Zscaler Blog


Data Leakage Through AI Prompts: 12 Realistic Examples (and Controls That Stop Them)

MATT MCCABE
May 18, 2026 - 13 min read

Introduction

Every time an employee pastes text into a generative AI (GenAI) tool, uploads a file, or copies an artificial intelligence (AI)-generated response into an email, data is moving. Most organizations have controls in place for file transfers, email attachments, and web traffic. Almost none of them were designed to see what happens inside an AI prompt.

That gap has a name: prompt data leakage. It is the accidental or intentional exposure of sensitive information through AI prompts, file uploads, or model outputs, where the exposure vector is conversational rather than transactional. A user asks a question, pastes a document, or copies a response, and sensitive data moves with it.

The scale of what's moving through those blind spots is significant. ChatGPT alone generated 410 million data loss prevention (DLP) policy violations in a single year, a 99.3% year-over-year increase. Most of that activity looked like ordinary work: a developer pasting a function to debug, a marketer drafting copy against a tight deadline, an HR manager cleaning up a performance review.

410 million DLP violations tied to ChatGPT in a single year, a 99.3% year-over-year increase.

ThreatLabz 2026 AI Security Report

Traditional DLP tools were built to inspect files in transit. They were not built to classify what a user typed into a chat interface, flag what they attached to a model session, or catch sensitive data echoed back inside a response. Prompts, uploads, and outputs are all data movement. They just do not look like it to legacy controls.

The scenarios, controls, and rollout guidance that follow are built around that reality.

Where data leaks in AI workflows

AI-related data exposure does not come from a single entry point. It happens across three distinct vectors, and most organizations have meaningful gaps in at least one of them.

AI risk doesn’t just come from models. It comes from exposed access paths, prompt-level data movement, and lateral movement across connected systems.


Prompt text (copy/paste)

The most common vector. Employees paste content directly into AI interfaces without a clear mental model of where that text goes.

Common examples include:

  • Personally identifiable information (PII), payment card industry (PCI) data, and protected health information (PHI)
  • Credentials and API keys
  • Internal strategy documents, source code, and contracts

Attachments and uploads

File-based exposure often carries more data in a single event than a pasted prompt. Uploads tend to contain structured data and can include entire datasets.

Common examples include:

  • Spreadsheets, PDFs, and presentations
  • Call transcripts and meeting notes
  • Screenshots (a DLP blind spot worth naming explicitly, since image-based content bypasses most text-based inspection)

Outputs and downstream reuse

This is the vector traditional controls miss entirely. Sensitive data does not have to leave through the prompt. It can leave through the response.

Common examples include:

  • Sensitive data echoed back in model outputs
  • AI-generated content reused in external communications, policy documents, or customer-facing materials
  • Hallucinated facts treated as validated information and passed downstream

The scenarios that follow are organized across these three vectors. Some are obvious in hindsight, and others happen so routinely they rarely get flagged at all.

12 leakage scenarios

Scenario 1: Contract summary pasted into a public chatbot

A legal team member pastes a vendor contract into a public AI tool to generate a plain-language summary.

  • Example prompt: "Here's our vendor agreement. Can you summarize the key terms, obligations, and termination clauses in plain language? [full contract text pasted below]"
  • Leak vector: Prompt/Attachment (if uploaded as PDF)
  • Data at risk: Confidential commercial terms, counterparty names, financial obligations
  • Most effective control pattern: Block/Isolate
  • Recommended enforcement: Inline DLP, cloud app control, browser isolation

Scenario 2: HR performance review rewrite

An HR manager pastes a draft performance improvement plan into a GenAI tool to improve the writing.

  • Example prompt: "Can you rewrite this performance review to sound more professional? [employee name], [salary], current rating: needs improvement, flagged for potential termination."
  • Leak vector: Prompt
  • Data at risk: PII, employment records, compensation data
  • Most effective control pattern: Block/Redact
  • Recommended enforcement: Inline DLP (PII detectors), app-level policy controls

Scenario 3: Candidate resume uploaded to generate interview questions

A recruiter uploads a candidate's resume to a public AI tool to generate tailored interview questions.

  • Example prompt: "I'm interviewing this candidate next week. Based on their resume, generate 10 technical interview questions." [resume attached]
  • Leak vector: Attachment
  • Data at risk: PII (name, address, employment history, education)
  • Most effective control pattern: Warn/Isolate
  • Recommended enforcement: Upload controls, browser isolation, inline DLP

Scenario 4: Customer contact list pasted for cleanup

A marketing operations employee pastes a raw CRM export into a public chatbot to remove duplicates and standardize formatting.

  • Example prompt: "Clean up this contact list—remove duplicates, fix formatting, and sort alphabetically. [list of customer names, emails, and phone numbers pasted below]"
  • Leak vector: Prompt
  • Data at risk: PII (customer contact data)
  • Most effective control pattern: Block/Redact
  • Recommended enforcement: Inline DLP (PII/contact data detectors), app-level policy controls

Scenario 5: Sales outreach draft using raw CRM notes

A sales rep pastes internal account notes into a GenAI tool to draft a follow-up email.

  • Example prompt: "Write a follow-up email for this prospect. They have a $2M budget, are frustrated with [competitor], and their decision deadline is end of quarter. Contact is [name], VP of IT."
  • Leak vector: Prompt
  • Data at risk: Confidential account intelligence, prospect PII, competitive positioning
  • Most effective control pattern: Warn/Redact
  • Recommended enforcement: Inline DLP, content classification, logging

Scenario 6: Employee benefits and claims data

A benefits administrator pastes employee claims data into an AI tool to generate a summary report.

  • Example prompt: "Summarize these employee claims for my monthly report. [employee names, claim types, diagnosis codes, and amounts pasted below]"
  • Leak vector: Prompt/Attachment
  • Data at risk: PHI, PII
  • Most effective control pattern: Block/Isolate
  • Recommended enforcement: Inline DLP (PHI detectors), browser isolation, upload controls

Scenario 7: Proprietary source code pasted for debugging

A developer pastes a proprietary function into a public AI coding assistant to troubleshoot a bug.

  • Example prompt: "This function keeps returning null on the third iteration. Can you find the bug? [proprietary source code pasted below]"
  • Leak vector: Prompt
  • Data at risk: Proprietary source code, internal logic, IP
  • Most effective control pattern: Block/Warn
  • Recommended enforcement: Inline DLP (source code detectors), app-level policy, sanctioned coding tool allowlist

Scenario 8: Internal budget spreadsheet uploaded for forecasting

A finance analyst uploads a departmental budget file to a public AI tool to build a forecast model.

  • Example prompt: "Here's our Q3 actuals. Can you build a forecast model through end-of-year and flag any categories running over budget?" [spreadsheet attached]
  • Leak vector: Attachment
  • Data at risk: Confidential financial data, internal cost structures
  • Most effective control pattern: Block/Isolate
  • Recommended enforcement: Upload controls, browser isolation, and inline DLP

Scenario 9: Product roadmap pasted for stakeholder summary

A product manager pastes an unreleased roadmap into a GenAI tool to create a stakeholder-ready summary.

  • Example prompt: "Can you turn this into a clean one-pager for our leadership presentation? [internal roadmap with unreleased feature names, timelines, and pricing attached]"
  • Leak vector: Attachment/Prompt
  • Data at risk: Unreleased product plans, competitive intelligence, pricing
  • Most effective control pattern: Block/Warn
  • Recommended enforcement: Inline DLP, upload controls, app-level policy

Scenario 10: Draft patent uploaded for editing

An engineer uploads a draft patent filing to a public AI tool to improve the language before submission.

  • Example prompt: "Can you make this patent draft clearer and more readable? Keep all the technical details intact." [draft patent attached]
  • Leak vector: Attachment
  • Data at risk: Unreleased IP, proprietary technical methods
  • Most effective control pattern: Block/Isolate
  • Recommended enforcement: Upload controls, browser isolation, cloud app control

Scenario 11: Live API keys pasted during integration troubleshooting

A developer pastes a live API key into a public AI tool while troubleshooting an integration failure.

  • Example prompt: "My API call keeps returning a 403. Here's my request with the auth header: Authorization: Bearer [live API token]. What am I doing wrong?"
  • Leak vector: Prompt
  • Data at risk: Credentials, API keys, authentication tokens
  • Most effective control pattern: Block
  • Recommended enforcement: Inline DLP (credential/token detectors), hard block policy, logging

Scenario 12: AI output reused in customer-facing communications

An employee pastes an AI-generated response directly into a customer-facing email or external document without reviewing it for accuracy or sensitive content.

This scenario has no user prompt to inspect. The data left the environment inside the model's response, and traditional input-focused controls do not catch it.

  • The risk here is twofold: sensitive data echoed back in model outputs, and hallucinated facts passed downstream as validated information (in a customer communication, a policy document, or external-facing content)
  • Leak vector: Output (downstream exposure)
  • Data at risk: Sensitive data echoed in model response, hallucinated facts treated as validated information
  • Most effective control pattern: Content moderation/Logging
  • Recommended enforcement: Output inspection, content moderation policies, AI audit trail

Controls that stop each scenario

The right control depends on the data at risk and the workflow it lives in. Applying a hard block across every scenario creates friction that pushes usage toward tools that are harder to monitor. The goal is appropriate enforcement, not maximum restriction.

Control pattern library

  • Allow: The right response when approved AI applications are interacting with non-sensitive data. No intervention needed. Log for audit and move on.
  • Warn: A coaching message surfaces before the user submits a prompt or upload. They acknowledge it and either proceed or stop. Most effective for first-time violations and lower-severity data classes where education matters more than enforcement.
  • Block: A hard stop for high-severity data: credentials, regulated information (PII/PCI/PHI), unreleased plans, source code. The transaction ends and the policy violation is logged.
  • Redact: Sensitive elements are automatically replaced before the prompt reaches the model (identifiable information swapped for placeholders, financial figures rounded, credentials masked). The user keeps working; the risk doesn't travel with them.
  • Isolate: Browser isolation lets users access AI applications while cutting off the paths data usually escapes through (copy/paste, upload, download, and print are all disabled). The right pattern for regulated use cases where data cannot leave a controlled environment under any circumstance.
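The following is an added example, not Zscaler's code or a description of its product logic. It shows the control pattern library above as a working decision function: constructed regex detectors classify a prompt, an upload excerpt, or a model response (the output channel from Scenario 12), and the strictest policy tier among the data classes found decides whether the text is allowed, warned on, redacted with placeholders, or blocked. The detector patterns, the policy table, the audit record schema, and the sample prompts (modelled on Scenarios 11, 4 and 7) are all assumptions made for illustration; Isolate is a session-level control and is not modelled.

```python
"""Added example, not Zscaler's code or product logic: a minimal inline
inspector that classifies prompt, upload or model-output text with regex
detectors and applies the control pattern (allow / warn / redact / block)
of the most severe data class it finds. Isolate is a session-level control
(browser isolation) and is not modelled here."""
import re
from dataclasses import dataclass

# Detector library: data class -> pattern. Constructed, deliberately simple
# patterns for illustration; a production DLP engine uses validated
# detectors (checksums, context keywords, classifiers) to keep false
# positives down.
DETECTORS = {
    "credential": re.compile(
        r"(?i)\b(?:bearer\s+[A-Za-z0-9._~+/=-]{20,}|sk-[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})"
    ),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b"),
    "source_code": re.compile(r"(?m)^\s*(?:def |function |public static |#include <)"),
}

# Policy tier per data class, following the page's starter set: credentials
# are hard-blocked, regulated PII is redacted, source code warns and coaches.
# A class that is not listed is allowed and simply logged.
POLICY = {"credential": "block", "ssn": "redact", "email": "redact",
          "phone": "redact", "source_code": "warn"}
SEVERITY = ["allow", "warn", "redact", "block"]  # ascending; strictest wins


@dataclass
class Verdict:
    action: str    # allow | warn | redact | block
    classes: list  # data classes detected, in detector order
    text: str      # what may be forwarded: original, redacted copy, or "" on block


def inspect(text: str) -> Verdict:
    """Classify one prompt, upload excerpt or model response and decide."""
    found = [name for name, rx in DETECTORS.items() if rx.search(text)]
    if not found:
        return Verdict("allow", [], text)
    action = max((POLICY[c] for c in found), key=SEVERITY.index)
    if action == "block":
        return Verdict("block", found, "")  # transaction ends; nothing forwarded
    out = text
    if action == "redact":
        # Swap each redactable element for a placeholder; the user keeps
        # working with the rest of the prompt intact.
        for c in found:
            if POLICY[c] == "redact":
                out = DETECTORS[c].sub(f"[{c.upper()}_REDACTED]", out)
    return Verdict(action, found, out)


def audit_event(user: str, app: str, channel: str, verdict: Verdict) -> dict:
    """One AI audit-trail record (constructed schema): who, which app, which
    channel (prompt / upload / output), what was found and what was done."""
    return {"user": user, "app": app, "channel": channel,
            "action": verdict.action, "classes": verdict.classes}


if __name__ == "__main__":
    # Constructed inputs modelled on Scenarios 11, 4, 7 and 12 (an output echo).
    samples = [
        ("dev1", "public-chatbot", "prompt",
         "My API call keeps returning a 403. Here's my request with the auth "
         "header: Authorization: Bearer AbCdEf0123456789AbCdEf0123456789. "
         "What am I doing wrong?"),
        ("mktg1", "public-chatbot", "prompt",
         "Clean up this contact list: Jane Doe, jane.doe@example.com, "
         "(555) 123-4567; John Roe, jroe@example.org, 555-987-6543"),
        ("dev2", "public-chatbot", "prompt",
         "This function keeps returning null on the third iteration. Can you "
         "find the bug?\ndef parse(rows):\n    return rows[2]"),
        ("hr1", "public-chatbot", "output",
         "Employee record: Jane Doe, SSN 123-45-6789, rating: needs improvement"),
    ]
    for user, app, channel, text in samples:
        v = inspect(text)
        print(audit_event(user, app, channel, v), "->", repr(v.text))
```

The same `inspect` call runs on both directions of the conversation: on the output channel it catches the echoed record from Scenario 12 that an input-only control would never see. Because the strictest tier wins, a prompt mixing source code (warn) with an email address (redact) is redacted and logged as such, and a prompt with a credential is dropped outright rather than partially forwarded.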


Core enforcement capabilities

Effective enforcement across all twelve scenarios depends on controls that work together across every layer of the AI workflow.

  • Prompt visibility: See and classify prompt content at scale. This is the foundation. Without it, every other control is operating blind.
  • Inline DLP inspection: Detect and act on sensitive data in prompts and uploads in real time before the data reaches an external model.
  • Cloud app control: Granular allow/block/warn/isolate policies applied by application, user, group, or risk category.
  • Browser isolation: Isolate AI application sessions. Control cut/paste, download, and print without blocking access entirely.
  • Content moderation: Enforce acceptable use policies on outputs. Off-topic, restricted, or harmful content caught before downstream reuse.
  • AI audit trail: Log users, prompts, responses, and applications for investigation and compliance reporting. This is what proves the controls are working.

Recommended policy starter set

These are the minimum viable guardrails for organizations at the beginning of an AI data protection program:

  • Block credentials and API key patterns in all AI channels
  • Inline DLP for PII, PCI, and PHI in prompts and uploads
  • Isolation for unsanctioned GenAI application categories
  • Warn and coach for first-time policy violations
  • Allowlist for sanctioned AI tools, including Microsoft Copilot and other embedded AI
  • Extend runtime guardrails to private AI applications and internally developed models

The starter set above gives you a defensible baseline. From there, policies should evolve as your AI application footprint grows and usage patterns become clearer.

Phased rollout approach

Most organizations cannot stand up full enforcement on day one. The following phased approach is designed to build coverage progressively, with visibility established before policy is applied.

Phase 1: Visibility first (Week 1)

Controls cannot protect what you cannot see.

  • Discover all GenAI applications in active use across the environment
  • Enable prompt-level visibility and content classification
  • Define "red data," or the data classes that trigger hard enforcement: credentials, regulated data, source code

Do not apply enforcement policy yet. Understand the baseline first.

Phase 2: Protect data in motion (Weeks 2–3)

  • Deploy inline DLP for prompts using high-confidence detectors
  • Apply upload controls and block or isolate by application category and data class
  • Configure department- and role-based policies

This is where Scenarios 1 through 11 get covered. Scenario 12 (output-based exposure) requires a separate track.

Phase 3: Optimize and scale (Week 4+)

  • Expand coverage to additional applications and GenAI categories
  • Add automated coaching workflows for policy violations
  • Refine allow/block/redact thresholds by department and use case
  • Extend protections to private AI applications and internally developed models using the same runtime guardrails capability

Optimization is ongoing. As AI application usage evolves, policies need to evolve with it.

What to monitor and measure

Metrics only work if coverage is complete. Before tracking reduction trends, confirm the AI audit trail covers all in-scope applications, user populations, and data classes. Gaps in logging mean gaps in your risk picture.

Adoption and exposure metrics

  • Count of GenAI applications in use—sanctioned vs. unsanctioned
  • Count of users interacting with GenAI, by department
  • Prompt volume and upload volume over time

Data protection metrics

  • DLP violation count in prompts and uploads, by data type (PII, PCI, PHI, source code, credentials)
  • Block vs. warn vs. redact rates
  • Top triggering detectors and policies

Risk reduction and productivity metrics

  • Sensitive prompt rate over time: The primary signal that risk is actually declining
  • Repeat-offender rate: An indicator of whether coaching and policy enforcement are changing behavior
  • Mean time to policy deployment for newly discovered AI applications: A measure of how quickly governance keeps pace with adoption
  • AI-channel incident metrics: Tracked where logging coverage allows

Downward trends in sensitive prompt rate and repeat-offender rate are the clearest indicators that the program is working.
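The following is an added example, not Zscaler's code or log format. It computes the metrics listed in this section (sensitive prompt rate and its weekly trend, repeat-offender rate, block/warn/redact mix, violations by data class, sanctioned vs. unsanctioned application counts) from AI audit-trail records, and checks the coverage precondition first by reporting in-scope applications with no records at all. The record schema and every event in `AUDIT_LOG` are constructed for illustration.

```python
"""Added example, not Zscaler's code: computes the page's adoption, data
protection and risk-reduction metrics from AI audit-trail records. The
record schema and every event below are constructed for illustration."""
from collections import Counter

# Constructed audit-trail records, one per inspected prompt/upload/output.
# "classes" is empty when no sensitive data class was detected.
AUDIT_LOG = [
    {"week": 1, "user": "u1", "app": "public-chatbot-a", "sanctioned": False, "action": "block",  "classes": ["credential"]},
    {"week": 1, "user": "u2", "app": "sanctioned-assistant", "sanctioned": True, "action": "redact", "classes": ["ssn"]},
    {"week": 1, "user": "u3", "app": "public-chatbot-a", "sanctioned": False, "action": "warn",   "classes": ["source_code"]},
    {"week": 1, "user": "u4", "app": "sanctioned-assistant", "sanctioned": True, "action": "allow",  "classes": []},
    {"week": 1, "user": "u1", "app": "sanctioned-assistant", "sanctioned": True, "action": "allow",  "classes": []},
    {"week": 2, "user": "u1", "app": "public-chatbot-a", "sanctioned": False, "action": "block",  "classes": ["credential"]},
    {"week": 2, "user": "u2", "app": "sanctioned-assistant", "sanctioned": True, "action": "allow",  "classes": []},
    {"week": 2, "user": "u4", "app": "public-chatbot-b", "sanctioned": False, "action": "allow",  "classes": []},
    {"week": 2, "user": "u3", "app": "sanctioned-assistant", "sanctioned": True, "action": "allow",  "classes": []},
    {"week": 2, "user": "u5", "app": "sanctioned-assistant", "sanctioned": True, "action": "allow",  "classes": []},
]


def coverage_gaps(events, in_scope_apps):
    """Precondition check: in-scope applications with no audit records at all.
    Any app returned here is a gap in the risk picture, not a zero."""
    seen = {e["app"] for e in events}
    return sorted(set(in_scope_apps) - seen)


def sensitive_prompt_rate(events, week=None):
    """Share of inspected events in which a sensitive data class was found."""
    pool = [e for e in events if week is None or e["week"] == week]
    if not pool:
        return 0.0
    return sum(1 for e in pool if e["classes"]) / len(pool)


def weekly_trend(events):
    """(week, sensitive prompt rate) pairs, the page's primary signal."""
    weeks = sorted({e["week"] for e in events})
    return [(w, sensitive_prompt_rate(events, w)) for w in weeks]


def is_declining(events):
    """True when the sensitive prompt rate falls every week."""
    rates = [r for _, r in weekly_trend(events)]
    return len(rates) > 1 and all(b < a for a, b in zip(rates, rates[1:]))


def repeat_offender_rate(events):
    """Share of users with a violation who violated more than once."""
    per_user = Counter(e["user"] for e in events if e["classes"])
    if not per_user:
        return 0.0
    return sum(1 for n in per_user.values() if n >= 2) / len(per_user)


def action_mix(events):
    """Block vs. warn vs. redact rates, over violating events only."""
    hits = Counter(e["action"] for e in events if e["classes"])
    total = sum(hits.values()) or 1
    return {a: hits[a] / total for a in ("block", "warn", "redact")}


def violations_by_class(events):
    """DLP violation count by data type (credentials, PII, source code, ...)."""
    counts = Counter()
    for e in events:
        counts.update(e["classes"])
    return dict(counts)


def app_inventory(events):
    """GenAI applications observed, split sanctioned vs. unsanctioned."""
    return {
        "sanctioned": sorted({e["app"] for e in events if e["sanctioned"]}),
        "unsanctioned": sorted({e["app"] for e in events if not e["sanctioned"]}),
    }


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(AUDIT_LOG, ["public-chatbot-a", "sanctioned-assistant", "unlogged-ai-app"]))
    print("weekly trend:", weekly_trend(AUDIT_LOG), "declining:", is_declining(AUDIT_LOG))
    print("repeat-offender rate:", round(repeat_offender_rate(AUDIT_LOG), 2))
    print("action mix:", action_mix(AUDIT_LOG))
    print("violations by class:", violations_by_class(AUDIT_LOG))
    print("apps:", app_inventory(AUDIT_LOG))
```

Two design points follow the section's own caveats: the coverage check runs before any rate is reported, because an application that is never logged reads as zero violations otherwise, and the repeat-offender rate is computed over violating users rather than all users, so it measures whether coaching changes the behaviour of the people who actually tripped a policy.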

Quick "safe prompting" checklist

  • No credentials or API keys in any prompt
  • No regulated data (PII, PCI data, or PHI)
  • Use placeholders instead of real identifiers: [CLIENT_A], [EMPLOYEE_B]
  • Use sanctioned AI tools accessed through corporate accounts
  • If uncertain about data sensitivity: use browser isolation or skip the upload

Securing AI starts with seeing it

Prompt data leakage is not a user behavior problem. It is a visibility and enforcement gap—and it is one that existing controls were not built to close. The scenarios above are not edge cases. They are what happens when AI becomes part of daily work before security architecture catches up.

The ThreatLabz 2026 AI Security Report maps the full scope of enterprise AI data exposure—the applications, the violation types, and the patterns security teams need to understand before they can act on them.


FAQ

Prompt data leakage is the accidental or intentional exposure of sensitive information through AI prompts, context, or outputs. It occurs when users paste sensitive data into AI interfaces, when models echo private context in their responses, or when prompt and response data is stored in provider logs or telemetry. It is distinct from traditional file-based data loss because the exposure vector is conversational rather than transactional.

Common exposures include PII (names, emails, Social Security numbers), PHI, payment data, credentials and API keys, access tokens, internal URLs, source code, customer records, contracts, financial data, and unreleased product plans. These are typically pasted in for convenience—a user looking for help with a task, not intending to expose anything.

By inspecting prompts and responses inline, classifying sensitive content, and applying the right policy response (redaction, a coaching message, a hard block, or isolation) based on data type and context. Users keep access to AI tools. Risky data is intercepted before it reaches an external model. The result is AI productivity with guardrails, not a blanket block that pushes usage underground.

It depends on the data class and the workflow. Warn for lower-risk, first-time behavior. Redact for accidental PII exposure where partial use is acceptable. Block for high-severity data such as credentials, keys, and regulated information. Isolate for regulated use cases where data must remain in a controlled environment regardless of what the user submits. Most programs use all four, applied by policy tier.

Track sensitive detections by type and severity, redaction and block rates, repeat-offender rate, allowed vs. unapproved model access, and time-to-remediate for new AI applications. The core reduction signal is the trendline on sensitive prompt rate. When that number falls consistently over time, the program is working, and you have the audit trail to demonstrate it.
