Specification · Version 1.0
The AI Governed Layer
Principles and Logical Architecture
This document defines the AI Governed Layer: the layer that sits between an organization's source systems and its AI. It resolves every source into one governed, canonical record — a golden record — per real-world entity, and serves that record to applications over a REST API and to agents over an MCP endpoint, with the caller's own permissions enforced on every request, at low latency, and fully audited. The specification states four principles; any platform that satisfies all four is an AI Governed Layer.
The great mismatch
For three decades, the enterprise data estate has been shaped around one kind of consumer: a person. A person reading a dashboard, an operator looking up a record, an overnight report landing in an inbox. Access controls were coarse because a person's needs were coarse; latency was forgiving because a person waits a few seconds without complaint; and when the data was wrong, a person in the loop usually caught it before it did harm.
That consumer is being displaced. The fastest-growing reader of enterprise data is no longer a person but an autonomous agent acting on a person's behalf, and the change in scale is not incremental. Gartner expects agentic AI to be embedded in a third of enterprise software by 2028, up from less than one percent in 2024.1 The protocol by which these agents reach tools and data, the Model Context Protocol, went from proposal to de-facto standard in roughly a year.2
An agent does not consume data the way a person does. It works in a loop — plan, retrieve, act, observe, repeat — and it grounds each step in freshly fetched data, the pattern the industry calls retrieval-augmented generation. A single task can issue dozens of reads; agents that call other agents multiply that again. A data estate built for a handful of human reads per analyst per day is being asked to serve constant, high-frequency, programmatic access — data as a live utility for machines, not a reporting surface for people.
And an agent is not merely a faster reader. It needs four things the human-era stack was never built to give it at once: one canonical answer, not five conflicting rows for the same customer; the end user's own permissions, because it acts on someone's behalf and must see exactly what that person may see; low latency, because it makes many calls per task; and a trail, because no person watched it act.
Where this breaks is governance. MIT's 2025 study of enterprise AI found that roughly 95% of generative-AI pilots never reach production — and that the binding constraint is not model quality but integration: getting trusted, governed data to the agent.3 The same Gartner forecast names "inadequate risk controls" among the top reasons agentic projects are cancelled.1 The demand, in other words, is not for data but for governed data — data that arrives carrying the asking user's own permissions.4 Today every application and every agent re-implements that governance independently, against whatever sources it can reach. That works at one app. At a hundred agents per organization it becomes a sprawl of independently-maintained, mutually-inconsistent, individually-bypassable access rules — precisely the conditions under which data leaks.
Why the familiar answers fail
Three architectures are reached for to put data in front of AI. Each is reasonable in isolation; none resolves the mismatch.
Federation and data virtualization
The first reflex is to leave data where it lives and query across sources at read time. The appeal is obvious — no copies, no migration. But federation queries sources; it does not resolve them. The same customer remains five rows with five spellings across five systems, and no quantity of query-time joining produces one trusted record. Governance fares no better: each source enforces its own access model, and there is no single point at which the end user's permission is evaluated consistently — every source would have to understand every user independently, which does not scale. And because the join is pushed to query time across systems the layer does not control, latency becomes unbounded and unpredictable — disqualifying for an agent that makes many calls per task.5
Retrieval over copies
The second reflex is to copy the data into a vector store and let the agent retrieve from it. This trades the federation problem for a worse one: an embedding is a static copy, made at index time, severed from the access control of its source. At retrieval time the copy no longer knows who may see what; a permission revoked yesterday remains embedded today, and more fundamentally an embedding has no per-request access control at all. The OWASP Top 10 for LLM Applications names this directly as a distinct risk class.6
Per-application access control
The third reflex is to let each application enforce its own rules. This is how most AI features ship, and it fails twice over at agent scale. It drifts — a hundred independently-maintained access models will never agree, and each disagreement is a gap. And it invites the confused deputy: an agent that holds its own broad credential can be talked into exercising it on an attacker's behalf, becoming a deputy with more authority than the user who invoked it. The Model Context Protocol's own security guidance documents this risk and forbids passing the agent's token straight through to downstream systems — yet most deployments still grant an agent the full tool surface rather than scoping access per call.7
The limits of federated governance
It is worth naming that the most influential decentralization paradigm, Data Mesh, anticipated exactly this tension and made federated computational governance one of its four principles.8 In practice that principle is widely reported as its hardest: policies are written and then ignored, with no shared point of enforcement.5 Decentralization distributes the data and, with it, the governance — which is the wrong default precisely when a hundred agents need one consistent answer. This specification is, deliberately, the counter-move.
