@blamejs/exceptd-skills 0.9.1

package/data/dlp-controls.json

@@ -0,0 +1,1039 @@
+{
+  "_meta": {
+    "schema_version": "1.0.0",
+    "last_updated": "2026-05-11",
+    "skill_refs_field": "dlp_refs",
+    "note": "DLP controls relevant to mid-2026 threat reality. Legacy controls (email/web/USB) are kept because compliance frameworks still cite them; modern controls (LLM prompt, MCP tool-arg, embedding-store) are the actual operational gap. The dlp-gap-analysis skill consumes this catalog.",
+    "tlp": "CLEAR",
+    "source_confidence": {
+      "scheme": "Admiralty (A-F + 1-6)",
+      "default": "B2",
+      "note": "B = usually reliable; 2 = probably true. Per-entry overrides via entry-level source_confidence field. Public-record catalogs (NVD, ATLAS, CWE, RFC, framework publishers) get A1 (completely reliable, confirmed). Project-curated catalogs (zeroday-lessons, exploit-availability) default to B2 with source citations."
+    },
+    "freshness_policy": {
+      "default_review_cadence_days": 90,
+      "stale_after_days": 180,
+      "rebuild_after_days": 365,
+      "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
+    }
+  },
+  "DLP-CHAN-EMAIL-OUT": {
+    "id": "DLP-CHAN-EMAIL-OUT",
+    "name": "Outbound email DLP",
+    "category": "channel",
+    "modern_or_legacy": "legacy",
+    "description": "Inspection of outbound SMTP/Exchange/M365/Workspace mail flow for content matching protected classes (PII, PHI, PCI, source code, classified markings). The canonical DLP channel since the early 2000s.",
+    "covers": [
+      "outbound corporate email body and attachments",
+      "BCC/forward to personal addresses",
+      "auto-forwarding rules"
+    ],
+    "does_not_cover": [
+      "mail sent from unmanaged personal accounts on managed endpoints",
+      "encrypted attachments without key escrow",
+      "content typed into LLM web UIs"
+    ],
+    "attack_techniques_addressed": [
+      "T1048.003",
+      "T1567.002"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SC-7",
+      "ISO-27001-2022-A.8.12",
+      "PCI-DSS-4.0-3.4",
+      "GDPR-Art32"
+    ],
+    "vendor_categories": [
+      "Microsoft Purview DLP",
+      "Google Workspace DLP",
+      "Symantec DLP",
+      "Forcepoint DLP",
+      "Proofpoint Information Protection"
+    ],
+    "ai_pipeline_applicability": "Not applicable as a primary control point. Email DLP sees prompts only if a user emails them; the LLM channel bypasses it entirely.",
+    "lag_notes": "Frameworks treat email as the canonical egress channel. In mid-2026 telemetry, LLM-prompt egress outpaces email egress for sensitive content in dev-heavy orgs.",
+    "evidence_examples": [
+      "Purview DLP policy hit logs",
+      "Symantec DLP incident records with SMTP channel tag"
+    ],
+    "privacy_regimes": [
+      "GDPR",
+      "CCPA",
+      "LGPD",
+      "PIPEDA",
+      "POPIA"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CHAN-WEB-UPLOAD": {
+    "id": "DLP-CHAN-WEB-UPLOAD",
+    "name": "Web upload / HTTP(S) egress DLP",
+    "category": "channel",
+    "modern_or_legacy": "legacy",
+    "description": "Proxy or endpoint inspection of HTTP(S) file uploads to web destinations (file-sharing, webmail, social, generic POST). Implemented in SWG / SASE / CASB.",
+    "covers": [
+      "multipart/form-data file uploads",
+      "POST bodies to known categories (file share, paste sites)",
+      "managed-browser uploads"
+    ],
+    "does_not_cover": [
+      "uploads inside TLS-pinned native apps without endpoint agent",
+      "content pasted into web LLM UIs (technically a POST, but classification rarely tuned for prompt text)",
+      "WebRTC data channels"
+    ],
+    "attack_techniques_addressed": [
+      "T1567",
+      "T1041"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-SC-7",
+      "NIST-800-53-AC-4",
+      "ISO-27001-2022-A.8.20",
+      "ISO-27001-2022-A.8.23"
+    ],
+    "vendor_categories": [
+      "Secure Web Gateway (Zscaler, Netskope, iboss, Cloudflare Gateway)",
+      "CASB (Microsoft Defender for Cloud Apps, Netskope CASB)",
+      "Endpoint DLP (Trellix, Forcepoint)"
+    ],
+    "ai_pipeline_applicability": "Partial. SWG/CASB can see POSTs to chat.openai.com / claude.ai / gemini.google.com, but content classification was tuned for file uploads, not free-form prompt text — high false-negative rate on prompts.",
+    "lag_notes": "NIST AC-4 and ISO A.8.23 treat 'web' as a uniform channel. In practice the LLM-prompt sub-channel needs distinct classification logic.",
+    "evidence_examples": [
+      "SWG block logs by URL category 'Generative AI'",
+      "CASB shadow-IT discovery reports with AI-tool tag"
+    ],
+    "privacy_regimes": [
+      "GDPR",
+      "CCPA",
+      "LGPD"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CHAN-USB-REMOVABLE": {
+    "id": "DLP-CHAN-USB-REMOVABLE",
+    "name": "Removable media / USB DLP",
+    "category": "channel",
+    "modern_or_legacy": "legacy",
+    "description": "Endpoint control over data written to USB mass storage, MTP devices, and other removable media. Block, read-only, or content-classify-then-allow.",
+    "covers": [
+      "USB mass-storage write",
+      "MTP transfers to phones",
+      "SD cards, optical media"
+    ],
+    "does_not_cover": [
+      "device-to-device wireless (AirDrop, Quick Share)",
+      "tethered phone hotspot exfil",
+      "any AI-pipeline channel"
+    ],
+    "attack_techniques_addressed": [
+      "T1052.001",
+      "T1025"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-MP-7",
+      "NIST-800-53-SC-41",
+      "ISO-27001-2022-A.7.10",
+      "PCI-DSS-4.0-9.4.6"
+    ],
+    "vendor_categories": [
+      "Endpoint DLP (Microsoft Purview Endpoint DLP, Trellix DLP Endpoint, Forcepoint DLP Endpoint)",
+      "EDR with device-control (CrowdStrike Falcon Device Control, SentinelOne)"
+    ],
+    "ai_pipeline_applicability": "Not applicable. USB controls are orthogonal to AI egress.",
