Skip to content

13. Honest admission

Twelve chapters of discipline. None of them solve the problem entirely. This chapter lists the limits a thoughtful lead is transparent about — with their team, their stakeholders, and themselves — when telling the story of data-access governance for AI agents.

The discipline this module taught raises the floor. It does not provide a guarantee. The honest admissions below are the gaps where governance is bounded and where a lead should expect to make judgment calls rather than apply rules.

1 — A correctly-scoped call can still surface the wrong field to the user

The scope can be perfect (chapter 04); the audit can be clean (chapter 07); the PII filter can be exhaustive (chapter 05). And the agent can still phrase the response in a way that surfaces a field the user should not see — by misformatting, by combining innocent fields into an inference, by repeating something from earlier in the conversation. The discipline narrows the data the model sees; what the model does with it remains a model-behaviour problem, addressed by output guardrails (module 00_safety_guardrail_design) and evals (module 04_ai_product_evals).

2 — The context window persists what it has seen

Data fetched into the context influences every subsequent generation in the conversation. The session may end; the conversation memory may be deleted; but during the session, regulated data may have been used to inform a response that does not mention it directly. There is no clean undo for "the model used this to think about that, and the answer subtly leaked it." The discipline minimises what enters context; perfect cleanup after-the-fact is not feasible.

3 — PII detection has long tails

Pattern-driven detection catches what fits known patterns. Model-driven detection is better but slower. Neither catches everything: a fragment of an email split across two fields, a creative rendering of a phone number, a sensitive attribute hidden in a description. The discipline raises the floor; the long tail will leak occasionally. The mitigation is layered detection plus periodic review of audit content for leaks the pattern missed.

4 — Fine-tuning on personal data is structurally hard to undo

If a model was trained or fine-tuned on personal data and a data subject requests erasure, the model itself may need re-training to remove the influence. This is multi-week work and expensive. Most agent platforms avoid this by not training on personal data; the cases that do train face an irreducible problem under right-to-be-forgotten. The honest answer to a regulator: "we will retrain; here is the schedule," is sometimes acceptable; "we will not train on personal data" is the better default.

5 — Backup deletion has timing properties

Backups age out per their retention. A data subject's erasure request lands; the primary is deleted immediately; the backup persists for some window (typically 30-90 days). During that window, restoring the backup would reintroduce the data. Most regimes accept this with disclosure; the data subject is told "your data is removed from live stores; backups older than X days no longer contain it after Y date." Not every regulator accepts this for every data class. The disclosure is part of the response; perfect immediate erasure across backups is operationally rare.

6 — Cross-jurisdiction operations carry inherent risk

A tenant whose data must stay in jurisdiction X can be served only by infrastructure in X. Some operations are inconvenient at this constraint — engineers in jurisdiction Y cannot directly debug; aggregated reports across jurisdictions require careful anonymisation; provider choice is constrained. Each constraint trades convenience for compliance. A lead operating across jurisdictions should be transparent that the operational cost is real and that "we'll just figure it out" is not a sustainable answer.

7 — Audit log content can itself be sensitive

The audit log contains what was accessed, by whom, when. Even with redaction, the patterns can be revealing: "user X queried Y between 02:00 and 03:00 every night for a week" is itself information that, if exposed, has privacy implications for X. The audit's access control is its own governance layer; "the audit log is internal" is not always sufficient. Some platforms apply differential privacy to audit aggregates exposed to internal dashboards. The audit is not a place that solves privacy; it is a place that must be governed for privacy too.

8 — Leak detection is calibrated against past patterns

Anomaly detection works against baselines. A truly novel attack pattern that does not deviate sharply from any baseline can pass undetected. The mitigation is offline review (chapter 8's quarterly look), broad signal coverage, and timely improvement of the signals after each missed case. The detection does not catch every leak; it catches most shapes the platform has seen variations of.

9 — Insider threat is largely out of scope

The discipline defends against unintended access by authorised systems and inadvertent access by agents. An authorised insider deliberately misusing their access has limited barriers from this module — they have valid credentials, valid purpose, and valid scope. The defence is audit (detection after the fact), least-privilege (limiting damage), and broader security (background checks, behaviour monitoring, role separation). This module is part of a defence-in-depth posture; it is not a stand-alone answer to insider threat.

10 — Regulators ask questions the discipline did not anticipate

A regulator may ask, "do you have continuous evidence that no employee read any aadhaar number outside of a registered purpose?" The discipline can produce evidence for registered purposes; ad-hoc queries by humans (separate from agent operations) are a separate code path with its own governance. The audit captures what it captures; questions about what is not captured produce honest acknowledgment and a remediation. The first novel regulatory question often reveals a gap; the response is to extend the discipline, not to defend the partial answer.

11 — The discipline is contractual as well as technical

Many of the rules in this module come from contracts and statutes that the platform commits to. Those rules change. New regulation lands (DPDP 2023 in India, GDPR amendments in EU, similar elsewhere globally). New contractual obligations are negotiated with each new enterprise customer. The discipline must evolve alongside. A lead's annual review of "are our rules still current" is part of the discipline; technical correctness against last year's rules is partial correctness.

12 — A perfectly governed platform can still be breached

Through compromise at a lower layer (storage breach, network compromise), through a provider's failure, through a zero-day vulnerability. The discipline reduces the likelihood and bounds the blast; it does not eliminate. A platform with full chapter-12 checklist green can have a breach. The response (chapter 11) is what matters in that moment; the prior discipline is what makes the response defensible.

What this module does not teach

Listed once:

  • Network and infrastructure security (general security engineering)
  • Authentication mechanisms (OAuth, OIDC, mTLS — covered in general security)
  • Cryptographic primitives (encryption at rest, in transit — general)
  • Model-behaviour safety (covered in 00_safety_guardrail_design)
  • Prompt injection defence (covered in 01_prompt_injection_security)
  • Insider-threat detection beyond access patterns (covered in general security and HR)
  • Regulatory specifics for any one jurisdiction (consult counsel)

This module is the layer of data governance specific to AI agent platforms. The neighbours fill in the rest.

How to use this module after reading it

A realistic path:

  1. Audit the platform against the chapter-12 checklist. Identify the top three reds.
  2. Stand up the audit and the classification (items 1 and 10). These are the substrate for everything else.
  3. Implement per-call purpose and scope (items 2-4). The largest reduction in leak risk.
  4. Build the PII redaction at write time (item 5). Prevents the audit-as-leak-surface pattern.
  5. Establish retention and erasure workflows (items 7-9, 14-15). Required by regulation for most platforms.
  6. Wire leak detection (item 12) and incident response (item 19). The continuous-operation pieces.
  7. Re-read this honest-admission chapter every quarter. New gaps surface as the platform evolves.

Closing

Data access governance is not a feature you can ship. It is the operating posture of every read, write, and exposure on the platform. The discipline this module taught — classify, bind, scope, redact, retain, audit, detect, erase, segregate, respond — gives the posture a defensible shape.

It is not a guarantee. It is a calibrated framework within which the team can operate the platform, answer regulators, respond to incidents, and serve the data subjects whose trust the platform depends on.

That is what production-grade governance looks like.

Bridge. This module's discipline governs which data the agent can reach. The next module, ../../04_ai_product_evals/01_dataset_golden_set_operations, is the discipline of the curated data the team itself uses to evaluate model behaviour. Golden sets are the workbench; this governance is the security posture around them. → ../../04_ai_product_evals/01_dataset_golden_set_operations/00-eli5.md