The prompt is the new perimeter.
Your team is pasting customer records, source code and API keys into someone else’s model right now. Flowstate inspects every prompt, on every tool, and flags what shouldn’t be leaving the building — before it does.
You blocked the USB ports. The browser tab is wide open.
A decade of DLP investment, MDM rollouts and zero-trust architecture — and your team is now copy-pasting your most sensitive data into a free-tier consumer chatbot every afternoon. Most of it goes uninspected, untracked and unblocked.
Source code, R&D material, sales data, customer records — up from 10.7% two years ago. The growth curve is the story.
Source: Cyberhaven, 2025 AI Adoption & Risk Report →
The top tools you’d expect to see. The long tail of niche AI services your team experiments with isn’t. Security has zero visibility into nearly nine in ten sessions.
Source: LayerX, Enterprise GenAI Security Report 2025 →
32% of all corporate-to-personal data movement now happens through GenAI tools — ahead of email, file shares and removable media. 67% of that activity is on unmanaged personal accounts.
Source: LayerX, Enterprise AI & SaaS Data Security Report 2025 →
Provider-level controls only help if the provider is approved. Network-level DLP only helps if you can decrypt the traffic. The only place to catch a prompt before it leaves is at the prompt.
Inspect every prompt. Classify what matters. Block what shouldn’t leave.
Content-level inspection across every approved and unapproved AI tool your team reaches for. The check happens before the prompt ever reaches the model.
"How do you see the prompt at all?"
In-line on managed devices, at the network egress, and via provider APIs where they exist. Approved tools, shadow tools, free-tier consumer plans — every channel your team types into AI on a company device.
- In-line on managed endpoints (Jamf, Intune, Kandji)
- Network-edge inspection for BYOD and contractors
- API hooks for approved enterprise plans
"What counts as sensitive?"
The obvious things — secrets, PII, payment data — out of the box. The harder things — customer identifiers, internal IP, source code, jurisdictional flags, personal-vs-business use — trained on your data dictionary and refined per organisation.
- Pre-trained on 60+ secret formats and PII patterns
- Custom classifiers for your data — SKUs, account IDs, internal repos
- Confidence scores, not just yes/no — tune your thresholds
- AWS, GCP, Azure, Stripe, GitHub, OpenAI tokens, JWTs, private keys.
- Names, emails, phone numbers, addresses, account IDs, order references.
- Internal repo paths, proprietary algorithms, unreleased product specs.
- PANs, IBANs, sort codes, CVVs — PCI-scope content out of scope.
- PHI, contract text, M&A material, anything tagged “privileged.”
- Wedding speeches, holiday plans, side projects — logged not blocked.
"What happens when it’s a hit?"
A graduated response, decided per-classification. Redact and pass for low-risk patterns. Warn and confirm for ambiguous ones. Hard block and notify SOC for the things that should never have left the building.
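The inspect-classify-respond flow described in this section, as an added example of the policy logic a prompt-inspection layer runs before a prompt leaves the device. This is illustrative code, not Flowstate's: the detector patterns (a handful of secret formats, an email pattern, an assumed `ACCT-` customer-ID format standing in for a CRM-trained classifier), the confidence values and the per-category thresholds and actions are all assumptions. The point it shows that the text does not is how a confidence score, rather than a yes/no match, keeps a Luhn-failing order reference from being blocked as a card number, and how redact, warn and block compose when a single prompt carries several hits.

```python
import re
from dataclasses import dataclass

# Actions in increasing severity; the strongest threshold-crossing hit wins.
SEVERITY = {"allow": 0, "redact": 1, "warn": 2, "block": 3}

@dataclass
class Hit:
    category: str      # policy category: secret, payment, pii, customer_id
    detail: str        # which detector fired
    confidence: float  # 0.0 to 1.0, compared against the per-category threshold
    start: int
    end: int

@dataclass
class Decision:
    action: str
    prompt: str        # what would be forwarded to the model ("" when blocked)
    hits: list
    notify_soc: bool

# Assumed illustrative detectors; a production catalogue carries far more formats.
PATTERNS = [
    ("secret", "aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.95),
    ("secret", "github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0.95),
    ("secret", "private_key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), 0.99),
    ("pii", "email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 0.70),
    # Assumed org-specific account-ID format, standing in for a CRM-trained classifier.
    ("customer_id", "crm_account", re.compile(r"\bACCT-\d{6}\b"), 0.90),
]
# 13 to 19 digits with optional spaces or dashes: a PAN candidate, scored by Luhn below.
CANDIDATE_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Per-category policy: (action, confidence threshold). Assumed tunables.
POLICY = {
    "secret": ("block", 0.60),
    "payment": ("block", 0.80),
    "pii": ("warn", 0.50),
    "customer_id": ("redact", 0.50),
}

def luhn_valid(number: str) -> bool:
    """Luhn check, used to separate real card numbers from look-alike order refs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(prompt: str) -> list:
    """Run every detector and return scored hits with their offsets."""
    hits = []
    for category, detail, rx, conf in PATTERNS:
        for m in rx.finditer(prompt):
            hits.append(Hit(category, detail, conf, m.start(), m.end()))
    for m in CANDIDATE_PAN.finditer(prompt):
        # A Luhn-valid number is very likely a PAN; a failing one is probably an order ref.
        conf = 0.90 if luhn_valid(m.group()) else 0.30
        hits.append(Hit("payment", "pan_candidate", conf, m.start(), m.end()))
    return hits

def decide(prompt: str, policy=POLICY) -> Decision:
    """Apply the graduated response: the strongest threshold-crossing action wins."""
    hits = classify(prompt)
    action = "allow"
    for h in hits:
        wanted, threshold = policy[h.category]
        if h.confidence >= threshold and SEVERITY[wanted] > SEVERITY[action]:
            action = wanted
    forwarded = prompt
    if action == "block":
        forwarded = ""  # nothing leaves; the original is kept for the incident record
    else:
        # Redact low-risk spans right to left so earlier offsets stay valid;
        # assumes detector spans do not overlap.
        for h in sorted(hits, key=lambda h: h.start, reverse=True):
            wanted, threshold = policy[h.category]
            if wanted == "redact" and h.confidence >= threshold:
                forwarded = forwarded[:h.start] + f"[REDACTED:{h.detail}]" + forwarded[h.end:]
    return Decision(action, forwarded, hits, notify_soc=(action == "block"))

# Constructed prompts; AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation.
SAMPLE_PROMPTS = {
    "secret": "Why does boto3 reject AKIAIOSFODNN7EXAMPLE when I set it as the access key?",
    "pan": "Customer paid with 4111 1111 1111 1111, why did the refund fail?",
    "order_ref": "Order 4111 1111 1111 1112 shipped late, draft an apology",
    "customer": "Summarise the complaint from ACCT-004217 for the weekly report",
    "mixed": "Reply to jane.doe@example.com about the ACCT-004217 renewal",
    "benign": "Write a best-man speech with a joke about fishing",
}

if __name__ == "__main__":
    for name, text in SAMPLE_PROMPTS.items():
        d = decide(text)
        print(f"{name:10} -> {d.action:6} soc={d.notify_soc} forwarded={d.prompt!r}")
```

Running the block forwards the benign prompt untouched, passes the customer prompt with the account ID replaced by a `[REDACTED:crm_account]` marker, raises a warn on the mixed prompt (the email crosses the PII threshold, the account ID is still redacted), lets the order reference through because it fails Luhn and scores below the payment threshold, and blocks the live access key and the Luhn-valid card number with a SOC notification.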
Eight risks. One inspection layer.
The categories your security team already cares about — finally extended to the channel your team actually uses.
API keys & secrets
AWS, GCP, Stripe, GitHub, internal SSO — 60+ recognised secret formats with automatic revocation.
Customer data & PII
Names, emails, addresses, order references — matched against your CRM dictionary, not a generic regex.
Source code & IP
Internal repo paths, proprietary algorithms, unreleased product material flagged before the paste lands.
Payment data
PANs, IBANs, CVVs — PCI scope kept out of prompts where it doesn’t belong.
Shadow AI providers
Unapproved tools blocked on first contact. Discovery report for security review, not silent denial.
Personal use
Best-man speeches and holiday plans don’t belong on the company budget. Logged, not blocked — surfaced for a chat.
Cross-jurisdiction
EU-resident user prompts routed to US providers, flagged for review. Schrems II compliance with the receipts.
Anomalous patterns
Volume spikes, off-hours bursts, prompt-injection probes, jailbreak attempts. Behaviour, not just content.
Alerts your SOC will actually read.
Routed through the channels your security team already lives in. Severity-tuned. Deduplicated. Linked to the prompt, the user, the device, the classifier hit.
Live secret detected
Critical: Block, revoke at provider, page SOC. Incident opened with full session context, classifier confidence, and rotation status.
Customer data exfiltration
High: PII pattern matched against CRM dictionary. User prompted to confirm business use; full payload logged for the DPO audit trail.
Shadow AI provider seen
Medium: New AI endpoint reached from a managed device. Blocked by default. Discovery ticket opened for security review — not silent denial.
Anomalous pattern
Behavioural: 800 prompts from one user in two hours, mostly outside working hours, hitting a tool they’ve never used. Surfaced for a check-in, not a block.
Lives where your security team already lives.
Every detection is a structured event. Pipe it into the SIEM you already pay for. No new pane of glass for the SOC to ignore.
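The anomalous-pattern alert above (volume over a short window, off-hours activity, a tool the user has never touched) and the structured-event output this section describes, as one added example. It is illustrative code, not Flowstate's: the two-hour window, the 200-prompt volume threshold, the 60% off-hours ratio, the 08:00 to 18:00 working day, the event schema and the sample prompt stream are all constructed assumptions. It shows what the text leaves implicit: the signals are computed from a sliding per-user window, each (user, signal, tool) fires once so the SOC sees one event rather than hundreds, and the result is a plain dictionary that serialises straight to JSON for a SIEM.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Assumed per-organisation tunables.
WINDOW = timedelta(hours=2)
VOLUME_THRESHOLD = 200        # prompts from one user inside the window
OFFHOURS_RATIO = 0.6          # share of those prompts outside working hours
WORK_START, WORK_END = 8, 18  # local working hours, end exclusive

class BehaviourMonitor:
    """Keeps a sliding window per user and fires each signal once (deduplicated)."""

    def __init__(self):
        self.recent = defaultdict(deque)     # user -> prompt timestamps inside WINDOW
        self.known_tools = defaultdict(set)  # user -> tools seen before
        self.fired = set()                   # (user, signal, tool) already alerted

    def observe(self, event: dict) -> list:
        """Consume one prompt event {user, tool, ts} and return any new alerts."""
        user, tool = event["user"], event["tool"]
        ts = datetime.fromisoformat(event["ts"])
        alerts = []

        # First use of a tool by this user (skipping the user's first-ever prompt).
        if tool not in self.known_tools[user]:
            if self.known_tools[user]:
                alerts.append(self._alert("new_tool", user, tool, ts,
                                          {"previous_tools": sorted(self.known_tools[user])}))
            self.known_tools[user].add(tool)

        window = self.recent[user]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()  # drop prompts that have aged out of the window

        if len(window) >= VOLUME_THRESHOLD:
            off_hours = sum(1 for t in window if not WORK_START <= t.hour < WORK_END)
            ratio = off_hours / len(window)
            signal = "offhours_burst" if ratio >= OFFHOURS_RATIO else "volume_spike"
            key = (user, signal, tool)
            if key not in self.fired:  # deduplicate: one event per user/signal/tool
                self.fired.add(key)
                alerts.append(self._alert(signal, user, tool, ts, {
                    "prompts_in_window": len(window),
                    "window_hours": WINDOW.total_seconds() / 3600,
                    "offhours_ratio": round(ratio, 2),
                }))
        return alerts

    @staticmethod
    def _alert(signal, user, tool, ts, context):
        # Structured, JSON-serialisable event for the SIEM; surfaced for a check-in, not a block.
        return {
            "event_type": "prompt_behaviour",
            "severity": "behavioural",
            "signal": signal,
            "user": user,
            "tool": tool,
            "observed_at": ts.isoformat(),
            "recommended_action": "check_in",
            "context": context,
        }

def constructed_events() -> list:
    """Constructed stream: a normal Monday, then a late-evening burst on a never-used tool."""
    monday = datetime(2025, 3, 10, 9, 0)
    events = [{"user": "alice", "tool": "approved-assistant",
               "ts": (monday + timedelta(minutes=15 * i)).isoformat()} for i in range(8)]
    tuesday_night = datetime(2025, 3, 11, 20, 0)
    events += [{"user": "alice", "tool": "unknown-chat-tool",
                "ts": (tuesday_night + timedelta(seconds=25 * i)).isoformat()} for i in range(250)]
    return events

def run(events: list) -> list:
    """Feed a stream through the monitor and collect the structured alerts."""
    monitor = BehaviourMonitor()
    alerts = []
    for event in events:
        alerts.extend(monitor.observe(event))
    return alerts

if __name__ == "__main__":
    for alert in run(constructed_events()):
        print(json.dumps(alert))
```

On the constructed stream the monitor emits exactly two events: a `new_tool` event on the first prompt to the unfamiliar tool, and one `offhours_burst` event when the 200th prompt lands inside the two-hour window, with the remaining 50 prompts suppressed by the deduplication key. Both carry the user, tool, timestamp and the context a SOC analyst needs to decide whether to start a conversation.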
Stop finding out about leaks from someone else.
Book a demo and watch a live prompt feed from your own organisation — with detections, redactions and blocks running in real time.