buildinganai-drivekgkic: Data Risk: Provenance to Retention

When a “helpful connector” becomes a reportable incident

A product team rolls out an internal AI assistant to draft customer-support replies. To make it useful, they connect it to policy docs, a Zendesk-like ticketing system, and a shared drive of “helpful templates.” Within days, agents love it—until a customer screenshots a response that references an internal escalation code and includes a snippet that looks like someone else’s account notes. Security finds the root cause: a retrieval connector indexed more content than intended, and the system logs stored full prompts (including customer PII) for “debugging.”

Nothing about the model’s benchmarks would have caught this. This is data risk—what happens when data is collected, moved, transformed, retrieved, logged, shared, and retained in ways that create legal exposure, security vulnerability, or simple operational chaos.

This matters now because AI systems dramatically increase the surface area of data handling: more connectors, more copied text, more logging, more derived artifacts (summaries, embeddings, traces), and more stakeholders who can access outputs. If your organization wants AI at scale, you need governance that answers a basic question with evidence: Where did this data come from, what are we allowed to do with it, how does it flow through the system, and when does it get deleted?

Data risk, defined: provenance to retention (and why “prompt logs” are a governance decision)

In the prior risk lessons, you treated AI as a socio-technical system: models + data + tools + permissions + workflows. You also saw why incidents happen even when “the model is fine,” and why controls must be external (permissions, gates, monitoring) rather than prompt-only. Data risk is where that becomes very concrete: connectors, retrieval, and logging are usually the fastest path from a helpful prototype to a compliance problem.

Key terms you’ll use in governance discussions:

Data provenance: the origin and lineage of data—where it came from, who owns it, what terms apply, and how it has been transformed (including labeling, cleaning, summarization, and embedding).
Data lineage: the traceable path of data through systems and transformations. Provenance is the “where/rights”; lineage is the “how it moved/changed.”
Data minimization: collecting and processing only what you need for a defined purpose, and nothing more.
Purpose limitation: using data only for the purpose you communicated and justified (internally via governance, externally via notices/consent where applicable).
Retention & deletion: how long data (and derived artifacts) is stored, how it is disposed of, and how you prove it—especially across backups and vendor systems.
Derived data: artifacts created from the original data—summaries, labels, embeddings, evaluation datasets, conversation transcripts, and audit logs. Derived data can still be sensitive and still be regulated.

A helpful analogy: think of AI data like food in a professional kitchen. Provenance is your supplier and safety certification, lineage is what stations touched it and how it was prepared, and retention is how long leftovers stay in the fridge. The food can be excellent, but if you can’t prove sourcing, handling, and disposal, you’re still exposed.

The data lifecycle risks that repeatedly break AI deployments

1) Provenance: “Do we have the right to use this—and can we prove it later?”

Provenance failures are often invisible during pilots because things “work” while governance quietly accrues debt. Teams scrape internal wikis, copy/paste customer emails into prompts, or ingest shared drives without confirming ownership, licensing terms, or confidentiality classifications. The risk is not abstract: when content is retrieved into model context or stored in logs, you may have created a new processing activity that triggers contractual limits, privacy obligations, or audit expectations.

In AI systems, provenance also includes how data was created, not just where it was found. A policy document may be current, but a “helpful template” may contain outdated regulatory language. A knowledge base may include content written for internal audiences that is inappropriate for customers. If retrieval treats it all as equivalent “truth,” the system can generate confident but non-compliant instructions. Provenance governance therefore needs both rights and fitness for use.

Best practices keep this operational rather than philosophical. Start by declaring intended use and prohibited use (a theme from model governance) specifically for data: what sources are allowed for retrieval, which are banned, and what needs extra approvals. Then require lightweight, repeatable evidence: who owns the source, what classification it has (public/internal/confidential/regulated), and what terms apply (license, NDA, data-sharing agreement, internal policy). The goal isn’t bureaucracy—it’s to avoid a future incident where no one can answer, “Why was this document in the index?”

