ZTNA Controls Access. It Doesn't Stop the Leak.
.jpg)
Short answer: ZTNA is an access control. It decides who reaches which app. That's useful, and it's also only half of zero trust. Once a user is inside a permitted app, ZTNA doesn't inspect what they paste, type, or upload. The data can still walk out the front door you just opened. On-device Fly Direct adds the missing half: it inspects the prompt and the upload and blocks sensitive data before it leaves the device. Access control and data protection are two jobs, and modern risk needs both.
Access is a gate, not a guard
Think of ZTNA as a very good gate. It checks the badge, confirms the person belongs, and lets them into the right room. What it doesn't do is watch what they carry out. A gate controls entry. It doesn't inspect the briefcase on the way through.
For a lot of 2020-era risk, the gate was enough. The threat model was an outsider trying to get in, or an over-broad VPN giving a compromised account the run of the network. Tightening access to per-app, identity-verified sessions addressed that well.
For 2026 risk, where the fastest data-loss path is a text box in an AI tool, the gate leaves the most important door unwatched. The person is authorized. The app is sanctioned. And the sensitive data still leaves, in the content of a request the access control never looked inside.
Where the leak actually happens
The leak rarely happens at login. It happens after access, in the content: source code pasted into an assistant, a customer list uploaded to a chatbot, regulated data typed into a prompt. 77% of employees have already leaked sensitive data through tools like ChatGPT. An access control that verified the user perfectly still watches all of that go by, because inspecting content was never its job.
Notice that most of these leaks aren't malicious. They're a rushed employee trying to get work done: summarize this contract, debug this code, clean up this spreadsheet. The intent is productivity. The effect is regulated or proprietary data leaving the building through a sanctioned tool the access layer happily allowed. You can't gate your way out of a problem that lives inside permitted sessions.
We break down that exact failure in AI DLP: what it is and why regex won't cut it and in ChatGPT DLP.
Why bolt-on DLP struggles here
The usual answer is to add a separate DLP product next to the access layer. It helps, but the seams show. Legacy DLP grew up around files and classic channels: email attachments, USB, network egress. Its coverage of third-party AI request semantics, the actual structure of a prompt or a native client's API call, varies. And when it lives in a different enforcement point than the access control, the two don't share context. The DLP sees content without knowing the process or the account; the access layer sees the account without seeing the content.
That gap between 'who' and 'what' is exactly where modern leaks slip through. A decision that knows the account is personal but not that the upload is sensitive, or knows the content is sensitive but not that the process is a personal AI client, can't make the right call. You need both signals in the same decision.
What on-device enforcement adds
Fly Direct doesn't stop at deciding access. Because it runs at the operating system's networking layer, it inspects the request itself. Dopamine DLP intercepts file uploads and AI prompts, classifies the content with zero-retention APIs, and blocks PII, PCI, PHI, or IP before it leaves the endpoint. Three modes: Block, Monitor, Off. It's covered by US Patent no. 12,464,023. The details are in Meet Dopamine DLP.
The key word is 'before.' This is pre-transmission enforcement. The sensitive prompt or upload is stopped on the device, not flagged in a report after the provider already received it. That distinction is the whole game with data loss. Once the data reaches a third-party model or SaaS app, it's gone; you can't unsend it. A control that only tells you a leak happened is an incident report generator. A control that stops it before transmission is prevention.
Two jobs, one place
The elegant part is that access control and data protection can live in the same enforcement point. On the device, the same agent that decides whether a destination is allowed can also inspect what's about to be sent to it, and combine that with who the user is, which process made the request, and whether the account is a corporate tenant or a personal one. One decision, full context.
A broker that only gates access can't reach into content, so it needs a separate DLP product bolted alongside it, with the seam problem described above. On-device, it's one layer. The access decision and the data decision are made together, with the same signals, at the same point. That's simpler to operate and sharper in outcome.
Monitor first, then block
There's also a rollout benefit to inspecting at the endpoint. Because Dopamine DLP has a Monitor mode, teams can turn on inspection without blocking anything, watch what sensitive data is actually flowing to which tools, and tune policy against reality before enforcing. That turns the data-protection rollout from a risky big-bang into a measured sequence: see, tune, then block. Access-only architectures can't offer that, because they never see the content to begin with.
The honest scope
ZTNA does the access job it was designed for, and for private-app access that job matters. The argument here is that access control alone is an incomplete reading of zero trust in 2026. 'Never trust, always verify' has to include verifying what leaves, not just who enters.
For the web, SaaS, and AI plane, that verification belongs on the device, where the content is visible before it goes anywhere and can share context with the access decision. Our best shadow AI governance tools comparison puts the access-plus-data-protection model in context, and how to stop employees uploading sensitive files to AI shows the data side in practice.
Insider risk and compromised accounts
Access control has a blind spot that gets worse the more you lean on identity: the legitimately authenticated session. If credentials are phished or a session token is stolen, the attacker arrives as a verified user and sails through the gate. If an insider decides to take data, they're already inside, already trusted. In both cases the access decision is technically correct and the outcome is still a breach, because the risk lives in the action, not the login.
Content inspection at the endpoint is what covers these cases. It doesn't matter that a session is authenticated when the thing being uploaded is a customer database or a source repository. Watching what leaves, not just who entered, is how you address the authenticated-but-malicious and compromised-account scenarios that pure access control structurally cannot see. This is also the part of zero trust that boards and regulators increasingly ask about: not 'did you verify the user,' but 'can you show what left.'
Frequently asked questions
Doesn't ZTNA include DLP? ZTNA is fundamentally an access control. Some vendors pair it with a separate DLP product, but the access broker itself decides reachability, not content. On-device enforcement inspects content as part of the same decision.
What does 'pre-transmission' mean? The prompt or upload is inspected and blocked on the device before it reaches the AI provider or SaaS app, rather than caught in an audit log after the data already left.
What data types can on-device DLP catch? Dopamine DLP detects PII, PCI, PHI, and intellectual property in prompts and uploads, with Block, Monitor, and Off modes.
Why is bolt-on DLP weaker than integrated? A separate DLP product often lives in a different enforcement point than the access control, so the two don't share context. On-device, access and content decisions are made together with the same signals.
Can I roll out data protection without blocking users on day one? Yes. Monitor mode lets you observe what sensitive data is flowing and to which tools, tune policy, then switch to Block once it fits your environment.
Do most AI data leaks involve malicious intent? Usually not. They're employees trying to get work done through sanctioned tools. That's exactly why access control misses them and content inspection is required.
Watch the door and the briefcase
Add data protection to your zero trust, in the same place you enforce access. Book a 20-minute demo or start an instant trial with your corporate email.
Further reading: how to stop employees uploading sensitive files to AI and the CASB Neural product overview.


.jpeg)
.jpeg)
.jpg)

