Data Governance & Access Control

Technical definitions for data governance concepts: role-based and attribute-based access control, data sovereignty, regulatory frameworks (GDPR, EU AI Act, HIPAA, BCBS 239), PII classification, encryption, audit trails, the confused deputy problem, and why BI-era governance models break down for AI agents that compose capabilities dynamically at machine speed.

30 Terms
ABAC (Attribute-Based Access Control)Action-Level Policy EnforcementAudit TrailBCBS 239Capability-Based Access ControlCLOUD ActColumn-Level SecurityCompliance AutomationConfused Deputy ProblemData ClassificationData ResidencyData SovereigntyDynamic Data MaskingEncryption at RestEU AI ActFISA Section 702GDPR (General Data Protection Regulation)HIPAA (Health Insurance Portability and Accountability Act)PII (Personally Identifiable Information)Propose → Authorize → ExecuteRBAC (Role-Based Access Control)Row-Level SecuritySchrems II

Data Governance & Access Control

Governance answers three questions: who can access what data, under what conditions, and how do we prove compliance? In the BI era, these questions had clean answers. Humans have organizational roles. Roles map to database privileges. Audit logs record which human ran which query against which table. The governance model — Role-Based Access Control with table-level permissions — was simple, well-understood, and sufficient.

AI agents shatter every element of this model. Agents compose capabilities dynamically (no stable "role"). They act on behalf of humans through chains of delegation (no clear "who"). They operate at machine speed across system boundaries (authorization checks must be sub-millisecond, not per-session). And the most critical governance question shifts from "can this entity access this table?" to "should this agent take this action?" — a fundamentally different question that no production governance system is designed to answer.

This cluster covers governance from the regulatory foundations through the AI frontier — the frameworks that constrain, the mechanisms that enforce, and the architectural gaps that remain.

ABAC (Attribute-Based Access Control)

An access control model where permissions are determined by evaluating attributes of the user, the resource, the action, and the environment — rather than by static role assignments. ABAC policies express conditions like: "Users with department=Engineering AND clearance_level ≥ 3 can read tables tagged classification=Internal during time=business_hours from network=corporate."

ABAC's power lies in its expressiveness. Where RBAC requires pre-defining every role-permission combination, ABAC combines attributes dynamically at evaluation time. Adding a new data classification or a new department doesn't require creating new roles — the existing attribute-based policies automatically apply.

Databricks Unity Catalog supports ABAC natively: administrators tag data assets with key-value attributes (e.g., sensitivity=high, department=finance, region=EU), then define policies referencing those tags. A single ABAC policy like "users with region=EU can access tables tagged region=EU" replaces dozens of RBAC role-grants.

ABAC is a step toward agent-appropriate governance because it can incorporate contextual information — time of day, source IP, requesting application, purpose of access — into authorization decisions. However, ABAC still evaluates access to objects (tables, columns, rows). It doesn't evaluate agent actions (what the agent intends to do with the data after reading it). Reading customer addresses for shipping (permissible) vs. reading the same addresses for unauthorized profiling (impermissible under GDPR) requires understanding the purpose of the access — a semantic dimension that ABAC's attribute model doesn't capture.

Action-Level Policy Enforcement

A proposed governance model where authorization is evaluated on the action an agent proposes to take, not just the data object it accesses. In this model, an agent declares its intended action as a structured proposal:

{
  "action": "issue_refund",
  "customer_id": 12345,
  "amount": 250.00,
  "reason": "delayed_delivery",
  "delegated_by": "user:jane@company.com",
  "agent": "support-agent-v3"
}

A policy engine evaluates whether this specific action is authorized given the full context: the human user's delegation authority (can Jane authorize refunds?), the agent's capability permissions (can this agent version process refunds?), the action parameters (is $250 within the auto-approval threshold?), data sensitivity (does this customer have special handling requirements?), business rules (has this customer already received a refund this month?), and regulatory constraints (does this transaction require additional documentation?).

The propose → authorize → execute pattern — where agents declare intentions before acting, and a policy engine decides whether to permit, deny, modify, or escalate — is architecturally different from both RBAC (which checks object access at query time) and ABAC (which checks attribute conditions at access time). Action-level enforcement evaluates the semantic meaning of what an agent intends to do.