Common pitfalls and misconceptions show up predictably:

Pitfall: “It’s internal, so it’s safe.” Internal data can be highly regulated (HR, finance, customer PII) and may be accessible to far more people through an AI interface than before.
Pitfall: “The model doesn’t train on it, so it’s okay.” Even without training, you may be processing and exposing data through retrieval, caching, or logs.
Misconception: “If it’s in SharePoint/Drive, it’s approved.” Location is not permission; shared drives are often the least-governed source.
Misconception: “Provenance is a one-time check.” Sources change, docs get updated, and connectors expand—provenance needs ongoing ownership and review.

2) Access and retrieval: the connector is the new blast radius

Once you connect an LLM to tools and knowledge sources, data risk becomes a question of scope and least privilege—the same principle that protects you from misuse. Retrieval is powerful because it can pull in content that a user did not explicitly request and might not even know exists. That’s great for productivity and dangerous for confidentiality. If a connector indexes too broadly, the model can unintentionally include sensitive text in a draft, even if the user never asked for it.

A practical way to reason about this is: retrieval changes the default from “user sees only what they search” to “user sees what the system thinks is relevant.” That relevance function is probabilistic, and it can be gamed (prompt injection) or simply mistaken (wrong document version, wrong customer record, wrong region). Also, many deployments over-trust the model’s ability to “summarize safely.” Summaries can still leak secrets—sometimes more effectively, because they compress sensitive details into a shareable form.

Best practice is to treat retrieval and tool access as security boundaries, not convenience settings. Apply least privilege at three layers:

Data layer: connectors scope to approved collections, not whole drives. Sensitive repositories are blocked by default.
Identity layer: retrieval respects the user’s permissions; the assistant should never become a permission bypass.
Task layer: retrieval is constrained to the current workflow context (e.g., “this ticket,” “this customer,” “this policy set”), not the entire enterprise search space.

This is also where earlier lessons’ operational thinking matters: you need monitoring signals (unexpected doc IDs retrieved, spikes in sensitive-topic queries, unusual tool calls) and rollback ability (disable a connector, revert retrieval config). Teams often treat retrieval settings as “not code,” tweak them to improve answer quality, and accidentally expand access. That’s the data-risk version of drift: the model didn’t change, but the system behavior did.

Common pitfalls and misconceptions:

Pitfall: broad indexing “to make it helpful,” then relying on the prompt to prevent leaks. Prompts are not access control.
Pitfall: mixing environments (prod data used in dev testing) because it’s convenient for evaluation.
Misconception: “If it’s only agents using it, it’s low risk.” Internal users are a major source of accidental disclosure, especially under time pressure.
Misconception: “We’ll catch issues in QA.” Retrieval leaks can be rare and context-specific; you need structural controls, not only sampling.

3) Logging, traces, and evaluation data: observability vs. privacy is a deliberate trade-off

AI systems create a strong temptation: log everything so you can debug hallucinations, measure drift, and investigate incidents. And you do need evidence—earlier lessons emphasized that governance depends on logs, segmented metrics, and auditability. The catch is that AI logs can be some of your most sensitive datasets, because they often contain raw user text, customer details, and retrieved internal snippets in one place.

You should assume that prompts, outputs, and tool traces will eventually be accessed by someone beyond the original team: SRE during an outage, security during an investigation, compliance during an audit, or a vendor during support escalation. Therefore, “What do we log?” becomes a governance decision with risk appetite baked in. If you keep full transcripts forever, you’re maximizing debuggability and maximizing breach impact. If you keep almost nothing, you’ll struggle to detect drift, misuse, and data leaks—and you won’t have credible incident timelines.

Best practice is to design privacy-aware observability. That means:

Logging just enough to support monitoring and incident response (timestamps, model version, prompt template ID, retrieval doc IDs, tool-call metadata), while avoiding raw sensitive text by default.
Using redaction and tokenization for known sensitive fields (account numbers, SSNs, addresses) where feasible.
Tiered logging: short retention for detailed traces, longer retention for aggregated metrics.
Tight access controls and audit trails on who can view raw traces, with a documented escalation path for “break glass” access.

