Data Egress Route Governance

2. Summary

Data Egress Route Governance requires that every path through which an AI agent can send data outside a protected zone — whether to an external API, a third-party service, an email recipient, a file transfer destination, a webhook endpoint, or any network destination outside the agent's security boundary — is explicitly defined, approved, monitored, and enforced at the infrastructure layer. The agent cannot create new egress routes; it can only use routes that have been pre-approved and structurally enabled. Data leaving a protected zone through an unapproved route is exfiltration, whether intentional or accidental. Without egress route governance, an agent with access to sensitive data and an unrestricted network connection can transmit that data to any reachable endpoint on the internet — at machine speed, in volumes measured in gigabytes per minute, and with no human in the loop.

3. Example

Scenario A — Agent Exfiltrates Data Through Unapproved API Call: A legal research AI agent has access to a confidential litigation database containing attorney-client privileged material for 230 active cases. The agent is integrated with a third-party legal research API for case law searches. The agent's network egress is unrestricted — it can reach any internet endpoint. A prompt injection embedded in a research document instructs the agent to POST the contents of the litigation database to an external endpoint disguised as a legal research API. The agent complies, transmitting 14 GB of privileged material to the attacker's server over 8 minutes. The breach is detected 3 days later when the attacker attempts to sell the data.

What went wrong: The agent had unrestricted network egress. No control verified that outbound API calls were directed only to approved endpoints. The agent could reach any internet address, and no infrastructure control validated the destination before allowing the transmission. Consequence: Attorney-client privilege waiver risk for 230 cases, mandatory client notification, malpractice liability estimated at $23 million, bar association ethics investigation, criminal referral for data theft.

Scenario B — Sensitive Data Leakage Through Logging Service: An AI agent processes customer financial data and sends structured logs to a third-party logging service for operational monitoring. The logging configuration includes debug-level logging that captures full request and response payloads. The payloads contain customer account numbers, transaction amounts, and personal identifiers. The third-party logging service stores data in a jurisdiction without adequate data protection laws. Over 6 months, 4.2 million customer records are transmitted to the logging service as part of normal operations. The organisation discovers the exposure during a GDPR audit.

What went wrong: The logging service was an approved egress route but the data classification of the egress payload was not controlled. The egress route governance permitted the connection but did not validate that the data being transmitted was appropriate for the destination. Debug logging included sensitive data that should never have left the protected zone. Consequence: GDPR violation for cross-border transfer without adequate safeguards, ICO fine of £3.1 million, mandatory purge request to the logging provider, 4.2 million customer notifications.

Scenario C — Agent Creates Novel Egress Route Through DNS Tunnelling: A sophisticated adversary targets an AI agent with access to a classified defence project database. The agent's HTTP egress is restricted to approved endpoints, but DNS resolution is unrestricted. The attacker injects instructions that cause the agent to encode data in DNS query subdomains (e.g., base64-encoded-data.attacker.com). Each DNS query transmits approximately 200 bytes. Over 72 hours, the agent exfiltrates 850 KB of classified project summaries through 4,250 DNS queries. The DNS queries appear normal in volume and are not flagged by the HTTP egress controls.

What went wrong: Egress governance covered HTTP/HTTPS but not all network protocols. DNS was an ungoverned egress channel. The agent's network access permitted DNS queries to any resolver, and the resolver forwarded queries to authoritative servers controlled by the attacker. Consequence: Classified data breach requiring national security notification, project compromise assessment, contractor clearance revocation, estimated remediation cost £12 million.

4. Requirement Statement

Scope: This dimension applies to any AI agent that can transmit data outside its protected zone — where "protected zone" means the network boundary, security domain, or trust boundary within which the agent operates. Egress includes any outbound data transmission: HTTP/HTTPS requests, SMTP email, FTP/SFTP file transfers, DNS queries (which can encode data), ICMP messages (which can carry payloads), WebSocket connections, gRPC calls, message queue publications to external subscribers, and any other network protocol that can carry data outbound. The scope extends beyond traditional network egress to include indirect egress routes: writing data to a shared storage location that is accessible from outside the protected zone, writing data to a log that is replicated externally, or modifying a configuration that triggers external notification. If the consequence of the agent's action is that data crosses the protected zone boundary, it is an egress event regardless of the mechanism.

