Compliance · Data Protection
Which sensitive files agents reached into — and how much moved.
Your data-exposure surface: what sensitive data agents touched, who owns it, and where the privacy risk sits. Content scanning is the next step.
Bottom line
Agents touched 6 sensitive paths across 3 categories; 3 are high-severity (credentials/secrets), top: ./.env. Prompt & response content is not yet inspected — today this is movement, not content.
8
agents monitored
reporting telemetry
3
high-severity exposures
credentials / secrets reached
6
sensitive paths touched
3 categories
691
files written
4.8MB moved
Sensitive access by category
opens · by severitySensitive access by user
owner attributionTop sensitive paths
5 paths · 6 distinct touchedPrompt & response content inspection
preview · not builtToday's signal is data movement — which sensitive paths were opened and how much was written or streamed. It does not yet read what is inside an agent's prompts and responses. Content scanning ships with the DLP engine.
Secrets in prompts
API keys / tokens pasted into context
not inspected today
PII in content
names, emails, customer records
not inspected today
Source code
proprietary code in prompts or responses
not inspected today
Fields: dlp.by_category · dlp.by_owner · dlp.top_paths · dlp.volume.file_writes · dlp.volume.stream_bytes · dlp.sensitive_paths · agents.length — from app/data/c16-fleet.ts (qcontrol /api/dlp shape).