Walk into any aerospace, defense, semiconductor or industrial design organization and you’ll find one file format everywhere: AutoCAD’s DWG. These drawings are the blueprints for missiles, fabs, turbines, containment domes and critical infrastructure. They’re also one of the biggest blind spots in most data security programs. Traditional DSPM and DLP tools see a DWG as a big opaque blob: “binary, probably sensitive, treat with caution.” That’s no longer good enough if you are operating under ITAR, EAR or handling multi‑billion‑dollar IP assets.

‍

This is why we built native DWG parsing into Sentra. We now read AutoCAD DWG files directly, with no AutoCAD license, no intermediate conversion and no third‑party libraries. For the first time, security and compliance teams can discover, classify and monitor the sensitive data hiding inside CAD drawings across cloud storage, file shares and engineering data lakes.

Why DWG Has Been Invisible to Security

As a CTO I’ve sat in many reviews where teams are confident they know where PII lives and where source code lives. When I ask, “What about your CAD drawings?” the room usually goes quiet.

‍

DWG is a proprietary binary format, engineered for performance and fidelity, not for generic content inspection. Security tools that rely on text extraction or simple file signatures can’t see anything meaningful inside it. On top of that, CAD is often considered “engineering’s problem.” Drawings live on legacy engineering servers, PLM systems, or “temporary” project shares that never get decommissioned. When those repositories are lifted and shifted to S3, Azure Blob or SharePoint, security inherits terabytes of DWG files with almost no insight into what they actually contain.

‍

Regulations add more pressure. ITAR and EAR talk about “technical data,” but the tooling most teams use for export‑control compliance was built around PDFs and Office documents, not native CAD formats. The result is predictable: either every DWG is treated as maximally toxic—which paralyzes engineering—or they’re collectively ignored, which is worse.

We wanted to break that stalemate by making DWG as transparent to security teams as a Word document.

What’s Really Inside a DWG File?

A DWG file is far more than geometry. It’s a container for rich metadata, text and structural elements that describe both the design and its context.

‍

Sentra’s parser now extracts several key categories of information:

‍

• Document properties such as author, “last saved by,” creation and modification timestamps, total editing time and revision counters. This tells you who touched a drawing and when.
• Title block attributes where engineering teams encode drawing numbers, project IDs, revision codes, department names, approvers and—crucially—export control markings like ECCN codes and ITAR statements.
• Text content from notes, MText blocks, labels and callouts. This is where you see manufacturing tolerances, material specifications, part numbers and phrases like “COMPANY CONFIDENTIAL” or “EXPORT CONTROLLED.”
• Layer names, which engineers often use to signal sensitivity or ownership:
  ITAR-CONTROLLED, PROPRIETARY, CLIENT-CONFIDENTIAL, CLASSIFIED-GEOMETRY, and so on.
• Application metadata such as the AutoCAD version, build and locale that created the file. That can help tie drawings back to specific offices or workstation groups.
• File dependencies and paths including fonts, external references (xrefs), plot configurations and linked drawings. These paths routinely expose server names, share names, usernames and department structures.

If you’re an attacker, that metadata is a reconnaissance goldmine. If you’re running security for a regulated engineering environment, it’s exactly the context you’ve been missing.

Why DWG Data Is Exceptionally Sensitive

Literal blueprints of your IP

In many organizations, DWGs are the most literal representation of intellectual property that exists. They encode the shape of a missile fin, the trace layout of a secure ASIC, or the reinforcement pattern of a containment vessel. A leaked drawing isn’t a description of the product—it is the product. Unlike a slide deck or a spec sheet, a DWG often contains everything a capable adversary needs to replicate or attack the system. That makes these files high‑value targets for nation‑state actors and sophisticated competitors.

Export control and regulatory risk

For companies operating under ITAR and EAR, DWGs are typically where export‑controlled “technical data” actually lives.

The ECCN code or ITAR statement is rarely in the filename or the folder name. It’s embedded in the title block attributes and in annotations on the page. A single file with those markings sitting in an uncontrolled S3 bucket, or shared via a public link, can trigger a regulatory violation with multi‑million‑dollar consequences and long‑term impact on your ability to win future contracts.