No production system fully implements action-level policy enforcement. Databricks Mosaic AI Gateway evaluates payloads at the model endpoint level (PII filtering, safety guardrails, rate limiting), but this is content inspection at the inference boundary, not business action authorization. Microsoft's Foundry Control Plane provides Entra Agent ID (the only production agent identity implementation), but it operates at the prompt level, not the business action level. The gap between what exists (endpoint-level content filtering) and what's needed (semantic action authorization) is one of the most important unsolved problems in AI governance.

Audit Trail

A chronological record of all data access, modifications, and governance decisions — providing the evidence trail required for regulatory compliance, security investigations, and forensic analysis. Every access, every query, every permission change, every policy decision is logged with who, what, when, where, and (ideally) why.

Snowflake maintains comprehensive audit capabilities: ACCESS_HISTORY (which tables and columns were accessed by which user, including read/write operations), QUERY_HISTORY (full SQL text with execution metadata, retained for 365 days), and LOGIN_HISTORY (authentication events). Databricks Unity Catalog provides audit logs capturing table access, permission changes, and lineage events.

For regulatory compliance (GDPR, HIPAA, SOX, BCBS 239), audit trails must be: Complete (every relevant event captured), Immutable (logs cannot be modified or deleted after creation), Tamper-evident (unauthorized modifications are detectable), Retainable (stored for the required retention period — often years), and Queryable (investigators can search and analyze logs efficiently).

For AI agents, audit requirements intensify dramatically. An agent performing a customer interaction might: read customer records (data access), query a model (inference call), generate a recommendation (action), write a case note (data modification), and trigger a notification (external system interaction) — all within a single logical operation. Each step requires an audit record. The audit trail must capture not just what the agent accessed but the reasoning chain: why the agent accessed that data, what conclusion it drew, what action it took, and what the outcome was. This level of semantic auditing — recording intent and reasoning alongside access — exceeds what any current platform provides.

BCBS 239

The Basel Committee on Banking Supervision's principles for effective risk data aggregation and risk reporting. Published in 2013 as a response to the 2008 financial crisis (where banks couldn't aggregate their risk exposure data quickly enough to understand their actual risk), BCBS 239 establishes 14 principles organized into four areas: governance and infrastructure, risk data aggregation capabilities, risk reporting practices, and supervisory review.

The principles most relevant to data infrastructure: Accuracy and integrity (risk data must be accurate, reliable, and produced with high integrity), Completeness (all material risk data must be captured), Timeliness (risk data must be available within required timeframes), Adaptability (systems must be flexible enough to accommodate ad-hoc risk data requests during stress events), and Traceability (data lineage must be documented and auditable).

BCBS 239 effectively mandates automated data governance for systemically important banks — manual data aggregation and reporting processes cannot meet the accuracy, timeliness, and completeness requirements at the scale and frequency regulators demand. Compliance requires: automated lineage (proving where risk data originates and how it's transformed), continuous quality monitoring (proving data accuracy in near-real-time), automated freshness guarantees (proving data timeliness against defined SLAs), and on-demand reporting (generating regulatory reports on short notice during stress events).

For data infrastructure vendors, BCBS 239 compliance is a table-stakes requirement for selling to major financial institutions. For the Autonomous DataOps thesis, BCBS 239 represents a regulatory proof point: regulators are already demanding the automated governance capabilities that autonomous infrastructure provides.

Capability-Based Access Control

An access control model where authorization is based on unforgeable capability tokens — each token grants the holder specific, bounded permissions to perform specific operations on specific resources. A capability is like a signed, scoped key: "Bearer of this token can read columns [name, email] from table [customers] for purpose [shipping] until [2025-03-31]."

Capability-based access differs from both RBAC and ABAC in a critical way: capabilities are transferable and composable. An authorized human can delegate a bounded subset of their capabilities to an agent. The agent can further decompose its capabilities when invoking sub-agents. At each delegation step, the capability scope can only narrow (never widen) — a human with full customer access can delegate read-only access for shipping purposes, and the agent cannot escalate beyond what was delegated.

No major data platform implements capability-based access for AI agents. The concept originates in operating system security research (the capability model of Dennis and Van Horn, 1966) and has been revisited for microservice architectures (macaroons, biscuit tokens). Its application to AI agent governance is a natural fit because it solves the delegation asymmetry that RBAC can't handle: an agent acting on behalf of a user receives exactly the capabilities the user delegated, no more and no less, with a cryptographic guarantee.

