Destination Allowlists
Destination allowlists are MITRITY's data loss prevention (DLP) layer for AI agents. They control where an agent can send data — restricting outbound connections to a set of approved domains, URLs, and endpoints. Any attempt to send data to an unapproved destination is blocked and logged as a DLP event.
Overview
AI agents with network access can potentially exfiltrate sensitive data to external services. Destination allowlists prevent this by maintaining a per-agent list of approved destinations. The gateway inspects every outbound request and:
- Extracts the destination URL from the agent's request
- Checks the URL against the agent's allowlist
- If the destination matches an approved pattern: the request proceeds (subject to policy evaluation)
- If the destination does not match: the request is blocked and a DLP event is created
Agent ──request──► Gateway ──check allowlist──► Approved? ──Yes──► Forward request
│ No
▼
Block + DLP event
How Allowlists Work
Per-Agent Configuration
Each agent has its own destination allowlist. This ensures that a CRM agent can access api.salesforce.com while a data analytics agent cannot, even though they share the same tenant.
Domain Pattern Matching
Allowlist entries use domain patterns with optional path matching:
| Pattern | Matches | Does Not Match |
|---|---|---|
api.salesforce.com | https://api.salesforce.com/v1/contacts | https://evil.salesforce.com.attacker.com |
*.amazonaws.com | https://s3.amazonaws.com/bucket, https://sqs.amazonaws.com/queue | https://amazonaws.com.evil.com |
api.internal.com/v1/* | https://api.internal.com/v1/users, https://api.internal.com/v1/data | https://api.internal.com/v2/users |
*.google.com | https://storage.google.com, https://sheets.google.com | https://google.com.evil.com |
Protocol Handling
Allowlist patterns match regardless of protocol (HTTP or HTTPS). However, MITRITY logs a security warning if an agent attempts to send data over unencrypted HTTP.
Port Handling
By default, patterns match the standard ports (80 for HTTP, 443 for HTTPS). To allow non-standard ports, include the port in the pattern:
api.internal.com:8080
*.internal.com:3000
DLP Event Types
When the gateway detects a DLP-relevant event, it creates a DLP event with one of the following types:
| Event Type | Description | Severity |
|---|---|---|
unauthorized_destination | Agent attempted to access a destination not on the allowlist | High |
sensitive_exfil | Agent sent data matching a sensitivity tag to any destination | Critical |
volume_anomaly | Agent's outbound data volume exceeds the baseline by a significant factor | Medium |
accumulation | Agent has been gradually accumulating data from internal sources, suggesting staging for exfiltration | Medium |
Unauthorized Destination
The most common DLP event. The agent attempted to send data to a domain or URL not on its allowlist.
{
"id": "dlp_evt_8k2m",
"type": "unauthorized_destination",
"severity": "high",
"agent_id": "agt_sales-bot",
"agent_name": "sales-bot",
"action_type": "http.post",
"destination": "https://pastebin.com/api/upload",
"payload_size_bytes": 45200,
"blocked": true,
"timestamp": "2026-03-01T14:30:00Z"
}
Sensitive Exfiltration
The agent sent data containing fields matching a sensitivity tag (e.g., PII, credentials, financial data) to any destination — even an approved one. This event is generated regardless of allowlist status.
{
"id": "dlp_evt_9j3n",
"type": "sensitive_exfil",
"severity": "critical",
"agent_id": "agt_data-bot",
"agent_name": "data-bot",
"action_type": "http.post",
"destination": "https://api.analytics.com/ingest",
"sensitivity_tags": ["pii", "email_address", "phone_number"],
"matched_fields": ["contact.email", "contact.phone"],
"payload_size_bytes": 128400,
"blocked": false,
"timestamp": "2026-03-01T15:00:00Z"
}
Volume Anomaly
The agent's outbound data volume significantly exceeds its historical baseline. This may indicate data exfiltration or a malfunctioning agent.
{
"id": "dlp_evt_7p4q",
"type": "volume_anomaly",
"severity": "medium",
"agent_id": "agt_export-bot",
"agent_name": "export-bot",
"baseline_bytes_per_hour": 52000,
"current_bytes_per_hour": 4800000,
"anomaly_factor": 92.3,
"window": "1h",
"timestamp": "2026-03-01T16:00:00Z"
}
Accumulation
The agent has been gradually reading data from internal sources without corresponding outbound activity, suggesting it may be staging data for a future bulk exfiltration.