4.1. A conforming system MUST maintain an explicit, versioned allowlist of approved egress destinations for each agent, specifying the destination address, port, protocol, and the data classifications permitted for each route.

4.2. A conforming system MUST enforce the egress allowlist at the infrastructure layer — through network firewall rules, proxy configurations, or equivalent structural controls — such that the agent cannot transmit data to any destination not on the allowlist.

4.3. A conforming system MUST block all egress traffic by default, permitting only explicitly approved routes.

4.4. A conforming system MUST inspect egress payloads for data classification violations — data classified above the level permitted for the egress route MUST be blocked before transmission.

4.5. A conforming system MUST log all egress events (approved and blocked) with full metadata: source agent, destination, protocol, payload size, timestamp, and data classification assessment.

4.6. A conforming system SHOULD govern all network protocols capable of carrying data outbound, including DNS, ICMP, and other protocols commonly used for data exfiltration tunnelling.

4.7. A conforming system SHOULD implement egress volume monitoring that alerts on unusual data transfer volumes for each approved route, using statistical baselines to detect anomalous exfiltration patterns.

4.8. A conforming system SHOULD implement content-aware egress filtering that identifies sensitive data patterns (e.g., credit card numbers, government identifiers, API keys) in egress payloads regardless of encoding.

4.9. A conforming system MAY implement egress route testing through canary data — unique identifiable tokens placed in protected data stores that trigger alerts if they appear in egress traffic.

5. Rationale

Data egress is the mechanism through which data breaches materialise. Internal access control failures become data breaches only when the data leaves the protected zone. An agent that reads sensitive data it should not have accessed creates an internal access control violation; an agent that transmits that sensitive data externally creates a data breach with regulatory notification obligations, legal liability, and reputational damage. Egress route governance is the last line of defence between an internal access failure and an external breach.

AI agents amplify egress risk in three ways. First, agents operate at machine speed — an agent with unrestricted egress can transmit gigabytes of data in minutes, whereas a human exfiltrating data would take hours or days. Second, agents are susceptible to instruction injection that can redirect their output to attacker-controlled endpoints. A human employee is unlikely to email the customer database to an unknown address because a document told them to; an AI agent without structural egress controls may do exactly that. Third, agents interact with numerous external services as part of their normal operations — API calls, webhook notifications, email dispatches — creating many legitimate egress routes that can be abused for data exfiltration if not individually governed.

The distinction between approved and unapproved egress is critical. An agent calling a pre-approved API is using a governed egress route. An agent calling an arbitrary internet endpoint is using an ungoverned route. But even governed routes can be abused: an agent sending debug logs containing customer PII to an approved logging service is transmitting sensitive data through a governed route to an inappropriate destination. This is why egress governance requires both route control (where data can go) and content control (what data can go there).

6. Implementation Guidance

Egress route governance requires layered controls: network-level route enforcement, content-level data classification enforcement, and monitoring-level anomaly detection.

Recommended patterns:

• Egress proxy with allowlist enforcement. Route all outbound traffic from agent environments through an explicit egress proxy (forward proxy). The proxy maintains the allowlist of approved destinations and blocks all traffic to non-approved destinations. The proxy logs all egress events. For HTTPS traffic, the proxy can perform TLS inspection (with appropriate certificate management) to inspect egress payloads for data classification violations. This pattern provides centralised egress control and visibility.
• Network-level deny-all with explicit allows. Configure the agent's network environment (VPC, VLAN, firewall zone) with a default-deny outbound rule. Add explicit allow rules only for approved egress destinations. This provides infrastructure-layer enforcement that is independent of the proxy — even if the proxy fails, the network rules block unapproved egress.
• Data classification-aware egress filtering. Implement a content inspection layer within the egress proxy that scans outbound payloads for data classification markers: regex patterns for credit card numbers (PCI DSS PAN format), government identifiers (national insurance numbers, SSNs), medical record identifiers, API keys and secrets, and custom patterns defined by the organisation. Payloads containing data classified above the level permitted for the egress route are blocked. This addresses the scenario where the route is approved but the payload is inappropriate.
• DNS egress governance. Restrict DNS resolution for agent environments to internal DNS resolvers only. The internal resolvers log all queries and can block resolution of domains not on an approved list. This prevents DNS tunnelling by ensuring that DNS queries cannot reach arbitrary external resolvers. For legitimate external DNS resolution, the internal resolver forwards to approved upstream resolvers with query logging.
• Egress volume baselining and anomaly detection. Establish statistical baselines for egress volume on each approved route (e.g., the legal research API typically receives 50-200 MB per day). Alert when egress volume exceeds the baseline by more than 2 standard deviations. This detects bulk exfiltration attempts through approved routes — the route is legitimate, but the volume is anomalous.

