DataDog · drichards-87 · Jun 15, 2026
@@ -33,11 +33,21 @@ Agent Observability integrates with [Sensitive Data Scanner][3], which helps pre
 
 By proactively scanning for sensitive data, Agent Observability ensures that conversations remain secure and compliant with data protection regulations. This additional layer of security reinforces Datadog's commitment to maintaining the confidentiality and integration of user interactions with LLMs.
 
+Sensitive Data Scanner scanning for Agent Observability uses a managed scanning group that Datadog creates automatically when you first open the [Agent Observability Settings page][4]. You cannot create additional scanning groups or delete the managed group.
+
+You can customize the rules in the managed group:
+
+- Add predefined rules from the [Scanning Rule Library][5].
+- Disable rules you do not need.
+- Add custom rules to detect additional sensitive data patterns.
+
 ## Further reading
 
 {{< partial name="whats-next/whats-next.html" >}}
 
 [1]: /account_management/rbac/data_access
 [2]: /llm_observability/instrumentation/sdk/#span-processing
 [3]: /security/sensitive_data_scanner/
+[4]: https://app.datadoghq.com/sensitive-data-scanner/configuration/llm-spans
+[5]: /security/sensitive_data_scanner/scanning_rules/library_rules/
 
@@ -15,7 +15,7 @@ further_reading:
 Set up Sensitive Data Scanner to scan your:
 
 - Telemetry data, so you can identify sensitive data in your logs, APM spans, RUM events, and events from Event Management. See [Set Up for Telemetry Data][1] for instructions.
-- Agent Observability data, so you can identify sensitive data in LLM traces, prompts, and completions. Navigate to the [Agent Observability Settings page][3] to configure scanning.
+- Agent Observability data, so you can identify sensitive data in LLM traces, prompts, and completions. Configure scanning on the [Agent Observability Settings page][3]. See [Agent Observability Data Security and RBAC][5] for details.
 - Cloud storage data, so you can identify sensitive data in your Amazon S3 buckets. See [Set Up for Cloud Storage][2] for instructions.
 - Code repositories, so you can detect exposed secrets in source code. See [Secret Scanning][4] for instructions.
 
@@ -27,3 +27,4 @@ Set up Sensitive Data Scanner to scan your:
 [2]: /security/sensitive_data_scanner/setup/cloud_storage/
 [3]: https://app.datadoghq.com/sensitive-data-scanner/configuration/llm-spans
 [4]: /security/code_security/secret_scanning/
+[5]: /llm_observability/data_security_and_rbac/
@@ -53,6 +53,19 @@ This document goes through the following:
 - [How to control access to logs wth sensitive data](#control-access-to-logs-with-sensitive-data)
 - [How to redact sensitive data in tags](#redact-sensitive-data-in-tags)
 
+## Supported actions by data source
+
+The action you can apply to matched sensitive data depends on the data source. The following table shows which actions Sensitive Data Scanner supports for each telemetry data source:
+
+| Action           | Logs | APM | RUM | Events |
+|------------------|------|-----|-----|--------|
+| Redact           | Yes  | Yes | Yes | Yes    |
+| Partially redact | Yes  | Yes | Yes | Yes    |
+| Hash             | Yes  | Yes | Yes | Yes    |
+| Mask             | Yes  | No  | No  | No     |
+
+**Note**: Sensitive Data Scanner does not redact sensitive data in cloud storage resources. For cloud storage, Sensitive Data Scanner performs detection only. See [Set Up Sensitive Data Scanner for Cloud Storage][17] for more information.
+
 ## Setup
 
 ### Permissions
@@ -375,4 +388,5 @@ To turn off Sensitive Data Scanner entirely, set the toggle to **off** for each
 [13]: /observability_pipelines/processors/sensitive_data_scanner/
 [14]: /observability_pipelines/configuration/set_up_pipelines/
 [15]: /security/sensitive_data_scanner/scanning_rules/library_rules/
-[16]: /logs/log_configuration/archives/?tab=awss3#datadog-tags
+[16]: /logs/log_configuration/archives/?tab=awss3#datadog-tags
+[17]: /security/sensitive_data_scanner/setup/cloud_storage/