{
"id": "dlp_evt_5r2s",
"type": "accumulation",
"severity": "medium",
"agent_id": "agt_research-bot",
"agent_name": "research-bot",
"accumulated_reads": 847,
"accumulated_bytes": 12400000,
"outbound_requests": 3,
"observation_window": "24h",
"timestamp": "2026-03-01T17:00:00Z"
}
Sensitivity Tags
Sensitivity tags identify data types that require special handling. MITRITY uses these tags to detect sensitive data in agent payloads and generate sensitive_exfil DLP events.
Built-In Tags
| Tag | Description | Detection Method |
|---|---|---|
pii | Personally identifiable information | Pattern matching (names, addresses, national IDs) |
email_address | Email addresses | Regex pattern matching |
phone_number | Phone numbers | Regex pattern matching (international formats) |
credit_card | Credit card numbers | Luhn algorithm + pattern matching |
ssn | Social Security Numbers (US) | Pattern matching with checksum validation |
api_key | API keys and tokens | Pattern matching (common prefixes: sk_, pk_, Bearer, etc.) |
password | Passwords and secrets | Field name matching (password, secret, token, credential) |
financial | Financial amounts, account numbers | Pattern matching |
health | Protected health information (PHI) | Field name and pattern matching |
Custom Tags
Create custom sensitivity tags for organization-specific data types:
{
"tag": "internal_project_code",
"description": "Internal project code names",
"detection": {
"field_names": ["project_code", "codename"],
"patterns": ["^PRJ-[A-Z]{3}-\\d{4}$"]
}
}
Configure custom tags in Settings > DLP > Sensitivity Tags.
Managing Allowlists
Via the Dashboard
- Navigate to Agents > [Agent Name] > Destinations.
- The current allowlist is displayed with all approved patterns.
- Click Add Destination to add a new pattern.
- Click the trash icon to remove a pattern.
- Changes take effect immediately.
Add a Destination via API
curl -X POST https://api.mitrity.com/api/v1/agents/agt_sales-bot/destinations \
-H "Authorization: Bearer mk_live_your-api-key" \
-H "Content-Type: application/json" \
-d '{
"pattern": "api.salesforce.com",
"description": "Salesforce CRM API",
"sensitivity_policy": "block_pii"
}'
Response:
{
"data": {
"id": "dest_4k2m",
"agent_id": "agt_sales-bot",
"pattern": "api.salesforce.com",
"description": "Salesforce CRM API",
"sensitivity_policy": "block_pii",
"created_at": "2026-03-01T10:00:00Z"
},
"meta": {
"request_id": "req_dest001",
"timestamp": "2026-03-01T10:00:00Z"
}
}
Destination Fields
| Field | Type | Required | Description |
|---|---|---|---|
pattern | string | Yes | Domain pattern (supports wildcards). |
description | string | No | Human-readable description. |
sensitivity_policy | enum | No | How to handle sensitive data sent to this destination: allow (no check), warn (log event), block_pii (block if PII detected). Default: warn. |
List Destinations
curl https://api.mitrity.com/api/v1/agents/agt_sales-bot/destinations \
-H "Authorization: Bearer mk_live_your-api-key"
Response:
{
"data": [
{
"id": "dest_4k2m",
"agent_id": "agt_sales-bot",
"pattern": "api.salesforce.com",
"description": "Salesforce CRM API",
"sensitivity_policy": "block_pii",
"created_at": "2026-03-01T10:00:00Z"
},
{
"id": "dest_5n3p",
"agent_id": "agt_sales-bot",
"pattern": "*.sendgrid.com",
"description": "SendGrid email service",
"sensitivity_policy": "warn",
"created_at": "2026-03-01T10:05:00Z"
}
],
"meta": {
"request_id": "req_dest002",
"timestamp": "2026-03-01T10:10:00Z",
"next_cursor": null,
"total": 2
}
}
Remove a Destination
curl -X DELETE https://api.mitrity.com/api/v1/agents/agt_sales-bot/destinations/dest_4k2m \
-H "Authorization: Bearer mk_live_your-api-key"
After removal, any agent action targeting the removed destination will be blocked.
DLP Event Management
Viewing DLP Events
DLP events appear in the dashboard at Security > DLP Events and are also included in the standard audit log.