‍

Because Sentra parses DWGs directly, we can programmatically answer questions like:

‍

• “Show me every DWG in our cloud environment that contains an ITAR statement or ECCN code.”
• “Where exactly are those files stored, and who can access them?”

That’s impossible to do reliably if you treat DWGs as opaque binary blobs.

Supply‑chain exposure

Drawings don’t stay within a single company. They flow between primes, subcontractors, design houses, manufacturers and integration partners. Each stop along that chain leaves traces: author names, revision histories, local file paths, department identifiers. When you ingest a partner’s DWG, you’re often ingesting their sensitive operational metadata as well as your own IP. That creates both an obligation to protect it and an opportunity for attackers to learn about everyone involved in your programs.

People and infrastructure reconnaissance

From an attacker’s perspective, seemingly benign fields like “Last saved by,” or dependency paths like \\ENGSERVER03\Projects\F35-Wing\Stress\ are a treasure map. They reveal usernames, project names, server names and network topology.

From a defender’s perspective, that same metadata is invaluable for incident response and insider‑risk investigations—if you can see it.

How Security Teams Are Already Using DWG Parsing

Let me make this more concrete with a few patterns we’re seeing in early deployments.

Discovering export‑controlled drawings in cloud storage

An aerospace manufacturer had migrated years of engineering history from on‑premises file servers into S3 and Azure Blob. They knew “there’s a lot of CAD in there,” but they couldn’t distinguish a generic fixture drawing from a file that actually carried ITAR or EAR restrictions.

‍

With Sentra scanning those buckets, they can now automatically identify DWGs whose title blocks or annotations contain ITAR statements, ECCN codes or proprietary markings. That means they can focus remediation and access reviews on the subset of drawings that are actually regulated, instead of blanket‑treating every DWG the same way.

Engineers get fewer unnecessary reviews. Security gets a precise map of where controlled technical data lives in cloud storage.

Monitoring technical data exfiltration via collaboration platforms

Another customer, an energy company, shares drawings with EPC contractors through SharePoint, OneDrive and Box. Hundreds of DWGs move every week. Previously, they had no idea whether the files shared externally described generic mounting brackets or detailed layouts of protected infrastructure.

‍

By parsing DWGs inline as they pass through those platforms, Sentra can now flag drawings whose contents match sensitive keywords, export‑control markings, or proprietary statements. Security teams see alerts like “DWG with ITAR language shared with external account” rather than “some DWG went out,” which is what most tools can tell you today.

Building a defensible ITAR audit trail

A defense contractor we work with has to periodically prove to auditors that all ITAR‑controlled technical data is stored and processed only in approved regions and systems. Historically they relied on manual attestations from engineering teams and small sample reviews.

‍

Now they scan every DWG in scope with Sentra. We generate an inventory of all drawings that contain ITAR or EAR markings, map each file to its exact storage location and access control set, and surface any out‑of‑policy placements. When an auditor asks “Show us where your ITAR technical data is,” they can answer with data, not with a slide deck.

How Our DWG Parser Works

From an engineering standpoint, we wanted a solution that was:

• Native: no dependence on AutoCAD or closed‑source SDKs.
• Wide‑ranging: support for virtually all real‑world DWG files.
• Predictable: deterministic behavior at petabyte scale.

We implemented a parser that reads the binary DWG format directly, supporting AutoCAD versions from 2000 through 2024 (formats AC1015 through AC1032). There’s no AutoCAD installation required anywhere in the environment. We don’t convert files to DXF, PDF or images. We don’t send data to external services.

All parsing happens where Sentra runs—inside the customer’s cloud accounts or VPCs—so sensitive technical data never leaves their control.

Closing the Gap Between “Stored” and “Understood”

DWG support is part of a broader direction for Sentra. As more specialized workloads move to the cloud—EDA, PLM, simulation, scientific computing -the number of proprietary and domain‑specific file formats in your environment explodes.

‍

Most security tools weren’t built for that world. They know how to read emails and office documents. They can fingerprint code repositories. But they look at a DWG, a GDSII, or a proprietary simulation output and shrug.

‍

The reality is simple:

You cannot secure data you don’t understand.

