The £47M Question: Why DLP Network-Layer Proxy Beats App-Layer for LLM Security
- Robert Westmacott
- Aug 16
Updated: Sep 2

TL;DR: Most enterprises try to secure AI assistants (Copilot, Gemini, etc.) with app-layer controls - labels, DLP in specific locations, endpoint agents. Necessary, not sufficient. Why? Assistants fetch across Microsoft Graph and connectors, joining mail, files, chats, and third-party systems. App tools govern places; assistants operate across flows. Add zero-click risks like EchoLeak and today’s API-first threat mix, and you have a gap the size of your network. The fix is dull and decisive: put a network-layer DLP proxy at the LLM boundary to pseudonymise sensitive tokens before inference, enforce residency and geofencing, and emit SIEM-grade telemetry, without storing raw secrets. Microsoft’s own docs confirm Copilot’s cross-corpus reach (and offer Restricted SharePoint Search as a containment belt), while OWASP and DBIR show APIs and joins are where breaches thrive. Govern the wire, not just the apps, and the £47M exposure (think 4% turnover fines) becomes manageable, measurable, and insurable. [See references]
The Problem in One Minute
Your assistants live on Microsoft Graph. A single prompt can traverse Outlook, SharePoint, OneDrive, Teams and any Copilot connectors you’ve switched on. If the user can access it, the assistant can join it. That’s the design. [1][9]
App-layer controls (Microsoft Purview DLP, labels, encryption, endpoint DLP) are vital. They protect locations and activities (sites, apps, devices). But the assistant’s superpower is in-flight aggregation across apps and tenants. That join happens before any one app can see or stop it. [1][3]
Microsoft now offers Restricted SharePoint Search to fence Copilot to curated sites - helpful, and a public acknowledgment that broad discovery surfaces too much. It’s a belt. You still need the brace. [2]

Where App-Layer Controls Break
Scope mismatch. Purview DLP governs defined locations and user actions. Assistants operate across flows and joins, including third-party data pulled in by connectors. You can be perfectly labeled and still leak through aggregation. [1][10]
Discovery sprawl. Copilot connectors ingest external content into Graph “so Copilot can reason over the entirety of your enterprise content.” Great for productivity. It also expands the blast radius of any prompt. [9]
API is the frontline. OWASP’s API Top-10 and Verizon DBIR highlight APIs and web apps as dominant breach vectors. LLM programs run on APIs, not webpages. If you’re not inspecting API boundaries, you’re not really inspecting. [5][6]
New exploit classes. In 2025, researchers disclosed EchoLeak, a zero-click chain against Microsoft 365 Copilot that could exfiltrate data without user interaction, reminding everyone that AI assistants are a live attack surface, not just a feature. App-layer labeling doesn’t neutralize zero-click exfil chains. A wire-level deny/strip does. [7][8]
Real-World Signals (Not Hype)
Copilot respects permissions and scope. Prompts traverse Graph and honor Conditional Access; widen Graph with connectors and you widen what Copilot can answer. [1][9]
Microsoft added fences. Restricted SharePoint Search limits Copilot to curated sites. It helps, but it doesn’t scrub payloads in flight. [2]
APIs are noisy and risky. OWASP’s API Top-10 and Azure guidance on API-threat mitigation reinforce that APIs need dedicated controls (schema, rate limiting, payload checks). LLM calls are exactly that: API calls. [4][5][11]
Breach economics persist. IBM’s 2025 report pegs the average breach around $4.4M globally. For UK GDPR, regulators can fine up to £17.5M or 4% of worldwide turnover, which puts your exposure at ~£47–48M if revenue is ~£1.2B. [14][15]
The Wire Remembers What Apps Forget
Apps protect their content in their silos. LLMs don’t live in silos. They live on the wire: User → Assistant → Graph/Connectors. The durable control point is the network-layer boundary where prompts and responses cross a chokepoint you own.
At that chokepoint, you can pseudonymise likely MNPI/PII before inference, enforce residency/geofencing at egress, and log decisions to your SIEM without storing raw content. This mirrors well-understood gateway patterns (decrypt, inspect, enforce, re-encrypt), as seen in secure microservices and API gateway designs. Apply the same pattern to LLM traffic. [12][11]
What the Network Sees that Apps Don’t
Pre-inference scrubbing. App DLP sees a file opened in an app. The proxy sees the prompt payload and the retrieval intent across apps. It can mask names, emails, account IDs, and deal tokens before the model turns them into hints.
Connector provenance. The proxy tags and scores traffic that involves external connectors (e.g., Salesforce, ServiceNow, file shares indexed into Graph). App DLP rarely correlates that lineage at run time. [10]
TLS-level enforcement. Proxies and secure gateways terminate TLS, inspect, and re-encrypt, standard practice in API gateways and network firewalls when policy requires content inspection. This is how you implement “deny with reason,” kill-switches, and schema checks at line rate. [13][11]
Join analytics. At the wire you can compute MNPI-join scores (mail + files + chat + connector + blackout timing) and route to private LLM when risk spikes. App DLP isn’t built to score intent. OWASP LLM guidance flags prompt-layer issues your proxy can neutralize. [4]
No raw secrets in logs. SIEM events capture decisions, not data. You keep audit truth without retaining what regulators call “special category” content.
Cost & the £47M Exposure Math
Why “£47M”? Because UK GDPR lets the ICO fine up to 4% of global turnover (or £17.5M, whichever is higher). For a company on ~£1.2B revenue, that’s ~£48M. Add breach response costs (IBM: ~$4.4M average) and capital-markets consequences if MNPI leaks, and your upside for a sub-penny per call control plane is obvious. [15][14]
Evidence note: No public dataset cleanly isolates “LLM-only” fines or losses yet. The figure illustrates order-of-magnitude exposure using official penalty caps and mainstream breach costs.
To validate: run a tabletop, estimate avoided incidents × IBM average cost, and compare to proxy COGS at your volume.
Field Report (Composite, Plausible)
Context: FTSE-250 manufacturer. Copilot pilot across Finance, Sales, HR. Two Copilot connectors: Salesforce (opportunities) and a data-warehouse export folder. Purview DLP and labels enforced in SharePoint/OneDrive; endpoint DLP on finance laptops.
Week 2: Sales Ops shares “People in org” links for a draft forecast pack. Finance exports land in a SharePoint mirror via the connector. A sales analyst prompts: “Summarise variance vs plan; include top 5 churn drivers and any board-pack language.” Copilot (correctly) joins mail + files + chat + connector.
What happens: The answer mentions “larger-than-expected adjustments in Region B vs July board deck.” Not a number, but a hint.
- App DLP is silent: nothing left the site, no attachment exfiltration, labels intact.
- The leak is the join.
Network-layer outcome: Proxy flags mail+files+chat+connector within 7 days of a blackout date; denies with reason and auto-routes to private LLM on pseudonymised tokens; SIEM logs a high MNPI-join score and connector provenance; no raw content stored. Drill shows a 90-second kill-switch across assistants. (EchoLeak’s lesson: assistants can be abused across flows; you need an in-flight control.) [7]
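The join scoring in this field report, as an added Python example (not code from the original post or from any product): the signals and the 7-day blackout window come from the text, while the weights, threshold, decision names and sample dates are assumptions.

```python
from datetime import date

# Assumed weights and threshold: the post names the signals but gives no numbers.
WEIGHTS = {"mail": 0.15, "files": 0.15, "chat": 0.10, "connector": 0.25}
BLACKOUT_WEIGHT = 0.25
BLACKOUT_WINDOW_DAYS = 7   # from the field report ("within 7 days")
THRESHOLD = 0.80

# Constructed sample calendar and request dates (not real data).
BLACKOUTS = [date(2025, 7, 15)]
IN_WINDOW = date(2025, 7, 10)
OUTSIDE = date(2025, 6, 1)


def join_score(sources, today, blackout_dates):
    """Score one prompt's retrieval mix; returns (score, reasons)."""
    present = set(sources) & set(WEIGHTS)
    score = sum(WEIGHTS[s] for s in present)
    reasons = [f"src:{s}" for s in sorted(present)]
    # Assumption: the window applies both before and after a blackout date.
    if any(abs((b - today).days) <= BLACKOUT_WINDOW_DAYS for b in blackout_dates):
        score += BLACKOUT_WEIGHT
        reasons.append("blackout-window")
    return round(score, 2), reasons


def route(sources, today, blackout_dates):
    """Decision record for the SIEM: metadata only, no prompt content."""
    score, reasons = join_score(sources, today, blackout_dates)
    high = score >= THRESHOLD
    return {
        "score": score,
        "decision": "deny_public_route_private" if high else "allow",
        "reasons": reasons,
    }
```
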
What “Good” Looks Like (Minimal Viable Network Design)
Universal choke point. Route all assistant traffic (Copilot, Gemini, agents) through a network-layer DLP proxy.
API-boundary pseudonymisation. Mask MNPI/PII before inference; rehydrate on return for authorised roles/time windows.
Zero-trace telemetry. Emit SIEM-grade logs (who/when/decision/rules) with no raw secrets.
Private LLM fallback. Auto-route high-risk prompts; keep the UX.
Residency/geofencing. Enforce at egress; document supplementary measures.
Curation + labels. Keep Restricted SharePoint Search on until least-privilege work reduces sprawl; let Purview handle content governance in its domain. [2]
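The pseudonymisation, rehydration and zero-trace telemetry items above, as an added Python example that is not the author's proxy or code from the original post. The `ACCT-` ID format, the `finance-controller` role, the event field names and the in-memory vault are assumptions, and rehydration is gated on role only, not on a time window.

```python
import hashlib
import hmac
import re

# Assumed detectors (constructed): e-mail addresses and account IDs of the
# hypothetical form ACCT-<8 digits>. A real deployment needs its own rules.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ACCT": re.compile(r"\bACCT-\d{8}\b"),
}
REHYDRATE_ROLES = {"finance-controller"}  # hypothetical authorised role
# Constructed sample prompt, not real data.
SAMPLE = "Email jane.doe@example.com about ACCT-00412345 variance vs plan."


class Pseudonymiser:
    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # token -> raw value, held in proxy memory only

    def _token(self, kind: str, value: str) -> str:
        # Keyed HMAC: the same value always maps to the same token, and an
        # observer without the key cannot confirm a guessed value.
        mac = hmac.new(self._key, value.lower().encode(), hashlib.sha256)
        token = f"<{kind}_{mac.hexdigest()[:12]}>"
        self._vault[token] = value
        return token

    def mask(self, user: str, prompt: str):
        """Return (masked prompt, SIEM event); the event holds no raw values."""
        counts = {}
        for kind, rx in PATTERNS.items():
            def repl(m, kind=kind):
                counts[kind] = counts.get(kind, 0) + 1
                return self._token(kind, m.group(0))
            prompt = rx.sub(repl, prompt)
        event = {"user": user, "rules": sorted(counts), "match_counts": counts,
                 "decision": "allow_masked" if counts else "allow"}
        return prompt, event

    def rehydrate(self, text: str, role: str) -> str:
        if role not in REHYDRATE_ROLES:
            return text  # unauthorised roles keep seeing tokens
        for token, raw in self._vault.items():
            text = text.replace(token, raw)
        return text
```
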

Objections & Clean Answers
“Purview already does this.” Purview is essential: labels, encryption, activity policies, endpoint protections. It’s place-centric. LLM risk is flow-centric. Microsoft’s Restricted SharePoint Search exists because broad discovery is risky. Use both. [1][2]
“We can’t break TLS for inspection.” You already do in API gateways and secure web gateways where policy requires. TLS termination at a trusted proxy is standard, documented practice (Azure Application Gateway; AWS Network Firewall TLS inspection). Do it at the LLM boundary with tight cert hygiene and audit. [13][11]
“Logging sensitive content makes us liable.” Don’t log content. Log decisions. Pseudonymise at ingress; send tokenised events to SIEM (resource types, labels touched, rule IDs, allow/deny). That’s the point of zero-trace design.
“Latency will kill adoption.” At API gateways, policy checks happen in milliseconds. With batching and caching, sub-penny per call economics and sub-100ms overhead are achievable—far less than a user retry.
“This feels hypothetical.” So did zero-click assistant exploits - until EchoLeak. So did API-first breach patterns—until OWASP/DBIR made them table stakes. Don’t wait for your first app-layer-only post-mortem. [7][5][6]
Checklist: Ship This in 30 Days
Inventory the surface. List assistant-capable sources (SharePoint sites, Teams, mailboxes, connectors, export folders). [10]
Clamp discovery. Turn on Restricted SharePoint Search for pilots (≤100 curated sites). [2]
Stand up the proxy. Insert the network-layer DLP proxy in front of assistants; terminate TLS under strict PKI controls. [13]
Mask at ingress. Pseudonymise MNPI/PII; define rehydration rules per role/time window.
Wire the SIEM. Emit zero-trace events: prompt features, resource mix, labels touched, allow/deny, reasons.
Score joins. Weight mail+files+chat+connector+timing; set blackout calendars and thresholds.
Detour path. Configure private-LLM fallback for high-risk prompts; capture attestation on rehydrate.
Egress policy. Enforce residency/geofencing; document supplementary measures.
Run the drill. 90-minute tabletop: deny with reason; kill-switch in <120s; produce a 1-page attestation.
Harden & handover. Expand curated search, fix noisy permissions, review every new connector like a firewall rule.
Call to Action
If your AI program runs on app-layer controls alone, you’re governing places while the risk rides the wire. Run a Network-Layer LLM Security Review with us. We’ll install a proxy at the LLM boundary, mask what matters before the model sees it, and prove control with SIEM analytics, no raw secrets stored. You’ll leave with a system the board can test, curated discovery that tames sprawl, and unit economics that keep the cost per protected call below a penny.
The £47M question isn’t if you can afford this control. It’s whether you can afford not to.
References
[1] Microsoft Learn — “Microsoft 365 Copilot architecture and how it works” (Jan 28, 2025). https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-architecture
[2] Microsoft Learn — “Restricted SharePoint Search” (Jun 28, 2025). https://learn.microsoft.com/en-us/sharepoint/restricted-sharepoint-search
[3] Microsoft Learn — “Learn about data loss prevention (Purview DLP)” (2025). https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
[4] OWASP — “OWASP Top 10 for LLM Applications” (latest 2025). https://owasp.org/www-project-top-10-for-large-language-model-applications/
[5] OWASP — “API Security Top 10 (2023)”. https://owasp.org/API-Security/
[6] Verizon — “2024 Data Breach Investigations Report” (May 2024). https://www.verizon.com/business/resources/reports/dbir/
[7] Dark Reading — “Researchers Detail Zero-Click Copilot Exploit ‘EchoLeak’” (Jun 12, 2025). https://www.darkreading.com/application-security/researchers-detail-zero-click-copilot-exploit-echoleak
[8] Cybersecurity Dive — “Critical flaw in Microsoft Copilot could have allowed zero-click attack” (Jun 11, 2025). https://www.cybersecuritydive.com/news/flaw-microsoft-copilot-zero-click-attack/750456/
[9] Microsoft Learn — “Copilot connectors overview” (Jul 21, 2025). https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/data-privacy-security
[10] Microsoft Learn — “Share SharePoint files or folders” (sharing links explained). https://support.microsoft.com/en-us/office/share-sharepoint-files-or-folders-1fe37332-0f9a-4719-970e-d2578da4941c
[11] Azure — “API Management: Mitigate OWASP API threats” (May 30, 2025). https://learn.microsoft.com/en-us/azure/api-management/mitigate-owasp-api-threats
[12] NIST SP 800-204A — “Building Secure Microservices-based Applications Using Service-Mesh Architecture” (2020). https://csrc.nist.gov/publications/detail/sp/800-204a/final
[13] Azure — “Application Gateway TLS inspection (TCP/TLS proxy overview)” (May 21, 2025). https://learn.microsoft.com/en-us/azure/application-gateway/tls-policy-overview
[14] IBM — “Cost of a Data Breach Report 2025” (global average). https://www.ibm.com/reports/data-breach
[15] ICO — “Penalties under UK GDPR” (overview of fines). https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/penalties/