+    "lag_notes": "PCI-DSS 9.4.6 still explicitly cites removable media. Coverage of this channel is required for paper compliance even though it is a shrinking fraction of real exfil.",
+    "evidence_examples": [
+      "Endpoint DLP USB block events",
+      "Device control allow-list configuration"
+    ],
+    "privacy_regimes": [
+      "GDPR",
+      "CCPA",
+      "HIPAA"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CHAN-LLM-PROMPT": {
+    "id": "DLP-CHAN-LLM-PROMPT",
+    "name": "LLM prompt-text egress detection",
+    "category": "channel",
+    "modern_or_legacy": "modern",
+    "description": "Inspection of free-form text submitted to LLM endpoints (Anthropic, OpenAI, Google, Meta, third-party hosted, on-prem) for protected content. Implemented at SDK, proxy, or browser-isolation layer.",
+    "covers": [
+      "text typed or pasted into LLM web/desktop UIs",
+      "API prompts sent via SDK",
+      "system-prompt leakage via prompt injection responses"
+    ],
+    "does_not_cover": [
+      "binary attachments to LLM (separate control)",
+      "RAG retrievals embedded in context (separate control)",
+      "MCP tool arguments (separate control)"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "AML.T0051",
+      "AML.T0057"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SC-7",
+      "NIST-AI-RMF-MAP-4.1",
+      "ISO-27001-2022-A.8.12",
+      "ISO-42001-A.6.2.4",
+      "EU-AI-Act-Art15"
+    ],
+    "vendor_categories": [
+      "AI-aware DLP (Nightfall, Microsoft Purview AI Hub, Symantec DLP 2026, Forcepoint AI Security, Netskope GenAI)",
+      "Browser-isolation prompt inspection (Island, Talon, Menlo Security)",
+      "LLM gateway with policy (Portkey, LiteLLM-proxy, Cloudflare AI Gateway)"
+    ],
+    "ai_pipeline_applicability": "Primary control point. Without SDK-level prompt logging or an LLM gateway, this control cannot detect at all — TLS-pinned native apps bypass network DLP.",
+    "lag_notes": "Legacy frameworks (NIST SC-7, AC-4; ISO A.8.12) assume the egress channel set is email/web/USB. The LLM prompt is a fourth channel with no existing framework requirement. EU AI Act Art 15 cites robustness but not DLP. ISO/IEC 42001:2023 A.6.2.4 references information classification for AI but is not prescriptive on prompt-egress controls.",
+    "evidence_examples": [
+      "SDK-level prompt logging on Anthropic / OpenAI SDKs",
+      "LLM gateway audit logs (Portkey, Cloudflare AI Gateway)",
+      "Microsoft Defender for Cloud Apps AI policies with prompt-content alerts"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 5 minimisation, Art 32 security)",
+      "CCPA/CPRA",
+      "LGPD",
+      "EU AI Act Art 10 (data governance)"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CHAN-LLM-CONTEXT": {
+    "id": "DLP-CHAN-LLM-CONTEXT",
+    "name": "LLM context-window egress detection",
+    "category": "channel",
+    "modern_or_legacy": "modern",
+    "description": "Inspection of non-prompt content placed into the model context: file attachments, RAG retrievals, tool outputs, document summarization inputs. Distinct from the user-prompt channel because content origin and classification path differ.",
+    "covers": [
+      "file attachments to LLM (PDF, code, images with embedded text)",
+      "RAG retrievals injected into context",
+      "tool/function outputs returned to the model",
+      "long-document summarization payloads"
+    ],
+    "does_not_cover": [
+      "the user-typed prompt itself (separate control)",
+      "model output / response data (separate control)"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "AML.T0048",
+      "AML.T0057"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SI-12",
+      "NIST-AI-RMF-MEASURE-2.10",
+      "ISO-27001-2022-A.5.34",
+      "ISO-42001-A.7.4",
+      "EU-AI-Act-Art10"
+    ],
+    "vendor_categories": [
+      "AI-aware DLP (Microsoft Purview AI Hub, Nightfall AI, Forcepoint AI Security)",
+      "RAG-aware gateways (Portkey, Cloudflare AI Gateway with content rules)",
+      "Document-classification engines feeding RAG (Microsoft Purview Information Protection labels propagated to RAG corpus)"
+    ],
+    "ai_pipeline_applicability": "Primary control point for RAG-heavy deployments. Without content classification at retrieval time, the RAG layer becomes a confused-deputy egress channel — sensitive corpus content can be returned to under-cleared users.",
+    "lag_notes": "ISO A.5.34 covers privacy in PII processing but does not contemplate retrieval-time classification enforcement. NIST AI-RMF MEASURE 2.10 references information integrity but not retrieval-time egress filtering.",
+    "evidence_examples": [
+      "RAG retrieval audit logs with sensitivity labels",
+      "Purview labels visible on documents in vector store",
+      "Retrieval-time access decisions logged with user clearance vs. label"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 5, Art 32)",
+      "CCPA/CPRA",
+      "LGPD",
+      "HIPAA (where PHI enters RAG)"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CHAN-MCP-TOOL-ARG": {
+    "id": "DLP-CHAN-MCP-TOOL-ARG",
+    "name": "MCP tool-call argument DLP",
+    "category": "channel",
+    "modern_or_legacy": "modern",
+    "description": "Inspection of arguments passed by an LLM-driven agent to an MCP (Model Context Protocol) tool call. The arguments may contain protected content extracted from the model context and routed to a third-party tool (search, file write, HTTP fetch).",
+    "covers": [
+      "tool-call argument payloads (JSON) sent to MCP servers",
+      "URL parameters in tool-initiated HTTP fetches",
+      "filesystem write paths and content"
+    ],
+    "does_not_cover": [
+      "the prompt that produced the tool call (separate control)",
+      "MCP server-side response data (separate control)",
+      "non-MCP plugin frameworks (OpenAI plugins, custom function-calling) — same idea, different implementation"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0051",
+      "AML.T0053",
+      "AML.T0010"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-CA-3",
