Data types and on-device detection
Data-typed policies act on what is actually in a prompt — not just on the fact that someone used an AI tool. That requires detection, and Shield's detection runs where the data is: on the device.
The data types
When building a policy you select the data types it covers:
- PII (personal data) — email addresses, phone numbers, national and tax IDs. (IBAN and card numbers are covered by Financial data.)
- Financial data — IBAN, credit and debit card numbers, BIC/SWIFT, routing numbers.
- Source code — code blocks, function and class definitions, script syntax.
- Secrets / credentials — API keys, access tokens, JWTs, private keys.
- PHI (health data) and Contracts — on the roadmap; shown in the picker as coming soon.
An All data types option exists for broad policies.
On-device detection
Detection runs locally in the browser, via Shield Web. The content of a prompt or paste is never sent to a server to classify it — only the resulting category labels (for example pii, secrets) travel with the audit event, never the values themselves. That is what makes data-typed enforcement compatible with the consent guarantees.
Admins control this under Settings → Governance → On-device content detection (recommended, and on by default). With detection off, data-typed policies match all content — which over-warns — so leave it on unless you have a specific reason not to.
How it plays with enforcement
Combine data types with enforcement modes for precise rules: transform PII before it reaches a chat window, block secrets outright, warn on source code. Your organization's starter policies are exactly such combinations.
Was this article helpful?
Related articles
Create a policy
Build a policy from the five layers — tools, data types, actions, context, enforcement — and activate it for your organization in minutes.
Read articleEnforcement modes explained
Observe, Warn, Justify, Transform, Block — what each mode does, what your team experiences, and when to use which.
Read articleConsent and what data Shield Web collects
Nothing is collected before you consent. Shield records which AI services you use and what kind of action happened — never your prompts or the sensitive values themselves.
Read articleApply policy presets and bundles
Deploy compliance-ready policies from the preset library — EU AI Act, GDPR, DIFC, Korea AI Basic Act, US AI in Employment, and ISO 42001/NIST bundles.
Read articleStill stuck?
Send us the details — we answer within one business day.