# AI data loss prevention review brief

## Exposure surface

List prompts, retrieved sources, logs, tool outputs, exports, and providers touched by the workflow. Identify the highest data class and whether each surface enforces the required controls.

## Gaps

Document missing masking, provider routing, log redaction, retention, export review, or owner approval. Treat secrets and unapproved regulated data flows as blockers.

## Decision

Approve, hold, or approve with a time-bound compensating control. Every exception needs an owner, expiry date, monitoring signal, and remediation action.