+      "NIST-AI-RMF-GOVERN-1.3",
+      "ISO-27001-2022-A.5.14",
+      "ISO-42001-A.6.2.6"
+    ],
+    "vendor_categories": [
+      "MCP gateway / proxy with content inspection (emerging — Portkey MCP support, Anthropic enterprise MCP gateway preview)",
+      "Agent observability platforms (LangSmith, Helicone, Langfuse) with policy plugins",
+      "AI-aware DLP applied at the LLM gateway layer (Cloudflare AI Gateway with tool-arg rules)"
+    ],
+    "ai_pipeline_applicability": "Primary control point for agentic workflows. Tool calls are the agent's egress hands; uninspected tool-arg traffic is the modern equivalent of unauthenticated SMTP relay. Per CVE-2026-30615, the MCP trust surface is also an inbound vector.",
+    "lag_notes": "No major framework names MCP or tool-call argument inspection as a control. ISO/IEC 42001 references AI system component governance abstractly. The control category is operationally required but compliance-invisible — DR-1 risk.",
+    "evidence_examples": [
+      "MCP gateway audit logs with tool-name + arg-hash",
+      "Agent observability traces (LangSmith / Langfuse) with arg content",
+      "LLM-gateway tool-call policy hits"
+    ],
+    "privacy_regimes": [
+      "GDPR",
+      "CCPA/CPRA",
+      "LGPD"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CHAN-CLIPBOARD-AI": {
+    "id": "DLP-CHAN-CLIPBOARD-AI",
+    "name": "Clipboard-to-AI-tool egress detection",
+    "category": "channel",
+    "modern_or_legacy": "modern",
+    "description": "Detection of clipboard content being pasted into AI tool surfaces (LLM web UIs, IDE AI assistants, AI-enabled desktop apps). Implemented at endpoint or via managed-browser hooks.",
+    "covers": [
+      "paste into chat.openai.com / claude.ai / gemini.google.com / copilot.microsoft.com",
+      "paste into IDE AI sidebars (Cursor, Windsurf, Copilot Chat)",
+      "paste into ChatGPT desktop app, Claude desktop app"
+    ],
+    "does_not_cover": [
+      "clipboard content used outside AI tools (general clipboard DLP, separate control)",
+      "drag-and-drop into AI tools (file-handling path)"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "T1056.004"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SC-7",
+      "ISO-27001-2022-A.8.12"
+    ],
+    "vendor_categories": [
+      "Endpoint DLP with clipboard awareness (Microsoft Purview Endpoint DLP, Forcepoint DLP Endpoint, Trellix DLP)",
+      "Managed enterprise browser (Island, Talon, Chrome Enterprise Premium, Edge for Business with policy)",
+      "Endpoint AI guardrails (Polymer, Zscaler AI Protection)"
+    ],
+    "ai_pipeline_applicability": "Primary control point for unmanaged-LLM use. Paste is the dominant ingress path for prompt content; SDK logging doesn't see it because it happens before the LLM call.",
+    "lag_notes": "Frameworks have no clipboard-specific control. ISO A.8.12 covers data leakage generally; clipboard→AI is a sub-channel that needs explicit instrumentation.",
+    "evidence_examples": [
+      "Endpoint DLP clipboard-paste event with destination process name",
+      "Managed-browser paste-blocked events on Generative AI URL category"
+    ],
+    "privacy_regimes": [
+      "GDPR",
+      "CCPA/CPRA",
+      "LGPD"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CHAN-CODE-COMPLETION": {
+    "id": "DLP-CHAN-CODE-COMPLETION",
+    "name": "Code-completion context exfiltration DLP",
+    "category": "channel",
+    "modern_or_legacy": "modern",
+    "description": "Inspection or suppression of source code, secrets, and proprietary content sent to AI code-completion services (GitHub Copilot, Cursor, Codeium, Tabnine, Amazon Q Developer) as completion context.",
+    "covers": [
+      "surrounding-file context windows shipped with completion requests",
+      "secrets present in source that get included in context",
+      "proprietary algorithms / IP shipped as completion context"
+    ],
+    "does_not_cover": [
+      "user-typed chat to the assistant (separate prompt-egress control)",
+      "training-time data ingestion by the vendor (contractual control, not technical)"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "AML.T0048",
+      "T1213.003"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SC-7",
+      "NIST-800-53-SA-15",
+      "ISO-27001-2022-A.8.12",
+      "ISO-27001-2022-A.8.28",
+      "EU-AI-Act-Art10"
+    ],
+    "vendor_categories": [
+      "Code-assistant vendor enterprise controls (GitHub Copilot Business/Enterprise content exclusions, Cursor Privacy Mode, Codeium enterprise context-filtering)",
+      "Pre-commit / pre-context secret scanners (gitleaks, trufflehog, GitHub secret scanning) feeding exclusion lists",
+      "AI-aware DLP at the network egress (Nightfall for code, Polymer)"
+    ],
+    "ai_pipeline_applicability": "Primary control point. Once context leaves the IDE, no downstream DLP sees it. Vendor-side exclusions are the only practical control unless the assistant is self-hosted.",
+    "lag_notes": "NIST SA-15 (development process security) and ISO A.8.28 (secure coding) predate AI code assistants and do not address vendor-side context retention. Frameworks treat this as a 'third-party data sharing' question, which is contractual, not technical.",
+    "evidence_examples": [
+      "Copilot Business content-exclusion policy with file globs",
+      "Cursor Privacy Mode org setting confirmation",
+      "Pre-commit secret-scan blocks preventing secrets entering repo (preventive)"
+    ],
+    "privacy_regimes": [
+      "GDPR (where source contains personal data)",
+      "trade-secret regimes (US DTSA, EU Trade Secrets Directive 2016/943)"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CHAN-IDE-TELEMETRY": {
+    "id": "DLP-CHAN-IDE-TELEMETRY",
+    "name": "IDE / dev-tool telemetry DLP",
+    "category": "channel",
+    "modern_or_legacy": "modern",
+    "description": "Control over telemetry emitted by IDEs and dev tools (VS Code, JetBrains, Visual Studio, terminal tools) that may include file paths, repository names, error payloads containing snippets, and crash dumps with memory content.",