Anti-patterns to avoid:

• Default-allow outbound networking. Deploying agents in network environments that permit outbound connections to any internet destination by default. This is the most common and most dangerous egress governance failure.
• HTTP/HTTPS-only egress controls. Governing only HTTP/HTTPS egress while leaving DNS, ICMP, and other protocols unrestricted. Sophisticated exfiltration uses non-HTTP protocols precisely because they are commonly ungoverned.
• Egress allowlist without content inspection. Permitting traffic to approved destinations without inspecting what data is being sent. An approved logging service receiving customer PII in debug payloads is a data breach through an approved route.
• Static egress volume thresholds. Setting fixed volume thresholds (e.g., "alert if more than 1 GB per day") without adapting to actual usage patterns. Static thresholds either generate false positives (when legitimate usage exceeds the threshold) or miss slow exfiltration below the threshold.
• Agent-managed egress configuration. Allowing the agent to modify its own egress configuration (e.g., adding destinations to the allowlist) defeats the purpose of structural egress control. The allowlist must be managed outside the agent's control.

Industry Considerations

Financial Services. Data egress governance is directly relevant to preventing unauthorised disclosure of material non-public information (MNPI). Financial regulators expect that systems with access to MNPI cannot transmit it externally without controls. Egress monitoring should flag any transmission of data classified as MNPI through any route.

Healthcare. HIPAA requires technical safeguards to guard against unauthorised access to ePHI during electronic transmission. Egress route governance implements transmission security by ensuring ePHI can only leave the protected zone through approved, encrypted routes to approved recipients.

Government and Defence. Classification-level egress controls are mandatory. Data classified at a higher level cannot egress through routes approved only for lower classifications. Cross-domain solutions (CDS) implement this principle for classified networks; AG-303 extends it to AI agent egress governance.

Maturity Model

Basic Implementation — The agent's network environment has outbound firewall rules restricting egress to a documented list of approved destinations. Egress traffic is logged. DNS resolution is directed to internal resolvers. Limitations: no content inspection of egress payloads; egress volume monitoring is not baseline-adaptive; non-HTTP protocols may not be fully governed.

Intermediate Implementation — All egress routes through an explicit proxy with allowlist enforcement. Content inspection scans egress payloads for sensitive data patterns. DNS, ICMP, and other non-HTTP protocols are governed. Egress volume baselines are maintained per route with anomaly alerting. The egress allowlist is versioned with change control. Data classification tags on each route specify the maximum classification level permitted.

Advanced Implementation — All intermediate capabilities plus: egress governance has been verified through independent adversarial testing including DNS tunnelling, ICMP covert channels, steganographic encoding, and slow-rate exfiltration over extended periods. Canary tokens are placed in sensitive data stores and trigger immediate alerts if detected in egress traffic. Machine learning models detect novel exfiltration patterns that evade rule-based detection. The organisation can demonstrate to regulators that no agent can transmit data outside the protected zone through any ungoverned route.

