EchoLeak and Indirect Prompt Injection: The Copilot Attack Surface Most Security Teams Are Missing

Most data security platforms treat their scanning infrastructure as a black box. They throw compute at a problem, and the bill either makes sense or it doesn't. At Sentra, we realize that our customers’ compute is precious, so we think about scanning the way we think about everything else: the performance and economics have to work at petabyte scale. Scanning has to be fast and work flexibility in your environment, on the hardware that's actually running.

‍

This post is about a meaningful improvement we shipped to production this week: a full replacement of our ML inference framework for Named Entity Recognition, the model that sits at the core of how Sentra identifies sensitive entities in unstructured data. The result is up to a 75% improvement in scanning performance and price/performance ratio on CPU instances, with no change in classification accuracy.

‍

The Problem: PyTorch + IPEX Was a Dead End

Sentra's ML Server uses a model called GLiNER for NER - Named Entity Recognition - which identifies sensitive entities (PII, PHI, financial data, credentials, and more) in unstructured files like PDFs, Word documents, email archives, and the 150+ other file formats we support.

‍

Until now, we ran inference through PyTorch, augmented by IPEX (Intel Extensions for PyTorch). IPEX gave us a meaningful 2–3x performance boost on Intel CPUs from Cascade Lake onwards. The problem: IPEX has been deprecated. The last version supports PyTorch 2.8 (August 2025), and PyTorch is now at 2.11. Staying on IPEX meant freezing our ML runtime, not an option.

‍

The deprecation also crystallized a broader architectural question: we were tightly coupled to Torch for inference. That coupling brings dependency overhead and limits our ability to optimize for the hardware customers actually run. It was time to rethink the whole stack.

‍

The Approach: Export to a Runtime-Agnostic Graph

The core idea is deceptively simple: instead of running GLiNER through Python and Torch at inference time, we export the model to an independent execution graph that contains both the computation logic and the model weights. This means inference can happen entirely without Python or Torch dependencies.

‍

Two standards define this kind of portable ML representation:

‍

ONNX (Open Neural Network Exchange) is the broadly supported IR for runtime-agnostic ML computation graphs. The ONNX CPU Execution Provider runs on any CPU and is our baseline for older hardware.

‍

OpenVINO (Intel's open-source inference toolkit) takes ONNX a step further — specifically optimized for Intel silicon and, critically, for CPUs with BF16 (16-bit brain floating point) vectorized math support. On newer CPUs - Intel Granite Rapids, Intel Emerald Rapids, AMD Turin - the difference is significant.

‍

The export process wasn't trivial. GLiNER has three layers with dynamic rank (a dynamic number of tensor dimensions) that neither ONNX nor OpenVINO handle cleanly out of the box. We patched those layers directly to produce a compilable graph. We also had to export in two steps - first to ONNX (to preserve high-level meaning of specific layers like LSTM), then to OpenVINO. The full export now runs in CI/CD as part of the ML models image build.

‍

The Results: Up to 75% Improvement in Performance and Price/Performance

We benchmarked across a representative test set of ~700 unstructured files - 100 PDFs, 100 DOCX files, and equivalents across other formats - simulating the full scanning pipeline from parsing to entity extraction, matching real production conditions.

The headline: 17% to 75% improvement in both wall-clock scan time and price/performance ratio. The higher gains land on older CPU generations, where the gap between legacy Torch inference and ONNX CPU EP is widest.

‍

On the latest CPU hardware - 5th-generation AMD Turin and Intel Granite Rapids - the optimized stack delivers scan costs under $0.16 per job. A GPU instance (G6 with L4) achieves a lower absolute scan time (9m 18s), but at $0.152/job, it no longer has a compelling price/performance advantage over the best CPU configurations. For most production workloads, modern CPUs with OpenVINO are the right answer.

Correctness: Validated Within One Percentage Point

A performance improvement that changes what you find is not an improvement - it's a different product. We validated the patched GLiNER against the reference model on 300 test cases:

Precision and recall for the patched model are within a single percentage point of the reference across all variants. At scale, scanning petabytes of unstructured data, that level of fidelity is what makes the classification trustworthy.

‍

Already in Production: Global Logistics Company

About a week and a half before the general release, we deployed the optimized ML Server to a major logistics enterprise's environment. The results matched benchmark expectations - meaningful scan acceleration with no change in the classification findings their security team relies on. That early production validation gave us confidence to push the release broadly.