Understanding means being able to answer, at scale, not only “Where is this file?” but “What is inside this file, and how sensitive is it?”

‍

For organizations in aerospace, defense, energy, manufacturing and other technical industries, DWG files are often where your most tightly regulated and most commercially valuable data lives. Being able to automatically discover and classify that content is not a nice‑to‑have. It’s a compliance requirement that has been hiding in plain sight.

‍

If you want to see what’s actually hiding in your own drawings, the easiest next step is to run a focused assessment: pick a few representative buckets or repositories, let Sentra scan the DWGs in place, and look at the inventory of export‑controlled and proprietary designs that surfaces.

‍

My experience is that once you see those results, you’ll never look at “just another CAD file” the same way again.

<blogcta-big>

‍
‍

RSAC 2026 is shaping up to be one of the most important RSA Conferences to date, especially for security teams navigating AI adoption, Copilot readiness, and large-scale data governance. At RSA Conference 2026 in San Francisco, Sentra is bringing together security leaders from major enterprises across financial services and global consumer industries to discuss how modern enterprises are preparing their data for AI, strengthening governance, and rethinking DLP in an AI-driven world.

If you’re attending RSAC 2026, here’s where to find us, and why it matters.

CISO AI Copilot Readiness Roundtables at RSAC 2026

March 23–26 | W Hotel | Steps from Moscone

‍

AI assistants like Microsoft Copilot and Google Gemini are transforming how employees access enterprise data. What once required manual searches across drives, mailboxes, and SaaS applications can now be surfaced instantly.

That shift is powerful, but it also forces CISOs to confront a difficult question: is our data actually AI-ready?

During RSAC 2026, Sentra is hosting closed-door CISO AI Copilot Readiness Roundtables, bringing together security leaders from major enterprises across financial services and global consumer industries. These sessions are intentionally intimate and designed for candid peer discussion rather than vendor presentations.

‍

No slides. No marketing decks. Just real-world insights on what’s working, and what isn’t - as organizations operationalize AI securely. Register for a roundtable.

AI Data Readiness for 70+ PB: Lessons from a Leading Financial Platform at RSAC 2026

March 24 | 7:45 AM – 9:00 AM

‍

Preparing data for AI at scale is not theoretical, especially when you're dealing with more than 70 petabytes of data.

In this RSAC 2026 session, a former Director of Product Security from a leading digital financial platform will share how their organization approached AI data readiness using Sentra. The session will explore how large financial institutions can gain visibility into massive data environments, reduce exposure risk, and enable Copilot and machine learning adoption without compromising governance.

‍

If you're managing AI adoption in a complex, high-scale environment, this session offers practical lessons grounded in real-world enterprise execution. Register for the session.

Continuous Compliance with AI Visibility: Lessons from a Major Mortgage Institution at RSAC 2026

March 25 | 12:00 PM – 1:00 PM

‍

For a $500B U.S. mortgage institution, compliance is not a one-time event, it’s a continuous obligation.

In this RSA Conference 2026 session, a CISO from one of the largest mortgage lenders in the United States will share how their organization uses Sentra to gain visibility into sensitive data, automate Jira masking workflows, and transform compliance from a reactive burden into a proactive advantage.

‍

As regulatory expectations increase around AI systems and data governance, continuous compliance becomes a strategic capability rather than just an audit checkbox. Register for the session.

‍

A Global Enterprise Blueprint for Modern DLP Compliance at RSAC 2026

Global enterprises face an even more complex challenge: governing data consistently across Azure, Snowflake, Microsoft 365, and Purview, while preparing for AI and Copilot integration. At RSAC 2026, data security leaders from one of the world’s largest consumer brands will share how they built a governance framework that integrates large data catalogs with modern DLP controls. The session explores how traditional policy-based DLP can evolve into a model that combines deep data intelligence with enforcement aligned to business context.

‍

For organizations operating across regions and platforms, this blueprint offers a practical path forward. Register for the session.

Visit Sentra at Booth #N4607 at RSA Conference 2026

If you’re walking the floor at RSAC 2026, stop by Booth N4607 to explore how Sentra enables AI-ready data security.

