
EVIDENCE TRAIL

Output egress DLP — PII / secret / IP detection at the agent boundary

Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. No upstream document uses the phrase "egress DLP" in an agentic context verbatim — OWASP Top 10 Agentic 2026 §ASI02 is the closest, naming "Execution Sandboxes and Egress Controls" as a mitigation, and Microsoft Purview DLP provides the canonical production-engine description. The "agentic egress seam" framing is Helmwart's normalised label for applying the mail-DLP / endpoint-DLP pattern to agent output channels.

Last cross-checked against upstream sources: · 8 sources

References

Each entry shows what the source supports and what it does not prove.

Reference 1
v2025 · published 2025

OWASP LLM Top 10 v2025 — LLM02:2025 Sensitive Information Disclosure

§LLM02:2025 Sensitive Information Disclosure — Prevention and Mitigation Strategies, "Advanced Techniques"

"Implement tokenization to preprocess and sanitize sensitive information. Techniques like pattern matching can detect and redact confidential content before processing."

Supports: Names pattern-matching-based detection and redaction as the mitigation technique for sensitive information. This is the DLP primitive: identify via pattern, redact before the data crosses a boundary.

Does not prove: Frames the control at model-training time ("before processing"), not at the egress seam of an agentic system. The Helmwart placement — intercepting agent output and tool-call parameters in flight — is an architectural extension beyond what this entry describes. The entry also does not mention DLP, egress gates, or tool-call parameters.

Reference 2
Version 2026 · published December 2025

OWASP Top 10 for Agentic Applications 2026

§ASI02 Tool Misuse and Exploitation — Prevention and Mitigation Guidelines, Mitigation 3 "Execution Sandboxes and Egress Controls"

"Execution Sandboxes and Egress Controls. Run tool or code execution in isolated sandboxes. Enforce outbound allowlists and deny all non-approved network destinations."

Supports: Verbatim naming of "egress controls" as a mitigation for agentic tool misuse. "Enforce outbound allowlists and deny all non-approved network destinations" is the network-layer egress gate; the DLP inspection layer operates on the payload traversing that same gate.

Does not prove: The egress control described here is a network allowlist, not a content-inspection DLP gate. It blocks unauthorised destinations, not sensitive content flowing to authorised ones. Helmwart's DLP layer addresses the complementary case: data that should not leave even via an approved channel.

Reference 3
Version 2026 · published December 2025

OWASP Top 10 for Agentic Applications 2026

§ASI02 Tool Misuse and Exploitation — Prevention and Mitigation Guidelines, Mitigation 8 "Logging, Monitoring, and Drift Detection"

"Logging, Monitoring, and Drift Detection. Maintain immutable logs of all tool invocations and parameter changes. Continuously monitor for anomalous execution rates, unusual tool-chaining patterns (e.g., DB read followed by external transfer), and policy violations."

Supports: Establishes that tool-call parameter contents and chaining patterns must be logged and monitored. The pattern "DB read followed by external transfer" is the canonical data-exfiltration sequence that egress DLP is positioned to interrupt or flag.

Does not prove: Describes detective monitoring after execution, not an interception gate that can quarantine sensitive content before it leaves. The DLP control acts in-line; this mitigation is out-of-band.

Reference 4
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§Agentic Threats Taxonomy Navigator — Step 3: Tool, Execution and Supply Chain-Based Threats — "Tool Misuse", Description

"Tool Misuse occurs when attackers manipulate AI agents into abusing their authorized tools through deceptive prompts and operational misdirection, leading to unauthorized data access, system manipulation, or resource exploitation while staying within granted permissions."

Supports: Defines the threat class that egress DLP directly addresses: an agent operating within its granted permissions but exfiltrating data — the scenario where access control alone is insufficient and content inspection at the egress seam is the only detection point.

Does not prove: Describes the threat, not the control. Does not name DLP, content inspection, or egress interception as the mitigation response.

Reference 5
v1.1 · published December 2025

OWASP Agentic AI — Threats & Mitigations v1.1

§Mitigation Strategies — Playbook 3: Securing AI Tool Execution & Preventing Unauthorized Actions Across Supply Chains — Step 2: Monitor & Prevent Tool Misuse and Supply Chain Anomalies (Reactive)

"Monitor AI tool interactions for unintended side effects. Detect cases where AI tool outputs trigger unexpected security-sensitive operations, signs of drift, exfiltration, or sudden capability changes."

Supports: Explicitly names "signs of drift, exfiltration" as the monitoring target for AI tool output. Egress DLP is the mechanism that catches exfiltration signals at the tool-call parameter seam.

Does not prove: Describes a reactive monitoring step. Does not specify DLP content classification as the detection mechanism, nor does it address the inline interception and quarantine path that the Helmwart control uses.

Reference 6
Microsoft Learn documentation · last updated April 2026

Microsoft Purview Data Loss Prevention

§Learn about data loss prevention — "DLP in Microsoft Purview" section

"DLP uses deep content analysis—not a simple text scan. It analyzes content: For primary data matches to keywords; By the evaluation of regular expressions; By internal function validation; By secondary data matches that are in proximity to the primary data match. DLP also uses machine learning algorithms and other methods to detect content that matches your DLP policies."

Supports: Verbatim description of the multi-layer detection stack (regex, proximity matching, ML) that underlies production DLP engines. This is exactly the engine architecture Helmwart's Layers 1–3 decompose: regex/entropy (Layer 1), NER (Layer 2), classifier (Layer 3).

Does not prove: Microsoft Purview DLP is an enterprise product built for human-generated content in Microsoft 365 channels. It does not natively monitor agentic tool-call parameters or LLM output streams. The Helmwart deployment pattern requires adapting the same detection primitives to novel egress channels.

Reference 7
Open-source project (continuously updated)

Microsoft Presidio — OSS PII / secret detection toolkit

Presidio homepage — project description

"Presidio helps to ensure sensitive data is properly managed and governed. It provides fast identification and anonymization modules for private entities in text and images such as credit card numbers, names, locations, social security numbers, bitcoin wallets, US phone numbers, financial data and more."

Supports: Verbatim description of an open-source, deployable PII / secret detection toolkit. This is the concrete self-hosted implementation for the NER layer of the egress DLP stack — the alternative to Purview for teams that cannot or will not use a SaaS product.

Does not prove: Presidio is a detection and anonymization library, not an egress gate. It does not provide the interception harness, routing logic (pass / redact / quarantine), or agentic-specific pattern libraries (e.g., tool-call credential field detection). Those are Helmwart deployment work.
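The detection primitives that Reference 6 lists (regex matches, checksum "internal function validation", keyword proximity as secondary evidence, an entropy heuristic for secrets) and the routing logic that Reference 7 says Presidio does not supply (pass / redact / quarantine, credential-field detection on tool-call parameters), as an added Python example. This is not Helmwart's, Purview's or Presidio's code; the patterns, the 4.0-bit entropy threshold, the 40-character proximity window, the credential key names and the sample tool-call parameters are all constructed assumptions for illustration, and the NER and classifier layers are not shown.

```python
"""Constructed Layer 1 egress DLP gate for agent tool-call parameters.

Added example, not code from the evidence trail or any cited project.
Patterns, thresholds and field names below are assumptions for illustration.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Primary patterns (constructed; a production ruleset is far larger).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
TOKEN_RE = re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")  # candidate secret material
# Secondary evidence: keywords near a primary match raise confidence.
CARD_KEYWORDS = ("card", "visa", "mastercard", "cvv", "expiry")
# Parameter names that should never carry a non-empty value across the boundary.
CRED_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_-]?key|authorization)", re.I)
ENTROPY_THRESHOLD = 4.0  # bits per char; assumed cut-off for "looks random"
PROXIMITY = 40           # chars on either side of a match searched for keywords


@dataclass
class Finding:
    kind: str
    span: tuple          # (start, end) offsets in the inspected string
    confidence: str      # "high" or "medium"


def luhn_ok(digits: str) -> bool:
    """Checksum validation: the 'internal function validation' step."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string (32 distinct chars in 32 slots gives 5.0)."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def detect(text: str) -> list[Finding]:
    """Run the Layer 1 detectors over one string value."""
    findings: list[Finding] = []
    lowered = text.lower()
    for m in CARD_RE.finditer(text):
        if not luhn_ok(re.sub(r"\D", "", m.group())):
            continue                       # a digit run, but not a valid card number
        window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
        near_kw = any(k in window for k in CARD_KEYWORDS)
        findings.append(Finding("credit_card", m.span(), "high" if near_kw else "medium"))
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", m.span(), "high"))
    for m in TOKEN_RE.finditer(text):
        if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high_entropy_secret", m.span(), "high"))
    return findings


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each finding's span with a typed placeholder, right to left."""
    out = text
    for f in sorted(findings, key=lambda f: f.span[0], reverse=True):
        out = out[: f.span[0]] + f"[REDACTED:{f.kind}]" + out[f.span[1]:]
    return out


def gate(params: dict) -> tuple[str, dict, list[Finding]]:
    """Decide what leaves the agent boundary for one tool call.

    pass       -> no findings; forward params unchanged
    redact     -> only medium-confidence findings; forward with spans masked
    quarantine -> any high-confidence finding; forward nothing, hold for review
    The findings list is returned in every case so the caller can log it.
    """
    all_findings: list[Finding] = []
    sanitized: dict = {}
    for key, value in params.items():
        if not isinstance(value, str):
            sanitized[key] = value          # non-string values are not inspected here
            continue
        if CRED_KEY_RE.search(key) and value:
            findings = [Finding("credential_field", (0, len(value)), "high")]
        else:
            findings = detect(value)
        all_findings.extend(findings)
        sanitized[key] = redact(value, findings) if findings else value
    if any(f.confidence == "high" for f in all_findings):
        return "quarantine", {}, all_findings
    if all_findings:
        return "redact", sanitized, all_findings
    return "pass", sanitized, all_findings


if __name__ == "__main__":
    # Constructed tool-call parameters for an outbound HTTP tool.
    print(gate({"url": "https://api.example.com/export",
                "headers": "Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345"}))
```

On quarantine the gate returns an empty parameter dict rather than the redacted one, so a caller that ignores the action string still cannot forward the call; the findings list is what goes into the immutable tool-invocation log that Reference 3 calls for. A card number with no card-related keyword nearby is only a medium-confidence finding and is masked in place, which keeps the tool call useful while the payload stays clean; the same number next to "card" is quarantined.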

Reference 8
Published July 2024

NIST AI 600-1 — Generative AI Profile (NIST AI RMF)

No verbatim excerpt pulled yet — open the original to verify the cited section.

Supports: The MDX cites MEASURE 2.6 as naming egress controls for AI-generated content as a deployment-evaluation requirement, and offers it as evidence for output inspection as a class of AI risk control. MEASURE 2.6 text (verified in the prior m-fail-closed evidence trail): "The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits."

Does not prove: NIST AI 600-1 does not use the term "data loss prevention" or "egress DLP." MEASURE 2.6 is about general safety evaluation at deployment, not specifically about output content classification. The MDX's claim that NIST AI 600-1 "names egress controls for AI-generated content" overstates what the document says; the actual measure is a safety-residual-risk evaluation requirement, not an egress-gate mandate.