Endpoint DLP for Data at Rest in the Age of Local AI

Jun 25, 2026

AI agents can now read your employees’ laptops. Here’s what that means for data security and why Endpoint DLP can no longer treat local storage as a static risk. 

Desktop AI assistants, IDE copilots, and local agents now sit alongside your users. They hold broad permissions to read files, traverse folders, and act on data. They are fast, autonomous, and — by design — curious. The problem we originally built Endpoint DLP to solve hasn’t gone away, but a harder problem has overtaken it: AI is reading data before it ever leaves the endpoint. Laptops once held just a few cached reports or customer lists. Today they are active workspaces where AI agents continuously read and reason over data. The risk profile of data at rest on the endpoint has fundamentally changed.

Why Does Local AI Change the Risk of Local Data at Rest?

For most of DLP’s history, data sitting on a laptop has been treated as a relatively low-velocity risk. A file gets downloaded, sits in a folder, and either gets used, archived, or forgotten. Security teams traditionally worried about files only at egress: copying to a USB drive, attaching to webmail, or uploading to unsanctioned SaaS apps.

That model assumed the only thing actively touching local files was the user. That assumption no longer holds.

A developer installs Cursor to write code faster. Cursor indexes their entire local repo on day one. That repo might contain embedded AWS credentials and internal API specs. It could even hold a customer dataset pulled for a recent bug fix. The developer didn’t think twice. But Cursor has now read all of it, reasoned over it, and potentially sent portions to a remote model. No USB plugged in. No email sent. Traditional endpoint DLP has no visibility into these activities. 

How Local AI Bypasses Traditional Egress Controls

  • Desktop AI applications like ChatGPT, Microsoft Copilot, and Claude Desktop routinely request broad folder access. A single “summarize this directory” prompt instantly moves sensitive documents into a model's context.
  • AI-integrated developer tools such as Cursor, Windsurf, and GitHub Copilot index entire repositories for completion features. They read source code, credentials, and API specs on every keystroke.
  • Local agents built on the Model Context Protocol (MCP) can autonomously open files and call remote services. Unlike humans, agents do not pause to check if a spreadsheet contains regulated data.
  • Shadow AI on the endpoint is now the default. Employees install desktop AI tools faster than IT can inventory them, and most of these tools touch the file system on day one.

The endpoint is no longer passive storage. It is an active AI environment. Increasingly, non-human entities drive this processing.

The 2026 Verizon Data Breach Investigations Report highlights surging GenAI use alongside persistent human error. This creates a risky combination. Users authorize AI access without fully understanding the permissions they grant.

Traditional endpoint DLP can’t answer the question that matters most: what sensitive data is sitting on this machine right now, and who or what is reading it? 

Continuous Data-at-Rest Scanning via the Unified SASE Agent

Palo Alto Networks is expanding Endpoint DLP with continuous Data-at-Rest (DAR) scanning. This capability is delivered through your existing unified SASE agent. No new agent. No second console. No separate classification engine.

DAR scanning will continuously discover and classify sensitive content using the same LLM- and AI-powered classification engine that already powers our Network, SaaS, Email, Browser and Prisma AIRS DLP enforcement points. Sensitive data insights will be surfaced in Strata Cloud Manager Asset Explorer. This provides a single, queryable view of sensitive data across your entire fleet. It tracks PII, source code, financial records, and custom categories.

When the scanner detects a violation — for example, a quarter’s worth of exported customer records in a developer’s Downloads folder — it would generate an incident for triage. Security teams move from “we hope nothing sensitive is on that laptop” to a defensible inventory and a clear remediation path. 

Figure 1: Strata Cloud Manager Asset Explorer view of sensitive data discovered across endpoints.*

Knowing What an AI Agent Just Read

Because the same SASE agent performs the scan and monitors file activity, it could correlate every access event with the local classification cache. That cached context would let it determine, at the exact moment a file is opened by a desktop AI application, IDE copilot, or MCP-enabled agent, whether the file contains sensitive data. This approach minimizes workflow impact, eliminates repeated scanning, and avoids relying on the AI tool itself to self-report.

This changes the conversation with the user, the auditor, and the regulator. Instead of asking “did an AI agent exfiltrate sensitive data last quarter?” and trying to reconstruct the answer from process logs, security teams can see, in near real time, which processes — human-driven or agentic — are reading which classes of sensitive data. This visibility builds the foundation for downstream actions. It enables precise alerting, blocking, coaching, and AI-specific policy refinement.

It’s a shift from a reactive posture — catch the exfiltration as it leaves — to a proactive one: know what the AI is reading the moment it reads it.

Consistent Policy Enforcement Across Every Local Channel

When a file is classified, every local egress channel would inherit that knowledge instantly. This applies to USB, network shares, printers, Bluetooth, and the clipboard. It also covers desktop sync tools like Google Drive and OneDrive, with tenancy controls that block personal accounts.

Write the policy once, and it enforces everywhere. No separate ruleset for USB, another for clipboard, a third for OneDrive. This avoids the messy, fragmented setup common in traditional DLP deployments. 
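The two ideas above, joining each file-access event against a local classification cache (the "knowing what an AI agent just read" section) and applying one policy table to every egress channel, are small enough to show in code. The script below is an added illustration, not Palo Alto Networks code: the regex detectors stand in for the page's LLM/ML classifier, and the list of AI process names, the policy table, the sample files and the access events are all constructed for the example.

```python
"""Added example: correlate file-access events with a local classification cache
and apply one channel-agnostic policy. Not vendor code; all detectors, process
names, policy entries, file contents and events below are constructed."""
import re
from dataclasses import dataclass

# Hypothetical detectors standing in for a real LLM/ML/EDM classifier.
DETECTORS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "email_pii": re.compile(r"\b[\w.+-]+@[\w-]+\.\w{2,}\b"),
}

# Process names treated as AI readers (assumed list for this example).
AI_PROCESSES = {"cursor", "claude", "copilot", "mcp-agent"}

# One policy table keyed by data class; every channel inherits it.
POLICY = {"aws_access_key": "block", "email_pii": "coach"}
ACTION_RANK = {"allow": 0, "coach": 1, "block": 2}

# Constructed sample file contents (path -> text). The AWS key is the
# documented AWS example key, not a live credential.
SAMPLE_FILES = {
    "/home/dev/repo/config.py": "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",
    "/home/dev/Downloads/customers_q2.csv": "name,email\nAda,ada@example.com\n",
    "/home/dev/repo/README.md": "# Internal API\nSee /v1/orders\n",
}


@dataclass
class AccessEvent:
    process: str  # process that opened the file
    path: str
    channel: str  # "read", "usb", "clipboard", "onedrive", ...


def classify(files):
    """Build the classification cache: path -> sorted list of data classes."""
    cache = {}
    for path, text in files.items():
        labels = sorted(name for name, rx in DETECTORS.items() if rx.search(text))
        if labels:
            cache[path] = labels
    return cache


def decide(labels):
    """Channel-agnostic decision: the strictest action across the file's classes."""
    actions = [POLICY.get(label, "allow") for label in labels]
    return max(actions, key=ACTION_RANK.__getitem__, default="allow")


def correlate(events, cache):
    """Join each access event with the cache; flag AI readers of sensitive files."""
    findings = []
    for ev in events:
        labels = cache.get(ev.path)
        if not labels:
            continue  # unclassified file: nothing to report
        findings.append({
            "process": ev.process,
            "path": ev.path,
            "channel": ev.channel,
            "labels": labels,
            "ai_reader": ev.process.lower() in AI_PROCESSES,
            "action": decide(labels),
        })
    return findings


# Constructed access events: an IDE copilot reading the repo, a USB copy,
# and a clipboard read of the exported customer records.
SAMPLE_EVENTS = [
    AccessEvent("cursor", "/home/dev/repo/config.py", "read"),
    AccessEvent("cursor", "/home/dev/repo/README.md", "read"),
    AccessEvent("explorer", "/home/dev/Downloads/customers_q2.csv", "usb"),
    AccessEvent("python", "/home/dev/Downloads/customers_q2.csv", "clipboard"),
]

if __name__ == "__main__":
    cache = classify(SAMPLE_FILES)
    for f in correlate(SAMPLE_EVENTS, cache):
        tag = "AI-READ " if f["ai_reader"] else ""
        print(f"{tag}{f['action'].upper():5} {f['process']:8} {f['channel']:9} "
              f"{f['path']} {f['labels']}")
```

The cache is built once by `classify`; `correlate` never re-reads file contents, which is the point of pairing scanning with access monitoring. `decide` takes only the file's data classes, so the USB and clipboard events for the same CSV get the same answer without a per-channel ruleset.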

Figure 2: An Endpoint DLP solution that secures your data at rest and in motion consistently across data loss vectors such as USB, Network Shares, Printers, Bluetooth and Desktop Applications*

Controls That Don’t Break the Business 

A control regime that blocks everything sensitive — including legitimate work — doesn’t survive contact with reality. The framework is designed to balance security with productivity. Real-time notifications explain why an action was blocked. Customizable exemption flows let users override with a documented business reason. The result is the same one we set out to achieve when we first launched Endpoint DLP: maximizing control while minimizing business disruption.

Figure 3: Customized End-user Coaching via Endpoint DLP

What Sets Palo Alto Networks Apart 

Most DLP vendors treat the endpoint as an afterthought. Our approach is different in three ways: 

  • One agent, no tradeoffs. The same lightweight client that delivers Prisma Access now handles continuous DAR scanning and every egress channel. No second agent to deploy or certify. 
  • AI-aware by design, not by instrumentation. Visibility into what desktop AI apps are reading — without instrumenting each tool individually, without waiting for the AI vendor to publish an audit API.
  • Cloud-powered performance. EDM, document fingerprinting, OCR, and advanced ML run in the cloud. Endpoints scan continuously without becoming unusable.

The Endpoint Is Where AI and Data Now Meet

Enterprise data has shifted to the endpoint, and AI agents have followed. Securing it means more than catching exfiltration at the door. You must know what data lives on each machine, what is reading it, and when to act.

Palo Alto Networks Endpoint DLP combines continuous scanning with a unified classification cache, plus clear coaching and exemption workflows built for modern, AI-driven work. We unify these critical protections through our single SASE agent. This extends consistent policies across your network, SaaS, email, and browser traffic.

Contact your representative to see how the next evolution of Endpoint DLP can extend your data security strategy to the place AI now calls home: your users’ laptops.


Forward-Looking Statements 

This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, without limitation, statements regarding the benefits, impact, or performance or potential benefits, impact or performance of our products and technologies or future products and technologies. Any unreleased services or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.

*Dashboard and policy views shown will be available with an upcoming release.