The challenge is integration: capability-based access requires every system in the data stack to understand and enforce capabilities — the warehouse, the feature store, the model serving layer, the external APIs. In a modern data stack with 6–12 independent tools, each with its own authorization model, implementing cross-system capabilities requires a shared governance layer that doesn't exist.

CLOUD Act

The Clarifying Lawful Overseas Use of Data Act (2018), a US federal law requiring US-based technology companies to provide stored data to US law enforcement upon valid legal process — regardless of where the data is physically stored. A US court order served on a US-headquartered cloud provider applies to data stored in any data center worldwide.

The CLOUD Act was a direct response to the Microsoft Ireland case (2018), where Microsoft fought a warrant for email data stored in an Irish data center. Rather than resolving the case, Congress passed the CLOUD Act, establishing that US jurisdiction follows the provider, not the data location.

The CLOUD Act creates a fundamental tension with European data sovereignty. A European enterprise using Snowflake (US-headquartered) to store data in eu-west-1 satisfies GDPR's data residency requirements but remains potentially subject to US government data access under the CLOUD Act. The Schrems II ruling explicitly cited this conflict.

For data infrastructure architecture, the CLOUD Act means that geographic data placement is insufficient for sovereignty. True sovereignty requires that the entire technology stack — infrastructure provider, platform provider, application provider — be outside US jurisdiction. This drives demand for European-headquartered cloud providers (OVHcloud, Scaleway, Hetzner), sovereign cloud partnerships (Google Cloud's partnership with T-Systems for "sovereign cloud" in Germany), and self-hosted infrastructure.

Column-Level Security

Access control at the granularity of individual columns within a table, rather than at the table level. Column-level security enables different users or roles to see different columns of the same table — a common requirement when sensitive fields (salary, SSN, medical diagnosis) coexist with non-sensitive fields (name, department, job title) in the same table.

Snowflake implements column-level security through column masking policies: SQL functions applied at query time that transform column values based on the querying user's role. A masking policy on ssn might return the full value to HR roles and '***-**-' || RIGHT(ssn, 4) to everyone else. Databricks supports column-level access control through Unity Catalog grants: GRANT SELECT (name, department) ON TABLE employees TO analyst_role allows reading only the specified columns.

Column-level security is one of the more granular governance mechanisms available in BI-era platforms. Its limitation for AI agents: an agent might need access to a column for one purpose (using customer addresses to calculate shipping zones) but not another (exporting addresses for marketing). Column-level security is binary — you either can or can't see the column. Purpose-based access — seeing the column only when the purpose is authorized — requires action-level policy enforcement, not column-level permissions.

Compliance Automation

The practice of using technology to automate regulatory compliance activities — data classification, policy enforcement, audit trail generation, compliance reporting, and violation detection — replacing manual compliance processes that cannot scale to the volume and velocity of modern data systems.

Manual compliance involves: human data stewards classifying data assets (reviewing columns and labeling which contain PII, financial data, or health information), human policy administrators defining and updating access rules, periodic manual audits (sampling data access records quarterly), and manual report generation for regulators. At scale — thousands of tables, millions of columns, billions of records, hundreds of users and agents — manual compliance breaks.

Automated compliance capabilities in current platforms: Snowflake's CLASSIFICATION_PROFILE uses ML to automatically detect PII, financial data, and health information in table columns. Databricks Unity Catalog auto-applies governance tags and tracks lineage automatically. Collibra provides automated policy workflows and compliance dashboards. Atlan automates metadata classification and lineage documentation.

For the EU AI Act, compliance automation becomes particularly critical: AI systems classified as "high-risk" must demonstrate ongoing data governance compliance (not just point-in-time audits), including documented data provenance, continuous quality management, bias monitoring, and transparency reporting. These requirements effectively mandate continuous automated compliance for production AI systems — a capability that current platforms provide partially but that Autonomous DataOps would provide natively.

Confused Deputy Problem

A security vulnerability where a trusted entity (the "deputy") is tricked or inadvertently induced into misusing its legitimate authority on behalf of an unauthorized party. The term originates from Norm Hardy's 1988 paper describing a compiler service (the deputy) that was manipulated into accessing files it had permission to read but the requesting user did not.