+    "covers": [
+      "IDE crash dumps and error reports",
+      "extension marketplace telemetry",
+      "AI-extension usage telemetry with prompt previews",
+      "terminal command telemetry in instrumented shells"
+    ],
+    "does_not_cover": [
+      "primary AI assistant context (separate control DLP-CHAN-CODE-COMPLETION)",
+      "git push to vendor-hosted repos (covered by source-control egress controls)"
+    ],
+    "attack_techniques_addressed": [
+      "T1213.003",
+      "T1119"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SI-12",
+      "ISO-27001-2022-A.8.16",
+      "ISO-27001-2022-A.5.34"
+    ],
+    "vendor_categories": [
+      "IDE policy management (JetBrains policy server, VS Code enterprise policy, Visual Studio enterprise admin)",
+      "Extension allow-list and telemetry-suppression GPO/MDM",
+      "Network egress controls suppressing telemetry endpoints (typically SWG)"
+    ],
+    "ai_pipeline_applicability": "Partial. AI extensions emit telemetry separate from their primary inference traffic; suppressing this catches secondary leakage paths but not the primary prompt/context channels.",
+    "lag_notes": "ISO A.5.34 and GDPR Art 25 (data-protection by design) require minimisation; vendor telemetry defaults rarely meet this without configuration.",
+    "evidence_examples": [
+      "GPO/MDM telemetry settings deployed",
+      "SWG block rules on vendor telemetry domains",
+      "JetBrains data-sharing-disabled policy confirmation"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 5 minimisation, Art 25 PbD)",
+      "CCPA/CPRA"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CLASS-REGEX-PII": {
+    "id": "DLP-CLASS-REGEX-PII",
+    "name": "Regex / keyword / dictionary classification",
+    "category": "classification",
+    "modern_or_legacy": "legacy",
+    "description": "Pattern-based content classification (regex, exact-data-match, keyword lists, document fingerprinting). Required by every prescriptive privacy regime that names specific data types.",
+    "covers": [
+      "structured PII (SSN, IBAN, credit card with Luhn, passport)",
+      "PHI identifiers (NPI, MRN, DEA)",
+      "PCI cardholder data",
+      "exact-data-match for customer DBs"
+    ],
+    "does_not_cover": [
+      "semantically equivalent paraphrases",
+      "obfuscated content (base64, leetspeak, ROT)",
+      "unstructured trade-secret content"
+    ],
+    "attack_techniques_addressed": [
+      "T1048",
+      "T1567",
+      "T1213"
+    ],
+    "framework_controls_partially_mapping": [
+      "PCI-DSS-4.0-3.4",
+      "HIPAA-164.312(e)",
+      "GDPR-Art32",
+      "NIST-800-53-SI-12",
+      "ISO-27001-2022-A.8.12"
+    ],
+    "vendor_categories": [
+      "Every commercial DLP (Microsoft Purview, Symantec, Forcepoint, Trellix, Proofpoint, Netskope, Zscaler)",
+      "Open-source (Apache Tika + custom regex, presidio from Microsoft)"
+    ],
+    "ai_pipeline_applicability": "Partial. Regex on LLM prompts catches structured identifiers but misses the dominant AI-pipeline risk (unstructured proprietary content). Necessary but insufficient.",
+    "lag_notes": "PCI-DSS and HIPAA still require pattern-based detection. Frameworks treat regex coverage as table stakes; it remains required for compliance even though it is the weakest classifier.",
+    "evidence_examples": [
+      "DLP policy with PCI cardholder-data classifier",
+      "Presidio analyzer config in prompt-inspection pipeline"
+    ],
+    "privacy_regimes": [
+      "GDPR",
+      "CCPA/CPRA",
+      "LGPD",
+      "PIPEDA",
+      "POPIA",
+      "HIPAA",
+      "PCI-DSS"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CLASS-ML-CLASSIFIER": {
+    "id": "DLP-CLASS-ML-CLASSIFIER",
+    "name": "ML-based content classification",
+    "category": "classification",
+    "modern_or_legacy": "modern",
+    "description": "Supervised or zero-shot ML classifiers that label content (financial, legal, source-code, M&A-confidential) without explicit pattern rules. Used to catch unstructured proprietary content regex cannot match.",
+    "covers": [
+      "unstructured proprietary content categories",
+      "intent-based classifications ('this looks like an M&A document')",
+      "code vs. natural language discrimination"
+    ],
+    "does_not_cover": [
+      "adversarial-paraphrase bypasses",
+      "novel content classes the model wasn't trained on",
+      "low-resource languages with sparse training data"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "T1567",
+      "T1213"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-SI-12",
+      "NIST-AI-RMF-MEASURE-2.7",
+      "ISO-27001-2022-A.8.12",
+      "ISO-42001-A.7.4",
+      "EU-AI-Act-Art15"
+    ],
+    "vendor_categories": [
+      "AI-classifier DLP (Microsoft Purview trainable classifiers, Nightfall AI ML detectors, Symantec DLP ML, Forcepoint Risk-Adaptive Protection)",
+      "Custom (sentence-transformers + scikit-learn / lightgbm pipelines)"
+    ],
+    "ai_pipeline_applicability": "Primary control point for unstructured AI-pipeline egress. The only practical answer for 'is this prompt revealing our roadmap?'",
+    "lag_notes": "Frameworks reference 'data classification' abstractly. EU AI Act Art 15 cites robustness requirements but does not name DLP classifiers as a control category. NIST AI-RMF MEASURE 2.7 covers performance / robustness of AI systems used in controls — applies recursively when the DLP classifier itself is AI.",
+    "evidence_examples": [
+      "Trainable-classifier accuracy report (P/R/F1) on labeled validation set",
+      "Adversarial-paraphrase robustness test results",
+      "False-positive rate by content category"
+    ],
+    "privacy_regimes": [
+      "GDPR (where classifier outputs are decisional)",
+      "EU AI Act (where DLP classifier qualifies as high-risk AI system used in workplace monitoring — Annex III consideration)"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CLASS-EMBEDDING-MATCH": {
