1. About This Specialization

An Agent Data Leakage Prevention Engineer builds the defenses that stop autonomous LLM agents from leaking the secrets, internal documents, and personal data they are trusted to handle. Within AI security, if a red teamer proves weaknesses by attacking, this specialization stands on the opposite side. You design guardrails, isolate context, and put DLP (data leakage prevention) on everything an agent emits.

The scale of the problem became concrete with MosaicLeaks, a benchmark ServiceNow released in June 2026. Measuring 1,001 multi-hop research chains where deep-research agents combine local enterprise documents with web retrieval, the base model (Qwen3-4B) leaked private information through its external query logs alone in 34.0% of cases. The next finding is the alarming one: tuning purely for task performance via reinforcement learning raised accuracy from 48.7% to 59.3% — but pushed leakage up to 51.7%. Teaching the agent to do better made it leak more. ServiceNow’s Privacy-Aware Deep Research (PA-DR) method held accuracy at 58.7% while cutting leakage to 9.9%. Closing exactly that gap is what this role exists to do.

The same shift shows up in OWASP’s 2025 LLM Top 10, which moved Sensitive Information Disclosure (LLM02) from sixth to second place and split out Excessive Agency (LLM06) and System Prompt Leakage (LLM07) as their own categories. The moment an agent can send emails, query databases, and call APIs, the surface area for leakage explodes. Someone has to seal it.

2. Core Skill Set

Technical:

• Indirect prompt injection defense: detecting and neutralizing malicious instructions hidden in tool outputs and web-retrieval results (validated against AgentDojo’s 97 tasks and 629 security test cases)
• Context isolation: building a boundary between private documents and outbound queries so the agent does not even leak what it is investigating (intent leakage)
• Output DLP: real-time scanning, masking, and blocking of API keys, tokens, PII, source code, and internal documents in agent responses and tool calls
• Guardrail engineering: bidirectional input/output filters, runtime policy engines, tool-call allowlists
• Least-privilege design: scoped tokens and human-in-the-loop approval gates that reduce excessive agency
• Evaluation pipelines: regression-testing defenses with metrics like Benign Utility, Utility under Attack, and Targeted Attack Success Rate

Soft skills:

• The defensive flip of an adversarial mindset: imagine where an attacker would exfiltrate data first, then weigh cost against utility from the defender’s side
• Trade-off judgment: drive leakage to zero and the agent becomes useless. As MosaicLeaks shows, utility and privacy are two targets you must hit at once
• Regulatory translation: turning GDPR and EU AI Act requirements into runtime guardrail rules

3. Career Path

You can transition into this specialization from traditional security engineering, AI/ML engineering, or agent systems development. The common entry bar is an understanding of LLM tool-calling internals plus Python automation skills.

4. Recommended Resources & Tools

Benchmarks and frameworks

• MosaicLeaks (ServiceNow) — a public benchmark that measures mosaic-style leakage from deep-research agents across 1,001 chains. The starting point for proving a defense works in numbers
• AgentDojo — a dynamic environment that evaluates indirect prompt injection attacks and defenses across four domains: workspace, Slack, travel, and banking
• OWASP Top 10 for LLM Applications 2025 — the standard threat taxonomy defining LLM01 Prompt Injection, LLM02 Sensitive Information Disclosure, LLM06 Excessive Agency, and LLM07 System Prompt Leakage

Guardrail and DLP tooling

• NVIDIA NeMo Guardrails / Guardrails AI — define input/output filters and policy rails as code
• Microsoft Presidio — open-source PII detection and anonymization. A first line of output DLP
• LLM observability stacks (LangSmith, Langfuse, etc.) — trace every tool call and external query to audit leakage paths after the fact

Foundational reading

• The OWASP GenAI Security Project’s LLM02 and LLM06 mitigation guides
• The AgentDojo and MosaicLeaks papers (comparing defense paradigms)

6. Career Outlook

Common job titles

• Agent Security Engineer
• LLM Guardrails Engineer
• AI Safety Engineer (Data Leakage)
• Senior AI Security Engineer (Agent Defense)

Where you fit in a team

This engineer usually sits on the boundary between the security team and the AI platform team. As the agent builders push utility, you measure and stop what those outputs can leak. The core lesson from MosaicLeaks — optimize for task performance alone and leakage actually rises — is the single fact that justifies this role. You design human-in-the-loop approval gates with product teams and translate regulatory requirements into runtime rules with data governance teams.

Interview focus

Expect interviewers to ask about:

• How you would detect and block indirect prompt injection hidden in tool outputs
• How you would prevent intent leakage, where an agent’s external queries reveal what it is investigating
• How you would measure the trade-off of reducing leakage without killing utility
• Least-privilege and scoped-token design to reduce excessive agency
• Post-hoc audit and detection strategy for when a guardrail is bypassed

Why now

2026 is the year agents moved from experiment to production. The more tools and private context an agent handles, the more leakage becomes not a possibility but a measurable rate. MosaicLeaks’ 34%, OWASP’s promotion of Sensitive Information Disclosure — the numbers point the same way. The seat for the person who seals the gap is filling fast.