Our team will be showcasing how organizations can:

‍

• Eliminate risk from AI agents and ML model adoption
  
• Discover unknown sensitive data exposures
  
• Add AI-powered intelligence to improve DLP precision
  

Rather than simply layering new policies on top of old systems, we’ll demonstrate how DSPM and DLP can work together in a unified architecture. Book a Demo at Booth N4607.

Executive Briefings at RSAC 2026

For security leaders looking to go deeper, Sentra is offering private briefings during RSA Conference 2026. These sessions provide the opportunity to discuss real-world data security challenges, proven best practices, and lessons learned from enterprise deployments.

‍

Each discussion is tailored to your environment, whether your focus is AI readiness, exposure reduction, or continuous compliance. Schedule a Personal Briefing.

Special Events During RSAC 2026

The Women in Security Documentary

March 24 & 25 | AMC Metreon 16

‍

Just steps from Moscone Center, join us for a special screening celebrating women redefining leadership in cybersecurity. The red carpet begins at 4:00 PM, with the screening starting at 4:45 PM.

Register Now

Sentra + Defensive Networks RSA Dinner

March 25 | 7:00 PM | The Tavern, San Francisco

‍

We’re hosting an intimate, relationship-centered dinner for security leaders navigating today’s most pressing AI and data security challenges. Designed for meaningful dialogue and peer exchange, this event offers space for authentic conversation beyond the conference floor.

Why AI Data Security Defines RSAC 2026

The defining theme of RSA Conference 2026 is clear: AI has changed the security equation. AI systems do not create new data, but they dramatically increase its discoverability, accessibility, and movement. That reality exposes gaps between visibility and enforcement that many organizations have tolerated for years. To secure AI adoption, organizations need more than isolated tools. They need continuous data intelligence, context-aware enforcement, and feedback between the two. That is the architecture Sentra is bringing to RSAC 2026.

See You at RSA Conference 2026

If you’re attending RSAC 2026 in San Francisco, we’d love to connect.

‍

📍 Booth N4607
📅 March 23–26, 2026
📍 Moscone Center

‍

Join us to explore how AI-ready data security becomes practical, measurable, and operational- not just theoretical.

<blogcta-big>

‍

The recent Microsoft Copilot Chat incident, in which enterprise users reportedly saw AI-generated summaries that included confidential content from Drafts and Sent Items despite sensitivity labels and DLP policies, has reignited a critical conversation about AI assistant security.

Microsoft clarified that Copilot did not bypass underlying access controls. But that explanation only addresses part of the problem. The real issue isn’t whether Microsoft Copilot broke security controls. It's that Copilot inherits user permissions, and can apply its extensive abilities to uncover data the user may have long forgotten (or never properly secured in the first place).

Copilot didn’t create new risks, it surfaced existing exposure - instantly, at scale, and in a way that made it visible. For organizations deploying Microsoft Copilot, that distinction matters.

Why the Microsoft Copilot Incident Matters More Than It Appears

Microsoft Copilot operates within the permissions of the signed-in user. On paper, that sounds safe. In reality, it means Copilot can access everything the user can access - across years of accumulated data.

In a typical Microsoft 365 environment, that includes:

• Emails stretching back years
• Linked SharePoint Online documents
• OneDrive folders shared broadly across teams
• External guest-accessible sites
• Archived projects no one has reviewed in years

When Copilot summarizes a mailbox, it can follow embedded links into SharePoint and OneDrive. If those linked files contain overshared financials, HR investigations, contracts, or regulated data, Copilot can surface insights from them in seconds.

Previously, this data exposure existed quietly in the background. AI assistants remove friction:

• No need to manually search multiple systems
• No need to remember file locations
• No need to understand organizational silos

A single natural-language prompt can traverse it all.

That is the shift. And that is the risk.

AI Assistants Change the Data Risk Model

Traditional enterprise security assumes that risk is constrained by human effort. Data may technically be accessible, but if it requires time, institutional knowledge, or manual searching, exposure is limited.

AI assistants like Microsoft Copilot eliminate those barriers.

Instead of asking, “Who has access to this file?” organizations must now ask:

“What can an AI assistant synthesize from everything a user can access?”