+    "id": "DLP-CLASS-EMBEDDING-MATCH",
+    "name": "Embedding-similarity match to protected corpus",
+    "category": "classification",
+    "modern_or_legacy": "modern",
+    "description": "Compute embedding of candidate egress content, compare to embedding index of protected corpus (source repos, sensitive documents, customer data). High similarity triggers DLP action.",
+    "covers": [
+      "paraphrased restatements of protected documents",
+      "code fragments that semantically match private repos",
+      "leakage of training-data-equivalent content"
+    ],
+    "does_not_cover": [
+      "content with no representative in the protected corpus",
+      "adversarially perturbed embeddings (rare in practice for short text)"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "AML.T0048",
+      "AML.T0057"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-SI-12",
+      "NIST-AI-RMF-MEASURE-2.10",
+      "ISO-27001-2022-A.8.12",
+      "ISO-42001-A.7.4"
+    ],
+    "vendor_categories": [
+      "AI-aware DLP with embedding match (Nightfall AI, Microsoft Purview AI Hub semantic match preview, Forcepoint AI Security)",
+      "Custom (pgvector / Qdrant / Pinecone over protected corpus + cosine threshold)"
+    ],
+    "ai_pipeline_applicability": "Primary control point for trade-secret and code leakage. The only classifier that can catch 'they explained our private algorithm in their own words.'",
+    "lag_notes": "No framework names embedding-similarity as a control. Compliance auditors will not ask for it; security teams should require it for high-IP-value organizations.",
+    "evidence_examples": [
+      "Embedding index manifest with corpus inventory",
+      "Threshold tuning report (cosine similarity vs. FP/FN rate)",
+      "Per-event similarity score in DLP incident log"
+    ],
+    "privacy_regimes": [
+      "trade-secret regimes (US DTSA, EU 2016/943)",
+      "GDPR (where corpus contains personal data and embeddings are themselves processing)"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-CLASS-WATERMARK": {
+    "id": "DLP-CLASS-WATERMARK",
+    "name": "Output watermarking and provenance signals",
+    "category": "classification",
+    "modern_or_legacy": "modern",
+    "description": "Embed detectable provenance markers (steganographic watermarks, statistical watermarks for LLM outputs, C2PA content credentials) so that subsequent appearance of protected content can be traced.",
+    "covers": [
+      "AI-generated text watermarking (statistical token-distribution marks)",
+      "image / video provenance (C2PA, Content Credentials)",
+      "document watermarks (visible + invisible)"
+    ],
+    "does_not_cover": [
+      "paraphrased text that breaks statistical watermarks",
+      "screenshotted content that bypasses document watermarks",
+      "re-encoded media without provenance preservation"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "T1567"
+    ],
+    "framework_controls_partially_mapping": [
+      "EU-AI-Act-Art50",
+      "NIST-AI-RMF-MEASURE-3.1",
+      "ISO-42001-A.6.2.5"
+    ],
+    "vendor_categories": [
+      "LLM watermarking research / vendor APIs (Google SynthID for text/image, OpenAI watermarking work)",
+      "C2PA content credentials (Adobe, Microsoft, Sony, Leica camera firmware)",
+      "Document watermarking (Adobe Acrobat, Microsoft Information Protection labels with visible marks)"
+    ],
+    "ai_pipeline_applicability": "Partial. Provides post-hoc forensic value when content reappears. Does not prevent egress in real time. EU AI Act Art 50 makes AI-output marking a legal obligation for general-purpose AI systems serving EU users from 2026.",
+    "lag_notes": "EU AI Act Art 50 is ahead of NIST and ISO; US frameworks have no equivalent prescriptive watermarking requirement. Statistical text watermarks remain a research-grade control with documented bypass methods.",
+    "evidence_examples": [
+      "SynthID watermark detection report on suspicious content",
+      "C2PA manifest verification result",
+      "Document-watermark match in forensic review"
+    ],
+    "privacy_regimes": [
+      "EU AI Act Art 50 (transparency)",
+      "EU DSA (where applicable)"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-SURFACE-RAG-CORPUS": {
+    "id": "DLP-SURFACE-RAG-CORPUS",
+    "name": "RAG corpus as protected surface",
+    "category": "surface",
+    "modern_or_legacy": "modern",
+    "description": "Treat the document corpus indexed for RAG as a protected data surface. Includes ingest-time classification, label propagation, retrieval-time access control, and per-document retention.",
+    "covers": [
+      "sensitivity labeling of corpus documents",
+      "retrieval-time access-control evaluation (user clearance vs. document label)",
+      "ingest exclusions for documents that should never enter the index",
+      "right-to-erasure propagation to corpus and to derived embeddings"
+    ],
+    "does_not_cover": [
+      "the embedding store as a separate surface (DLP-SURFACE-EMBEDDING-STORE)",
+      "model training data (DLP-SURFACE-TRAINING-DATA)"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "AML.T0048",
+      "AML.T0057"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-3",
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SC-28",
+      "NIST-AI-RMF-MEASURE-2.10",
+      "ISO-27001-2022-A.5.34",
+      "ISO-42001-A.7.4",
+      "GDPR-Art5",
+      "GDPR-Art17",
+      "EU-AI-Act-Art10"
+    ],
+    "vendor_categories": [
+      "RAG platforms with label-aware retrieval (Microsoft Copilot for M365 with Purview label honoring, Glean with permission mirroring, Vertex AI Search with IAM propagation)",
+      "Document classification engines feeding RAG (Microsoft Purview Information Protection, BigID, OneTrust DSAR)"
+    ],
+    "ai_pipeline_applicability": "Primary control point. RAG without label-aware retrieval is the confused-deputy default state — under-cleared users get over-cleared retrievals.",
