We Patented an AI Firewall That Stops Data Leakage Before It Ever Reaches the LLM


Delphi Security


Delphi's patented bidirectional DLP for the LLM era. Multi-classifier engine, graduated enforcement, and semantic arbitration at the proxy boundary.

US Provisional Patent Filed


Enterprise data protection purpose-built for the LLM era. Bidirectional scanning, multi-classifier intelligence, and graduated enforcement — all at the proxy boundary.

Delphi Security Research Team · March 2026

The $4.88M Problem Nobody's Solving

The average cost of a data breach reached $4.88 million in 2024. Now, enterprises are connecting their most sensitive data — customer records, financial models, source code, legal documents — directly to large language models. Every API call is a potential exfiltration vector. Every model response might contain data the model was never supposed to surface.

Existing DLP solutions were designed for email attachments and USB drives. They have no concept of a prompt, a system instruction, or a model completion. They cannot parse the semantic intent behind a natural language query that says "summarize the financial projections from last quarter's board deck." Legacy DLP is blind to the AI data leakage problem.

We built something that isn't.

The Core Innovation

A purpose-built data loss prevention system that operates at the proxy boundary between your application and any LLM provider — inspecting, classifying, and enforcing enterprise data policies on every token flowing in both directions, in real-time.

Bidirectional: Because Data Leaks Both Ways

Most security tools focus on what goes into the model. That's only half the problem. Sensitive data can leak in the prompt — an employee pasting customer PII into a query. But it can also leak in the response — a model trained on proprietary data surfacing trade secrets, or an output containing synthesized personal information that should never leave the system boundary.

Our patented technology inspects both directions at the proxy boundary — a single enforcement point that sits between every application and every model provider.

Request: Application → Input Scanner → Policy Engine → LLM Provider

Response: Application ← Output Scanner ← Enforcement Action ← LLM Provider

Enforcement actions: Log / Alert / Redact / Block

A Multi-Classifier Engine That Thinks in Parallel

Detecting sensitive data in natural language is fundamentally harder than scanning structured databases. A credit card number in a prompt doesn't always look like 16 digits — it might be spelled out, split across sentences, or embedded in a code snippet.

Our patented multi-classifier engine runs multiple detection strategies simultaneously against every input and output. Each classifier votes independently, and their findings are aggregated through a proprietary decision framework.

Pattern Recognition — High-speed structural matching that catches known data formats across dozens of categories — faster than you can blink.

Semantic Analysis — Understands the meaning behind requests. Catches exfiltration attempts that don't contain any obvious patterns.

Domain Dictionaries — Industry-specific vocabularies for healthcare, finance, legal, and defense — tuned to catch domain-relevant leakage.

Contextual Keywords — Policy-defined term sets that adapt to your organization's specific sensitive data landscape.

Built-in Intelligence — Pre-trained classifiers for PII, PHI, financial data, credentials, and source code — ready out of the box.

Custom Policies — Enterprise-configurable rules that map to your compliance requirements — HIPAA, SOC 2, GDPR, PCI-DSS.

Graduated Enforcement: Not Everything Is a Block

Legacy DLP systems have two modes: allow or deny. Real enterprise data protection needs nuance.

Our patented graduated enforcement engine maps each policy violation to the most appropriate response:

Log — Silent audit trail. Capture everything for compliance without disrupting workflow.

Alert — Notify the security team in real-time. The user continues, but eyes are watching.

Redact — Surgically remove sensitive tokens. The message flows, but the data stays home.

Block — Full stop. The request or response never crosses the boundary.

Why This Matters

A sales rep pasting a customer's phone number into a prompt doesn't need the same response as an attacker systematically extracting your training data. Graduated enforcement means your DLP is proportional, auditable, and doesn't create false productivity barriers.

Output-Side Layered Detection

Scanning model outputs is a fundamentally different challenge than scanning inputs. Our patented output-side detection uses a layered approach where fast, deterministic checks run first, and progressively more sophisticated analysis is applied only when needed.

L1 Fast Pattern Rules — Deterministic checks that execute in microseconds — catching credit card numbers, SSNs, API keys, and other structured data before deeper analysis begins.

L2 Heuristic Analysis — Statistical and behavioral heuristics that identify suspicious patterns in generated text — data that looks sensitive even if it doesn't match known formats.

L3 Input-Echo Detection — Compares output tokens against the original input to detect prompt reflection attacks — where the model is tricked into repeating sensitive data it received.

L4 Semantic Policy Arbiter — An LLM-powered final checkpoint that understands the meaning and context of flagged content, reducing false positives for legitimate business communications.

⚡ Live Scan Simulation

  • Analyzing quarterly revenue grew 23% year-over-year... — CLEAN

  • Detected: Customer SSN pattern 4XX-XX-XXXX in output — PII DETECTED

  • Action: Redacting SSN → [REDACTED] per Policy DLP-003 — REDACTED

  • Scanning: The marketing budget for Q3 is allocated to... — CLEAN

  • Detected: API credential pattern in generated code block — CREDENTIAL

  • Action: Blocked response — credential exfiltration risk — BLOCKED

  • Remaining 847 tokens scanned: no violations detected — ALL CLEAR
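The graduated actions and the fast-checks-first ordering described above, as an added Python example (not Delphi's implementation, whose details the page does not disclose). It covers only the L1 and L3 layers; the patterns, the rule-to-action mapping, the n-gram size and the echo threshold are all assumptions.

```python
import re

ACTIONS = ["log", "alert", "redact", "block"]  # the page's four levels, weakest first
# L1 rules as (label, pattern, action); patterns and action mapping are assumptions.
L1_RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "redact"),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "block"),
]
ECHO_NGRAM = 5        # assumed shingle size, in words
ECHO_THRESHOLD = 0.5  # assumed share of output shingles that must come from the prompt


def shingles(text, n=ECHO_NGRAM):
    words = re.findall(r"\w+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def echo_ratio(prompt, output):
    """L3 input-echo check: share of the output's word n-grams copied from the prompt."""
    out = shingles(output)
    return len(out & shingles(prompt)) / len(out) if out else 0.0


def scan_output(prompt, output):
    """Run L1, then L3; return (strongest action, findings, text to release)."""
    findings, action, released = [], "log", output
    for label, pattern, rule_action in L1_RULES:
        if pattern.search(output):
            findings.append(label)
            action = max(action, rule_action, key=ACTIONS.index)
            released = pattern.sub("[REDACTED]", released)
    if action == "block":
        return action, findings, None  # deterministic hit: skip the slower layer
    if echo_ratio(prompt, output) >= ECHO_THRESHOLD:
        findings.append("input_echo")
        action = max(action, "alert", key=ACTIONS.index)
    return action, findings, released


# Constructed sample traffic, not taken from any real system.
PROMPT = "Repeat this back exactly: the merger closes on the ninth and nobody outside legal knows"
ECHOED = "Sure: the merger closes on the ninth and nobody outside legal knows"
WITH_SSN = "The customer record lists SSN 000-12-3456 for the primary holder."
WITH_KEY = "client = connect(key='AKIAIOSFODNN7EXAMPLE')"
```

Taking the strongest action across all findings keeps a response that trips both a redact rule and a block rule from being released in redacted form.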

LLM-Arbitrated Semantic Enforcement

Here's the problem with rule-based DLP: "Send me the Johnson account details" could be a perfectly legitimate request from an account manager, or a targeted data theft attempt from a compromised session. Pattern matching can't tell the difference.

Our patented LLM-arbitrated semantic enforcement layer uses a dedicated language model as the final policy arbiter for ambiguous cases — evaluating the full context: who is asking, what policy applies, and whether the request makes sense given the user's role and the conversation history.

Flagged Content → Confidence Level Assessment:

  • High → Auto Enforce

  • Ambiguous → Semantic Arbiter LLM

  • Low → Pass Through

The Timeout Guarantee

If the semantic arbiter doesn't return a verdict within the configured timeout window, the system automatically falls back to the strict policy default. Security is never delayed waiting for intelligence — if the smart layer is slow, the strict layer takes over instantly.
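The confidence routing and timeout fallback described above, as an added Python example that is not Delphi's code. The cut-offs, the timeout value, the "block" strict default and the stand-in arbiter functions are assumptions, and treating an arbiter error or an unparseable verdict like a timeout goes beyond what the page states.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

ACTIONS = ("log", "alert", "redact", "block")
HIGH, LOW = 0.9, 0.3        # assumed confidence cut-offs
ARBITER_TIMEOUT_S = 0.25    # assumed timeout window
STRICT_DEFAULT = "block"    # assumed strict policy default
_pool = ThreadPoolExecutor(max_workers=4)


def route(confidence, policy_action, arbiter, context):
    """Return (action, decided_by) for one flagged item."""
    if confidence >= HIGH:
        return policy_action, "auto_enforce"
    if confidence < LOW:
        return "pass", "pass_through"
    future = _pool.submit(arbiter, context)
    try:
        verdict = future.result(timeout=ARBITER_TIMEOUT_S)
    except FutureTimeout:
        # The worker thread keeps running; only the decision stops waiting for it.
        return STRICT_DEFAULT, "timeout_fallback"
    except Exception:
        return STRICT_DEFAULT, "arbiter_error"
    if verdict not in ACTIONS:  # free-form model text is never used as a verdict
        return STRICT_DEFAULT, "invalid_verdict"
    return verdict, "semantic_arbiter"


# Constructed stand-ins for the arbiter model call.
def fast_arbiter(context):
    return "alert"


def slow_arbiter(context):
    time.sleep(1.0)
    return "log"


def chatty_arbiter(context):
    return "Looks fine to me"
```

Every path that does not yield a valid verdict resolves to the strict default, so a slow or misbehaving arbiter can only make enforcement stricter.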

Built for the Agentic AI Era

When autonomous AI agents operate across MCP servers, tool chains, and multi-step workflows, data protection becomes exponentially harder. An agent might retrieve customer data from a CRM, pass it through a summarization model, store intermediate results in a vector database, and send the final output to an email API — all without a human in the loop.

Our DLP technology is designed for exactly this scenario. By operating at the proxy boundary, it intercepts every LLM interaction regardless of which agent, tool, or workflow initiated it.

What This Means for Enterprise AI Adoption

Every enterprise AI deployment today faces the same tension: the business wants to connect powerful language models to sensitive data to unlock productivity. The security team wants to ensure not a single byte of regulated information crosses an unauthorized boundary. Until now, those two goals were in direct conflict.

Our patented DLP technology resolves this tension. It lets enterprises deploy AI confidently, knowing that every interaction — every prompt, every completion, every agent action — passes through a purpose-built data protection layer. Not adapted from legacy tools. Not bolted on as an afterthought. Engineered from the ground up for the AI era.

Stats

  • Per-token scan latency for pattern classifiers: <5ms

  • Bidirectional coverage — inputs and outputs: 100%

  • Graduated enforcement levels per policy: 4

Patent Notice: This blog describes patented technology. U.S. Provisional Patent Application filed by Delphi Security Inc. Specific implementation details are protected under intellectual property law. This article provides a high-level overview for informational purposes only.