This is a fundamentally different security model.

The Microsoft Copilot Chat incident demonstrated that even when sensitivity labels and DLP policies are in place, unexpected AI-generated outputs can undermine confidence. The concern is not only regulatory exposure, its reputational, operational, and executive trust in AI initiatives.

Why Sensitivity Labels and DLP Are Not Sufficient for Copilot Security

Many organizations rely on Microsoft Purview, sensitivity labels, and Data Loss Prevention (DLP) policies to control how information is handled in Microsoft 365.

Those tools are essential, but they are not enough on their own.

In real-world environments:

• Labels are inconsistently applied
• Legacy data predates modern classification policies
• SharePoint sites remain broadly accessible long after projects end
• OneDrive folders accumulate stale and redundant files
• Linked documents inherit exposure from misconfigured parent sites

AI assistants operate on access reality, not policy intention. If sensitive data is accessible (even unintentionally) Copilot can surface it. The Copilot Chat incident did not reveal a failure of AI. It revealed a failure of data posture alignment.

Microsoft Copilot Requires AI Data Readiness

Before enabling Copilot broadly across Microsoft 365, organizations need what can be described as AI Data Readiness.

AI Data Readiness means achieving continuous visibility into:

• Where sensitive data lives
• How it is shared internally and externally
• Which SharePoint and OneDrive assets are overshared
• Whether classification matches actual content
• What historical data remains unnecessarily accessible
  
  

Without this foundation, Copilot becomes a force multiplier for hidden exposure.

With it, Copilot becomes a productivity accelerator.

DSPM: The Missing Layer in Secure Microsoft Copilot Deployment

Data Security Posture Management (DSPM) provides the continuous, data-centric visibility required for secure AI adoption.

Rather than focusing solely on permissions or labels, DSPM answers deeper questions:

• What sensitive and regulated data exists across Microsoft 365?
• Where is it exposed?
• What is its purpose? 
• Who can access it?
• How does it move?
• Is it properly classified and governed?

Sentra’s DSPM-driven approach continuously discovers and classifies sensitive data across SharePoint Online, OneDrive, cloud storage, and SaaS platforms. Using AI-enhanced classification, it differentiates routine collaboration documents from high-risk assets such as HR investigations, financial statements, intellectual property, and regulated PII or PHI.

This creates a unified, context-rich map of enterprise data exposure, the exact context Copilot relies on when generating responses.

From Visibility to Remediation

Once visibility exists, security teams can act with precision.

Instead of broadly restricting Copilot access, which reduces productivity, organizations can surgically reduce risk by:

• Identifying overexposed SharePoint sites containing sensitive data
• Detecting OneDrive folders shared with large groups or external guests
• Removing stale, redundant, and “ghost” data
• Reconciling missing or misaligned sensitivity labels
• Aligning MPIP and DLP controls with actual content reality

The result is not AI avoidance. It is controlled AI expansion.

The Strategic Shift: Treat Copilot Security as a Data Problem

The Microsoft Copilot Chat incident should not trigger panic. It should trigger maturity.

AI assistants reflect the state of your data. If your Microsoft 365 environment contains overshared, misclassified, or stale sensitive information, AI will surface it.

Organizations that succeed with Microsoft Copilot will be those that:

• Audit their Microsoft 365 data exposure continuously
• Reduce unnecessary access before enabling AI at scale
• Align labels, policies, and actual content
• Limit AI blast radius through data posture improvements
• Treat AI adoption as a data governance transformation

The conversation should move from “Is Copilot safe?” to:

“Is our data posture ready for Copilot?”

When DSPM underpins AI adoption, Copilot shifts from potential liability to competitive advantage.

Final Thought: AI Assistants Don’t Create Risk - They Reveal It

The Microsoft Copilot incident is not an isolated anomaly. It is an early indicator of how AI assistants will reshape enterprise security assumptions. Copilot can only summarize what users already have access to. If access is overly broad, outdated, or misconfigured, AI will expose that reality faster than any audit ever could.

Organizations that invest in AI Data Readiness today will not only prevent future incidents, they will accelerate secure AI transformation across Microsoft 365.

<blogcta-big>