+    "lag_notes": "GDPR Art 17 (right to erasure) does not anticipate that erasure must propagate to a vector store derived from the source document. Most RAG implementations cannot answer 'have you forgotten this person?' Until major frameworks codify retrieval-time access control, the operational requirement is documented but compliance-invisible.",
+    "evidence_examples": [
+      "Permission-mirroring configuration in RAG platform",
+      "Retrieval audit log with user clearance + document label",
+      "Erasure-propagation procedure with vector-store re-index step"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 5, Art 17, Art 32)",
+      "CCPA/CPRA (deletion)",
+      "LGPD",
+      "HIPAA"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-SURFACE-EMBEDDING-STORE": {
+    "id": "DLP-SURFACE-EMBEDDING-STORE",
+    "name": "Vector / embedding store as protected surface",
+    "category": "surface",
+    "modern_or_legacy": "modern",
+    "description": "Treat the vector database / embedding store as an independent protected data surface. Embeddings can be inverted to recover content (embedding-inversion attacks); the store must be access-controlled, encrypted, and audited.",
+    "covers": [
+      "IAM and network controls on vector DB (Pinecone, Qdrant, Weaviate, pgvector, OpenSearch k-NN, Milvus)",
+      "encryption at rest of embedding vectors",
+      "audit logging of vector queries and dumps",
+      "embedding-inversion resistance considerations"
+    ],
+    "does_not_cover": [
+      "the underlying corpus (DLP-SURFACE-RAG-CORPUS)",
+      "the model weights themselves"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0044",
+      "AML.T0048",
+      "T1530"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-3",
+      "NIST-800-53-SC-28",
+      "NIST-800-53-AU-2",
+      "ISO-27001-2022-A.8.20",
+      "ISO-27001-2022-A.8.24",
+      "GDPR-Art32"
+    ],
+    "vendor_categories": [
+      "Managed vector DB with enterprise controls (Pinecone enterprise, Qdrant Cloud, Weaviate Cloud, Azure AI Search, Vertex AI Vector Search)",
+      "Self-hosted with standard data-plane controls (pgvector inside Postgres with row-level security)"
+    ],
+    "ai_pipeline_applicability": "Primary control point. The embedding store is a derived dataset that inherits the sensitivity of its source corpus but is rarely scoped into DLP inventories.",
+    "lag_notes": "GDPR processors-and-controllers framing does not contemplate embeddings as a separate processing artifact. NIST 800-53 SC-28 (protection at rest) applies but is not specific to vector representations. Embedding-inversion as an attack class is not named in any current framework.",
+    "evidence_examples": [
+      "Vector-DB IAM policy snapshot",
+      "Encryption-at-rest configuration on vector store",
+      "Audit log of administrative dumps or large query exfil"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 32 security of processing; embedding-inversion considerations for personal data)",
+      "CCPA/CPRA",
+      "LGPD"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-SURFACE-TRAINING-DATA": {
+    "id": "DLP-SURFACE-TRAINING-DATA",
+    "name": "Model training data as protected surface",
+    "category": "surface",
+    "modern_or_legacy": "modern",
+    "description": "Treat data used for model fine-tuning, distillation, or pre-training as a protected surface, with governance over lineage, consent, sensitivity, and post-training extraction risk.",
+    "covers": [
+      "training-set lineage and consent records",
+      "membership-inference and training-data-extraction risk assessment",
+      "differential-privacy or de-identification of training data",
+      "opt-out propagation from upstream sources"
+    ],
+    "does_not_cover": [
+      "the corpus used at retrieval time (DLP-SURFACE-RAG-CORPUS)",
+      "the live prompt traffic (DLP-CHAN-LLM-PROMPT)"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "AML.T0044",
+      "AML.T0048"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-AI-RMF-MAP-4.1",
+      "NIST-AI-RMF-MEASURE-2.10",
+      "ISO-42001-A.7.4",
+      "EU-AI-Act-Art10",
+      "GDPR-Art5",
+      "GDPR-Art6"
+    ],
+    "vendor_categories": [
+      "Data governance platforms (Collibra, BigID, OneTrust DataDiscovery)",
+      "ML lineage / observability (Weights & Biases, MLflow, Comet)",
+      "Differential-privacy training tooling (Google DP libraries, Opacus for PyTorch)"
+    ],
+    "ai_pipeline_applicability": "Primary control point for any organization fine-tuning or distilling models. Once data enters training, removal is not free — the model is the artifact.",
+    "lag_notes": "EU AI Act Art 10 (data and data governance) is the most prescriptive existing framework; ISO/IEC 42001:2023 A.7.4 references training data quality but is not prescriptive on extraction-risk testing. NIST AI-RMF treats this under MAP-4 and MEASURE-2.10. GDPR right-to-erasure interacts uncomfortably with trained model weights.",
+    "evidence_examples": [
+      "Training-set lineage manifest",
+      "Membership-inference attack test report",
+      "Differential-privacy epsilon budget configuration"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 5, Art 6, Art 17)",
+      "EU AI Act Art 10",
+      "CCPA/CPRA",
+      "LGPD"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-ENFORCE-BLOCK": {
+    "id": "DLP-ENFORCE-BLOCK",
+    "name": "Hard block enforcement",
+    "category": "enforcement",
+    "modern_or_legacy": "legacy",
+    "description": "Terminate or refuse the egress action when classification triggers. The strongest enforcement mode; produces the highest disruption and forces the highest classifier quality.",
+    "covers": [
+      "block on confirmed PCI, PHI, secrets, source-code patterns",
+      "block on embedding-similarity to protected corpus above threshold",
+      "block on regulated cross-border transfer"
+    ],
+    "does_not_cover": [
+      "false-positive cases — block converts FP into business-impact incident",
+      "asynchronous channels where 'block' is meaningless (after-the-fact analytics)"
