensitive data like API keys and PI" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Methods for Prompt DLP Enforcement
&lt;/h2&gt;

&lt;p&gt;Organizations use several methods to apply DLP to AI prompts, each with different points of enforcement and effectiveness.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. User Training and Manual Policies
&lt;/h3&gt;

&lt;p&gt;The most basic approach is to establish clear internal policies about what data can and cannot be used in prompts and to train employees on these guidelines.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Pros:&lt;/strong&gt; Low technical overhead to implement.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Cons:&lt;/strong&gt; Relies entirely on human vigilance and is prone to error. It is not a preventative control and offers no technical enforcement or audit trail.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  2. Browser Extensions and Endpoint Agents
&lt;/h3&gt;

&lt;p&gt;Some solutions use browser extensions or simple endpoint agents to scan text entered into web-based AI interfaces.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Pros:&lt;/strong&gt; Can catch data before it leaves the browser.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Cons:&lt;/strong&gt; Limited to specific web pages (e.g., chat.openai.com) and easily bypassed. They do not cover API-based integrations, desktop applications like Claude Desktop, or CLI-based coding agents.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  3. Integrated DLP in AI Platforms
&lt;/h3&gt;

&lt;p&gt;Certain enterprise AI platforms include built-in DLP features. These are often tied to the specific platform and may not cover the full spectrum of AI tools an organization uses.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Pros:&lt;/strong&gt; Tightly integrated with the platform's workflow.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Cons:&lt;/strong&gt; Creates vendor lock-in and does not address the use of other, unmanaged AI services.&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;
  
  
  4. Centralized AI Gateway
&lt;/h3&gt;

&lt;p&gt;An AI gateway acts as a single point of entry for all LLM traffic. By routing all requests through a central proxy, security teams can inspect every prompt from any source (API, desktop app, custom integration) and apply consistent DLP policies.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Pros:&lt;/strong&gt; Provides universal, consistent policy enforcement across all AI applications and models. Offers detailed audit logs for compliance.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Cons:&lt;/strong&gt; Requires routing all AI traffic through the gateway, which needs to be highly performant to avoid adding latency.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How an AI Gateway Enforces Prompt DLP
&lt;/h2&gt;

&lt;p&gt;An AI gateway like Bifrost is a powerful control point for implementing robust DLP. It inspects every request in transit and applies a series of security checks, known as guardrails, before forwarding the request to the upstream LLM provider.&lt;/p&gt;

&lt;p&gt;The process is transparent to the end-user. A developer making an API call or an analyst using ChatGPT Desktop interacts with their tool as usual. The gateway intercepts the traffic and enforces policy in real-time.&lt;/p&gt;

&lt;h3&gt;
  
  
  Key DLP Features in Bifrost
&lt;/h3&gt;

&lt;p&gt;Bifrost provides specific guardrail capabilities designed to detect and handle sensitive data within prompts.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Secrets Detection:&lt;/strong&gt; The gateway includes a built-in &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails/secrets-detection" rel="noopener noreferrer"&gt;secrets detection guardrail&lt;/a&gt; that scans prompts for patterns matching API keys, database credentials, private keys, and other tokens. If a secret is found, the request can be blocked entirely, and an alert can be generated. This prevents credentials from accidentally being exposed to a third-party model or logged in its systems.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;PII Redaction with Custom Regex:&lt;/strong&gt; Organizations can define their own patterns for sensitive data using the &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails/custom-regex" rel="noopener noreferrer"&gt;custom regex guardrail&lt;/a&gt;. This is commonly used to find and redact PII like social security numbers, credit card numbers, phone numbers, or internal project codenames. The gateway can either block the request or redact the sensitive portion, replacing it with a placeholder before it is sent to the LLM.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Third-Party Guardrail Integration:&lt;/strong&gt; Beyond its native capabilities, Bifrost integrates with specialized AI security providers like &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;AWS Bedrock Guardrails, Azure Content Safety, and Patronus AI&lt;/a&gt;. This allows teams to apply sophisticated, pre-built content policies for PII, toxicity, and other sensitive topics directly at the gateway layer.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Comprehensive Audit Logs:&lt;/strong&gt; Every request and its outcome are recorded in immutable &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;audit logs&lt;/a&gt;. This provides a complete trail for security reviews and compliance reporting, showing which prompts were sent, which were blocked by DLP policies, and why.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;
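&lt;p&gt;The guardrail chain described above, as an added example that is not Bifrost's own code: a request is scanned for secrets (hard block), then for custom-regex PII (redact with a placeholder), and the outcome is written to an audit record that stores rule names and fingerprints rather than the matched values. All patterns, the placeholder format and the log shape are assumptions made for this illustration.&lt;/p&gt;

```python
"""Prompt DLP guardrail chain: what a gateway does to a request before forwarding it.

Added example, not Bifrost's own code.  It models the three behaviours the post
describes: native secrets detection that blocks the request, custom-regex PII
redaction that swaps each match for a placeholder, and an audit record of the
outcome.  Every pattern, the placeholder format and the log shape are assumptions
made for this illustration, not the product's rules.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Secrets: finding one blocks the whole request.  Illustrative patterns, not a full set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|token|secret)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"
    ),
}

# Custom-regex PII: each match is replaced by a placeholder that keeps the category.
PII_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CREDIT_CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PROJECT_CODENAME": re.compile(r"\bProject (?:Falcon|Nimbus)\b"),  # constructed internal names
}


@dataclass
class Decision:
    action: str            # "allow", "redact" or "block"
    prompt: str            # the prompt as it would be forwarded; empty when blocked
    findings: list = field(default_factory=list)


def fingerprint(text):
    """Audit logs must not store the matched secret or PII; a short hash still lets
    an investigator correlate repeated leaks of the same value."""
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def inspect_prompt(prompt):
    """Run the guardrail chain over one prompt and return a Decision."""
    findings = []
    for rule, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(prompt):
            findings.append({"type": "secret", "rule": rule, "fp": fingerprint(m.group(0))})
    if findings:
        # Secrets are never forwarded, redacted or not: the safe outcome is a hard block.
        return Decision("block", "", findings)

    redacted = prompt
    for label, pat in PII_PATTERNS.items():
        def replace(m, label=label):
            findings.append({"type": "pii", "rule": label, "fp": fingerprint(m.group(0))})
            return f"[{label}_REDACTED]"
        redacted = pat.sub(replace, redacted)
    return Decision("redact" if findings else "allow", redacted, findings)


def audit_record(virtual_key, decision):
    """Shape of the log entry emitted per request: who, what outcome, which rules fired."""
    return {
        "virtual_key": virtual_key,
        "action": decision.action,
        "rules": sorted({f["rule"] for f in decision.findings}),
        "fingerprints": [f["fp"] for f in decision.findings],
    }


if __name__ == "__main__":
    # Constructed prompts standing in for what employees might paste.
    # AKIAIOSFODNN7EXAMPLE is the placeholder key used in AWS's own documentation.
    samples = [
        "Why does this call fail? aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
        "Customer Jane Doe (SSN 123-45-6789, jane@acme.com) asked about Project Falcon.",
        "Explain the difference between TCP and UDP.",
    ]
    for p in samples:
        d = inspect_prompt(p)
        print(audit_record("vk-support-team", d))
        if d.action != "block":
            print("  forwarded:", d.prompt)
```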

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvk0sxfinkanko9b2rmqi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvk0sxfinkanko9b2rmqi.png" alt="A central control tower (representing an AI gateway) with beams of light extending to multiple devices like laptops and " width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Extending DLP to the Endpoint with Bifrost Edge
&lt;/h3&gt;

&lt;p&gt;A gateway can only enforce policies on traffic it sees. The rise of desktop AI apps and CLI agents creates a "last mile" problem where employee machines generate AI traffic that may not be routed through the central gateway.&lt;/p&gt;

&lt;p&gt;To solve this, Bifrost's governance and security controls are extended to the device level with &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt;. Edge is an endpoint agent that runs on employee machines (macOS, Windows, and Linux) and automatically routes all AI traffic from supported desktop apps, browsers, and coding agents through the organization's Bifrost instance. This ensures that the same &lt;a href="https://docs.getbifrost.ai/edge/security" rel="noopener noreferrer"&gt;DLP guardrails and security policies&lt;/a&gt; apply to prompts from tools like ChatGPT Desktop or Claude Desktop, closing the shadow AI loophole.&lt;/p&gt;

&lt;h2&gt;
  
  
  Implementing a Secure AI Workflow
&lt;/h2&gt;

&lt;p&gt;For organizations looking to leverage the power of tools like ChatGPT and Claude securely, applying DLP at the prompt level is not optional. While user education is a necessary first step, technical enforcement is required for reliable protection. An AI gateway offers a centralized, scalable, and comprehensive solution for inspecting and controlling data before it leaves the network perimeter.&lt;/p&gt;

&lt;p&gt;Teams evaluating AI security solutions can &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;request a demo of Bifrost&lt;/a&gt; to see how its guardrails and endpoint governance can be applied or review the project's &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source repository&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>dlp</category>
      <category>llm</category>
    </item>
    <item>
      <title>How to Redact Sensitive Data Before It Reaches an LLM</title>
      <dc:creator>Marco Rinaldi</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:31:14 +0000</pubDate>
      <link>https://dev.to/marco_rinaldi_179438a5611/how-to-redact-sensitive-data-before-it-reaches-an-llm-3mhp</link>
      <guid>https://dev.to/marco_rinaldi_179438a5611/how-to-redact-sensitive-data-before-it-reaches-an-llm-3mhp</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftq0y702ylhelz7zaw21d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ftq0y702ylhelz7zaw21d.png" alt="How to Redact Sensitive Data Before It Reaches an LLM" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Sending sensitive data to third-party Large Language Models (LLMs) creates significant security and compliance risks. This guide explores automated redaction techniques that sanitize prompts before they leave your network, allowing teams to use AI tools without exposing confidential information.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Large Language Models (LLMs) from providers like OpenAI, Anthropic, and Google are powerful tools, but using them with sensitive data introduces a critical risk: data leakage. Every time an employee pastes customer information, internal project details, or regulated data like Personally Identifiable Information (PII) into a prompt, that data is sent to servers outside of your control. This can lead to compliance violations under regulations like GDPR and HIPAA, and it exposes proprietary information to potential misuse.&lt;/p&gt;

&lt;p&gt;The core of the problem is that LLMs don't inherently distinguish between sensitive and non-sensitive information. To a model, a Social Security number is just another sequence of tokens. The solution is to intercept and sanitize this data &lt;em&gt;before&lt;/em&gt; it ever reaches the LLM. This process is known as inline prompt redaction.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Inline Prompt Redaction?
&lt;/h2&gt;

&lt;p&gt;Inline prompt redaction is an automated process that detects and removes or masks sensitive information from user prompts in real time. Instead of relying on users to self-censor, this technique acts as a checkpoint, ensuring that confidential data never leaves the security of your own environment.&lt;/p&gt;

&lt;p&gt;The process generally involves four steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Detect:&lt;/strong&gt; The system scans the outgoing prompt for sensitive data patterns.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Replace:&lt;/strong&gt; Each piece of identified sensitive data is replaced with a placeholder or token (e.g., &lt;code&gt;[EMAIL_1]&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Forward:&lt;/strong&gt; The sanitized, harmless prompt is sent to the external LLM provider.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Audit:&lt;/strong&gt; The redaction event is logged for compliance and security monitoring.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This approach allows applications to get the benefits of the LLM's reasoning capabilities while preventing the underlying sensitive data from being exposed.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl8m8ztwkgfln08zlfhf1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fl8m8ztwkgfln08zlfhf1.png" alt="A magnifying glass closely inspecting a stream of digital text. Certain words and phrases representing sensitive data (l" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Core Techniques for Data Redaction
&lt;/h2&gt;

&lt;p&gt;Several methods can be used to detect and redact sensitive information from text. These techniques can be used alone or in combination for greater accuracy.&lt;/p&gt;

&lt;h3&gt;
  
  
  1. Pattern Matching (Regex)
&lt;/h3&gt;

&lt;p&gt;The most straightforward approach is using regular expressions (regex) to find patterns that match common sensitive data formats. This is effective for structured data like:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  Credit Card Numbers&lt;/li&gt;
&lt;li&gt;  Social Security Numbers (SSNs)&lt;/li&gt;
&lt;li&gt;  Phone Numbers&lt;/li&gt;
&lt;li&gt;  IP Addresses&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For example, a simple regex can identify a U.S. SSN:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;\b\d{3}-\d{2}-\d{4}\b
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;While fast and efficient, regex can be brittle. It may struggle with inconsistent formatting or fail to identify sensitive data that doesn't follow a strict pattern, like names.&lt;/p&gt;

&lt;h3&gt;
  
  
  2. Named Entity Recognition (NER)
&lt;/h3&gt;

&lt;p&gt;Named Entity Recognition (NER) is a machine learning technique that identifies and categorizes named entities in text, such as names of people, organizations, locations, and more. NER models are trained on large datasets to recognize the context around words, making them much more robust than simple pattern matching for identifying unstructured PII.&lt;/p&gt;

&lt;p&gt;Libraries like &lt;a href="https://spacy.io/" rel="noopener noreferrer"&gt;spaCy&lt;/a&gt; and pre-trained models from platforms like &lt;a href="https://huggingface.co/dslim/bert-base-NER" rel="noopener noreferrer"&gt;Hugging Face&lt;/a&gt; provide powerful, off-the-shelf NER capabilities that can be integrated into a redaction pipeline.&lt;/p&gt;

&lt;h3&gt;
  
  
  3. Reversible Redaction and Pseudonymization
&lt;/h3&gt;

&lt;p&gt;A key challenge with redaction is that it can strip the context an LLM needs to provide a useful response. For example, if a prompt says, "Summarize this conversation between &lt;code&gt;[PERSON_1]&lt;/code&gt; and &lt;code&gt;[PERSON_2]&lt;/code&gt;," the LLM loses important conversational context.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Reversible redaction&lt;/strong&gt;, or pseudonymization, solves this by replacing sensitive data with consistent, traceable tokens. The redaction system maintains a temporary map of the original values to the tokens.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Outgoing Prompt:&lt;/strong&gt; "Contact Jane Doe at &lt;a href="mailto:jane@acme.com"&gt;jane@acme.com&lt;/a&gt; about invoice #12345."&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Sanitized Prompt Sent to LLM:&lt;/strong&gt; "Contact &lt;code&gt;[PERSON_1]&lt;/code&gt; at &lt;code&gt;[EMAIL_1]&lt;/code&gt; about invoice &lt;code&gt;[INVOICE_ID_1]&lt;/code&gt;."&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;LLM Response:&lt;/strong&gt; "Drafted email to &lt;code&gt;[PERSON_1]&lt;/code&gt; at &lt;code&gt;[EMAIL_1]&lt;/code&gt; regarding &lt;code&gt;[INVOICE_ID_1]&lt;/code&gt;."&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;De-anonymized Response to User:&lt;/strong&gt; "Drafted email to Jane Doe at &lt;a href="mailto:jane@acme.com"&gt;jane@acme.com&lt;/a&gt; regarding invoice #12345."&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This method preserves privacy while maintaining the utility of the LLM interaction.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fuevp2ffxz8jvl1bjnr2d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fuevp2ffxz8jvl1bjnr2d.png" alt="A central, fortified gateway or bridge. Unfiltered data streams (red, yellow, blue particles) approach from one side. On" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Where to Implement Redaction: The AI Gateway
&lt;/h2&gt;

&lt;p&gt;Implementing redaction logic directly in every application that uses an LLM is inefficient and difficult to maintain. A more robust and scalable approach is to centralize this function in an &lt;strong&gt;AI Gateway&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;An AI Gateway is a proxy server that intercepts all traffic between your applications and external AI services. By deploying redaction as a policy within the gateway, an organization can enforce consistent data protection across all AI usage, without requiring changes to individual applications.&lt;/p&gt;

&lt;p&gt;This architecture offers several advantages:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Centralized Control:&lt;/strong&gt; A single point to manage and update redaction policies.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Zero Application Changes:&lt;/strong&gt; Developers can often integrate the gateway with a one-line code change to the base URL of the AI provider's SDK.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Comprehensive Auditing:&lt;/strong&gt; All requests and redaction events are logged in one place.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Uniform Security:&lt;/strong&gt; Ensures that no application can accidentally bypass security controls.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Several open-source and commercial products offer these gateway capabilities, acting as a critical control point for enterprise AI adoption.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;Integrating LLMs into business workflows doesn't have to mean sacrificing data privacy. By implementing automated, inline redaction techniques, organizations can prevent sensitive information from ever reaching third-party models. Centralizing this capability in an AI gateway provides a scalable and enforceable way to secure AI interactions, enabling teams to innovate responsibly while maintaining a strong security and compliance posture.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://www.kiteworks.com/risk-compliance/llm-data-leakage-prevention/" rel="noopener noreferrer"&gt;How to Prevent Sensitive Business Data Leakage When Using LLMs - Kiteworks&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.proofpoint.com/us/threat-reference/llm-security" rel="noopener noreferrer"&gt;LLM Security: Risks, Best Practices, Solutions - Proofpoint US&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.deepwatch.com/blog/how-inline-prompt-redaction-secures-ai-in-enterprise-security/" rel="noopener noreferrer"&gt;How Inline Prompt Redaction Secures AI in Enterprise Security - Deepwatch&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://aws.amazon.com/blogs/machine-learning/automatically-redact-pii-for-machine-learning-using-amazon-sagemaker-data-wrangler/" rel="noopener noreferrer"&gt;Automatically redact PII for machine learning using Amazon SageMaker Data Wrangler - AWS&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://trelis.substack.com/p/redacting-sensitive-information" rel="noopener noreferrer"&gt;Redacting Sensitive Information from LLM Prompts - Trelis Research&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/llm-top-10-2023/llm02-2023-data-leakage" rel="noopener noreferrer"&gt;OWASP Top 10 for Large Language Model Applications - Data Leakage&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>llm</category>
      <category>privacy</category>
    </item>
    <item>
      <title>What Is AI Data Loss Prevention and Why Traditional DLP Misses It</title>
      <dc:creator>Marco Rinaldi</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:30:31 +0000</pubDate>
      <link>https://dev.to/marco_rinaldi_179438a5611/what-is-ai-data-loss-prevention-and-why-traditional-dlp-misses-it-47hh</link>
      <guid>https://dev.to/marco_rinaldi_179438a5611/what-is-ai-data-loss-prevention-and-why-traditional-dlp-misses-it-47hh</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fa95dba4lgbogn9714ncs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fa95dba4lgbogn9714ncs.png" alt="What Is AI Data Loss Prevention and Why Traditional DLP Misses It" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;&lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; provides AI Data Loss Prevention through gateway-level guardrails and endpoint visibility, addressing the security gaps in traditional DLP tools that generative AI exploits. This article examines the new data leakage vectors created by AI and how a modern approach can secure them.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The adoption of generative AI has created new and significant pathways for sensitive data to leave an organization, many of which are invisible to traditional Data Loss Prevention (DLP) tools. Employees paste proprietary code into web-based chatbots to debug it, upload confidential documents to summarize them, and interact with AI features embedded in SaaS applications, all outside the view of legacy security controls. This phenomenon, often called "shadow AI," is a primary vector for modern data breaches.&lt;/p&gt;

&lt;p&gt;AI-specific Data Loss Prevention is a new layer of security designed to close these gaps. It moves beyond simple pattern-matching to understand the context of data, monitor the conversational nature of AI interactions, and enforce policies directly at the points where employees use AI. Leading this approach are AI gateways like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; that serves as a central control plane for all AI traffic, providing the visibility and enforcement needed to prevent these new forms of data loss.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why Traditional DLP Fails in the AI Era
&lt;/h2&gt;

&lt;p&gt;Traditional DLP was designed for a world of structured data and predictable channels. It excels at scanning email attachments, blocking file transfers to USB drives, and monitoring network traffic for well-defined patterns like credit card numbers or social security numbers. However, the interactive and browser-centric nature of generative AI breaks this model in several fundamental ways.&lt;/p&gt;

&lt;h3&gt;
  
  
  Blindness to Browser-Based Prompts
&lt;/h3&gt;

&lt;p&gt;The most common form of AI data leakage involves an employee copying sensitive information from a secure application and pasting it directly into the prompt of a public AI tool like ChatGPT, Claude, or Gemini. No file is created, no email is sent, and no network rule is violated from the perspective of a legacy DLP system. Research shows that 70% of modern data leaks happen directly within the browser, a channel where traditional DLP has minimal visibility.&lt;/p&gt;

&lt;h3&gt;
  
  
  Inability to Understand Context
&lt;/h3&gt;

&lt;p&gt;Legacy DLP relies heavily on regular expressions (regex) and keyword matching. This approach is effective for structured data but fails with the unstructured, conversational content common in AI interactions. A traditional tool can't distinguish between a developer using a code snippet for a legitimate work task and one exfiltrating proprietary algorithms. It lacks the context to understand user intent, leading to a high rate of false positives and alert fatigue for security teams.&lt;/p&gt;

&lt;h3&gt;
  
  
  No Visibility into "Shadow AI"
&lt;/h3&gt;

&lt;p&gt;The proliferation of unapproved AI tools used by employees without IT oversight creates massive security blind spots. When teams use dozens of different AI-powered SaaS apps, code assistants, and browser extensions, each one becomes a potential exfiltration point. Traditional DLP, which is configured for a known set of applications, is completely unaware of this shadow AI usage and cannot enforce any policies on it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fud7e5t5ndqwema9u2qa6.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fud7e5t5ndqwema9u2qa6.png" alt="A magnifying glass closely inspecting a digital conversation bubble containing code snippets and text, revealing hidden " width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Failure to Inspect AI Responses
&lt;/h3&gt;

&lt;p&gt;Data loss isn't just about what users put into AI models; it's also about what comes out. An AI model might inadvertently reveal sensitive information from its training data, or a Retrieval-Augmented Generation (RAG) system could surface a confidential internal document to an unauthorized user. Legacy DLP systems were built to monitor data &lt;em&gt;leaving&lt;/em&gt; an organization and have no mechanism to inspect, classify, or redact the content of AI-generated responses.&lt;/p&gt;

&lt;h2&gt;
  
  
  How AI-Specific DLP Provides Protection
&lt;/h2&gt;

&lt;p&gt;AI-aware Data Loss Prevention addresses the shortcomings of legacy tools by building security around the way AI actually works. It combines endpoint visibility, gateway-level inspection, and contextual understanding to create a comprehensive defense.&lt;/p&gt;

&lt;p&gt;A modern AI DLP solution provides several key capabilities:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Real-Time Prompt and Response Inspection:&lt;/strong&gt; It analyzes the content of user prompts and AI-generated outputs in real time, before the data can be transmitted to an external model or returned to the user.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Contextual Analysis:&lt;/strong&gt; Instead of just matching keywords, it uses more advanced techniques, often including AI itself, to understand the data's sensitivity based on its origin, user role, and intended destination.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Shadow AI Discovery:&lt;/strong&gt; It provides visibility into all the AI tools employees are using, whether they are approved or not, creating an inventory of potential risk points.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Endpoint Enforcement:&lt;/strong&gt; It enforces policies directly on the user's machine, allowing it to see and control copy-paste actions and interactions within any application, including desktop and browser-based AI tools.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Bifrost: An AI Gateway Approach to Data Loss Prevention
&lt;/h2&gt;

&lt;p&gt;An AI gateway is a centralized proxy that intercepts all requests to and from LLM providers, making it a natural enforcement point for AI DLP. The &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost AI gateway&lt;/a&gt; integrates these security controls directly into the AI traffic flow, providing a unified solution for visibility, governance, and data protection.&lt;/p&gt;

&lt;h3&gt;
  
  
  Centralized Guardrails and Redaction
&lt;/h3&gt;

&lt;p&gt;Bifrost allows security teams to configure &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;guardrails&lt;/a&gt; that inspect every prompt and response that passes through the gateway. These guardrails can use multiple techniques to prevent data loss:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Secrets Detection:&lt;/strong&gt; Bifrost can automatically detect and block API keys, credentials, and other secrets before they are sent to an external model.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Custom Regex:&lt;/strong&gt; Teams can define custom patterns to identify and redact organization-specific sensitive data, such as project codenames, customer IDs, or proprietary information.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Third-Party Integrations:&lt;/strong&gt; Bifrost integrates with specialized content safety and DLP providers like AWS Bedrock Guardrails, Azure Content Safety, and others to apply sophisticated, context-aware scanning.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These policies are applied universally to any request routed through the gateway, ensuring consistent protection regardless of the application or user.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxixcl02xwcvsu6jou5up.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxixcl02xwcvsu6jou5up.png" alt="A central, fortified data gateway with multiple pipelines flowing through it. Inside the gateway, robotic arms are inspe" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Audit Logs for Compliance and Incident Response
&lt;/h3&gt;

&lt;p&gt;A critical component of any DLP strategy is having a clear record of data flows. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; generates immutable &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;audit logs&lt;/a&gt; for every interaction, providing a detailed trail for compliance audits and security investigations. Security teams can see exactly what data was sent, which user sent it, which model received it, and what the response was. This visibility is essential for meeting regulatory requirements like GDPR, HIPAA, and SOC 2.&lt;/p&gt;

&lt;h3&gt;
  
  
  Extending DLP to the Endpoint with Bifrost Edge
&lt;/h3&gt;

&lt;p&gt;The biggest challenge for any gateway is ensuring all traffic actually flows through it. To solve the problem of shadow AI, where users interact with AI tools directly from their machines, the gateway's policies must be extended to the endpoint.&lt;/p&gt;

&lt;p&gt;This is the role of &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt;, an endpoint agent that routes all AI traffic on employee machines through the organization's Bifrost gateway. It provides a complete solution to AI data loss by:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Discovering Shadow AI:&lt;/strong&gt; Edge inventories all the AI applications and services being used across the fleet, including desktop apps like Claude and ChatGPT, and browser-based tools.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Enforcing Gateway Policies:&lt;/strong&gt; It ensures that every AI prompt from any governed application is inspected by Bifrost's guardrails, applying the same secrets detection and data redaction policies everywhere.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Blocking Unapproved Tools:&lt;/strong&gt; Administrators can create policies to block the use of unsanctioned or high-risk AI applications directly on the device, preventing data exposure at the source.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;By combining a central AI gateway for policy enforcement with an endpoint agent for universal coverage, the &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost platform&lt;/a&gt; provides the comprehensive visibility and control needed to prevent data loss in the generative AI era.&lt;/p&gt;

&lt;h2&gt;
  
  
  Securing the Future of AI
&lt;/h2&gt;

&lt;p&gt;Traditional security tools were not built for the dynamic, conversational, and often ungoverned ways that employees interact with AI. As a result, organizations are exposed to new and significant data leakage risks that their existing DLP solutions cannot see.&lt;/p&gt;

&lt;p&gt;Addressing this gap requires a modern approach centered on an AI gateway that can inspect, govern, and audit every AI interaction. By centralizing policy enforcement and extending it to the endpoint, teams can safely enable the productivity benefits of AI without sacrificing control over their most sensitive data.&lt;/p&gt;

&lt;p&gt;Teams looking to implement AI Data Loss Prevention can &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;request a demo of Bifrost&lt;/a&gt; to see how its gateway and endpoint controls can secure their AI workflows.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://www.gartner.com/en/documents/5193910" rel="noopener noreferrer"&gt;Gartner, "How to Overcome DLP Challenges Posed by Generative AI"&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.cyberhaven.com/blog/generative-ai-dlp-why-legacy-security-tools-fail/" rel="noopener noreferrer"&gt;Cyberhaven, "Generative AI &amp;amp; DLP: Why Legacy Security Tools Fail"&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.paloaltonetworks.com/cyberpedia/what-is-shadow-ai" rel="noopener noreferrer"&gt;Palo Alto Networks, "What Is Shadow AI?"&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/llm-top-10-2023/llm02-2023-data-leakage" rel="noopener noreferrer"&gt;OWASP, "LLM02:2023 - Data Leakage"&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.ibm.com/reports/data-breach" rel="noopener noreferrer"&gt;IBM, "Cost of a Data Breach Report"&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>dlp</category>
      <category>governance</category>
    </item>
    <item>
      <title>How to Stop PII and Secrets From Being Sent to AI Tools</title>
      <dc:creator>Marco Rinaldi</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:30:26 +0000</pubDate>
      <link>https://dev.to/marco_rinaldi_179438a5611/how-to-stop-pii-and-secrets-from-being-sent-to-ai-tools-4kf</link>
      <guid>https://dev.to/marco_rinaldi_179438a5611/how-to-stop-pii-and-secrets-from-being-sent-to-ai-tools-4kf</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F7mllgp1jay66wc6qicdm.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F7mllgp1jay66wc6qicdm.png" alt="How to Stop PII and Secrets From Being Sent to AI Tools" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;A multi-layered approach using data classification, AI gateways, and endpoint governance is the most effective way to prevent sensitive data from reaching third-party AI models. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an open-source AI gateway, provides tools to implement these controls.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The adoption of AI tools, from large language models (LLMs) to specialized APIs, has introduced a significant security challenge: preventing sensitive data from leaving an organization's control. Employees regularly copy-paste internal documents, customer data, and even code snippets containing credentials into prompts. When this data is sent to a third-party AI provider, it can be stored, logged, or even used for model training, creating serious compliance and security risks.&lt;/p&gt;

&lt;p&gt;Preventing this data leakage requires a deliberate, multi-layered strategy. It is not enough to simply write a policy document; engineering teams must implement technical controls to identify, block, and audit the flow of sensitive information. This article outlines a four-layer approach to secure AI adoption.&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 1: Identify and Classify Sensitive Data
&lt;/h2&gt;

&lt;p&gt;You cannot protect data if you are not aware of its existence and location. The first step in any data protection strategy is to discover and classify the sensitive information within your systems. This process involves scanning data repositories, both structured (databases) and unstructured (documents, source code), to tag information that should never be sent to an external AI.&lt;/p&gt;

&lt;p&gt;Common categories of sensitive data include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Personally Identifiable Information (PII):&lt;/strong&gt; Names, email addresses, phone numbers, government ID numbers. This is often regulated under laws like &lt;a href="https://gdpr.eu/" rel="noopener noreferrer"&gt;GDPR&lt;/a&gt; in Europe and various state-level privacy laws in the US.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Protected Health Information (PHI):&lt;/strong&gt; Medical records and other patient data protected by regulations like &lt;a href="https://www.hhs.gov/hipaa/index.html" rel="noopener noreferrer"&gt;HIPAA&lt;/a&gt; in the United States.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Secrets and Credentials:&lt;/strong&gt; API keys, database passwords, private certificates, and authentication tokens.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Intellectual Property (IP):&lt;/strong&gt; Proprietary source code, financial data, and internal strategy documents.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Automated data discovery tools can scan for patterns (like credit card numbers or API key formats) and use named entity recognition (NER) models to identify PII in unstructured text. The output of this process is an inventory of what data is sensitive and where it resides, which informs the policies you will enforce in the next layers.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxt3vl8qd18371y5i2bxp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fxt3vl8qd18371y5i2bxp.png" alt="A magnifying glass scanning a document, with icons representing PII (person icon), secrets (key icon), and intellectual " width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 2: Intercept and Redact Traffic with an AI Gateway
&lt;/h2&gt;

&lt;p&gt;An AI gateway is a centralized proxy that sits between your developers or internal applications and the external AI services they call. By routing all AI traffic through a single point, you can inspect every prompt and response, enforcing security policies before data leaves your network. This is the primary technical control for preventing data leakage from applications that are configured to use it.&lt;/p&gt;

&lt;p&gt;Key capabilities for a gateway include:&lt;/p&gt;

&lt;h3&gt;
  
  
  Secrets and PII Detection
&lt;/h3&gt;

&lt;p&gt;The gateway can use guardrails to scan outbound prompts for sensitive data. This is often done with a combination of techniques:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Regular Expressions (Regex):&lt;/strong&gt; Effective for structured data like Social Security numbers, credit card numbers, or specific internal ID formats.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Named Entity Recognition (NER):&lt;/strong&gt; Machine learning models that can identify entities like names, locations, and organizations in unstructured text.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Secrets Scanning:&lt;/strong&gt; Algorithms that look for high-entropy strings and patterns characteristic of API keys and other credentials, similar to tools like Gitleaks.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost AI gateway&lt;/a&gt; includes built-in &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails/secrets-detection" rel="noopener noreferrer"&gt;guardrails for secrets detection&lt;/a&gt; and allows for the configuration of custom regex patterns to catch organization-specific data formats.&lt;/p&gt;

&lt;h3&gt;
  
  
  Redaction and Masking
&lt;/h3&gt;

&lt;p&gt;When a guardrail detects sensitive data, the gateway can be configured to either block the request entirely or, more commonly, to redact or mask the data. Masking replaces the sensitive data with a generic placeholder (e.g., &lt;code&gt;[REDACTED_EMAIL]&lt;/code&gt;) before forwarding the prompt to the AI model. This allows the user to get a useful response from the AI without exposing the underlying sensitive information.&lt;/p&gt;

&lt;p&gt;Here is an example of a prompt before and after redaction by a gateway:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Original Prompt:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Summarize this customer support ticket for escalation. The user, Jane Doe (jane.doe@example.com), is reporting that her API key (sk-aBcdEfgH12345IjkLmnoPqrsTuvWxYz) is not working.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Redacted Prompt Sent to AI:&lt;/strong&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Summarize this customer support ticket for escalation. The user, [REDACTED_NAME] ([REDACTED_EMAIL]), is reporting that her API key ([REDACTED_SECRET]) is not working.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This ensures the AI model receives the context it needs without ever seeing the actual PII or secret.&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 3: Enforce Endpoint Governance
&lt;/h2&gt;

&lt;p&gt;A gateway is effective for AI traffic from your servers and applications, but it does not cover "shadow AI"—the ungoverned use of AI tools on employee workstations. Developers using Claude Desktop, analysts using the ChatGPT web interface, or anyone using a CLI-based coding agent can easily send sensitive data to AI providers, completely bypassing your server-side gateway.&lt;/p&gt;

&lt;p&gt;This is where endpoint governance becomes critical. An endpoint agent installed on employee machines can intercept AI-related traffic from any application and route it through your central gateway.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fd4iwervrsyfxe9luk6n8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fd4iwervrsyfxe9luk6n8.png" alt="A laptop computer at one end, and cloud icons representing AI services at the other. A digital stream flows from the lap" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This approach ensures that the same security policies, guardrails, and audit logs that apply to your production applications also apply to every employee's daily AI usage. A tool like &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; is designed for this purpose, extending gateway governance to desktop apps, web browsers, and coding agents without requiring users to change their workflows. This closes the "last mile" security gap that most organizations miss.&lt;/p&gt;

&lt;h2&gt;
  
  
  Layer 4: Implement Strong Access Controls and Auditing
&lt;/h2&gt;

&lt;p&gt;Finally, a robust security posture relies on strong access control and comprehensive auditing. Instead of sharing a single, powerful organizational API key, use a gateway that supports virtual keys.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.getbifrost.ai/features/governance/virtual-keys" rel="noopener noreferrer"&gt;Virtual keys&lt;/a&gt; allow you to provision unique credentials for each user, team, or application. Each virtual key can have its own budget, rate limits, and access rules (e.g., restricting it to a specific set of models). This follows the principle of least privilege and dramatically reduces the risk associated with a compromised key.&lt;/p&gt;

&lt;p&gt;All actions, from prompt submission to blocked requests, should be recorded in immutable &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;audit logs&lt;/a&gt;. These logs are essential for demonstrating compliance with regulations like SOC 2 and for investigating potential security incidents. An AI gateway provides a centralized point for generating these logs across all AI usage in the organization.&lt;/p&gt;

&lt;p&gt;By combining these four layers—data classification, a central gateway with guardrails, endpoint governance, and strong access controls—organizations can confidently adopt AI tools while keeping their most sensitive data secure.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://www.nist.gov/itl/ai-risk-management-framework" rel="noopener noreferrer"&gt;NIST AI Risk Management Framework&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" rel="noopener noreferrer"&gt;OWASP Top 10 for Large Language Model Applications&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://docs.getbifrost.ai/overview" rel="noopener noreferrer"&gt;Bifrost AI Gateway Documentation&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>devops</category>
      <category>llm</category>
    </item>
  </channel>
</rss>
