Gidi's Substack Articles

AI Agents Inherited Your Data. Not Your Judgment.

Written by Gidi Cohen | Jun 9, 2026 3:12:03 PM

The original article appeared on Substack.

There is a design assumption built into every enterprise security program that almost nobody has written down, because nobody ever needed to. It was self-evident.

A human being would be present in the loop.

Not necessarily watching every transaction, but present in the decisions that mattered. Present when a customer support agent decided which account details to include in a response. Present when a sales representative chose what to share in a proposal. Present when a financial analyst pulled records to assemble a report. The human carried something that no policy document ever needed to specify: an understanding of who the data belonged to, what relationship it represented, and whether sharing it in this context made business sense.

That assumption is now quietly breaking. And most security programs have not yet noticed.

What Actually Transferred
When enterprises deploy AI agents — Copilot, Claude, Salesforce Agentforce, custom frameworks built on MCP servers — they transfer access. The agent can reach the same repositories the human reached. It can retrieve the same documents, query the same databases, and assemble context from the same sources. In many cases it does so faster, at greater scale, and with fewer of the natural friction points that slowed human decisions down.

Access transferred completely.

What did not transfer is judgment. The agent does not know that a customer’s contract terms are sensitive to a particular counterparty. It does not know that two accounts should never appear in the same context because of a competitive relationship. It does not know that the regulatory obligation attached to this customer’s data is different from the one attached to the customer in the adjacent record. The human knew these things intuitively. The agent has no idea they exist.

This is not a failure of AI capability. It is an architectural gap. The human was the judgment layer, and nobody built a replacement when the human stepped back.

The North-South Problem, Made Concrete
Earlier articles in this series introduced the concept of the North-South control plane: the vertical dimension of agent risk, where data is retrieved, assembled, and reasoned over inside a transient execution context that traditional controls were never designed to see.

This is what that problem looks like in practice.

An agent handling a customer inquiry retrieves relevant account information through an MCP server. It combines that information with context from a previous interaction, adds policy details from a knowledge base, and generates a response. Each of those retrieval events is a judgment call the human used to make intuitively: is this the right account? Is this information appropriate for this customer in this context? Does this output mix data that should never appear together?

The agent makes no such judgment. It makes a retrieval decision, not a business decision. And the controls that govern data movement were designed on the assumption that a human had already made the business decision; they have nothing to say about a retrieval that happens without one.

The data flows in both directions. Business context and user intent travel outward through every tool invocation and MCP call. Enterprise data travels inward through every retrieval response. Neither direction carries the judgment that would make the flow appropriate or inappropriate in a specific business context. That judgment was never encoded anywhere. It lived in the human.

Why Channel Visibility Is Not Enough
The instinct of the security industry, when a new data movement surface appears, is to wrap a visibility layer around it. Log the traffic. Monitor the calls. Alert on anomalies. That instinct is not wrong — visibility is necessary.

It is not sufficient.

Gartner noted in June 2025 that “as enterprises move towards complex multi-agent systems that communicate at breakneck speed, humans cannot keep up with the potential for errors and malicious activities.” The speed problem is real. But the deeper problem is not speed — it is meaning. Logging that an agent retrieved a customer record does not tell you whether that retrieval was appropriate for the specific interaction the agent was serving. Monitoring outbound MCP calls does not tell you whether the business context embedded in those calls should have been exposed to the service receiving them.

What the channel visibility layer sees is traffic. What it cannot see is whether the traffic makes business sense.

The human saw both. The agent sees neither. And the monitoring layer, by design, only sees the first.

The Governance Gap Is Already Producing Failures
Gartner’s May 2026 research found that by 2027, 40 percent of enterprises will demote or decommission autonomous AI agents due to governance gaps identified only after production incidents occur. “When agents operate autonomously,” Gartner noted, “actions are executed at a scale and speed that can outpace human oversight.”

The governance gaps Gartner is describing are not primarily authentication failures or prompt injection attacks. They are judgment failures: agents that combined data they should not have combined, that served information to the wrong context, that generated outputs whose sensitivity was invisible to any control that looked only at the data and not at the business relationship it carried.

Those failures happen because the judgment layer is missing. Not because the agent was misconfigured. Not because the access controls failed. Because nobody replaced what the human used to provide.

What the Reasoning Loop Needs
The previous article in this series established that three distinct builder populations — vibe coders, citizen developers, and agentic engineers — all create the same enterprise data exposure regardless of their intent or technical sophistication. The conclusion was that enforcement has to operate at the data boundary, uniformly, regardless of who built the workflow.

This article names why.

The enforcement has to operate at the data boundary because that is where the judgment gap lives. That is where the human used to stand. The agent arrives at the data boundary equipped with access and instructions. It needs something else: the business context that tells it whether using this data, in this interaction, for this purpose, is appropriate.

That context is not a label on a file. It is not a permission in an access control list. It is knowledge of who the data belongs to, what relationship it represents, and what obligations attach to it in the current context. It is, in other words, exactly what the human carried naturally and the agent was never given.

Governing AI data flows means giving the reasoning loop what the human already had: an understanding of the business context surrounding every piece of data it touches. Not after the fact, through monitoring and alerts. Inside the loop, before the decision is made.
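What an enforcement point inside the loop looks like, as an added example that is not code from the original article. It models the retrieval scenario from "The North-South Problem, Made Concrete" (an agent pulling account, contract and knowledge-base records through a tool call) and the requirement stated above: the check runs on the retrieval response before it reaches the model, and again on the outbound tool call, using business context rather than file labels. The record schema, the `InteractionContext` fields, the competitor map, the purpose rules and the tool clearances are all assumptions made for illustration; the sample records are constructed, not real data.

```python
"""
A context-aware enforcement point at the data boundary of an agent loop.

Added example, not code from the original article. The record schema,
the InteractionContext fields, the competitor map, the purpose rules and
the tool clearances are assumptions chosen to illustrate the idea.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Record:
    record_id: str
    owner: str      # customer the data belongs to; "*" marks a shared knowledge base
    kind: str       # "account", "contract_terms" or "policy"
    regime: str     # regulatory obligation attached: "none", "gdpr" or "hipaa"
    body: str

@dataclass
class InteractionContext:
    serving: str                 # who this interaction is for
    purpose: str                 # why the data is being pulled
    cleared_regimes: frozenset   # obligations this channel may handle
    # what has already been assembled into the prompt (tracked by the boundary)
    assembled_owners: set = field(default_factory=set)
    assembled_regimes: set = field(default_factory=set)

# Assumed business relationships: account pairs that must never share a context.
COMPETITORS = {frozenset({"acme", "globex"})}

# Assumed purpose rules: which record kinds each purpose may use, and which
# purposes legitimately span more than one customer's data.
KINDS_BY_PURPOSE = {
    "support_inquiry": {"account", "policy"},
    "sales_proposal": {"account", "policy"},          # no contract terms in a proposal
    "contract_review": {"account", "contract_terms", "policy"},
    "portfolio_report": {"account", "policy"},
}
MULTI_OWNER_PURPOSES = {"portfolio_report"}

# Assumed outbound tool clearances: the regimes whose data may be sent to each tool.
TOOL_CLEARANCE = {
    "crm_lookup": {"none", "gdpr", "hipaa"},
    "public_web_search": {"none"},
}

def admit(ctx: InteractionContext, rec: Record) -> tuple[bool, str]:
    """Inbound check: may rec enter the context of this interaction?"""
    if rec.regime not in ctx.cleared_regimes and rec.regime != "none":
        return False, f"channel is not cleared for {rec.regime} data"
    if rec.kind not in KINDS_BY_PURPOSE.get(ctx.purpose, set()):
        return False, f"{rec.kind} is not appropriate for purpose {ctx.purpose}"
    if rec.owner not in ("*", ctx.serving) and ctx.purpose not in MULTI_OWNER_PURPOSES:
        return False, f"record belongs to {rec.owner}; interaction serves {ctx.serving}"
    for other in ctx.assembled_owners:
        if frozenset({other, rec.owner}) in COMPETITORS:
            return False, f"{rec.owner} must not appear alongside {other}"
    return True, "ok"

def filter_inbound(ctx: InteractionContext, records: list[Record]):
    """Apply admit() to a retrieval response before it reaches the model.
    Returns the admitted records plus an audit list of (record_id, reason)
    for everything withheld; admitted records update the context so that
    later checks see what is already in the prompt."""
    admitted, withheld = [], []
    for rec in records:
        ok, why = admit(ctx, rec)
        if not ok:
            withheld.append((rec.record_id, why))
            continue
        if rec.owner != "*":
            ctx.assembled_owners.add(rec.owner)
        ctx.assembled_regimes.add(rec.regime)
        admitted.append(rec)
    return admitted, withheld

def check_outbound(ctx: InteractionContext, tool: str) -> tuple[bool, str]:
    """Outbound check: may a call to `tool` carry what this context has assembled?"""
    cleared = TOOL_CLEARANCE.get(tool, set())
    leaking = sorted(r for r in ctx.assembled_regimes if r not in cleared)
    if leaking:
        return False, f"context holds {', '.join(leaking)} data; {tool} is not cleared for it"
    return True, "ok"

# Constructed sample data, not real records.
RECORDS = [
    Record("acct-acme", "acme", "account", "gdpr", "Acme account profile"),
    Record("ct-acme", "acme", "contract_terms", "gdpr", "Acme pricing and exclusivity"),
    Record("kb-refunds", "*", "policy", "none", "Refund policy, all customers"),
    Record("acct-globex", "globex", "account", "gdpr", "Globex account profile"),
    Record("acct-initech", "initech", "account", "hipaa", "Initech covered-entity account"),
]

if __name__ == "__main__":
    support = InteractionContext("acme", "support_inquiry", frozenset({"gdpr"}))
    print(filter_inbound(support, RECORDS)[1])        # three records withheld, with reasons
    report = InteractionContext("finance-desk", "portfolio_report", frozenset({"gdpr", "hipaa"}))
    print([r.record_id for r in filter_inbound(report, RECORDS)[0]])
    print(check_outbound(report, "public_web_search"))  # denied: context holds gdpr and hipaa data
```

Two things to notice. None of the denials is an access-control failure: every record is one the agent is entitled to read, and the support agent is refused Globex's profile and Acme's contract terms only because of what the interaction is for and whose data it already holds. And the portfolio report is allowed to mix Acme and Initech but not Acme and Globex, which no per-file label or ACL entry could express; the rule lives in the relationship between accounts, which is exactly the context the human used to carry.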

The Shift That Defines the Next Phase
Data security has always had a hidden dependency on human judgment. Classification told the tool what type of data was present. Access control told the tool who was permitted to reach it. But the decision about whether reaching it made sense in a specific business context — that was the human’s job.

The agent era does not simply create a new attack surface. It removes the hidden dependency and exposes the gap underneath.

The access transferred. The judgment did not.

Closing that gap is the central data security challenge of the agentic era. Not securing the channel. Not monitoring the traffic. Giving the reasoning loop the context it needs to make the decisions the human used to make without being asked.