A common pitfall is assuming derived data is safe. Embeddings, summaries, and evaluation datasets can still encode sensitive information or recreate it in context. Another pitfall is ad-hoc evaluation: teams export real customer conversations into spreadsheets to test prompts, creating uncontrolled copies outside retention policies. A frequent misconception is, “We need raw logs to be responsible.” Responsibility is matching observability to risk: you can often diagnose drift and misuse with metadata and sampled, approved traces rather than full capture of everything.

4) Retention and deletion: “Can we actually erase it everywhere?”

Retention is where governance becomes real, because it forces you to confront the full footprint: application databases, vector indexes, caches, analytics warehouses, vendor logs, backups, and incident artifacts. AI amplifies retention risk by creating more copies in more places—especially when teams iterate quickly. A single customer email can end up as: a prompt transcript, a retrieved document, an embedding in a vector store, an evaluation example, and a ticket attachment.

The first principle is define retention by data type and purpose, not by system. “Keep logs for 90 days” is not sufficient if some logs contain regulated data and others do not. You need categories (customer PII, internal confidential, public docs, model outputs, tool traces) and retention rules for each, plus clear ownership for approving exceptions. The second principle is make deletion operational: implement deletion workflows and test them. If your deletion depends on manual tickets across five teams, you don’t have a deletion capability—you have a hope.

Best practice includes documenting where data lives and how long it persists, including vendor boundaries. If a vendor stores prompts for abuse monitoring or service improvement, that is still part of your retention story, and it must align with your policies and contracts. This is also a business continuity issue: keeping everything “just in case” increases breach impact and eDiscovery cost, while deleting too aggressively can undermine audits and incident response. The right answer is rarely “keep forever” or “delete immediately”—it’s a governed middle with evidence.

Common pitfalls and misconceptions:

Pitfall: forgetting backups and replicas. Deletion that doesn’t address backups is often not deletion in practice.
Pitfall: ignoring vector stores. Teams treat indexes as “just infrastructure,” but they may contain sensitive derived data.
Misconception: “Retention is compliance’s problem.” Retention is a system design problem with real engineering work.
Misconception: “We’ll decide retention after launch.” By then, data has already spread; retrofitting deletion is expensive and unreliable.

How the lifecycle hangs together (and where controls attach)

AI data risk is easiest to govern when you map lifecycle stages to concrete controls and owners, instead of treating “data governance” as a vague umbrella.

Lifecycle stage	What can go wrong	Evidence you should be able to show	Controls that actually work
Provenance	Using data you don’t have rights to use; outdated or unfit content drives unsafe outputs	Source owner, classification, permitted uses, and change history for indexed content	Approved source lists, classification gates before indexing, ownership and review cadence
Access & retrieval	Connector scopes too broadly; retrieval bypasses permissions; sensitive text is pulled into context	Retrieval scope config, permission model, retrieval logs (doc IDs), access audit trails	Least privilege connectors, permission-respecting retrieval, task-scoped retrieval, rapid connector disable/rollback
Logging & traces	Prompts/outputs store PII; logs become a high-value breach target; uncontrolled exports for evaluation	Log schema, redaction approach, access logs, retention settings, sampling policy	Privacy-aware observability, tiered logging, restricted raw trace access, approved evaluation datasets
Retention & deletion	Data persists in indexes/backups/vendors; cannot fulfill deletion obligations; excessive retention increases incident impact	Data inventory across systems, tested deletion paths, vendor retention terms, backup deletion strategy	Data-type retention policy, automated deletion workflows, periodic deletion tests, contractual alignment with vendors

[[flowchart-placeholder]]

Two real-world deployments, walked through end-to-end

Example 1: Regulated customer-support drafting assistant (retrieval + logs)

The organization deploys an assistant that drafts replies for agents, using retrieval over policy docs and CRM notes. The intended use is “drafting help,” but under high volume agents start sending drafts with minimal edits, making the assistant’s data handling effectively customer-facing. The main data risks cluster around provenance and retrieval scope—because the assistant will confidently incorporate whatever it can access.

