Data loss prevention (DLP) detects and prevents unauthorized transmission of sensitive data by classifying data, monitoring channels (email, web, USB, cloud), and blocking policy violations.
DLP placement: endpoint (monitor file operations, USB), network (inspect outbound traffic), cloud (a CASB monitors SaaS apps). False positives are the main challenge: legitimate sharing of sensitive data must keep working. Start in monitor mode before enforcing. DLP is not a substitute for access control; it is a last line of defense.
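The classify, monitor, then enforce flow described above, as an added example that is not taken from any DLP product. The event schema, the function names and the sample events are assumptions constructed for illustration; the Luhn check shows one common way to cut false positives on card-number patterns.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects tracking numbers and other arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> list[str]:
    """Return masked card-number findings so the DLP log never stores the full value."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append("*" * (len(digits) - 4) + digits[-4:])
    return findings

def evaluate(event: dict, mode: str = "monitor") -> dict:
    """Decide the action for one outbound event (hypothetical schema)."""
    findings = classify(event["body"])
    if not findings:
        action = "allow"
    elif mode == "enforce":
        action = "block"
    else:
        action = "allow+log"    # monitor mode: record the hit, never interrupt the user
    return {"channel": event["channel"], "action": action, "findings": findings}

# Constructed sample events, one per monitored channel.
EVENTS = [
    {"channel": "email", "body": "Customer card 4111 1111 1111 1111, please refund."},
    {"channel": "web",   "body": "Tracking number 1234 5678 9012 3456 shipped today."},
    {"channel": "usb",   "body": "Quarterly report draft, no customer data."},
]

if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        for ev in EVENTS:
            print(mode, evaluate(ev, mode))
```

Reviewing the `allow+log` hits collected in monitor mode shows which legitimate workflows a rule would break before it is switched to enforce.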