+    ],
+    "attack_techniques_addressed": [
+      "T1048",
+      "T1567",
+      "AML.T0024"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "PCI-DSS-4.0-3.4",
+      "HIPAA-164.312(e)",
+      "ISO-27001-2022-A.8.12"
+    ],
+    "vendor_categories": [
+      "Every commercial DLP enforcement mode (Microsoft Purview, Symantec, Forcepoint, Trellix, Proofpoint, Netskope, Zscaler, Nightfall)"
+    ],
+    "ai_pipeline_applicability": "Applicable to channels with inline control (LLM gateway, managed browser, SDK proxy). Not applicable where DLP is observational only.",
+    "lag_notes": "Block enforcement is mandated implicitly by prescriptive privacy regimes (PCI-DSS, HIPAA). For AI-pipeline channels, inline blocking requires the org to operate through a gateway or proxy — not architecturally guaranteed.",
+    "evidence_examples": [
+      "DLP policy action='block' configuration",
+      "Block-event incident records with user, content class, channel"
+    ],
+    "privacy_regimes": [
+      "GDPR Art 32 (technical measures)",
+      "PCI-DSS",
+      "HIPAA",
+      "CCPA/CPRA",
+      "LGPD"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-ENFORCE-REDACT": {
+    "id": "DLP-ENFORCE-REDACT",
+    "name": "Inline redaction enforcement",
+    "category": "enforcement",
+    "modern_or_legacy": "modern",
+    "description": "Modify the egress payload in-flight to remove or pseudonymise classified content (replace SSNs with tokens, strip secret tokens, mask names). Lower disruption than block; preserves business workflow.",
+    "covers": [
+      "regex-defined PII tokens replaced with format-preserving placeholders",
+      "secrets stripped from prompts",
+      "named-entity redaction in LLM-bound text"
+    ],
+    "does_not_cover": [
+      "unstructured proprietary content that cannot be cleanly redacted",
+      "redaction-reversibility — once a name is replaced the LLM cannot reason about the entity correctly",
+      "false-positives over-redact and degrade output quality"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "T1567"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SI-12",
+      "ISO-27001-2022-A.8.11",
+      "GDPR-Art5",
+      "GDPR-Art32"
+    ],
+    "vendor_categories": [
+      "LLM-aware redaction (Microsoft Presidio + custom, Nightfall AI redaction mode, Forcepoint AI Security redact action, Cloudflare AI Gateway with regex rewrite)",
+      "Pseudonymisation tooling at LLM gateway (Portkey transforms)"
+    ],
+    "ai_pipeline_applicability": "Primary modern enforcement mode for LLM prompts. Preserves usability while honoring minimisation (GDPR Art 5). Critical for cross-border AI-pipeline use where raw PII transfer is restricted.",
+    "lag_notes": "GDPR Art 5 minimisation arguably requires redaction-or-equivalent on any prompt containing personal data leaving the controller — but no enforcement decision has yet tested this for LLM use.",
+    "evidence_examples": [
+      "Redaction-policy configuration with token format",
+      "Pre/post redaction sample diff in audit log",
+      "Round-trip quality test confirming LLM output usefulness after redaction"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 5 minimisation, Art 32)",
+      "CCPA/CPRA (de-identification standard)",
+      "LGPD",
+      "HIPAA (Safe Harbor de-identification)"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-ENFORCE-COACH": {
+    "id": "DLP-ENFORCE-COACH",
+    "name": "User-coaching / justification enforcement",
+    "category": "enforcement",
+    "modern_or_legacy": "modern",
+    "description": "On classification trigger, present a coaching prompt to the user explaining the policy and either allowing with logged justification or routing to a higher-friction approval. Trades enforcement strength for false-positive tolerance and culture-building.",
+    "covers": [
+      "paste into AI tool with confirmation prompt",
+      "outbound mail with 'are you sure?' coaching",
+      "approval-with-justification workflow for unusual but legitimate cases"
+    ],
+    "does_not_cover": [
+      "malicious insider (will simply provide false justification)",
+      "channels with no UI to coach into (programmatic SDK use)"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "T1567"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AT-2",
+      "NIST-800-53-AC-4",
+      "ISO-27001-2022-A.6.3",
+      "ISO-27001-2022-A.8.12"
+    ],
+    "vendor_categories": [
+      "Microsoft Purview adaptive policies with coaching",
+      "Forcepoint Risk-Adaptive Protection with user-coaching",
+      "Managed-browser coaching (Island, Talon)",
+      "Polymer DLP coaching prompts"
+    ],
+    "ai_pipeline_applicability": "Primary control point for non-malicious LLM misuse. Coaching scales without per-event review and provides the audit trail that maturing AI-use policies need.",
+    "lag_notes": "Frameworks treat user training (NIST AT-2, ISO A.6.3) as periodic; just-in-time coaching is a stronger control unrecognised in current standards.",
+    "evidence_examples": [
+      "Coaching-event log with user, content class, justification text",
+      "Conversion rate (coached -> proceed vs. coached -> abort) as a culture signal"
+    ],
+    "privacy_regimes": [
+      "GDPR (lawful basis documentation through justification)",
+      "workplace-monitoring regimes (works-council notification in EU, employer notice in CA/IL)"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-EVIDENCE-AUDIT": {
+    "id": "DLP-EVIDENCE-AUDIT",
+    "name": "DLP audit trail for compliance evidence",
+    "category": "evidence",
+    "modern_or_legacy": "legacy",
+    "description": "Tamper-evident logging of DLP events (policy hits, blocks, allows, coaching responses) suitable for compliance attestation and post-incident review. Required by every prescriptive privacy framework.",
+    "covers": [
+      "per-event logs (user, time, channel, classifier, action)",
+      "retention aligned to regulatory requirement",