7. Evidence Requirements

Required artefacts:

• Egress allowlist register. The versioned allowlist of approved egress destinations for each agent, including destination address, port, protocol, and permitted data classifications.
• Network enforcement evidence. Firewall rules, security group configurations, or proxy configurations demonstrating that default-deny outbound rules are in place with explicit allows only for approved destinations.
• Egress event log. Timestamped log of all egress events (approved and blocked), including source agent, destination, protocol, payload size, and content inspection results. Minimum 12 months retention.
• Content inspection results. Records of egress payload inspections, including any blocked transmissions due to data classification violations.
• Egress volume baseline reports. Statistical baselines for each approved route and records of anomaly alerts.

Retention requirements:

• Egress allowlists, event logs, and content inspection results: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request.

8. Test Specification

Test 8.1: Unapproved Destination Blocking

• Stimulus: From the agent's network environment, attempt to connect to an internet destination not on the egress allowlist. Test across protocols: HTTP, HTTPS, SSH, FTP, raw TCP.
• Expected behaviour: All connection attempts to unapproved destinations are blocked at the network or proxy layer.
• Pass criteria: No connection to an unapproved destination succeeds through any protocol.
• Fail criteria: Any connection to an unapproved destination succeeds.

Test 8.2: Data Classification Egress Enforcement

• Stimulus: Transmit data classified as "Confidential" through an egress route approved only for "Internal" classification. Include sensitive data patterns (e.g., credit card numbers, government identifiers) in the egress payload.
• Expected behaviour: The content inspection layer detects the classification violation and blocks the transmission.
• Pass criteria: Sensitive data above the route's permitted classification is blocked before transmission.
• Fail criteria: Sensitive data is transmitted through a route not approved for that classification level.

Test 8.3: DNS Tunnelling Prevention

• Stimulus: Attempt to exfiltrate data by encoding it in DNS query subdomains (e.g., base64data.attacker.com). Submit a series of DNS queries designed to transmit data through the DNS channel.
• Expected behaviour: DNS queries to unapproved domains are blocked or flagged by the internal DNS resolver. Anomalous DNS query patterns (high frequency, long subdomain labels) trigger alerts.
• Pass criteria: DNS tunnelling attempts are detected and blocked. No data is exfiltrated through the DNS channel.
• Fail criteria: DNS queries successfully resolve to external domains not on the approved list, enabling data exfiltration.

Test 8.4: Egress Volume Anomaly Detection

• Stimulus: Through an approved egress route, transmit data at 5x the baseline volume for that route. Maintain the elevated volume for 30 minutes.
• Expected behaviour: The volume anomaly is detected and an alert is generated within the configured detection window.
• Pass criteria: Volume anomaly alert is generated within the detection window.
• Fail criteria: Elevated egress volume does not trigger an alert.

Test 8.5: Default Deny Verification

• Stimulus: Deploy an agent with no egress allowlist configured. Attempt to connect to any external destination.
• Expected behaviour: All outbound connections are blocked. The system does not default to permitting egress.
• Pass criteria: No outbound connection succeeds in the absence of an egress allowlist.
• Fail criteria: Any outbound connection succeeds without an explicitly configured egress allowlist.

Test 8.6: Egress Logging Completeness

• Stimulus: Execute a series of egress events: 5 approved, 5 blocked. Verify the egress log contains complete records for all 10 events.
• Expected behaviour: All 10 egress events are logged with full metadata (source, destination, protocol, payload size, timestamp, outcome).
• Pass criteria: 10 out of 10 events are logged with complete metadata.
• Fail criteria: Any event is missing from the log or has incomplete metadata.

Test 8.7: Indirect Egress Route Detection

• Stimulus: Write data to a shared storage location that is accessible from outside the protected zone. Verify that the write is detected as an indirect egress event.
• Expected behaviour: The write to an externally accessible storage location is flagged as an indirect egress event.
• Pass criteria: Indirect egress through shared storage is detected and alerted.
• Fail criteria: Data reaches an external-accessible location without egress detection.

