REFERENCE · §10 · LAST REVIEWED 2026-04-27
ACF §10 — Data Governance
Agent data governance covers the firm’s policies and controls for every flow of data into, through, and out of the agent stack — including training-data assertions from providers, prompt-cache retention, customer-data exposure to tools, and the regulator-facing posture for each.
Existing data governance assumes data flows into known systems with documented retention and access controls. Agent stacks rearrange this: customer data enters a foundation model via a prompt, may be cached, may be observed by a tool vendor, and may shape outputs influenced by training data the firm did not select. The framework section maps each flow to the firm’s GDPR / DIFC DPL / CCPA / sectoral rules and produces a defensible posture for each. Prompt caching in particular requires explicit governance, given Anthropic’s and OpenAI’s caching behaviour.
Regulatory anchors
- GDPR Art. 5, 22, 28, 32
- DIFC DPL
- CCPA
- MAS FEAT
- EU AI Act Art. 10
What this covers
- Customer-data exposure mapping across the agent stack
- Prompt-caching posture with each provider
- Training-data assertions and verification
- Retention obligations across providers, MCP servers, tools
- Cross-border data flows and transfer-mechanism documentation
Common gaps
- Customer PII exposed to the model with no DPA covering AI use
- Prompt-caching assumed off; provider default is on
- Training-data assertions accepted at face value with no verification
- Cross-border transfer mechanism for the agent stack never documented
Related sections
- §5 — Vendor Due Diligence
Foundation model providers, MCP servers, tool authors — third-party risk for the agent stack.
- §8 — Third-Party Risk
Outbound API calls made by the agent on behalf of the firm.
- §9 — Customer Disclosure
When and how to disclose to end-users that an agent is taking actions on their behalf.
- §11 — Sanctions & Screening
Real-time vs. batch screening for agent-mediated transactions.
Reference compiled by Sebastian Heine. Editorial perspective at The SHeine Brief.