[AI Gateway] Document DLP interaction with caching (#30906)

ethulia · web-flow · commit 71837eb26823 · 2026-05-18T23:36:54.000Z
diff --git a/src/content/docs/ai-gateway/features/dlp/index.mdx b/src/content/docs/ai-gateway/features/dlp/index.mdx
@@ -55,6 +55,20 @@ Because of this buffering:
 - **Request-only DLP scanning** (where the **Check** setting is set to **Request**) does not buffer the response and has no impact on streaming latency.
 - If you need low-latency streaming for certain requests while still using DLP on the same gateway, consider setting the DLP policy **Check** to **Request** only, or use separate gateways for latency-sensitive and DLP-scanned traffic.
 
+### Interaction with caching
+
+DLP scanning runs after a cache miss, when AI Gateway forwards the request to the provider and receives a response. The following table describes how each DLP outcome affects caching:
+
+| DLP outcome | Response cached | Behavior |
+| --- | --- | --- |
+| Pass (no findings) | Yes | The response is cached normally according to your gateway cache settings. |
+| Flag | Yes | The response is cached normally. DLP findings are attached to the `cf-aig-dlp` response header and recorded in logs, but the original response is returned to the client. |
+| Block | No | The provider response is discarded and replaced with a DLP error response (status `400`). |
+
+**Cache hits skip DLP scanning.** When a subsequent identical request matches a cached response, AI Gateway serves it directly from cache without re-running DLP. This is safe because only responses that already passed DLP (or were flagged, not blocked) are cached. However, if you update your DLP policies after a response has been cached, the cached response is not re-evaluated. It continues to be served until the cache TTL expires.
+
+If you need DLP policy changes to take effect immediately, you can bypass the cache for new requests using the `cf-aig-skip-cache` header. For more information, refer to [Caching](/ai-gateway/features/caching/).
+
 ### Per-request DLP controls
 
 DLP policies are configured at the gateway level and apply uniformly to all requests passing through that gateway. There is no per-request header to select specific DLP profiles or to bypass DLP scanning for individual requests.
