Data Loss Prevention has been a standard practice in enterprise email and file sharing for years. The same principles apply to LLM workflows — possibly with even greater urgency, since LLM interactions involve rich, unstructured data that's harder to monitor with traditional tools. A DLP strategy for Cowork covers both inbound data (what goes into Claude) and outbound data (what Claude produces).
Inbound and outbound protection
Inbound DLP inspects data before it reaches the LLM, catching sensitive information that shouldn't be part of the conversation. Outbound DLP monitors Claude's output to prevent the model from surfacing or reconstructing sensitive data in its responses. Both layers are necessary because the risks are different: inbound protects against exposure to the model, while outbound protects against exposure to the user or downstream systems.
Integration with existing DLP solutions like Nightfall provides a practical starting point for businesses that already have DLP infrastructure. For those starting from scratch, purpose-built solutions for LLM data protection are emerging rapidly. The key is having the layer in place from day one — not bolting it on after a data incident.