In AI agent infrastructure, the confused deputy problem manifests at the stack level — across the boundaries of multiple independently-governed systems. An agent with: warehouse read access (Snowflake) + branch creation permission (lakeFS) + experiment logging access (MLflow) + pipeline trigger permission (Airflow) + external API write access might chain these individually authorized operations into a collectively unauthorized sequence.

Concrete example: An agent reads customer PII from Snowflake (authorized — the agent has read access for customer support purposes). The agent writes the PII to an MLflow experiment artifact (authorized — the agent has experiment logging access). The experiment artifact syncs to an external storage bucket (authorized — MLflow is configured to use external storage). The PII is now outside the governed perimeter (unauthorized — but no individual authorization check failed).

The confused deputy problem is fundamentally a compositional safety issue: evaluating whether a sequence of authorized operations produces an unauthorized outcome. Current governance models evaluate each operation independently, with no mechanism for reasoning about the combined effect. Solving this requires either: a unified governance layer that evaluates operation sequences holistically (the Autonomous DataOps approach), or formal capability-based access where each delegation step provably narrows the permission scope (preventing escalation by construction).

Data Classification

The process of categorizing data assets by their sensitivity level, content type, and regulatory requirements — the foundation on which governance policies, access controls, and compliance measures are built.

Classification taxonomies typically include sensitivity levels (public, internal, confidential, restricted) and content categories (PII, financial, health/PHI, trade secret, intellectual property). Each classification carries associated governance requirements: confidential data requires encryption at rest, PII requires masking for non-authorized roles, health data requires HIPAA-compliant access controls.

Manual classification doesn't scale. An enterprise data warehouse with 10,000 tables and 200,000 columns requires human reviewers to inspect each column and assign classifications. Columns are added daily. Schema changes alter existing classifications. New data sources arrive monthly. The manual approach creates a perpetual backlog where significant portions of the data estate are unclassified — and unclassified data is ungoverned data.

Automated classification uses ML models trained on column names, data patterns, and content to predict classifications. Snowflake's CLASSIFICATION_PROFILE scans table columns and identifies PII categories (name, email, phone, SSN, credit card), health identifiers, and financial data using pattern matching and ML inference. Databricks provides similar capabilities through Unity Catalog's automated tagging.

The limitation: automated classification works well for structured data with recognizable patterns (email addresses, phone numbers, SSN formats). It's less reliable for unstructured content (does this PDF contain health information?), context-dependent sensitivity (a customer's city isn't sensitive alone but is sensitive when combined with age and diagnosis), and domain-specific classifications (is this value a trade secret?). Self-governing infrastructure would classify continuously — re-evaluating classifications as data changes, as context evolves, and as regulatory requirements shift.

Data Residency

The requirement that data be stored and processed within specific geographic or political boundaries — typically imposed by regulations, contractual obligations, or organizational policy. Data residency requirements specify where data physically exists: which country, which data center, which cloud region.

Regulatory drivers: GDPR requires that personal data of EU residents be transferred outside the EU only with adequate legal protections. Russia's Federal Law 242-FZ requires personal data of Russian citizens to be stored on servers physically located in Russia. China's Cybersecurity Law requires critical information infrastructure operators to store personal data within China. Industry regulations (HIPAA, PCI-DSS) may impose additional geographic constraints.

Cloud providers address residency through region selection: AWS offers 30+ regions globally, Azure 60+ regions, GCP 35+ regions. Deploying Snowflake in eu-west-1 or Databricks in westeurope satisfies data-at-rest residency requirements.

However, data residency is necessary but not sufficient for sovereignty. Deploying in an EU region satisfies geographic placement, but: metadata and telemetry may transit non-EU regions. Platform control planes may reside outside the jurisdiction. Support access may be available from non-EU personnel. And the CLOUD Act means US-headquartered providers remain subject to US legal process regardless of data location. True sovereignty requires residency plus jurisdictional independence of the infrastructure provider — which is why sovereign cloud initiatives go beyond region selection.

Data Sovereignty

The principle that data is subject to the laws and governance structures of the jurisdiction where it's collected or where its data subjects reside. Data sovereignty requires three pillars: jurisdictional control (data remains within its legal jurisdiction), organizational control (the data owner retains meaningful governance authority over how data is processed), and technical independence (no vendor lock-in or architectural dependency that compromises sovereignty).

