The Invisible AI Data Leak: What Your Engineers Ship to Cursor Every Day
Three years after Samsung, the leak surface moved from a browser tab to a desktop IDE. Here's what we see in early HeimWall design partner data, and why native tool controls miss it.
A Series-B fintech with 240 engineers. Most pay for Cursor on the company card. A senior backend engineer debugging a flaky job at 02:14 Tuesday pulled the failing record out of staging, opened a Cursor chat, pasted the row in, and asked why the deserializer was choking. The row contained two real customer emails, a Stripe customer ID, and the dollar amount of a refund that had not posted yet.
The model answered. The fix shipped at 02:51. Nobody told security. Nobody had to. There is no log line for that prompt anywhere a manager can see it.
We watched this with permission as part of a design partner study. The engineer is good at his job. The fintech has a written AI usage policy. None of that mattered, because the policy is a PDF and the leak is a thirty-second muscle memory.
The leak surface moved
In April 2023, Samsung engineers pasted internal source code into ChatGPT through a browser. The world treated it as a one-time scandal. It was not. It was the prototype. That leak shape (proprietary content into a third-party model with no enterprise controls in the loop) is now the default workflow for the median software engineer, and the surface has moved off the browser.
Three years on, the surface is a desktop IDE. Cursor is in the dock. Claude Code is in the terminal. Copilot Chat lives inside VS Code. Windsurf has its own proxy. Each talks to its model over a private channel that classical DLP cannot decode. The Symantec and Nightfall agents your laptop fleet has been carrying since 2018 inspect HTTP and SMTP. They do not inspect a Cursor WebSocket carrying a chunk of your customer database.
Based on early HeimWall design partner data across three US engineering teams totaling 312 engineers, we observe a baseline that should be uncomfortable to read:
- 84% of engineers used at least one AI coding tool during a given work week
- The median user pasted recognizably-secret-shaped content (API keys, connection strings, tokens) into a chat at least 2.3 times per week
- 41% of those pastes went into tools the company had no admin contract with (personal-account Cursor, free-tier Claude Code, Copilot under a personal GitHub login)
- Time from "engineer pastes" to "engineer hits send" averaged 4.1 seconds, well below the threshold at which any human review can intervene
That last number broke the assumption underneath classical DLP. The "review queue" model assumes a human can adjudicate. At 4 seconds per leak event, you are not adjudicating; you are accounting after the fact, if at all.
Why native tool controls do not close this
Every major AI coding vendor now ships its own admin pane. Cursor has a workspace dashboard. Copilot has a compliance surface. Claude Code has enterprise logging. Windsurf has its own audit trail. These are real products. They are also, by construction, single-tool views.
If your team uses Cursor and Copilot and Claude Code (the fintech above uses all three), you have three dashboards, three policy languages, three retention windows. Nothing reconciles them. "Did our team have a bad week with secrets" has three different answers in three different portals, and your VP Engineering would have to log in to each and mentally diff. In practice the question goes unanswered.
Worse, native controls only see what flows through the native account. The fintech has Cursor seats for half the team; the rest use Cursor on a personal email because procurement has been open for six weeks. None of those personal-account sessions show up in the company's admin pane. The native dashboard underreports, and the underreporting is invisible.
Add regulation on top. California AB 1651 requires written disclosure of electronic monitoring. SEC cybersecurity disclosure rules expect tool-by-tool incident reporting. EU AI Act draft text covers workplace AI deployment. "We use Cursor and we trust our engineers" satisfies none. All require a measurable, auditable, cross-tool signal. That signal does not exist today.
Manager has zero signal today
Ask a VP of Engineering at a 500-person org three questions on the spot. How many of your engineers used an AI coding tool last week? What did they paste in that you would have flagged if you had seen it? Which engineer needs a five-minute coaching conversation on Friday? In every conversation we have had so far, the honest answer to all three is "I have no idea." The follow-up is "I assumed our DLP caught it." It does not.
The gap is not awareness. Every leader we talk to knows there is a leak surface. The gap is operational signal. They do not have a number to look at on Monday morning, a trend to watch over the quarter, or a list of three engineers worth a chat by Friday. What they have is a vague unease and a slide deck from the security vendor that says "AI-powered." The unease is correct. The slide deck is not a control plane.
What a usable signal looks like
This is the bar we set for ourselves when we designed HeimWall.
A usable signal is at the source, before the prompt leaves the laptop, and runs in under 50 milliseconds so the engineer never feels it. It is categorized, not captured: the manager learns "12 secret-shaped pastes in the data-platform squad this week" without reading a single prompt body. It is cross-tool by default, because "did our team leak this week" cannot have a different answer in Cursor's UI than in Copilot's. It is gated by an Investigation Mode with second-factor step-up, written justification, employee notification, and a 24-hour time-box, so when an incident requires reading specific content, the read is auditable rather than ambient. And it carries a non-dismissible contract clause that the resulting data is not for performance reviews. Engineers who believe the signal is being weaponized will route around it within a week.
That last point is a load-bearing wall, not a UX choice. The fintech engineer at 02:14 did not get a popup. What he got the next morning was a one-line note from his tech lead asking if the staging row contained real customer emails (it did) and whether they could add a redaction step to the seed script (they did). The signal moved up the chain because the data was categorized and surfaced in a Monday digest. Nobody read the prompt. Nobody had to.
That is the workflow we are building toward. Manager sees signal, not content. Tuesday's invisible leak becomes Friday's coaching moment.
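The "categorized, not captured" signal described above, sketched as an added example (not HeimWall's code or part of the original article): each paste is reduced to category counts keyed by squad and tool, and the text itself is discarded. The detector patterns, squad and tool labels, and sample events are constructed assumptions.

```python
import re
from collections import Counter

# Constructed, illustrative detectors for the content shapes the article names.
# Order matters: earlier detectors claim their span, so a connection string's
# "pass@host" is not counted again as an email.
DETECTORS = {
    "api_key": re.compile(r"\b(?:AKIA[0-9A-Z]{16}|sk_live_[0-9A-Za-z]{16,})\b"),
    "connection_string": re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@[^\s/]+"),
    "token": re.compile(r"\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+"),
    "customer_id": re.compile(r"\bcus_[0-9A-Za-z]{8,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def categorize(text):
    """Return {category: count} for one paste; the text itself is not kept."""
    counts, remaining = Counter(), text
    for category, pattern in DETECTORS.items():
        remaining, hits = pattern.subn(" ", remaining)  # mask claimed spans
        if hits:
            counts[category] = hits
    return counts

def weekly_digest(events):
    """Fold (squad, tool, text) events into counts keyed by labels only."""
    digest = Counter()
    for squad, tool, text in events:
        for category, hits in categorize(text).items():
            digest[(squad, tool, category)] += hits
    return digest

def squad_totals(digest):
    """Cross-tool rollup: one number per squad, whichever tool was used."""
    totals = Counter()
    for (squad, _tool, _category), hits in digest.items():
        totals[squad] += hits
    return totals

# Constructed sample events; every value below is fake.
SAMPLE_EVENTS = [
    ("data-platform", "cursor",
     "row: jane.doe@example.com, sam@example.org, cus_Fake1234567890, refund 41.20"),
    ("data-platform", "claude-code",
     "DATABASE_URL=postgres://app:hunter2@db.staging.internal:5432/ledger"),
    ("payments", "copilot-chat", "why does this fail? key=AKIAFAKEFAKEFAKE1234"),
    ("payments", "cursor", "def retry(job): return job.run()"),
]

if __name__ == "__main__":
    print(dict(squad_totals(weekly_digest(SAMPLE_EVENTS))))
```

The digest keys contain only labels, so a manager-facing report built from it cannot expose prompt content.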
Where this goes
We are shipping a macOS-first private beta in the coming weeks. US B2B engineering teams, 200 to 5,000 engineers, Apple Silicon plus Intel. Windows is on the sixteen-week horizon.
If you are a VP Engineering, Head of Security, or CISO quietly worried about exactly this problem, two things help us help you:
- Join the waitlist at heimwall.ai. We reach out personally to the first cohort of design partners.
- To talk SOC 2 progress, on-prem, or BYOK before public launch, email founders@heimwall.ai. The design partner program is open.
The leak is invisible only because nothing has been built to see it. We are building it.