AI agents leak enterprise data in two ways, and the defenses most enterprises already run address only the first.
The first is well understood: sensitive data flowing out through the AI pipeline. Someone pastes a customer record or a contract into a prompt, it goes to an external model, and the organization is now trusting that vendor's retention and training policies with it.
The second is subtler, and it is the one teams consistently underweight. Agents surface data the user was never supposed to see. An agent queries a source on the user's behalf, and when permissions are even slightly off, which is common, it returns whatever it finds: over-shared drives, stale access, a service account with too much reach. The agent has no model of who should see what, so it surfaces everything within reach.
Why the usual fixes leave the same blind spot
The common fixes already in use all leave the same gap. Browser extensions only see the browser, so the moment someone switches to a desktop app, a CLI, or an API, they go blind to most of the real workflow. Network DLP sees the traffic, but without TLS interception it sees only encrypted blobs, and even where it can decrypt, it sees an opaque request body with none of the structure needed to know that a given payload is a customer record with a tax ID in it. Zero-data-retention contracts are mostly reserved for the largest deals, and even with one in place, nothing stops an agent from returning data a user was never allowed to see. Enterprise "no-training" tiers address one risk, but the data still sits with the vendor for up to 30 days, and training was never the main exposure. Full gateways on every device cover the workflow in principle, yet they break on mobile and have to sit on every endpoint, which rarely holds in practice.
The deeper issue is that the tools most teams already own were built to scan data at rest. A DSPM scan can tell you, with high confidence, that column 14 of your support database holds Social Security numbers, but it runs overnight and files a report, which does nothing to stop an agent from reading that column into a model's context at 2pm the next day. Agents move data in motion, in real time, faster than any periodic scan can keep up with, so policy has to fire the moment the agent makes the tool call, not in next quarter's audit.
Closing both gaps takes two layers working together
Closing this takes control over the pipeline and real-time intelligence on the data flowing through it, working together.
- Control over the pipeline decides which sources an agent can reach and what comes back.
- Real-time data intelligence classifies the data in flight, then enforces policy on the spot.
That combination is what lets you block an HR manager from seeing SSNs in an AI-generated summary, or redact a confidential field before it reaches the user instead of after the fact.
This is the architecture we have been building at MintMCP, and it is why we have partnered with Teleskope. MintMCP governs the pipeline through the MCP Gateway: which servers an agent can reach, which tools it can call, and per-user identity on every request. The gateway terminates the connection between the AI client and the data source, so it sees each tool call the way the protocol describes it: which tool, which arguments, and the full response coming back. That position is what makes inline classification possible, because it is the one place with enough structure to read the payload in both directions and act on it.
Teleskope classifies the data moving through that pipeline in real time and enforces policy at the point of the tool call, so sensitive fields get blocked or redacted before they ever reach the user. Teleskope published a clear breakdown of how MCP gateways and DLP/DSPM fit together if you want the full architecture.
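To make the two layers concrete, here is a small added example of the shape described above (the HR-manager case earlier and the gateway position just described): a function sitting where a gateway sits, between the client's JSON-RPC "tools/call" request and the data source's response. It is a hypothetical sketch written for this article, not MintMCP's or Teleskope's code. It assumes users are identified by a role string, that policy actions are allow, redact, or block, and that the detectors are simplified regexes (an SSN pattern and a Luhn-checked card pattern); the sample ticket row, the policy table, and the error codes are all constructed for the example.

```python
"""Inline classification at the tool-call boundary, where an MCP gateway sits.
Hypothetical sketch written for this article, not MintMCP's or Teleskope's code.
Assumed: users are identified by a role string; policy actions are allow/redact/block."""
import copy
import json
import re

# Simplified detectors for data in flight (constructed for the example).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a 13-digit order id is not mistaken for a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Return (kind, start, end) for every sensitive span found in text."""
    found = [("ssn", m.start(), m.end()) for m in SSN_RE.finditer(text)]
    found += [("card", m.start(), m.end()) for m in CARD_RE.finditer(text)
              if luhn_ok(re.sub(r"\D", "", m.group()))]
    return sorted(found, key=lambda f: f[1])


def redact(text: str, spans: list) -> str:
    """Mask spans right-to-left so earlier offsets stay valid while editing."""
    for kind, start, end in sorted(spans, key=lambda f: f[1], reverse=True):
        text = text[:start] + f"[{kind.upper()} REDACTED]" + text[end:]
    return text


# Per-user policy carried on every request (constructed): which tools the user
# may reach (pipeline control) and what happens to each data class in flight.
POLICY = {
    "payroll_analyst": {"tools": {"query_support_db"}, "ssn": "allow",  "card": "redact"},
    "hr_manager":      {"tools": {"query_support_db"}, "ssn": "redact", "card": "redact"},
    "support_agent":   {"tools": {"query_support_db"}, "ssn": "block",  "card": "redact"},
    "contractor":      {"tools": set(),                "ssn": "block",  "card": "block"},
}

# Constructed stand-in for the data source behind the tool.
SAMPLE_ROW = ("ticket 4481: Jane Roe, SSN 123-45-6789, "
              "card 4111 1111 1111 1111, order id 1234567890123")


def query_support_db(arguments: dict) -> dict:
    """Fake backend; a real gateway would forward to the MCP server here."""
    return {"content": [{"type": "text", "text": SAMPLE_ROW}]}


TOOLS = {"query_support_db": query_support_db}


def jsonrpc_error(req_id, code: int, message: str) -> dict:
    return {"jsonrpc": "2.0", "id": req_id, "error": {"code": code, "message": message}}


def handle_tool_call(request: dict, user: str) -> dict:
    """Gateway path for one JSON-RPC 'tools/call': authorize the tool for this user,
    screen the outbound arguments, forward, then classify and enforce on the response."""
    rules = POLICY.get(user)
    params = request.get("params", {})
    tool = params.get("name")
    if rules is None or tool not in rules["tools"]:
        return jsonrpc_error(request["id"], -32002, f"tool {tool!r} not permitted for {user!r}")

    def blocked(spans: list) -> bool:
        return any(rules[kind] == "block" for kind, _, _ in spans)

    # Outbound direction: the model's arguments are about to leave for the source.
    arguments = params.get("arguments", {})
    if blocked(classify(json.dumps(arguments))):
        return jsonrpc_error(request["id"], -32003, "request withheld: arguments carry restricted data")
    result = copy.deepcopy(TOOLS[tool](arguments))
    # Inbound direction: the source's response, screened before the client sees it.
    for item in result["content"]:
        if item.get("type") != "text":
            continue
        spans = classify(item["text"])
        if blocked(spans):
            return jsonrpc_error(request["id"], -32003, "response withheld: contains data this user may not see")
        item["text"] = redact(item["text"], [s for s in spans if rules[s[0]] == "redact"])
    return {"jsonrpc": "2.0", "id": request["id"], "result": result}


REQUEST = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
           "params": {"name": "query_support_db", "arguments": {"ticket": 4481}}}

if __name__ == "__main__":
    for who in POLICY:
        print(who, "->", json.dumps(handle_tool_call(REQUEST, who)))
```

Running it shows the four outcomes the two layers produce for the same tool call: the payroll analyst sees the SSN but a masked card, the HR manager sees both fields masked, the support agent's response is withheld because the policy blocks SSNs for that role, and the contractor never reaches the tool at all. The same classifier runs on the outbound arguments, so a model that tries to push a restricted value into a query gets the same block in the other direction. The decisive point is the position, not the regexes: only the hop that terminates the protocol has the tool name, the arguments, and the structured response in one place.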
See it on your own data
The fastest way to understand where your agents are exposed is to watch the two layers run against your own sources. Book a demo and we will walk through how MintMCP and Teleskope close both leak paths in your environment.