The modern data stack fundamentally undermines sovereignty. A typical European enterprise using the canonical stack — Fivetran (US) → Snowflake (US) → dbt Cloud (US) → Monte Carlo (US) → Atlan (US) → OpenAI (US) — has data or metadata transiting US-headquartered infrastructure at every layer, subject to FISA 702 and the CLOUD Act at every point. Even deploying each tool in EU regions doesn't resolve the jurisdictional conflict because the provider is US-headquartered.

Autonomous infrastructure addresses sovereignty structurally. A self-contained platform that self-configures and self-governs within a single jurisdiction, built on open formats (Iceberg, Parquet, OpenLineage), deployable on any infrastructure (sovereign cloud, on-premises, edge) — without dependencies on external SaaS services — provides genuine sovereignty by construction rather than by configuration.

The sovereignty dimension is increasingly strategic. The EU's Digital Sovereignty agenda, Gaia-X (European data infrastructure initiative), and national sovereign cloud programs (France's SecNumCloud, Germany's Sovereign Cloud Stack) all signal that sovereignty will be a first-order infrastructure requirement, not a compliance checkbox.

Dynamic Data Masking

A data protection technique where sensitive values are transformed at query time based on the querying user's role, attributes, or context — without modifying the underlying stored data. The original data remains intact in storage; the masking is applied dynamically in the query result set.

Snowflake implements masking through masking policies: SQL functions attached to columns that are invoked transparently during query execution. A masking policy on ssn might return the full 123-45-6789 to the hr_admin role and ***-**-6789 to all others. Policies can be arbitrarily complex: hashing for analysts (enabling joins without revealing values), redaction for general users, and full access for privileged roles.

Databricks supports dynamic masking through Unity Catalog's row-level and column-level security features, with masking functions applied via views or column access policies.

Masking strategies: Redaction (replace with asterisks or fixed text: ***-**-6789). Hashing (replace with a deterministic hash: a7f3b2c1... — enables joins on masked values). Tokenization (replace with a reversible token from a secure vault — preserving referential integrity). Generalization (reduce precision: exact address → city, exact age → age range). Noise addition (add random perturbation to numeric values — useful for statistical analysis while protecting individual values).

For AI agents, masking introduces a subtlety: an agent that receives masked data may not know the data is masked, leading to incorrect reasoning. An agent analyzing customer demographics might interpret masked ages (all showing 0 or NULL) as actual data, skewing its analysis. Agent-aware masking would inform the agent that certain fields are masked and what the masking strategy is, enabling the agent to reason appropriately about data it can't fully see.

Encryption at Rest

The practice of encrypting data when stored on disk or in cloud storage, so that physical access to the storage medium (disk theft, cloud provider insider access, unauthorized backup access) does not reveal the data content.

All major cloud data platforms encrypt at rest by default. Snowflake uses AES-256 encryption for all data, with keys managed by Snowflake or customer-managed keys (via Tri-Secret Secure). Databricks encrypts all data in Unity Catalog-managed storage with platform-managed keys or customer-managed keys (AWS KMS, Azure Key Vault, GCP Cloud KMS). Cloud object storage (S3, GCS, ADLS) supports server-side encryption with provider-managed or customer-managed keys.

Encryption at rest protects against physical data theft and unauthorized storage access. It does not protect against: authorized users with decryption access misusing data, compromised application credentials, SQL injection, or legitimate queries that return sensitive data to unauthorized end users. Encryption at rest is a necessary but far-from-sufficient security measure — it's one layer in a defense-in-depth strategy.

Snowflake's Tri-Secret Secure provides the strongest customer-controlled encryption in the cloud warehouse market: data is encrypted with a composite key requiring both a Snowflake-managed key and a customer-managed key (from the customer's cloud KMS). If the customer revokes their key, Snowflake cannot decrypt the data — providing a hard kill switch. This addresses the specific sovereignty concern that a government might compel Snowflake to provide data; without the customer's key, the data is unreadable.

EU AI Act

The European Union's comprehensive regulatory framework for artificial intelligence, enacted in 2024 with a phased implementation schedule through 2027. The EU AI Act is the world's first comprehensive AI regulation and will shape global AI governance standards through the "Brussels Effect" — companies building AI for the EU market must comply regardless of where they're headquartered.

