⚠ 91% OF VISUAL HACKING ATTEMPTS SUCCEED — 3M GLOBAL VISUAL HACKING EXPERIMENT
MARKET RESEARCH October 28, 2025

DLP Investment Is Booming — But Is It Protecting the Right Things?

Billions are flowing into data loss prevention. A closer look at where the money goes — and where it doesn't — reveals a significant gap.


The data loss prevention market is growing at a pace that few enterprise security categories can match. Analyst estimates for the global DLP market range from $3 billion to over $6 billion annually, with compound annual growth rates projected between 15% and 25% through 2028. Enterprise security budgets that were already significant are expanding further as AI-driven threats, regulatory pressure, and high-profile breaches make data protection a board-level priority.

This investment is real and, in many areas, producing results. But a closer look at where the money is flowing — and where data is actually leaking — reveals a significant mismatch.

What Is Driving the DLP Investment Surge

Several converging forces are driving the current wave of DLP investment:

Regulatory Expansion

New and strengthened regulations are mandating more rigorous data protection controls. In Europe, DORA (Digital Operational Resilience Act) came into force in January 2025, imposing binding ICT risk management requirements — including physical safeguards — on all financial entities. The EU AI Act introduces new data governance obligations. HIPAA is undergoing its most significant update since 2003. ISO 27001:2022 introduced new controls around data leakage prevention. Each regulatory update creates immediate compliance spending.

AI-Driven Threat Evolution

The emergence of large language models and AI coding assistants has created new data exfiltration vectors. Employees routinely share sensitive information with external AI tools — sometimes deliberately, often inadvertently. Organizations are investing in controls to manage what data reaches external AI services.

Hybrid and Remote Work Permanence

The normalization of hybrid and remote work has permanently expanded the data protection perimeter. Sensitive data that once existed only within a physically controlled office environment now flows through home offices, shared workspaces, and mobile devices. DLP investment is partly an attempt to extend enterprise controls into environments that were never designed for enterprise security.

High-Profile Breach Consequences

The financial and reputational consequences of data breaches continue to escalate. Average breach costs in financial services now exceed $6 million per incident. Board-level visibility into data protection has never been higher, and CISOs are under pressure to demonstrate that controls are comprehensive.

Where the Investment Is Going

The current wave of DLP investment is concentrated in several areas:

  • Cloud DLP — extending data protection controls to cloud storage, SaaS applications, and cloud collaboration platforms
  • AI-powered classification — using machine learning to improve data classification accuracy and reduce false positive alert rates
  • CASB (Cloud Access Security Broker) — controlling what data employees share with cloud services, including AI tools
  • Endpoint DLP — monitoring and controlling data at the device level, including file access, USB transfers, and print activity
  • DSPM (Data Security Posture Management) — providing visibility into where sensitive data lives across the organization's data estate

These investments are genuinely valuable. Cloud DLP, in particular, addresses real and significant risks as organizations migrate data and workloads to cloud environments.

The Unaddressed Gap in DLP Spending

Despite the scale of DLP investment, one exfiltration vector receives almost no attention or budget allocation: visual data exposure at the screen level.

Screens — the physical displays on which sensitive data appears — are not covered by any of the DLP categories receiving significant investment. Cloud DLP does not protect screens. Endpoint DLP does not protect screens. AI classification does not protect screens. CASB does not protect screens.

This matters because screen-level data exfiltration is both common and completely invisible to every existing DLP control:

  • A developer photographs their screen to share code with an AI tool
  • A contractor photographs a financial dashboard during a meeting
  • An employee's screen is visible to unauthorized colleagues in an open-plan office
  • A remote worker leaves sensitive data on screen in a shared home environment

None of these events generates a DLP alert. None is captured in audit logs. None is addressed by the billions being invested in the DLP market. Every CISO reviewing their DLP coverage should ask: do we have a technical control that prevents phone cameras from capturing what is on our screens? For most organizations, the honest answer is no.

The Regulatory Pressure on Physical Safeguards

The regulatory frameworks driving DLP investment are increasingly explicit about physical and visual safeguards — not just digital controls.

DORA Article 6(2) requires financial entities to "protect all relevant physical components and infrastructures...to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage." The screen is a physical component. Unauthorized visual access is unauthorized access.

ISO 27001 Annex A 7.7 addresses clear screen and clear desk policy — but increasingly, auditors are asking for technical enforcement of these policies, not just documentation.

HIPAA 45 CFR § 164.310(c) requires physical safeguards for workstations accessing protected health information. In remote work environments, where physical safeguards like locked rooms are impossible, technical controls at the screen level are the only viable compliance path.

Organizations investing heavily in DLP to achieve regulatory compliance may find that their spending addresses digital channels thoroughly while leaving the physical screen exposure gap — which regulators are explicitly targeting — entirely unaddressed. Organizations currently passing DLP audits on digital controls may fail the next audit when physical safeguard enforcement is specifically tested.

The Emerging Screen DLP Category

Screen DLP is the emerging category that addresses this gap. Rather than monitoring digital data channels, Screen DLP monitors the physical environment around the screen using existing endpoint webcams and on-device AI processing.

As regulatory requirements tighten around physical safeguards, and as screen photography becomes a more documented and prevalent exfiltration vector, Screen DLP is moving from a novel concept to a necessary component of a comprehensive data protection strategy.

Organizations currently planning DLP budget allocation should consider whether their investment addresses the full spectrum of data exfiltration risks — including the screen-level gap that current spending largely ignores. Screen DLP software fills this gap without replacing existing infrastructure.

Real-World Scenario: Insurance Call Center, PCI DSS Audit Approaching

An insurance company has invested significantly in DLP — Microsoft Purview for email and cloud, endpoint DLP for USB controls, CASB for cloud app governance. Their PCI DSS audit is six weeks away. A QA manager reviewing the audit checklist notices: "Requirement 9 — restrict physical access to cardholder data." The call center handles payments. Agents have card details on screen daily. There is no technical control preventing a colleague from photographing that screen. There is no audit log of screen exposure events. The policy says "no photography" — but the auditor will ask for technical enforcement evidence.

This is the DLP investment gap — not a failure of the existing tools, but a blind spot they were never designed to cover. Adding Screen DLP as a lightweight agent on call center workstations closes this specific gap: phone camera detection, automatic screen blur, full audit trail. One control. One gap closed. The rest of the DLP stack stays exactly as it is.

Complete your DLP investment

ScreenStop adds the screen protection layer that no other DLP tool provides. Works alongside your existing stack.