‍

What This Means for Unstructured Data Security

The reason this matters beyond engineering is that unstructured data is where sensitive information actually lives in most organizations. Contract PDFs, employee records, medical notes, financial models, email archives, scanned documents, the files that contain the data regulators and attackers care about most are overwhelmingly unstructured.

‍

Scanning unstructured data at petabyte scale is computationally expensive. Every efficiency gain in the ML inference layer translates directly into faster time-to-classification, lower scanning cost, and the ability to run continuous classification rather than periodic batch jobs. A 40% improvement in price/performance on a 9-petabyte environment is not a marginal gain, it's a material change in what's economically feasible. This is compounded in environments in which compute is scarce or limited for various infrastructural reasons, but scanning speed is still a priority.. 

‍

This release applies to all file types Sentra supports for unstructured scanning: PDF, DOCX, XLSX, PPTX, email formats, images (via OCR), and the full range of specialized formats; DICOM, EDI, Tableau extracts, pickle/joblib, OneNote, Draw.io, and more. The NER layer that benefits from this optimization runs across all of them.

‍

If you want to go deeper on how Sentra classifies unstructured data across cloud, SaaS, and on-premises environments, explore the platform overview at sentra.io or schedule a demo.

‍

The quick take: The OpenLoop Health breach isn't just another data leak. It's a massive failure in multi-tenant security. A single intrusion into a shared provider exposed 716,000 patients across 120 downstream healthcare companies.

‍

One attack. One unauthorized session lasting less than 24 hours. Names, addresses, dates of birth, and medical records for 716,000 patients were exposed. A threat actor took this data from a company most patients had never heard of.

‍

HHS confirmed the incident in May 2026. It occurred on January 7-8. OpenLoop provides the white-label clinical and operational infrastructure for telehealth brands like Remedy Meds and Fridays.

One breach. One shared layer. 120 separate companies affected.

‍

What Happened: A Single Aggregation Point for 120 Downstream Brands

OpenLoop's business model is designed to be invisible. Healthcare companies use their platform to build virtual care programs. Patients interact with brands like JoinFridays, unaware that a shared backend aggregates their clinical data.

‍

That model creates significant operational efficiency. It also creates a significant data security problem.

‍

OpenLoop aggregates PHI from over 120 organizations. This data must be classified by sensitivity and mapped to specific clients. It requires strict access controls to isolate tenant data. Breach notification filings suggest the data was not segmented at the storage or access layers. It was aggregated, so the attacker took everything.

‍

The specific attack vector is not public. Forensic timelines show access on January 7 and exfiltration by January 8. The attacker moved quickly. There was no lateral movement required because the data was accessible and easy to take.

‍

Why This Keeps Happening: Third-Party Data Aggregators as Invisible Risk

Healthcare organizations spend significant resources securing their own systems. HIPAA compliance programs, annual risk assessments, penetration tests, vendor reviews. But those programs typically examine the primary vendor relationship, not the full stack.

‍

HHS reports that healthcare breaches exposed 167 million records in 2024. Third-party breaches account for a disproportionate share of these incidents. The Change Healthcare breach is the primary example of how one clearinghouse can impact nearly every U.S. insurer.

‍

OpenLoop is a smaller version with the same structural problem. When a third party aggregates sensitive data at scale, they become a high-value, single-point target. And because the data belongs to the third party's clients, not the third party itself, the classification and governance posture of that data often reflects neither the originating client's standards nor a sufficient security investment by the aggregator.

‍

Gartner calls this "shadow PHI." This is protected health information outside the governance perimeter of the responsible organization. It is stored by intermediaries without continuous, consistent data classification controls.

‍

The patients of Remedy Meds, MEDVi, and Fridays did not know OpenLoop existed. Their data did not show up in OpenLoop's public-facing privacy disclosures. And yet it was there, aggregated, accessible, and ultimately exfiltrated.