The Act classifies AI systems into four risk tiers: Unacceptable risk (banned: social scoring, real-time biometric surveillance in public spaces, manipulation of vulnerable groups). High risk (heavily regulated: AI in critical infrastructure, education, employment, credit scoring, law enforcement, migration). Limited risk (transparency requirements: chatbots must disclose they're AI, deepfakes must be labeled). Minimal risk (no specific requirements: spam filters, AI in video games).

For high-risk AI systems, the Act mandates: Risk management systems (continuous identification and mitigation of risks), Data governance (training data must be relevant, representative, and free of errors — requiring documented data provenance, quality management, and bias monitoring), Transparency (users must be informed they're interacting with AI, with access to system documentation), Human oversight (humans must be able to interpret, intervene, and override AI decisions), Accuracy, robustness, and cybersecurity (systems must perform consistently and resist adversarial manipulation).

For data infrastructure, the EU AI Act effectively mandates automated governance at scale. Manual data provenance documentation, manual quality assessments, and periodic bias audits cannot satisfy the "continuous" and "systematic" requirements for production AI systems processing millions of records. Autonomous DataOps — with built-in lineage, continuous quality monitoring, automated classification, and immutable audit trails — directly addresses the infrastructure requirements the EU AI Act creates.

FISA Section 702

A provision of the US Foreign Intelligence Surveillance Act authorizing US intelligence agencies to conduct targeted surveillance of non-US persons located outside the United States — using US-based electronic communication service providers as intermediaries. Originally enacted in 2008 and reauthorized periodically (most recently in 2024), FISA 702 has been central to transatlantic data governance conflicts.

Under Section 702, the US government can compel US technology companies — including cloud providers (AWS, Azure, GCP), data platforms (Snowflake, Databricks), and communication services — to provide access to communications and data of non-US persons, without individual warrants, under the supervision of the Foreign Intelligence Surveillance Court.

FISA 702 was a primary basis for the Schrems II ruling: the Court of Justice of the EU found that US surveillance under FISA 702 was incompatible with EU fundamental rights, invalidating the Privacy Shield framework. The subsequent EU-US Data Privacy Framework (adopted 2023) attempts to address Schrems II concerns through an executive order limiting surveillance and establishing a redress mechanism, but its legal durability remains contested.

For data infrastructure, FISA 702 means that any data processed through US-headquartered providers is potentially accessible to US intelligence agencies. This drives the architectural argument for sovereign infrastructure that operates entirely outside US legal jurisdiction — not just US geographic territory.

GDPR (General Data Protection Regulation)

The European Union's data protection regulation, effective since May 2018, governing the collection, processing, and storage of personal data of individuals within the EU. GDPR applies to any organization processing EU residents' personal data, regardless of where the organization is based.

Core principles: Lawfulness, fairness, and transparency (data processing must have a legal basis and be clearly communicated). Purpose limitation (data collected for one purpose cannot be repurposed without consent). Data minimization (collect only what's necessary). Accuracy (keep data up to date). Storage limitation (don't retain data longer than needed). Integrity and confidentiality (ensure security through technical measures).

Data subject rights: Right to access (individuals can request copies of their data). Right to rectification (correct inaccurate data). Right to erasure / right to be forgotten (delete personal data upon request). Right to data portability (export data in machine-readable format). Right to restrict processing (limit how data is used). Right to object (opt out of certain processing, including profiling).

For data infrastructure, GDPR compliance demands capabilities that most platforms provide partially: Classification (knowing which columns contain personal data — Snowflake's CLASSIFICATION_PROFILE, Databricks auto-tagging). Lineage (tracking how personal data flows through transformations — Unity Catalog column-level lineage, Snowflake ACCESS_HISTORY). Access control (restricting processing to authorized purposes — RBAC, ABAC, masking). Deletion (reliably erasing personal data across all copies, derived tables, backups, and snapshots — extremely difficult in immutable storage systems). Audit (demonstrating compliance through complete access records).

The "right to be forgotten" is architecturally challenging for lakehouse storage: Delta Lake and Iceberg use immutable files. Deleting a record creates a new file without the record but the old file (containing the record) persists until garbage collection. Time travel and snapshot retention may keep the "deleted" data accessible for days to months. True GDPR erasure requires: deleting from current data, propagating deletions to all derived tables (via lineage tracking), purging old snapshots that contain the data, and verifying erasure across the entire data estate.