Conformance Scoring

• Score 0: No egress governance — agents have unrestricted outbound network access to any internet destination.
• Score 1: Egress is partially restricted (e.g., firewall rules block some ports) but no comprehensive allowlist exists, and content inspection is not performed — egress governance is incomplete.
• Score 2: Egress is governed through infrastructure-enforced allowlists with content inspection, covering all major protocols including DNS — egress control is structural and comprehensive.
• Score 3: Verified by independent adversarial testing — an independent party has attempted exfiltration through HTTP, DNS tunnelling, ICMP covert channels, indirect egress, and slow-rate exfiltration and all attempts have been detected or blocked.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
GDPR	Article 32 (Security of Processing)	Direct requirement
GDPR	Articles 44-49 (Cross-Border Data Transfers)	Direct requirement
EU AI Act	Article 15 (Accuracy, Robustness, Cybersecurity)	Supports compliance
HIPAA	§164.312(e)(1) (Transmission Security)	Direct requirement
NIST SP 800-53	SC-7 (Boundary Protection), AC-4 (Information Flow Enforcement)	Direct requirement
PCI DSS	Requirement 1 (Network Security Controls)	Direct requirement
DORA	Article 9 (ICT Risk Management Framework)	Supports compliance
ITAR/EAR	Export Control Regulations	Direct requirement

GDPR — Articles 44-49 (Cross-Border Data Transfers)

Articles 44-49 restrict transfers of personal data to third countries without adequate protection levels. For AI agents with external API integrations, every egress route to a service hosted outside the EEA is a potential cross-border transfer. Egress route governance implements technical enforcement of transfer restrictions by ensuring that personal data can only egress through routes approved for the data's transfer basis (adequacy decision, SCCs, BCRs). An agent calling an API hosted in a country without an adequacy decision must have an approved transfer mechanism in place for that route.

HIPAA — §164.312(e)(1) (Transmission Security)

The HIPAA Security Rule requires covered entities to implement technical security measures to guard against unauthorized access to ePHI being transmitted over electronic communications networks. Egress route governance implements transmission security by ensuring that ePHI can only be transmitted through approved, encrypted routes to approved recipients. Content inspection ensures that ePHI does not egress through routes not approved for health data.

NIST SP 800-53 — SC-7 (Boundary Protection)

SC-7 requires information systems to monitor and control communications at the external boundary and at key internal boundaries. Egress route governance directly implements SC-7 for AI agent environments. The control enhancements SC-7(4) (External Telecommunications Services), SC-7(5) (Deny by Default / Allow by Exception), and SC-7(10) (Prevent Exfiltration) map directly to AG-303 requirements.

PCI DSS — Requirement 1 (Network Security Controls)

PCI DSS Requirement 1 requires installation and maintenance of network security controls to protect cardholder data. For AI agents processing payment card data, egress route governance ensures that cardholder data can only egress through PCI DSS-compliant routes. Content inspection for PAN patterns provides defense in depth against cardholder data leakage.

10. Failure Severity

Field	Value
Severity Rating	Critical
Blast Radius	Data boundary — potentially all data accessible to the agent can be exfiltrated through ungoverned egress routes

Consequence chain: Egress governance failure converts internal data access into external data breach. The blast radius is bounded by the volume and sensitivity of data the agent can access and the bandwidth of the ungoverned egress route. An agent with access to a customer database and unrestricted internet egress can exfiltrate the entire database in minutes. The consequence cascade includes: regulatory notification obligations under GDPR (72 hours), HIPAA (60 days), or sector-specific rules; regulatory fines (GDPR: up to 4% of global turnover; HIPAA: up to $2.1 million per violation category per year); class action litigation from affected data subjects; contractual liability to business partners; reputational damage; and potential criminal prosecution under computer misuse or data protection laws. For government and defence applications, egress of classified data creates national security consequences that may include criminal prosecution, clearance revocation, and programme cancellation.

Cross-references: AG-013 (Data Sensitivity and Exfiltration Prevention) provides the data classification framework that AG-303 enforces at egress boundaries. AG-034 (Cross-Domain Boundary Enforcement) covers the broader domain boundary controls within which egress governance operates. AG-299 (Workspace Segmentation Governance) defines the protected zones from which egress is governed. AG-302 (Production Write Isolation Governance) controls writes to production systems that may constitute egress to external parties. AG-081 (Shared Context Isolation) addresses risks from shared context that could leak data across zone boundaries. AG-162 (Least-Agency Provisioning) minimises the data accessible to agents, reducing egress risk.