Step-by-step, a strong approach starts with provenance and scoping. The team defines approved retrieval sources: current policy documents, product FAQs, and a curated knowledge base with clear owners. They explicitly exclude shared drives and historical “template folders” unless reviewed, because those often contain outdated language and accidental PII. Then they configure retrieval to be case-scoped for CRM notes: the assistant can only retrieve notes attached to the current ticket/customer, not “similar customers,” unless a business owner signs off on that secondary use. This aligns with purpose limitation: the agent is resolving this customer’s issue.

Next comes logging discipline to balance drift monitoring with privacy risk. Instead of defaulting to full transcript logging, they store: model version, prompt template ID, retrieval doc IDs, refusal/override indicators, and tool-call metadata. For a small, approved sample of tickets (or only during incidents), they allow deeper traces with redaction and strict access controls. The impact is practical: QA and ops can still track signals like override rates, complaint spikes, and sudden changes after a model update, while reducing the chance that logs become a shadow database of customer PII.

Limitations remain. Tight retrieval scoping can reduce helpfulness when agents face unusual edge cases, and limited raw logs can slow certain investigations. Governance makes this a deliberate trade-off: high-risk categories (fraud, hardship, disputes) get stronger scoping and retention limits, while low-risk categories may permit more helpful retrieval and slightly richer diagnostics. The key is that the decision is explicit, documented, and enforceable—not left to whoever configures the connector.

Example 2: Retail promotion and pricing recommendations (batch decisions + derived data)

A retailer runs a model that recommends daily promotions by region using sales history, inventory, competitor feeds, and loyalty segmentation. Even with human “approval,” the scale pushes teams toward rubber-stamping batches—so data issues can propagate quickly into financial harm and reputational backlash. Here, data risk is less about customer PII and more about provenance, lineage, and retention of derived decision artifacts.

The lifecycle approach begins with provenance and lineage for external feeds. Competitor pricing and demographic proxies can come with licensing terms and usage restrictions, and feeds can quietly change schema or coverage. The team documents feed ownership, contract constraints, and acceptable use (e.g., “inform recommendations,” not “store and redistribute”). They also track lineage into the decision pipeline: which feed versions and transformations influenced each recommendation. This becomes crucial when a region sees abnormal discounting—governance needs more than “the model said so”; it needs traceability to inputs and transformations.

Next, they manage derived data retention carefully. Pricing recommendations, approval records, and audit logs are business-critical and often need longer retention for finance and audit. But they avoid storing unnecessary raw inputs (like full competitor scrape snapshots) beyond what contracts allow, and they separate operational retention (short-lived diagnostics) from audit retention (long-lived decision summaries). They also control access: the ability to change constraints, alter training datasets, or push recommendations live is tightly permissioned, mirroring the “least privilege” mindset from misuse controls.

Limitations are real. Strong lineage tracking adds engineering overhead, and stricter retention can reduce retrospective analysis for model improvement. The payoff is resilience: when something goes wrong—margin erosion, regional outliers, or a complaint storm—the organization can isolate cause (feed change, transformation bug, segmentation shift) and respond quickly without turning the incident into a months-long forensic exercise.

Closing: make data governable, not mysterious

Data risk becomes manageable when you treat the AI data lifecycle as a set of design choices with owners, evidence, and controls—not as an after-the-fact compliance checklist.

Key takeaways:

Provenance is permissions + fitness: you need to know both whether you’re allowed to use data and whether it’s appropriate for the task.
Connectors and retrieval define blast radius: least privilege and task-scoped retrieval prevent “helpfulness” from becoming leakage.
Observability is a trade-off you must design: logs enable drift/misuse detection, but raw traces can become your most sensitive dataset.
Retention must be operational: if you can’t delete across indexes, backups, and vendors, you don’t control the risk.

Next, we'll build on this by exploring Third-Party Risk & Incident Response [25 minutes].

