Kiteworks: Why Data-Layer Controls Are the Missing Piece for Agentic AI Governance
Kiteworks urges data-layer governance for agentic AI, exposing gaps in discovery, containment, and audit trails that RSAC 2026 made plain, and calls for action.
Kiteworks walked the RSAC 2026 floor with a simple message: agentic AI governance cannot rely on visibility alone; it needs data-layer enforcement. Agentic AI governance has moved from a theoretical concern to an operational priority as enterprises accelerate deployments of autonomous agents and workflow automation. At the center of the debate is a practical question: when an AI agent touches regulated or sensitive data, what technical controls ensure its behavior stays within legal, ethical, and corporate boundaries?
Why RSAC made agents a consensus topic
The conference atmosphere reflected a shared industry diagnosis: autonomous AI components — “agents” — are now a mainstream enterprise problem. Vendors and platform providers presented discovery and runtime protections as their immediate response, while standards organizations surfaced new frameworks for governing agentic control planes. From established security vendors to cloud infrastructure providers, announcements emphasized agent detection, policy enforcement, and runtime constraints.
That broad attention confirms what vendor research indicates: organizations aren’t merely experimenting. According to Kiteworks’ recent forecast, every surveyed organization has agentic AI on its roadmap. But the same research surfaces an alarming pattern of deficiencies beneath that adoption signal — most organizations can detect and monitor agents but cannot reliably bind those agents to purpose, isolate them from wider networks, or forcibly terminate misbehaving instances. These gaps turn a visibility problem into a control problem.
The governance gap: discovery vs containment
Discovery is necessary but not sufficient. Several vendors highlighted capabilities to find and catalog agents — from endpoint and SaaS discovery to pipeline-level shadow AI detection — and those tools are valuable. Yet Kiteworks’ research quantifies the limits of discovery: 63% of organizations cannot enforce purpose limitations on agents, 60% lack the ability to kill agents that stray, and 55% cannot isolate agent workloads from broader networks. In short, many security teams know an agent exists without having levers to stop it or constrain its actions.
That distinction matters because governance is not the same as observability. Observability answers “what is happening?” Governance answers “what is allowed and how do we prove it?” Security teams are increasingly asking that second question out loud: how do we apply consistent policy and produce auditor-grade evidence for agent interactions with regulated data — across HIPAA, PCI, CMMC, SOX and other regimes — without building bespoke controls for every AI product we adopt?
Audit trails as governance infrastructure
One of the least glamorous but most consequential findings from Kiteworks’ work is the centrality of audit trails. A surprising proportion of organizations cannot produce evidence-quality logs: 33% lack them entirely, and 61% operate with fragmented logging spread across disconnected systems. Audit quality strongly correlates with governance maturity; teams with robust, tamper-evident trails are measurably further ahead in purpose binding, human-in-the-loop controls, and the ability to recover training data provenance.
Audit trails matter because regulators do not—and will not—differentiate between human and autonomous actors when protected information is accessed. The same compliance obligations apply. That means every agent interaction with regulated data needs authentication, encryption, policy enforcement and a tamper-evident record that feeds security telemetry and supports incident response. Without that foundation, monitoring and runtime guards are fragile: you can detect anomalies but not demonstrate compliance or perform reliable forensics.
Data-layer governance versus model- or runtime-layer controls
RSAC conversations and vendor roadmaps revealed a strategic fork in the market. Some approaches emphasize securing the model or runtime — sandboxing agents, filtering prompts, and building behavioral guardrails within the agent environment. Other approaches push governance to the data layer: controlling who and what can access data, applying attribute-based access controls, enforcing cryptographic protections, and logging every access event independent of the agent framework.
Kiteworks advocates for the latter for operational durability. Model-layer controls are valuable but brittle; prompts and runtime checks can be bypassed or rendered ineffective as new agent frameworks and deployment patterns emerge. Data-layer policies — identity-based authorization, FIPS-grade encryption, attribute-based controls, and immutable audit records — operate orthogonally to models. They persist as the AI landscape evolves and provide a consistent locus for compliance evidence.
This isn’t a repudiation of runtime protections; it’s an architecture choice about where the most stable, auditable enforcement should live. Industry moves such as infrastructure-level enforcement models emphasize the same point: secure the data plane and environment rather than rely solely on model internals.
How data-layer enforcement works in practice
Data-layer governance ties together multiple technical controls that collectively constrain what agents can do:
- Identity and authentication: ensuring agents and their host services are cryptographically identified before they request access.
- Attribute-based access control (ABAC): binding access rights to the context of a request — who the agent is, the purpose, the data classification, and the operational environment.
- Purpose binding and tokenization: issuing fine-grained tokens that encode permitted uses and time windows, so data access can be purpose-limited and revoked.
- Network and workload isolation: segmenting agent runtimes so an errant agent cannot traverse to other systems or exfiltrate data.
- Tamper-evident logging: writing every interaction to an immutable audit trail that feeds SIEMs and supports forensics and compliance reporting.
Implementing these controls requires interoperability with many enterprise systems: identity providers, SIEMs, cloud storage, DLP, and the AI platforms themselves. That interoperability is why centralized AI data gateways — still present in fewer than half of organizations today — are increasingly discussed as practical enablers of cross-platform governance.
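As an added illustration (not Kiteworks code, and not taken from any product), the sketch below shows how a data-layer enforcement point could combine three of the controls listed above: a short-lived purpose-bound token, a revocation list acting as a kill switch, and a hash-chained audit trail. The token format, the function names, the numeric classification levels and the in-memory stores are all assumptions made for the example.

```python
import hashlib, hmac, json

GATEWAY_KEY = b"constructed-demo-key"  # assumption: secret held only by the gateway
REVOKED = set()                        # kill switch: token ids revoked before expiry
AUDIT = []                             # hash-chained audit trail (in memory for the demo)

def issue_token(agent, purpose, max_class, ttl, now):
    """Mint a short-lived token binding one agent identity to one purpose."""
    claims = {"jti": f"{agent}:{now}", "agent": agent, "purpose": purpose,
              "max_class": max_class, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig

def record(agent, purpose, resource, outcome, now):
    """Append an audit record whose hash also covers the previous record's hash."""
    prev = AUDIT[-1]["hash"] if AUDIT else "0" * 64
    rec = {"ts": now, "agent": agent, "purpose": purpose,
           "resource": resource, "outcome": outcome, "prev": prev}
    rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    AUDIT.append(rec)
    return outcome

def authorize(token, resource, purpose, data_class, now):
    """Decide one data access; every decision, allow or deny, is logged."""
    body, _, sig = token.rpartition(".")
    good = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return record("unknown", purpose, resource, "deny:bad-signature", now)
    c = json.loads(body)
    # Checks run in order; the first one that fails names the denial reason.
    checks = [(c["jti"] in REVOKED, "deny:revoked"), (now >= c["exp"], "deny:expired"),
              (purpose != c["purpose"], "deny:purpose-mismatch"),
              (data_class > c["max_class"], "deny:classification")]
    outcome = next((why for failed, why in checks if failed), "allow")
    return record(c["agent"], purpose, resource, outcome, now)

def chain_intact(log):
    """Recompute every hash; an edited or removed record breaks the chain."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != digest:
            return False
        prev = rec["hash"]
    return True
```

Because the decision depends only on the token and the data classification, the same check applies whichever agent framework sends the request. A production trail would also need the chain head anchored somewhere the gateway cannot rewrite.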
Who needs this, and when does it matter
Agentic AI governance is relevant across the enterprise: security operations and compliance teams, application owners embedding automation, development teams shipping AI-driven pipelines, and third-party vendors integrating AI features. It is especially urgent for organizations handling regulated or sensitive information — healthcare providers, financial services, defense contractors, and companies subject to stringent privacy laws.
The timing is immediate. Kiteworks’ forecast shows that a meaningful share of organizations are already building agents that will act autonomously: roughly one-third plan autonomous workflow agents that operate without prior human approval, and another quarter are designing decision-making agents with independent access to sensitive data. That means decisions about architecture — whether to enforce governance at the model, runtime, or data layer — are being made now and will influence the safety and auditability of AI systems for years to come.
Practical questions security teams ask (and how to answer them)
Security leaders at RSAC weren’t debating whether agents are risky; they were asking how to exercise consistent policy across diverse AI tools. The questions usually resolve into five practical areas:
- What does a governed agent interaction look like? A governed interaction is authenticated, purpose-bound, encrypted, auditable, and revocable. The request carries a policy token representing permitted operations and a clear linkage to an identity and business purpose.
- How do we stop an agent that misbehaves? Implement kill-switch mechanisms at workload and network layers, enforce short-lived tokens and revocable sessions, and integrate runtime telemetry with automated incident response workflows.
- How can we prove compliance after the fact? Invest in evidence-quality logs that are tamper-evident and mapped to policy decisions. The audit trail must include the agent identity, policy asserted, data accessed, and the outcome of any filtering or transformation.
- Who manages governance across multiple AI vendors? Treat governance as an infrastructure responsibility owned jointly by security, platform engineering, and compliance. Use centralized gateways and standardized protocols to avoid vendor-specific governance silos.
- When will enforcement be available? Many discovery and runtime products are shipping now; durable, enterprise-ready data-layer enforcement architectures and standards are emerging today but require integration and operationalization over the next 12–24 months.
These answers are implementable but require organizational commitment: decisions about tokenization, logging standards, and gateway placement often involve legal, privacy, and platform teams as much as security.
Industry implications for developers and businesses
A few industry trends become visible when you connect the dots. First, the surge in discovery capabilities will improve visibility but not automatically reduce risk. Second, demand for vendor-agnostic governance will pressure platform providers and SIEM vendors to accept standardized telemetry and control APIs. Third, supply-chain concerns will amplify: third-party handling of data for AI is already a top security worry, and many organizations lack visibility into partner practices.
For developers, the implication is clear: integrate with data-layer controls and design agents to assume constrained, tokenized access rather than free access to backend stores. For security architects, the imperative is to codify policy in a portable way that can be expressed across storage systems, message queues, and AI frameworks. For businesses, governance decisions are strategic — choosing a governance model today locks in how AI agents will be controlled as the ecosystem shifts.
Operational challenges and trade-offs
Adopting a data-layer governance approach introduces trade-offs. Centralized gateways can become bottlenecks if not architected for scale; granular audit logging increases storage and analysis costs; and strict purpose binding can slow development velocity if policy management is cumbersome. Organizations must weigh these costs against the upside: reproducible compliance, reduced blast radius for misbehaving agents, and clearer incident response.
Organizations should approach implementation incrementally: prioritize regulated data flows, instrument those paths with tokens and audit logging, and expand controls iteratively. Establishing cross-functional governance bodies and embedding policy-as-code practices reduces friction between security and product teams.
Standards, partnerships, and the emerging ecosystem
Standards bodies and vendor consortia are moving quickly to define control planes and interoperability patterns for agentic AI. That momentum matters because governance is as much about policy semantics as it is about technical enforcement. Open protocols that represent purpose and consent, standardized audit schemas, and shared attestations for runtime environments will make it easier for enterprises to adopt data-layer controls without reinventing the wheel for each AI vendor.
Meanwhile, partnerships between identity providers, cloud vendors, and specialized governance platforms will shape the market. Enterprises should seek suppliers that commit to auditable, model-agnostic enforcement rather than solutions that bind governance solely to a particular model runtime.
Checklist for security teams starting now
- Inventory: discover agent instances across endpoints, SaaS, and cloud.
- Prioritize: map agents that touch regulated or sensitive data and classify data flows.
- Gateways: evaluate centralized data gateways or policy enforcement points for critical flows.
- Tokens and ABAC: implement short-lived, purpose-bound tokens and attribute-based policies.
- Audit rigor: ensure logs are tamper-evident, standardized, and integrated with SIEM and e‑discovery.
- Kill switches: design and test containment controls and revocation mechanisms.
- Vendor controls: require third parties to demonstrate their data-handling practices and provide visibility into their AI usage.
These steps blend discovery with enforceable controls and create a path from visibility to demonstrable governance.
The RSAC conversations made a clear point: the market is building monitoring and runtime protections quickly, but foundational enforcement that survives platform shifts must live at the data layer. Organizations that wait to retrofit controls after agent deployments will face evidence gaps and compliance risk; those that architect governance into the data plane will preserve policy as models, agents, and vendor relationships evolve.
Looking forward, expect standards and product integrations to accelerate around model-agnostic logging, revocable purpose tokens, and gateway-based policy enforcement. As enterprises adopt more autonomous agents, the debate will shift from whether to govern agents to how quickly organizations can operationalize data-layer controls that provide both safety and auditability. The next 12–24 months will be decisive: the architectures chosen now will determine whether agentic AI becomes an auditable, controllable enterprise capability — or a proliferating source of compliance exposure.




