These are not hypothetical failures. In 2025, a crafted email silently exfiltrated data from Microsoft 365 Copilot with no user action and no alert — the EchoLeak vulnerability;9 a poisoned web-form field turned Salesforce Agentforce's own access into an exfiltration channel — ForcedLeak, scored critical.10 The pattern is identical and instructive: an agent exercising access it should never have been allowed to use on that request. The 2026 Verizon Data Breach Investigations Report singles out machine and service-account identities as the ones most likely to be exploited as agentic AI spreads; security analysts reading it reach a sharper conclusion — for agentic AI, identity is the control plane.11
Core principles and logical architecture
An AI Governed Layer resolves every source into one governed, canonical record per real-world entity, and serves it to applications and to AI through governed surfaces, with the caller's own permissions enforced on every request, at low latency, and fully audited.
The specification rests on four principles. They are intended to be collectively necessary and sufficient: remove any one and the mismatch reopens. Principle 1 establishes a single truth; Principle 2 decides who may see it; Principle 3 delivers it fast to the new consumer; Principle 4 makes the whole thing accountable. Each principle below is stated, argued, and followed by its logical implication — the demand it places on the shape of a conforming system.
Principle 1 — One canonical entity, not federated copies
An AI Governed Layer produces a single golden record for each real-world entity, by resolving and merging its representations across every source, and retains a crosswalk from that record back to each contributing source.
Resolution is the function federation skips and retrieval freezes. It is the work of deciding that the Acme Corp in the billing system, the ACME CORPORATION in the CRM, and the Acme in a partner feed are one entity, and of choosing, attribute by attribute, which value survives into the golden record. Done once, in the layer, it gives every consumer the same answer. Done nowhere — or independently by each consumer — it guarantees they disagree.
The crosswalk is what keeps resolution honest. A golden record that cannot say where each of its values came from is an assertion, not a record; lineage back to source is what lets a steward — or an investigator — trust it, and what lets the layer reverse a merge that later proves wrong.
Logical implication
Entity resolution is a first-class, standing function of the layer, not a pipeline a consumer runs. The golden record is materialized and maintained as sources change, so that a read is a lookup, not a recomputation.
Principle 2 — Identity is the control plane
Governance lives inside the layer and is enforced server-side, on every request, on the caller's own identity — across record-level isolation, role-based access, attribute-based (context-aware) access, and field-level masking. There is no per-application re-implementation and no shared broker credential; an agent acting on a user's behalf carries that user's identity, and the same checks run.
This is the principle the incidents above violate. Each of them is, at root, an agent acting with authority that was never the invoking user's to lend. The remedy is not a better prompt or a stricter gateway bolted on afterward; it is to make the decision in one place, on the one piece of information that survives every hop — the identity of the person on whose behalf the work is done.4
Placing the four enforcement layers in the layer rather than in each consumer is what makes the guarantee hold. Record-level isolation keeps one tenant's data structurally unreachable from another's. Role-based access grants each identity only the operations it is entitled to. Attribute-based rules narrow that by context — this steward, but only her region; this researcher, but only her cohort. Field-level masking removes individual values from a response before it leaves the layer, so that an agent permitted to read a record is still not permitted to read the one field it has no business seeing. Because all four run on the caller's identity, an agent can never see, or do, anything its user could not — and the audit records that it was the user who asked, because, through the agent, they did.
Logical implication
The layer authenticates the end user — not the application, not the agent — and evaluates all four enforcement layers on every request. The agent is never a privileged principal; it is a conduit for the user's identity.
Principle 3 — A dedicated, low-latency surface for AI
The layer serves the golden record through a surface purpose-built for agents — an MCP endpoint — alongside the surface built for applications — a REST API — with identical governance behind both, and at low latency.
Applications and agents consume differently. An application requests a known resource and renders it; an agent explores, composing many small calls into a task, and is sensitive to the latency of each. Serving both well means offering each the shape it expects — a conventional API for applications, a protocol agents already speak for agents — without letting the second become a back door around the governance of the first. The discipline of the specification is that the two surfaces are the same governance, differently shaped: whatever the application is denied, the agent is denied identically, because both resolve to the same per-request, identity-bound check of Principle 2.
Low latency is not a performance nicety here; it is what makes Principle 1 worthwhile. Because the golden record is resolved and materialized in the layer, a read does not fan out across source systems at query time — it is answered from the layer itself. This is the concrete reason federation cannot serve agents and the layer can.
Logical implication
The layer exposes at least two governed surfaces over the same materialized golden record, one conventional and one agent-native, and is sized for the read pattern of many agents issuing many calls.
Principle 4 — Governed, audited, and explainable by construction
Every access — human or agent — is recorded in an append-only audit the platform itself will not let be rewritten; masked values are returned as masks and never reconstructed; every value on the golden record traces to the source that contributed it; answers are grounded and honest, and consequential actions are previewed for a human before they happen.
