Part 1 — For the Business

Ch. 5 — Data Rights and Minimisation

Why agents that fetch broad context "because it might be useful" are a liability — and what GDPR, HIPAA, and PCI-DSS all say about it.

Across GDPR, HIPAA, and PCI-DSS, the same instruction appears in different words: access only what you need, for the specific task, at the time you need it. Agents violate this by default.

An agent with broad tool access and a large context window will pull in far more data than any individual task requires. Not because it was designed to be reckless. Because doing so is easier than scoping access precisely.

A customer service agent given read access to the full CRM will use it. A clinical agent with access to complete patient records will load them. A billing agent connected to the full payment stack will query it. The convenience is real. So is the liability.

Platform Agentic

Compliance, governance, and accountability for teams building agentic AI systems.
