Net-new · not in wf1
Security · Data governance (shared with Compliance)
Where does our sensitive data go when agents send it to an LLM?
Lens
1 open PII leak
support-copilot sent customer records to an unapproved Gemini endpoint (generativelanguage.googleapis.com, not on the approved list).
Sensitive-Data Flow
allowedmonitoredflagged / blocked
Sensitive data
PIIhigh
customer records · 1,240
Secrets / API keyshigh
tokens, creds · 86
Source codemedium
repo snippets · 410
PHInone-detected
health data · 0
→
Agents
support-copilot
Support · Gemini
data-pipeline-agent
Data · Anthropic
claude-code-prod
Platform · Anthropic
cursor-ide
Eng · mixed
→
Destinations
Approved LLMsallowed
Anthropic, OpenAI
Unapproved LLM endpointflagged
generativelanguage.googleapis.com
Internal storesallowed
vector DB, S3 (in-VPC)
flagged pathPII (customer records)→support-copilot→unapproved Gemini endpoint142 records · 14m ago
Observed Flows
Data type → Agent → DestinationClassVolumeLast seen
PII (customer records) → support-copilot → unapproved Gemini endpointFLAGGED142 rec14m ago
Source code → cursor-ide → Anthropic (approved)allowed410 files2m ago
PII (customer records) → support-copilot → Anthropic (approved)allowed1.1k rec1m ago
Secrets / API keys → data-pipeline-agent → OpenAI (approved)blocked12 keys38m ago
Source code → claude-code-prod → Anthropic (approved)allowed210 files5m ago
PII (embeddings) → data-pipeline-agent → internal vector DBallowed8.4k rec3m ago
Sensitive Data Detected
PII
1,240
customer records
Secrets
86
tokens & API keys
Source code
410
repo snippets
PHI
0
none detected