Why Traditional Data Governance Breaks Down for AI Workloads
Role-based access, column-level classification, quarterly permission reviews, and other traditional data governance methods were built around humans being the consumer. AI agents require a different model entirely. The controls built for one don’t transfer to the other.
The most dangerous part is that despite controls not working, on the surface everything still looks governed. Logs keep filing and permissions keep getting enforced, so nothing looks broken from the outside. The original assumptions that were implicitly set by traditional data governance just no longer hold.
The clearest way to see where those assumptions break is to dive into each one directly. This piece follows five specific places where traditional governance was right for the customer it was built for and why it is now wrong.
What changes when the consumer is an agent
AI agents introduce a second identity
Every traditional governance model starts from the same place. Every action has a known identity, or a role. When something goes wrong, the audit points directly to whoever broke it. AI agents don’t have a responsible party. An agent authenticates as a service account. When a query is made on behalf of a user, the database receives the service account of the AI agent.
This matters because there are now two identities in the transaction: The agent making the query and the user whose intent drove it. Traditional governance was designed around a single actor making a deliberate choice. The concept of acting on behalf of someone else didn’t exist in the old model.
With agents, an intermediary is introduced. Row-level security scoped to the real user never fires. Worse, the service account’s permissions scoped to nothing specific are what get enforced instead. EU AI Act Article 12 now requires that AI system logs identify the responsible party behind each interaction.
AI agents are non-deterministic
Traditional governance was built for deterministic systems. Predictability is what made control possible. The same input produces the same output so you can reason about it in advance. AI agents are more nuanced. The same prompt run twice can produce two different queries. There’s no canonical version of what an agent “does” with a given request. Its behavior is determined at runtime from the model and the context it finds along the way.
Every traditional control rests on the ability to specify acceptable behavior before it occurs, and non-determinism takes that away. Policies are written against known actions. Audits compare what happened against what was supposed to happen. Take away a knowable “what was supposed to happen,” and there’s nothing left for a policy to check against.
AI agents create sensitive data at query time
Data classification was designed to tag sensitivity at the field level. A column with social security number is classified as PII and a schema with compensation data is restricted. The assumption is that sensitivity is a property of the data itself, knowable before any query runs.
AI agents typically don’t query one source. They pull from whatever systems are connected and synthesize a single response from all of it. The combination they produce (and the sensitivity it carries) isn’t determined until the query executes.
Field-level tags miss this entirely. A column tagged as external in Salesforce and a field tagged as internal in Workday each pass their individual checks. Neither check evaluates what those fields produce together. Deal ownership and payment history, assembled into a single response about a specific person, can be sensitive in a way neither source was on its own; the risk comes from the join, not from either field.
AI agents read and write in the same execution
In the traditional model, reads and writes were governed separately because they were done separately. Analysts queried data. Applications modified data through defined workflows. The systems that read and the systems that wrote were different systems, so the controls governing them could be different too.
AI agents don’t have that boundary. In a single execution, an agent can read from a CRM, reason about what it finds, update a field, trigger a downstream workflow, and write a result back to the requesting system. And it doesn’t do this once per session the way a human might; it runs continuously, executing dozens of read-write cycles per task.
Traditional governance has no model for that volume or that autonomy. Write controls were calibrated for human-speed, intentional modifications. The nature of writes for AI agents has completely changed its risk profile.
AI agents outlive permissions
Human access was self-correcting by design. Someone changes roles, their permissions change. Someone leaves, their access ends. Accordingly, traditional governance was built around the assumption that the access surface would be periodically revisited.
Service accounts have none of these triggers. There’s no role change or off-boarding. They’re created when a project needs them. They are granted whatever access seemed necessary in the moment and are left running. Permissions tend to accumulate quickly through incremental additions.
That becomes a huge problem when an incident requires revocation, because the service account is usually shared across other agents and pipelines. Revoke it outright and everything downstream stops. Scope it down instead, and you’re rebuilding the permission structure from scratch, mid-incident.
None of these failures are surprising in isolation. Together, though, they all point to the same gap.
Closing Thoughts
The deeper issue across all five failures is timing. Traditional governance roles, queries, columns, and permissions are all configured at design time. AI agents operate entirely at runtime. They carry the user’s intent, the conversation history, the task they’re trying to complete, and all of the other context. That context is used to make decisions in real time about what to query and what data sources to combine.
Governance that was designed to be configured before execution can’t reason about context that only exists during it. A different layer is needed: One that operates at runtime alongside the agent, evaluating each query against the identity and context that produced it, across every connected source rather than one at a time. Peaka is built as that layer. It sits on top of existing infrastructure without replacing any of it.
If you’re looking to modernize your data infrastructure to keep up with the agentic era, book a demo with Peaka.