When you talk to people who have responsibility for today’s systems, one thing that often comes up is data governance.

Yes, parts of the world have new laws, like Europe’s General Data Protection Regulation or GDPR, not to mention the AI Act, but there’s still quite a big gray area in how companies, people and agents are going to treat personal information, in a world where we tried so hard to get guardrails on pre-AI systems.

Simply speaking, much of our levee on private data is becoming obsolete. AI has new ways of ferreting out information, new attack vectors for black hats, new and scary bugbears of automation gone rogue. Just look at Mythos, a model that has essentially been put into a cage called Project Glasswing, because business and government leaders correctly surmised that it would be too dangerous to let this thing out unfettered into the world.

With that in mind, I wanted to showcase some comments I heard in a panel at the Imagination in Action event at MIT in April (which I help put on) and how professionals are thinking about this issue. We had the esteemed Nina Gregory of NPR fame interviewing Moinul Khan of Aurascape and Sunil Ratan of Precognitive.

In an initial discussion of data governance, Ratan weighed in on its importance, given that one of the company’s services is an AI entity he called a “guardian angel” for seniors who might need to coordinate a lot of doctor visits, home care, etc.

“We're not just integrating historical data, but current, live data about somebody as they're being monitored,” he said. “You can integrate all of that into what amounts to a living profile of an individual. We translate that into meaning, and that drives meaningful, coordinated, and cohesive action. This ends up saving society a lot of money, because a lot of money we're spending on healthcare and social services is because people fall through the cracks; then there's a disconnect, they have a crisis, and now we spend all this money to get them out of the crisis.”

Ratan called for governance of AI data at two levels.

“One is at the corporate level, to avoid what I call the ‘Facebook problem,’ where you put this thing out there in the world without any rules, and stuff happens,” he said. “The second place where we need to have governance is at the community level. I'm all for us being regulated under HIPAA, but at the end of the day, we're not going to be effective if people don't trust us. But people are corruptible. So, how do you deal with that?”

Blind Spots

Khan addressed how to deal with a range of security and governance “blind spots,” citing his experience working with firms like Palo Alto Networks, Zscaler, Netskope, and Juniper.

“When you talk about the security blind spots, I would put them in two different buckets,” he said. “First, you have to look at how enterprise customers are consuming AI. One part of it is your employees, your users, they're consuming hundreds of commercially available tools—chatbots, coding assistant tools, embedded AI. And the biggest blind spot on that segment is your current existing security infrastructure. Whatever you have implemented for the last 15, 20 years doesn't work anymore.”

He also mentioned firewalls.

“If you talk to your IT security team, they have implemented firewalls and proxies and DLP and CASBs that can only find vulnerabilities in HTTP traffic,” he said of a theoretical problem scenario. “And then when your users are consuming all of these tools, they're completely blind. They're essentially all these millions of dollars of investment that you did, they just became a URL filtering engine and nothing else.”

AI Agents

Tackling the idea of how things work in the agentic age, Khan cited some advice he often gives founders: “crawl, walk, run.”

“First, do you even have visibility into what your employees are doing? What tools are they using?” he said. “The first step is to understand what's in your network, which is difficult with legacy technology. You need to know which tools are sanctioned and which are not. With AI agents, you need to know who they are and what tasks have been delegated to them.”

Noting the challenges of controlling individual “shadow AI” efforts, Khan put the whole thing in a slightly wider lens.

“Shadow AI is one problem, but with AI agents, you have a different problem,” he said. “You need to know what these tools are doing based on their delegation. If 3,000 AI agents are talking to each other on a Slack channel using their own language, negotiating and executing tasks, do you even have visibility into that?”