The first three principles decide what is true, who may see it, and how it is delivered. The fourth makes the system answerable for all of it. Accountability cannot be an add-on, because the agents it governs act without a person watching; it must be a property of the layer that holds whether or not anyone is looking. An append-only audit gives an investigator the one thing an incident demands — who saw what, and when — in a form that cannot be quietly edited after the fact. Lineage extends the same accountability to the data itself. Masking performed server-side, and never reversed, means a value the caller may not see does not merely go unshown — it never leaves the layer. And grounding — answering from real data, declining to fabricate, surfacing what is masked rather than guessing past it — keeps an agent's output as trustworthy as its access.
This is also where the specification meets regulation. The EU AI Act's obligations for record-keeping and human oversight become applicable to high-risk systems on 2 August 2026;12 a layer that satisfies this principle satisfies them not by bolting on a compliance module but because it cannot operate any other way.
Logical implication
Audit, lineage, masking, and grounding are properties of the layer's read and write paths, not of its consumers — present on every access, by construction.
The principles summarized, and the logical architecture
The four principles describe one shape. Sources, of any number and quality, feed the layer. Inside, resolution (Principle 1) reduces them to one golden record per entity; governance (Principle 2) wraps every read in a per-request, identity-bound check; and the result is served through two governed surfaces (Principle 3) — a REST API for applications, an MCP endpoint for agents. Beneath the whole flow runs an append-only audit and lineage trail (Principle 4). No principle is optional: drop resolution and consumers disagree; drop the per-request identity check and the incidents above return; drop the agent surface or its low latency and the agents route around the layer; drop the audit and the system cannot answer for itself.
Figure 1. The logical architecture of an AI Governed Layer.
A specification, not a product
The AI Governed Layer is a paradigm, not a tool. This document states what must be true — the four principles and the architecture they imply — not how to build it or what to build it on. Conformance is measured against the principles: an implementation conforms if it produces a golden record per entity, enforces governance in the layer on the caller's identity on every request, serves both an application surface and a dedicated agent surface with identical governance at low latency, and audits every access while masking server-side and tracing every value to source. This is the same separation of standard from implementation that lets Data Mesh, the Twelve-Factor App, the Reactive Manifesto, and OpenTelemetry each define a discipline independent of the tools that realize it.
The window is not open indefinitely. The agents are arriving now, the failure modes are already in the vulnerability databases, and the regulatory obligations land in 2026. The choice is to place a layer matching this specification in front of the data before the agent population grows — or to learn, one incident at a time, that a hundred agents each re-implementing access control was never a strategy.
Notes
- Gartner, "Gartner Predicts Over 40% of Agentic AI Projects Will Be Canceled by End of 2027" (25 June 2025). The same release projects agentic AI in 33% of enterprise software by 2028, up from under 1% in 2024. gartner.com ↩
- Anthropic, "Introducing the Model Context Protocol." modelcontextprotocol.io ↩
- MIT NANDA, reported by Fortune, "MIT report: 95% of generative AI pilots at companies are failing" (18 August 2025) — the study attributes the failure rate to integration and workflow, not model quality. fortune.com ↩
- On identity-bound, least-privilege access for AI agents acting on a user’s behalf, see Okta, "How to implement least privilege for AI agents," and the OAuth 2.0 on-behalf-of pattern (RFC 6749). okta.com ↩
- On federation/data-virtualization limits and the difficulty of federated governance: Jenny Kwan, "Data Mesh: Why It’s Not Working (and How to Fix It)" (2025) — "federated governance was the hardest wall everyone ran into"; and Hannes Rollin, "Six Reasons Why Data Mesh Will Fail." jennykwan.org ↩
- OWASP Top 10 for LLM Applications (2025) — LLM08, Vector and Embedding Weaknesses. genai.owasp.org ↩
- Model Context Protocol, "Security Best Practices" — documents the confused-deputy problem and forbids passing the inbound token straight through to downstream systems. modelcontextprotocol.io ↩
- Zhamak Dehghani, "Data Mesh Principles and Logical Architecture," martinfowler.com (3 December 2020) — the principle of federated computational governance. martinfowler.com ↩
- EchoLeak — CVE-2025-32711, a zero-click data-exfiltration vulnerability in Microsoft 365 Copilot (disclosed by Aim Security, June 2025; CVSS 9.3 per Microsoft’s CNA assessment). nvd.nist.gov ↩
- ForcedLeak — an indirect prompt-injection vulnerability chain in Salesforce Agentforce, CVSS 9.4 (Noma Security, September 2025). noma.security ↩
- The Verizon 2026 Data Breach Investigations Report singles out machine and service-account identities as the ones most likely to be leveraged "in our potential agentic AI future"; the "identity is the control plane" framing is Token Security’s analysis of that report. token.security ↩
- EU AI Act, Articles 12 (record-keeping) and 14 (human oversight) — the high-risk-system obligations become applicable on 2 August 2026. Accountability through logging and lineage is likewise central to the NIST AI Risk Management Framework. artificialintelligenceact.eu ↩