‍

What Would Have Changed the Outcome

1. Identify Inventory Gaps: Continuous discovery would have surfaced the concentration of multi-tenant PHI in shared stores. This identifies which datasets belong to which clients and confirms if they are appropriately segmented.
2. Flag Co-mingled PHI: Sentra's classification layer flags co-mingled regulated records. This is a critical posture signal that warrants immediate remediation rather than being buried in a report.
3. Analyze Identity and Access: Continuous analysis shows which service accounts and API keys have read access. Least privilege enforcement would have significantly reduced the blast radius of compromised credentials.
4. Map Data Lineage: Lineage mapping provides real-time answers about compromise impact. Security teams need to know exactly how many records are reachable on demand.
5. Consistent Data Labeling: Universal classification tagging, across disparate sensitive data stores, applied automatically enables effective remediation actions to ensure data privacy.

‍

These controls detect and address exposure risk before a breach. While they may not stop every initial access vector, they materially reduce the blast radius with proactive risk management. Visible governance turns a massive incident into a contained event.

‍

What to Do Now

If your organization relies on third-party platforms that aggregate or process sensitive data on your behalf, four things are worth doing this week:

‍

1. Map your data supply chain. Identify every third-party or SaaS vendor that receives, processes, or stores PHI, PII, or regulated data on your behalf. This includes infrastructure providers, not just application vendors.

‍

2. Ask your BAA partners about their data classification posture. A Business Associate Agreement establishes legal accountability. It does not guarantee that your patients' data is classified, segmented, and access-controlled inside the partner's environment. Ask specifically: can they show you where your data lives, who can access it, and how it is isolated from other clients' data?

‍

3. Audit your own aggregation points. Most organizations have internal equivalents of the OpenLoop problem; data lakes, data warehouses, or shared analytics environments where sensitive data from multiple business units or customer segments has been aggregated without consistent classification or access segmentation. Run an inventory.

‍

4. Review your incident response scope. The OpenLoop breach required notifications in Texas, California, Rhode Island, and other states. If a third party was breached and your customers' data was in scope, your incident response obligations may be triggered even without direct access to your own systems. Know your notification posture.

Longer term, consider Data Security Posture Management (DSPM), which is the discipline of continuously discovering, classifying, and governing sensitive data across a distributed data estate — exactly the kind of visibility that a multi-tenant health infrastructure provider needs to avoid what happened here.

‍

Sentra maps sensitive data exposures across your entire environment. This includes all third-party integrations. Start with a data estate inventory. Request a demo.

‍

Most organizations I talk to have the same answer when I ask what their AI sees: "We're not entirely sure."

‍

That's not a technology problem. It's a data governance problem - and it's the most consequential unsolved problem in enterprise security right now.

‍

AI doesn't discriminate. Copilot, cloud-based agents, internal LLMs, can access everything their users can access, and synthesize it in seconds. Years of overpermissioned, unclassified data that security teams have been meaning to clean up is now directly in the path of AI systems that move faster than any previous tool your organization has deployed.

‍

The good news is some organizations have actually solved this. At the Gartner Security & Risk Management Summit this June, three of them are sharing exactly how.

‍

The AI Data Readiness Problem Is Bigger Than Most Teams Realize

Here's what I see repeatedly across security programs. Organizations are deploying AI faster than they're governing the data underneath it.

‍

The data estate didn't get cleaned up before Copilot rolled out. Shadow data stores weren't fully catalogued before the internal agent went live. Classification policies that worked fine for DLP weren't built to handle the access patterns that AI introduces.

‍

When AI systems traverse a knowledge base, they don't stay in their lane - they surface whatever they can reach. If sensitive customer records, financial data, or PII are accessible to a user, they're accessible to that user's AI tools. And AI doesn't just retrieve; it synthesizes and presents, which means the exposure risk compounds.

‍

Governing AI data readiness means knowing three things with accuracy and continuity:

‍

What sensitive data exists and where it lives. Not from a six-month-old scan. From a continuously maintained inventory that reflects the environment as it actually is today.

‍

Who and what can access it. Not just humans; AI agents, service accounts, automated pipelines. The access surface for AI is substantially wider than traditional access models account for.

‍

Whether it's classified correctly before AI touches it. Classification is the foundation. It's what DLP runs on. It's what Copilot safety controls enforce against. If the labels are wrong or missing, every downstream control fails.

‍

Expedia operates 450 petabytes of cloud data. Lyft and SoFi each manage 70+ petabytes. These aren't edge cases — they're the environments where AI data readiness problems are biggest, and where solving them produces the most visible results.

