How are you guys actually securing Claude / AI code tools? (E5/Purview shop)
Your developers are pasting sensitive code into Claude right now. Do you know where it's going?
A thread in r/sysadmin is surfacing what most IT teams haven't formalized yet: AI coding tools like Claude, Copilot, and Cursor are live in developer workflows, and the security posture around them is mostly vibes. No DLP. No data classification. No Conditional Access scoping. Just a browser tab and a copy-paste.
If you're an E5 or Purview shop, you actually have the controls to address this. Purview Information Protection can flag or block sensitive data leaving via browser-based AI tools. Defender for Cloud Apps lets you scope which AI endpoints are sanctioned versus shadow. Conditional Access can restrict access to approved tools based on device compliance. The capability is there. Most teams just haven't wired it up for AI workflows specifically.
The gap isn't tooling. It's that nobody has sat down and mapped "developer uses AI assistant" as a data exfiltration scenario worth modeling. Until they do, your E5 investment isn't covering the actual risk surface.
This is exactly the kind of conversation the team at C Spire Business navigates with clients across the Southeast right now.
If your org allows AI coding tools, have you run a Defender for Cloud Apps discovery report to see what's actually in use? That number might surprise you.
Source: reddit.com/r/sysadmin ↗
According to the 2024 Cyberhaven Research report, 11% of what employees paste into Claude and other AI tools contains confidential data, and that figure jumps significantly among engineering and developer roles who are more likely to share source code, API keys, and internal architecture details.