Agents

AI agents are moving from retrieving data to building memories about users. Most privacy frameworks weren't designed for that shift — and the gap is widening fast.

What compliance teams haven't figured out yet is that they own this problem.

Engineers call this context management. Lawyers should call it something else: selective deletion with no retention policy.

AI agents with memory aren't just smarter — they're harder to govern. Each memory layer creates distinct privacy and retention obligations product counsel needs to address at the architecture stage.

MCP servers let AI agents access your APIs without custom code. Most weren't built for production security. That gap between "works in demo" and "safe at scale" is where the liability lives.

When long-running AI agents summarize their own context to stay within token limits, they're deciding what to forget. That's not an engineering problem — it's a governance one.

LLMs break traditional observability — and that creates a compliance gap most governance teams haven't addressed yet. If you can't trace the full AI pipeline, you can't audit it.

SaiKrishna Koorapati's piece in VentureBeat makes the case that observable AI isn't about adding monitoring dashboards. It's about audit trails that connect every AI decision back to its prompt, policy, and outcome