+      "log integrity (hash-chained or signed)"
+    ],
+    "does_not_cover": [
+      "forensic-grade payload capture (DLP-EVIDENCE-FORENSICS)",
+      "real-time alerting (operational, not evidence)"
+    ],
+    "attack_techniques_addressed": [
+      "T1070",
+      "T1562"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AU-2",
+      "NIST-800-53-AU-6",
+      "ISO-27001-2022-A.8.15",
+      "ISO-27001-2022-A.8.16",
+      "PCI-DSS-4.0-10",
+      "HIPAA-164.312(b)",
+      "GDPR-Art30"
+    ],
+    "vendor_categories": [
+      "Every DLP vendor (Microsoft Purview, Symantec, Forcepoint, Trellix, Proofpoint, Nightfall) with SIEM export",
+      "SIEM (Splunk, Sentinel, Elastic, Chronicle) ingesting DLP feeds"
+    ],
+    "ai_pipeline_applicability": "Primary control point for AI use evidence. Without DLP audit on prompt channels, EU AI Act Art 12 (record-keeping) is non-attestable for any high-risk AI use case.",
+    "lag_notes": "PCI-DSS Requirement 10 and HIPAA 164.312(b) presume audit logs on classical channels. EU AI Act Art 12 extends record-keeping to AI systems but is not specific about DLP integration.",
+    "evidence_examples": [
+      "DLP-to-SIEM data pipeline with retention policy",
+      "Log-integrity verification (hash chain) result",
+      "Sample event extract for an attestation"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 30 records of processing)",
+      "EU AI Act Art 12 (record-keeping)",
+      "HIPAA",
+      "PCI-DSS",
+      "CCPA/CPRA",
+      "LGPD"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-EVIDENCE-FORENSICS": {
+    "id": "DLP-EVIDENCE-FORENSICS",
+    "name": "Per-event forensic capture",
+    "category": "evidence",
+    "modern_or_legacy": "modern",
+    "description": "On DLP trigger, capture the full payload (with privacy-aware handling) for forensic reconstruction. Distinct from audit logs which carry metadata; forensics carries content.",
+    "covers": [
+      "full prompt + tool-arg payload on AI-channel triggers",
+      "full mail / file payload on classical-channel triggers",
+      "chain-of-custody handling for evidentiary use"
+    ],
+    "does_not_cover": [
+      "routine audit (DLP-EVIDENCE-AUDIT — metadata only)",
+      "indefinite retention — forensics retention should be incident-scoped, not bulk"
+    ],
+    "attack_techniques_addressed": [
+      "T1567",
+      "T1213",
+      "AML.T0024"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-IR-4",
+      "NIST-800-53-AU-10",
+      "ISO-27001-2022-A.5.27",
+      "ISO-27001-2022-A.5.28",
+      "PCI-DSS-4.0-12.10"
+    ],
+    "vendor_categories": [
+      "DLP forensic capture modes (Symantec DLP, Forcepoint DLP, Microsoft Purview Activity Explorer with content)",
+      "DFIR platforms (Magnet AXIOM, Cellebrite Enterprise) for follow-on analysis"
+    ],
+    "ai_pipeline_applicability": "Primary control point for incident response on AI channels. Without prompt-payload capture, post-incident reconstruction of an AI-mediated data leak is forensically blind.",
+    "lag_notes": "Privacy-by-design constraints (GDPR Art 25) create tension with forensic capture; the resolution is incident-scoped retention with strict access. No framework prescribes capture rules for AI channels specifically.",
+    "evidence_examples": [
+      "Forensic-capture policy with retention and access-control rules",
+      "Chain-of-custody record for a recent incident",
+      "DPIA covering forensic-capture processing"
+    ],
+    "privacy_regimes": [
+      "GDPR (Art 25 PbD; Art 32 security; balanced against Art 6(1)(f) legitimate interest)",
+      "works-council and labor-law restrictions in EU member states (DE, FR, NL)",
+      "CCPA/CPRA"
+    ],
+    "last_verified": "2026-05-11"
+  },
+  "DLP-LAG-LEGACY-SCOPE": {
+    "id": "DLP-LAG-LEGACY-SCOPE",
+    "name": "Legacy DLP scope gap (meta-control)",
+    "category": "framework_lag",
+    "modern_or_legacy": "modern",
+    "description": "Meta-entry: explicitly names the gap between the channel set legacy frameworks cite (email / web / USB) and the operational channel set of 2026 (LLM prompt, LLM context, MCP tool-arg, clipboard-to-AI, code-completion context, IDE telemetry). Used by dlp-gap-analysis to flag framework-as-truth drift.",
+    "covers": [
+      "surfacing the gap during framework-gap-analysis",
+      "rejecting compliance attestations that scope DLP to legacy channels only",
+      "ratcheting policy scope when new AI channels are deployed"
+    ],
+    "does_not_cover": [
+      "any specific technical control — this entry is purely a gap declaration"
+    ],
+    "attack_techniques_addressed": [
+      "AML.T0024",
+      "AML.T0048",
+      "AML.T0051",
+      "AML.T0057"
+    ],
+    "framework_controls_partially_mapping": [
+      "NIST-800-53-AC-4",
+      "NIST-800-53-SC-7",
+      "ISO-27001-2022-A.8.12",
+      "PCI-DSS-4.0-3.4",
+      "HIPAA-164.312(e)",
+      "NIS2-Art21",
+      "EU-AI-Act-Art15",
+      "ISO-42001-A.7.4"
+    ],
+    "vendor_categories": [
+      "Not applicable — this is a meta-control, not a product category"
+    ],
+    "ai_pipeline_applicability": "Primary control point conceptually. The whole purpose of this entry is to insist that AI-pipeline channels are in scope when frameworks were written assuming they were not.",
+    "lag_notes": "This entry exists because every prescriptive privacy framework (NIST 800-53, ISO 27001:2022, PCI-DSS 4.0, HIPAA, GDPR Art 32) cites generic 'data leakage prevention' or specific legacy channels. None enumerates the AI channel set as of mid-2026. Treating any of these frameworks as exhaustive scope is DR-1 framework-as-truth drift.",
+    "evidence_examples": [
+      "dlp-gap-analysis skill output flagging legacy-only scope",
+      "Policy ratchet record adding LLM prompt channel to in-scope DLP"
+    ],
+    "privacy_regimes": [
+      "GDPR",
+      "EU AI Act",
+      "CCPA/CPRA",
+      "LGPD",
+      "PIPEDA",
+      "POPIA",
+      "HIPAA",
+      "PCI-DSS"
+    ],
+    "last_verified": "2026-05-11"
+  }
+}