‍

What You'll Hear at Gartner SRM 2026

Sentra is at Gartner SRM all week — June 1 through 3 at National Harbor — and we've built the week around the practitioners who've done this work, not around slides about why it matters.

‍

Here's what's on the calendar.

Wednesday, June 3: Gartner Solution Provider Session

From Data Risk to AI Ready: The Lyft & Expedia Playbook 11:15–11:45 AM | Gartner Solution Provider Stage | Maryland C Ballroom

‍

Hear from the Lyft CISO and Expedia on how they tackled the AI data readiness challenge in 100+ petabyte environments - classifying, governing, and securing the data sprawl already in the path of their AI initiatives. As AI proliferates across the enterprise, the data underneath it becomes the greatest unmanaged risk. In this session, experts share the decisions, tradeoffs, and tools that built their foundation - and what it made possible at scale. Walk away knowing the data readiness essentials so your AI initiative succeeds.

If you're at Gartner SRM this is the one solution provider session you won’t want to miss on Wednesday.

Use the Garter Agenda App to register for:
From Data Risk to AI Ready: The Lyft & Expedia Playbook
11:15–11:45 AM, Wednesday June 11,2026

‍

Monday–Wednesday Morning Roundtables

Invite-Only Breakfast Sessions | Sentra Meeting Suite

‍

These small-group sessions are the intimate version of the stage conversation — tailored to the specific attendee group, with real back-and-forth on what's working and what isn't.

‍

Monday, June 1 | 8:00–8:45 AM (Breakfast) Lyft CISO Chaim Sanders on how Lyft built continuous data readiness and governance in a 70+ petabyte environment. How they classified at scale, where they found the unexpected exposure, and what they'd do differently.

‍

Tuesday, June 2 | 8:00–8:45 AM (Breakfast) Expedia Distinguished Architect Payam Chychi on governing a 450-petabyte environment — the sprawl problem, the AI data access challenge, and the architecture decisions that made classification actionable.

‍

Wednesday, June 3 | 8:00–8:45 AM (Breakfast) SoFi Sr. Manager of Product Security Engineering Zach Schulze on making 70+ PB of cloud data AI-ready — including how they combined Sentra DSPM with Wiz CSPM to reduce noise and govern safely.

‍

Seats are limited and these sessions fill fast. Register at the Gartner SRM 2026 event page →

‍

Tuesday, June 2: CISO Executive Dinner

7:30–9:30 PM | Grace's Mandarin | National Harbor

‍

An invitation-only dinner with a small group of security leaders, including the Lyft CISO and security teams from Expedia and SoFi. Small tables. No presentations. The kind of conversation that only happens when the right people are in the right room.

‍

If you'd like to be considered for an invitation, reach out directly via the event page or connect with your Sentra contact.

‍

Monday–Wednesday: Executive 1:1 Briefings

8:00 AM–5:00 PM | Sentra Private Meeting Suite

‍

For security leaders who want to apply the Lyft, SoFi, and Expedia learnings to their own environment — what AI readiness actually means given your data estate, your AI initiatives, and where your exposure lives. Sessions are led by Sentra's head of product or customer implementations. No slides. Just the right conversation.

‍

Book a 1:1 briefing →

‍

All Week: Live Demos at Booth #222

See how Sentra discovers, classifies, and secures the data already in the path of your AI. The demo is built around your questions — bring the hard ones. The team onsite has worked with some of the largest data environments in the world.

‍

Book a demo at the booth →

‍

Why This Matters Right Now

Gartner SRM is the right venue for this conversation, and 2026 is the right year to have it.

‍

AI deployment accelerated faster than most security teams anticipated. The governance frameworks, classification foundations, and access controls that data-driven AI requires were, in many cases, not in place when the rollout happened. Now those teams are working backward — trying to understand what their AI can actually reach, and whether the data feeding it is classified accurately enough to trust.

‍

The organizations presenting at our events this week tackled this problem at a scale that most enterprises haven't reached yet. What they learned applies regardless of environment size: classification has to happen before AI touches the data, not after. The inventory has to reflect reality continuously, not periodically. And governing AI access requires a fundamentally different approach than governing human access.

‍

If you're at Gartner SRM and this is the problem your organization is working on, the sessions above are worth your time.

‍

See the full schedule and register at sentra.io/gartner-srm-2026 →

‍