Last modified: Friday, 6 March 2026, 6:05 PM

Operating Model for AI at Scale

AI Operating Model Patterns

Quiz: AI Operating Model Patterns

Roles &amp; Decision Rights

Quiz: Roles &amp; Decision Rights

Ways of Working (Product/Platform/Squads)

Quiz: Ways of Working (Product/Platform/Squads)

Portfolio &amp; Funding for AI Outcomes

Quiz: Portfolio &amp; Funding for AI Outcomes

AI Strategy to Execution Roadmap

Outcomes and Metrics from AI Ambition

Quiz: Outcomes and Metrics from AI Ambition

Prioritisation: Value, Feasibility, Risk

Quiz: Prioritisation: Value, Feasibility, Risk

Roadmap Design: Horizons and Dependencies

Quiz: Roadmap Design: Horizons and Dependencies

Executive Alignment and Change Impacts

Quiz: Executive Alignment and Change Impacts

AI Use Case Lifecycle Governance

Intake Standards &amp; Evidence Bar

Quiz: Intake Standards &amp; Evidence Bar

Stage Gates: Discover to Deploy

Quiz: Stage Gates: Discover to Deploy

Lifecycle Documentation Expectations

Quiz: Lifecycle Documentation Expectations

KPIs, Ownership &amp; Accountability

Quiz: KPIs, Ownership &amp; Accountability

AI Risk Management for Deployment

Risk Categories for AI Deployment

Quiz: Risk Categories for AI Deployment

Model Risk: Bias, Drift, Misuse

Quiz: Model Risk: Bias, Drift, Misuse

Data Risk: Provenance to Retention

Quiz: Data Risk: Provenance to Retention

Third-Party Risk &amp; Incident Response

Quiz: Third-Party Risk &amp; Incident Response

AI Governance, Controls, and Assurance

Governance Frameworks &amp; Committees

Quiz: Governance Frameworks &amp; Committees

Control Design: Prevent/Detect/Correct

Quiz: Control Design: Prevent/Detect/Correct

Monitoring, Auditability &amp; Evidence

Quiz: Monitoring, Auditability &amp; Evidence

Regulatory &amp; Board Oversight Alignment

Quiz: Regulatory &amp; Board Oversight Alignment

Final Review

Course Synthesis: End-to-End View

Quiz: Course Synthesis: End-to-End View

Integration Exercise: Strategy-to-Control Map

Quiz: Integration Exercise: Strategy-to-Control Map

Practical Takeaways &amp; Next Steps Plan

Quiz: Practical Takeaways &amp; Next Steps Plan

When a “helpful connector” becomes a reportable incident

Data risk, defined: provenance to retention (and why “prompt logs” are a governance decision)

The data lifecycle risks that repeatedly break AI deployments

1) Provenance: “Do we have the right to use this—and can we prove it later?”

2) Access and retrieval: the connector is the new blast radius

3) Logging, traces, and evaluation data: observability vs. privacy is a deliberate trade-off

4) Retention and deletion: “Can we actually erase it everywhere?”

How the lifecycle hangs together (and where controls attach)

Two real-world deployments, walked through end-to-end

Example 1: Regulated customer-support drafting assistant (retrieval + logs)

Example 2: Retail promotion and pricing recommendations (batch decisions + derived data)

Closing: make data governable, not mysterious

Roles & Decision Rights

Quiz: Roles & Decision Rights

Portfolio & Funding for AI Outcomes

Quiz: Portfolio & Funding for AI Outcomes

Intake Standards & Evidence Bar

Quiz: Intake Standards & Evidence Bar

KPIs, Ownership & Accountability

Quiz: KPIs, Ownership & Accountability

Third-Party Risk & Incident Response

Quiz: Third-Party Risk & Incident Response

Governance Frameworks & Committees

Quiz: Governance Frameworks & Committees

Monitoring, Auditability & Evidence

Quiz: Monitoring, Auditability & Evidence

Regulatory & Board Oversight Alignment

Quiz: Regulatory & Board Oversight Alignment

Practical Takeaways & Next Steps Plan

Quiz: Practical Takeaways & Next Steps Plan