HIPAA (Health Insurance Portability and Accountability Act)

The US federal law (1996, with subsequent amendments) establishing data privacy and security provisions for safeguarding electronic Protected Health Information (ePHI). HIPAA applies to covered entities (health plans, healthcare providers, healthcare clearinghouses) and their business associates (any entity that processes ePHI on their behalf).

HIPAA's Security Rule requires: Administrative safeguards (risk analysis, workforce training, access management policies). Physical safeguards (facility access controls, workstation security, device disposal procedures). Technical safeguards (access controls, audit controls, transmission security, integrity controls).

HIPAA's Privacy Rule establishes the minimum necessary standard: covered entities must limit the use, disclosure, and request of PHI to the minimum necessary to accomplish the intended purpose. For AI agents processing health data, this creates a fundamental tension: agents may need broad data access to reason effectively (understanding a patient's complete medical history for diagnosis support), but HIPAA requires access to be minimized to the specific data needed for the specific purpose.

The minimum necessary standard is particularly challenging for LLM-based AI systems that process context windows containing potentially thousands of records. An agent using RAG to retrieve relevant patient information might pull more context than strictly necessary, because the retrieval step doesn't know in advance which records will be relevant to the agent's reasoning.

Data infrastructure implications: HIPAA-compliant platforms must encrypt ePHI at rest and in transit, implement role-based or attribute-based access controls, maintain comprehensive audit trails of all ePHI access, support the minimum necessary standard through fine-grained access policies, and enable BAA (Business Associate Agreement) signing with the platform provider.

PII (Personally Identifiable Information)

Any data that could potentially identify a specific individual — either directly (a name, social security number, biometric record) or indirectly through combination with other data (zip code + date of birth + gender can identify 87% of the US population, per Latanya Sweeney's research).

Direct identifiers: Full name, SSN, passport number, driver's license number, biometric data (fingerprints, face geometry), email address, phone number. Quasi-identifiers: Date of birth, zip code, gender, occupation, education level — not individually identifying but uniquely identifying in combination. Sensitive PII: Health information, financial records, sexual orientation, political opinions, religious beliefs — categories subject to heightened protection under GDPR, HIPAA, and other regulations.

Automated PII detection in current platforms: Snowflake CLASSIFICATION_PROFILE uses ML-based pattern recognition and column name analysis to detect PII categories (name, email, phone, SSN, credit card, address). Databricks Mosaic AI Gateway includes PII filtering via Microsoft Presidio for model endpoint payloads — detecting and redacting PII in LLM inputs and outputs. Google Cloud DLP provides PII detection across multiple data sources using pattern matching and ML.

The challenge for AI: PII detection must span the entire data-to-action chain. Snowflake detects PII at the storage layer. Databricks detects PII at the model serving layer. But PII can be generated, inferred, or leaked at any point: a model might infer a patient's diagnosis from non-PII features (creating derived PII), an agent might log PII in its reasoning chain (inadvertent PII exposure), or a RAG system might retrieve documents containing PII that the agent's user isn't authorized to see (cross-context PII leakage). End-to-end PII governance requires detection and enforcement at every layer — a capability no current platform provides.

Propose → Authorize → Execute

A governance architecture for AI agents structured as three distinct, sequential phases that ensure every agent action is explicitly authorized before it occurs.

Propose: The agent generates a structured action proposal — a machine-readable declaration of intent specifying the action type, target data/systems, parameters, requesting user, delegation chain, and the agent's reasoning for the action. This is not a free-text description but a structured, typed object that the policy engine can parse and evaluate.

Authorize: A policy engine evaluates the proposal against multiple authorization dimensions: the human user's delegation authority (what actions has the user authorized the agent to take?), the agent's capability scope (what is this agent version certified to do?), data sensitivity (does the action involve classified, PII, or regulated data?), business rules (does this action comply with organizational policies?), regulatory constraints (does this action comply with GDPR, EU AI Act, HIPAA?), and temporal/contextual factors (is this action appropriate given current conditions?). The engine returns: permit, deny (with structured explanation), modify (suggest a compliant alternative), or escalate (require human confirmation).

Execute: If authorized, the action proceeds with an immutable audit record capturing the proposal, the authorization decision (including which policies were evaluated and their outcomes), the execution result, and the downstream impact. If denied, the agent receives a structured explanation enabling it to adjust its approach.

This pattern is architecturally different from RBAC and ABAC because it evaluates semantic actions, not data access. The same data access (reading a customer's address) may be authorized for one action (calculating shipping cost) and denied for another (exporting for marketing) — the difference lies in the action context, not the data access.

