Series overview
1 July 2026 7 min read 34 min full series Series The data boundary decides how safe the architecture really is.

Part 2: Set the Data and Governance Boundary

How to set the data, legal, permission and audit boundaries around internal AI agents and apps.

Sources are listed at the end; recommendations are decision guidance, not legal, security or procurement advice.

06

The Data Question Is Bigger Than the App Question

There is another test that should sit alongside cost, sharing and UX: what data does this thing touch, and who owns the consequences?

This is where many AI projects become more serious than they first appear. A harmless-looking assistant can suddenly become risky if it connects to client files, HR data, financial records, project documents, contracts, CRM notes, source code, credentials, pricing models or internal methodologies. The issue is not just whether the model is "secure". The issue is whether the whole workflow respects the organisation's data rules.

Data questions before choosing the tool

  • Who owns the input? Internal, client and third-party data can carry different contractual rules.
  • Who owns the output? AI summaries, classifications and recommendations may become business records.
  • Can the user access the source? The agent should not become a shortcut around existing permissions.
  • Is data copied somewhere new? Indexes, embeddings, logs and exports can quietly create new data stores.

Governance signals that change the answer

  • Retention: chat histories, traces, uploaded files and generated outputs need lifetimes.
  • Deletion: removal needs to cover source files, derived outputs, vector stores and logs.
  • Audit: for client work, "the AI said so" is not good enough.
  • Boundaries: client, region, sector and confidentiality boundaries need explicit design.

This is a strong practical argument for staying inside governed productivity platforms where possible. If Microsoft 365, Google Workspace or another enterprise suite already holds the permissions, retention policies and audit controls, using AI inside that boundary may reduce risk. The assistant may inherit more of the organisation's existing governance model.

But that is only true if the implementation respects those boundaries. A poorly configured agent connected to too many sources can make oversharing worse. A broad connector can collapse useful security boundaries. A workflow that summarises "everything relevant" can accidentally surface information from the wrong client, wrong matter or wrong team.

If you build the app

You own the data boundary: classification, access control, client isolation, traceability, retention, deletion, logging discipline, human review and model governance.

This is why "we will just build a Streamlit app" can be misleading. A prototype can be simple. A governed internal AI application is rarely just simple.

The moment it touches meaningful business data, you may need SSO, role-based access control, row-level permissions, audit logs, encrypted storage, secrets management, data retention rules, monitoring, incident response and a clear owner. You also need to decide whether embeddings, cached prompts, model outputs and evaluation datasets count as governed data. Usually, they should.

Security Is Not Just Login

It is easy to reduce security to authentication: "users log in with Microsoft, so we are fine." That is not enough. Authentication tells you who the user is. It does not automatically tell you what they should be able to do, what data they should see, what actions the agent can take, or what should happen if the model is tricked.

RiskPermission bypass
What it looks like

The agent retrieves or summarises data the user should not be able to access.

Design response

Enforce source permissions, row-level access and tenant boundaries before retrieval.

RiskPrompt injection
What it looks like

A document, webpage or email contains instructions that manipulate the agent.

Design response

Treat retrieved content as untrusted, constrain tools and require review for sensitive actions.

RiskExcessive agency
What it looks like

The agent sends messages, updates records or changes files without proper approval.

Design response

Use least-privilege tools, approval gates, dry runs and audit logs for high-impact actions.

OWASP's LLM application guidance calls out prompt injection, sensitive information disclosure, insecure plugin design and excessive agency as core risks for LLM applications.8 NIST's AI Risk Management Framework is also useful here because it frames AI risk as something to govern, map, measure and manage across design, development, deployment and use.9

The Hidden Governance Object: Derived Data

One thing teams often miss is that AI systems create new data. Not just outputs. Derived data.

Embeddings, chunks, prompt histories, tool traces, evaluation sets, user feedback labels and generated drafts can all contain or reveal sensitive information. It is not enough to say, "the original document is in SharePoint." If the app copied chunks into a vector database, cached summaries in Postgres, wrote traces to an observability platform and stored feedback for evaluation, the governance surface has expanded.

That may still be worth it. But it needs to be intentional. In practice, the better architecture is often the smallest one that preserves the data boundary.

There is one final data question that is easy to miss: are we actually allowed to use this tool, with this data, for this client, in this way?

That sounds like a legal question, but it quickly becomes a product and architecture question. A company may be comfortable using Copilot or Claude for internal drafting. It may be less comfortable using the same tool with client-confidential files, regulated data, employee data, source code, pricing models or acquisition documents. The issue is not just whether the vendor is secure. The issue is whether the use case fits the organisation's contracts, client commitments, data processing terms, retention rules and regulatory obligations.

With a vendor-hosted agent, the organisation needs to understand the platform terms: where data is processed, whether prompts and outputs are stored, whether data is used for model training, what subprocessors are involved, what admin controls exist, what audit logs are available, and whether the tool fits existing client obligations.

With a custom app, the organisation gets more control, but also more responsibility. It must decide where the app is hosted, which model provider is used, what data is sent to the model, whether outputs are stored, how logs are handled, who can access traces, and how the app complies with contractual or regulatory requirements.

Commercial boundary checks

  • Client permission: does the client allow this tool, model provider or external processing route?
  • Processing location: do residency or cross-border transfer rules apply?
  • Retention: are prompts, outputs, logs, traces and embeddings retained as records?
  • Output ownership: will generated content become a client deliverable, firm IP or both?

When to slow down

  • The data is client-confidential, employee-related, regulated or commercially sensitive.
  • The output may influence advice, decisions, approvals or client-facing deliverables.
  • The workflow crosses client, region, sector or confidentiality boundaries.
  • The client has restricted AI use, external model APIs, document upload or reusable asset creation.

This is especially important in consulting. One client may allow Microsoft 365 Copilot but not external model APIs. Another may allow anonymised analysis but not document upload. Another may require data to stay in a specific region. Another may prohibit using its materials to build reusable firm assets.

That means the build-versus-buy decision is not only technical. It is also about the safest operating boundary. If the organisation already has Microsoft 365 governance, retention, audit and client-approved terms, it may be safer to keep the workflow inside Copilot. If the use case needs stricter client isolation, custom review flows, explicit audit history or a dedicated data boundary, a small custom app may be safer, but only if it is properly owned.

The ICO's AI guidance is useful background here because it frames AI through UK data protection principles and risk assessment, including guidance and tooling for assessing risks to rights and freedoms.10 The EU AI Act is also relevant context for organisations operating in or serving the EU because it uses a risk-based framework, with stricter obligations for high-risk systems and transparency duties for some AI use cases.11 This article is not legal advice; it is a decision prompt for spotting when legal, data protection or commercial review belongs in the workflow.

Boundary rule

The more sensitive the data, the more consequential the output, and the more client-specific the workflow, the more explicit the legal and commercial boundary needs to be.

Sometimes that means staying inside a governed platform. Sometimes it means building custom. Sometimes it means not using AI for that workflow at all.