List DLP Events via API
curl "https://api.mitrity.com/api/v1/dlp-events?agent_id=agt_sales-bot&type=unauthorized_destination&limit=25" \
-H "Authorization: Bearer mk_live_your-api-key"
Response:
{
"data": [
{
"id": "dlp_evt_8k2m",
"type": "unauthorized_destination",
"severity": "high",
"agent_id": "agt_sales-bot",
"agent_name": "sales-bot",
"action_type": "http.post",
"destination": "https://pastebin.com/api/upload",
"payload_size_bytes": 45200,
"blocked": true,
"timestamp": "2026-03-01T14:30:00Z"
}
],
"meta": {
"request_id": "req_dlp001",
"timestamp": "2026-03-01T15:00:00Z",
"next_cursor": null,
"total": 1
}
}
Get a Single DLP Event
curl https://api.mitrity.com/api/v1/dlp-events/dlp_evt_8k2m \
-H "Authorization: Bearer mk_live_your-api-key"
The detailed view includes the full payload inspection results, matched sensitivity tags, and the agent's historical DLP event count.
DLP Event Filters
| Filter | Description | Example |
|---|---|---|
agent_id | Filter by agent | agt_sales-bot |
type | Filter by event type | unauthorized_destination |
severity | Filter by severity | critical, high, medium |
blocked | Filter by whether the action was blocked | true, false |
start_date | Events after this timestamp | 2026-03-01T00:00:00Z |
end_date | Events before this timestamp | 2026-03-08T00:00:00Z |
DLP Summary
Get a summary of DLP events for your tenant:
curl https://api.mitrity.com/api/v1/dlp-events/summary?days=30 \
-H "Authorization: Bearer mk_live_your-api-key"
Response:
{
"data": {
"total_events": 47,
"by_type": {
"unauthorized_destination": 32,
"sensitive_exfil": 8,
"volume_anomaly": 5,
"accumulation": 2
},
"by_severity": {
"critical": 8,
"high": 32,
"medium": 7
},
"top_agents": [
{ "agent_id": "agt_data-bot", "agent_name": "data-bot", "event_count": 21 },
{ "agent_id": "agt_research-bot", "agent_name": "research-bot", "event_count": 14 }
],
"top_blocked_destinations": [
{ "destination": "pastebin.com", "count": 12 },
{ "destination": "transfer.sh", "count": 8 }
]
},
"meta": {
"request_id": "req_dlp002",
"timestamp": "2026-03-01T16:00:00Z"
}
}
Configuring DLP Thresholds
Fine-tune DLP detection parameters in Settings > DLP > Thresholds:
| Setting | Default | Description |
|---|---|---|
volume_anomaly_factor | 10x | Factor above baseline that triggers a volume anomaly event |
volume_baseline_window | 7 days | Time window for calculating the volume baseline |
accumulation_threshold_reads | 500 | Number of internal reads without corresponding outbound activity |
accumulation_observation_window | 24h | Time window for observing accumulation patterns |
sensitivity_scan_enabled | true | Whether to scan payloads for sensitive data |
sensitivity_scan_max_payload | 10 MB | Maximum payload size to scan (larger payloads are logged but not scanned) |
Best Practices
Start with a Restrictive Allowlist
Begin with a minimal allowlist — only the destinations the agent absolutely needs. Add more as legitimate use cases are identified.
Use Specific Patterns
Prefer api.salesforce.com over *.salesforce.com. Broad wildcard patterns increase the risk of allowing unintended subdomains.
Enable PII Blocking on External Destinations
Set sensitivity_policy: "block_pii" on destinations where PII should never be sent (analytics services, logging platforms, third-party APIs that do not handle PII).
Monitor Volume Anomalies
A sudden spike in outbound data volume often precedes data exfiltration. Set the volume_anomaly_factor to a level that catches genuine anomalies without generating noise.
Review DLP Events Weekly
Schedule a weekly review of DLP events. Unauthorized destination events may indicate agent misconfiguration (legitimate destinations that need to be added) or genuine exfiltration attempts.
Combine with Tool Permissions
Destination allowlists complement agent permissions. Permissions control which tools an agent can use; allowlists control where agents can send data. Use both for defense in depth.
Related Documentation
- Tool Catalog — Define and manage the tool catalog
- Agent Permissions — Per-agent tool permission assignment
- Injection Detection — Detect prompt injection attacks
- Compliance Reports — DLP events in compliance reports
- API Overview — Full API reference