Surveillance and Data Governance: Active Compliance for Risk Management in Messaging Channels

Auditing and fully governing the history of conversations conducted through corporate messaging channels — such as WhatsApp, Slack, Microsoft Teams, and Telegram — is becoming increasingly essential every year. According to Gartner, 25% of all enterprise generative AI applications will experience at least five minor security incidents per year by 2028.

To present a new perspective on compliance, Deborah Wanzo, CEO of Tuvis, delivered a presentation at the International Compliance Congress addressing the core vulnerability faced by regulated institutions and large enterprises: off-channel risk.

In a country like Brazil, where, according to Forbes Brazil, WhatsApp has become the primary communication tool for colleagues, suppliers, and clients, managing these channels — often used informally and personally within organizations — is no longer merely an internal policy matter. It has become essential for regulatory compliance and corporate governance.

In this article, we will explain how companies can implement active monitoring of messages exchanged through platforms such as WhatsApp, Teams, Slack, Telegram, and others, based on the insights presented by Deborah during the 13th Compliance Congress.

The Visibility Challenge: Productivity vs. Compliance

Approximately 70% of Brazilian companies already use messaging channels in their sales and customer relationship strategies. However, the widespread adoption of these tools exposes a critical conflict between employee productivity and corporate security protocols.

Although these applications provide convenience and agility, they also create significant security and compliance risks. According to research, by the end of 2025, more than 206 million Brazilians will have experienced data leaks related to WhatsApp. This highlights vulnerabilities caused by the lack of corporate governance and full visibility into employee communications, reinforcing the need for robust systems capable of ensuring data security.

In addition, studies show that 69% of employees admit to bypassing security policies to increase productivity, close deals faster, and build closer relationships with clients through the use of new technologies and artificial intelligence tools. However, many of these tools are not regulated or approved by companies, creating potential risks for confidential information leaks.

The reasons employees seek external tools and AI solutions vary. These include improving productivity, increasing agility, boosting sales, and building stronger customer relationships. The result is the growing phenomenon known as Shadow IT — and its evolution, Shadow AI — where tools are adopted without approval or oversight from IT and Security departments, placing sensitive corporate data at significant risk and increasing the need for effective monitoring and governance solutions.

The direct consequence is corporate blindness, where 72% of companies lack visibility into the sharing of sensitive data across these channels.

This silent risk comes at a high cost. Globally, failures to monitor off-channel communications have already resulted in more than R$40 million in fines related to data leaks, with penalties potentially reaching much higher amounts depending on the severity of the violation. Financial losses are further amplified by reputational damage and the termination of client contracts.

To avoid fines and reputational harm, organizations must adopt a new mindset, transitioning from Reactive Compliance to Active Compliance.

The Necessary Transition: From Reactive to Active Compliance

The reactive model relies exclusively on passive data archiving and retrospective investigations into incidents that have already occurred. The active approach, on the other hand, transforms the Compliance function entirely:

From Investigation to Prevention

The focus shifts from investigating past incidents and their causes to preventing policy violations before they happen.

From Passive Security to Predictive Surveillance

This transformation materializes through the concept of Surveillance.

Surveillance is the continuous and technical monitoring of data, transactions, and infrastructure to detect anomalies, fraud, or cyber threats in real time. It represents predictive vigilance capable of anticipating risks before they evolve into legal or financial incidents.

The Inevitability of Technology: Contextual AI and Data Governance

Monitoring millions of messages across multiple channels, such as WhatsApp, Teams, and Slack, to maintain active compliance is impossible without specialized technology. The solution goes far beyond simply archiving conversations or searching for isolated keywords, which often generate false positives due to the lack of contextual understanding.

The technology required for Active Compliance must:

Implement Intelligent Archiving

Ensuring governance and privacy while automatically capturing all interactions for regulatory compliance purposes.

Use Agentic Artificial Intelligence

Rather than functioning solely as a search tool, AI must interpret the context of conversations. It should not merely detect keywords, but understand the nuances of communication to accurately identify policy violations.

Integrate Real-Time DLP (Data Loss Protection)

A robust monitoring platform must be capable of analyzing content and even blocking the transmission of messages, documents, or images that violate internal policies. Ideally, proactive DLP tools should prevent incidents before they occur.

The Value of Information Ownership

At its core, Active Compliance restores ownership and responsibility over information to the organization, regardless of the communication channel being used.

Technology partners specialized in extracting value from corporate communications demonstrate the effectiveness of this approach.

Tuvis prevented more than 3 million incidents and data leaks in a single year.

This prevention is critical considering that the average cost of a data incident can reach US$3.8 million, including fines, fraud, and reputational damage. Adopting solutions that ensure compliance with rigorous global standards such as LGPD, GDPR, SOC 2 Type II, and MiFID II transforms Compliance from the “Department of No” into a strategic pillar that guarantees both security and productivity within messaging environments.

Tuvis is a complete security and compliance platform that enables companies and users to achieve total protection against data leaks through proactive security and strict compliance certifications.

Through Tuvis’ advanced DLP capabilities, organizations can:

  • Block the sharing of sensitive and personal data (such as tax IDs, AWS credentials, or credit card numbers).
  • Analyze and block sensitive content in documents (PDFs) and images.
  • Prevent harassment cases by notifying account managers immediately when inappropriate messages are blocked.
  • Block and prevent incidents before they occur.
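As an added illustration of the kind of content check the DLP capabilities above describe (this is example code written for this article, not Tuvis' own engine or rules, which are not published), the following scanner looks for three of the data types named in the list: Brazilian tax IDs (CPF), AWS access key IDs, and payment card numbers. It also shows why plain keyword or pattern matching produces the false positives mentioned earlier: each candidate is validated with its checksum (CPF check digits, Luhn for cards) before a block decision is made. The CPF and Luhn algorithms are the publicly documented ones; the `AKIA` + 16 character key format is the commonly published AWS access key ID shape and is assumed here; the sample messages are constructed.

```python
import re
from dataclasses import dataclass

# Candidate patterns. These only find *possible* identifiers; the
# validators below decide whether a match is real, which keeps the
# false-positive rate down compared with matching on digits alone.
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits, optional separators
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")           # assumed access key ID shape


@dataclass(frozen=True)
class Finding:
    kind: str
    masked_value: str   # never log the full secret, keep the last 4 chars


def mask(value: str) -> str:
    """Replace all but the last four characters with '*'."""
    return value[-4:].rjust(len(value), "*")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def cpf_ok(digits: str) -> bool:
    """CPF check digits: weighted sum mod 11 over the first 9, then first 10 digits."""
    if len(digits) != 11 or len(set(digits)) == 1:   # 111.111.111-11 style values are invalid
        return False

    def check_digit(prefix: str) -> int:
        weights = range(len(prefix) + 1, 1, -1)      # 10..2 for 9 digits, 11..2 for 10
        remainder = sum(int(d) * w for d, w in zip(prefix, weights)) % 11
        return 0 if remainder < 2 else 11 - remainder

    return (check_digit(digits[:9]) == int(digits[9])
            and check_digit(digits[:10]) == int(digits[10]))


def scan_message(text: str) -> list[Finding]:
    """Return validated sensitive-data findings for one message."""
    findings: list[Finding] = []
    for m in AWS_KEY_RE.finditer(text):
        findings.append(Finding("aws_access_key_id", mask(m.group())))
    for m in CPF_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if cpf_ok(digits):
            findings.append(Finding("cpf", mask(digits)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("payment_card", mask(digits)))
    return findings


def policy_decision(text: str) -> str:
    """Block the message if any validated finding is present, otherwise allow it."""
    return "block" if scan_message(text) else "allow"


# Constructed sample messages (not real customer data).
SAMPLE_MESSAGES = [
    "Segue o CPF do cliente: 123.456.789-09",          # valid check digits -> block
    "Anota aí o CPF 123.456.789-00",                    # looks like a CPF, fails checksum -> allow
    "staging key is AKIAIOSFODNN7EXAMPLE, don't share",  # AWS documentation example ID -> block
    "card on file: 4111 1111 1111 1111",                # Luhn-valid test number -> block
    "order ref 4111 1111 1111 1112 shipped",            # Luhn fails -> allow
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{policy_decision(msg):5} | {msg} | {scan_message(msg)}")
```

Masking in the findings matters in practice: an alerting pipeline that copies the full card number or key into a ticket has just created a second leak. The checksum step is what separates a usable DLP rule from a "keyword" rule; in a real deployment the same idea extends to document and image content after text extraction.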

Schedule your demonstration with a specialist and ensure the peace of mind that only complete auditing and governance solutions can provide for your organization.