RBAC (Role-Based Access Control)

The dominant access control model in data infrastructure, where users are assigned roles, roles are granted privileges on objects (databases, schemas, tables, columns, functions), and at query time the system checks whether the user's active role has the required privilege for the requested operation.

RBAC's architecture: Users are entities that authenticate to the system. Roles are named collections of privileges (e.g., analyst_role, engineer_role, admin_role). Privileges are specific permissions on specific objects (e.g., SELECT ON customers, INSERT ON staging.orders). Role hierarchy allows roles to inherit privileges from other roles (e.g., admin_role inherits all privileges of analyst_role).

Snowflake, PostgreSQL, MySQL, Oracle, SQL Server, and Databricks (alongside ABAC) all use RBAC as their primary or secondary access control model. Snowflake's RBAC is particularly sophisticated: roles can be granted to users and to other roles, creating inheritance hierarchies. ACCOUNTADMINSYSADMINcustom rolesPUBLIC is the standard hierarchy.

RBAC breaks down for AI agents along four dimensions: Delegation asymmetry — an agent acting on behalf of user Alice needs a role that represents "Alice's permissions, delegated to this agent, for this purpose, for this session." RBAC has no delegation primitive; you'd need to create a role per user-agent-purpose combination. Dynamic capability composition — an agent's required permissions change per request, but RBAC roles are statically defined. Action-level blindness — RBAC controls access to objects, not what you do with the data after accessing it. Speed and volume — agents trigger thousands of operations per second; RBAC's role-lookup-per-query model adds latency that accumulates.

Row-Level Security

Access control at the granularity of individual rows within a table, filtering rows based on the querying user's identity or attributes. Different users querying the same table see different subsets of rows — each sees only the rows they're authorized to access.

Snowflake implements row-level security through row access policies: SQL predicates attached to tables that are automatically appended to every query. A policy might filter WHERE region = CURRENT_ROLE_REGION() — ensuring salespeople only see customers in their assigned region.

Databricks supports row-level security through Unity Catalog's row-filter functions: Python or SQL functions that return boolean values determining row visibility.

Row-level security is powerful for multi-tenant data platforms (each tenant sees only their data), departmental segmentation (sales sees sales data, marketing sees marketing data), and geographic restrictions (EU users see EU data, US users see US data).

For AI agents, row-level security introduces the same challenge as column-level security: the filtering is binary (visible or invisible) and identity-based (role determines visibility). An agent serving different customers throughout the day needs different row-level access for each customer context — requiring either dynamic role switching (complex and latency-adding) or context-aware policies (closer to ABAC than RBAC). And as with column-level security, the agent may not be aware that rows are being filtered, potentially leading to incorrect reasoning based on incomplete data.

Schrems II

The landmark 2020 ruling by the Court of Justice of the European Union (Case C-311/18) that invalidated the EU-US Privacy Shield framework — the primary legal mechanism enabling transatlantic personal data transfers. The case was brought by Austrian privacy advocate Max Schrems, building on his earlier Schrems I victory that invalidated the Safe Harbor framework in 2015.

The Court found that US surveillance programs (particularly FISA 702 and Executive Order 12333) could not meet the EU's "essentially equivalent" standard for data protection. Specifically: US surveillance was not limited to what is "strictly necessary" (as EU law requires), US law lacked adequate judicial review for non-US persons' data, and no effective redress mechanism existed for EU citizens.

The ruling forced organizations to fall back on Standard Contractual Clauses (SCCs) for transatlantic data transfers, but with a critical caveat: the data exporter must verify that the legal framework in the destination country provides adequate protection. For US transfers, this verification is difficult to provide given the FISA 702 framework.

The subsequent EU-US Data Privacy Framework (adopted July 2023 by the European Commission) attempts to address Schrems II concerns through Executive Order 14086 (limiting surveillance proportionality) and a new Data Protection Review Court for EU persons' complaints. However, privacy advocates (including Schrems himself) have signaled legal challenges, and the framework's durability is uncertain.

For data infrastructure strategy, Schrems II established that regulatory risk for transatlantic data flows is structural, not transient — driving long-term investment in sovereign infrastructure that avoids the jurisdictional conflict entirely.

Part of The Sciencer Wiki. Maintained by The Sciencer Company.