Agents combine multi-tier classified data in a single context window without namespace separation. Output classification fails silently inside the reasoning process.
Data governance frameworks classify data by sensitivity, use case, and regulatory handling (top secret, confidential, internal, public). Institutions maintain these classifications through schema-based access controls: a database table is marked "confidential," field-level encryption is applied, access logs are produced. When a human or application requests data, the classification is visible and enforceable. Agents fundamentally break this model because they operate through natural language and do not respect schema boundaries.
An agent may be given a prompt that says "summarize the customer risk profile" and receives access to fraud detection signals, credit bureau data, sanctions watch lists, and prior account activity. In a well-controlled system, these data sources have different classification levels, data residency requirements, and retention rules. When the agent processes them through a language model context window, those boundaries dissolve. The context window holds all of them simultaneously, classified only by the prompt context, not by the system that manages them. The agent outputs a summary that blends all tiers. The summary is then transmitted, stored, or served to a user whose access level may entitle them to some sources but not others. The output classification is ambiguous because the agent performed no classification step; it performed reasoning that commingled classified data.
This is not a classification error in a single document. It is silent commingling: the institution's data governance controls successfully quarantined each source independently. The agent then bypassed the quarantine through a reasoning operation that produced no classification decision point.
A regional bank's anti-financial crime team uses an agent to analyze suspicious transaction reports. The agent has access to the bank's internal fraud indicators (highly confidential, retention 10 years, BCBS 239 scope), the customer's prior regulatory intervention history (sensitive, retention 7 years, managed by compliance), and the customer's transaction velocity analytics (confidential, retention 5 years, managed by operations). These three sources are housed in separate, classified databases with different access controls. The bank's data governance policy requires that analysis combining all three be reviewed by the CFO before serving to staff below management level.
The agent receives the instruction "flag high-risk customers where transaction velocity spikes concurrent with regulatory intervention precedent." The agent reasons across all three data sources, identifies 47 customers, and produces a summary report. The agent's output is an unclassified natural language report. No classification decision step occurs. The bank's system automatically transmits the report to compliance officers who do not have access to internal fraud indicators and should not see them in this context. The report contains inferences derived from the fraud data even though the fraud data is not explicitly visible in the output. The compliance officers consume analysis that was supposed to be restricted. The bank's data governance control (CFO review gate) was not triggered because the system saw only unclassified natural language output, not a multi-source analysis requiring review. The control worked; the agent bypassed it through commingling.
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 4 | Commingling occurs inside opaque context window. Requires explicit logging of retrieved sources to detect. Often discovered only through audit or incident investigation. |
| A - Autonomy Sensitivity | 3 | Occurs regardless of autonomy level; less autonomous agents may have more oversight, but agent reasoning is still opaque. |
| M - Multiplicative Potential | 4 | Every agent reasoning pass risks commingling. Compounds across multiple agents or iterative reasoning. |
| A - Attack Surface | 2 | Primarily a structural risk; not easily weaponized by external attack. Prompt injection could trigger commingling but risk exists without attack. |
| G - Governance Gap | 4 | Data governance frameworks assume requests for specific classified data are classified. Agents request data through natural language reasoning without classification context. |
| E - Enterprise Impact | 4 | Unauthorized access to classified data, compliance violations, potential regulatory enforcement. Impacts data governance audit results. |
| Composite DAMAGE Score | 4.3 | Critical. Requires immediate architectural controls. Cannot be accepted. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | Moderate | Human reviews output, may catch commingling; but output is already commingled before human sees it. |
| Digital Apprentice | Moderate-High | As autonomy increases, less frequent human review. Commingling occurs before human oversight kicks in. |
| Autonomous Agent | High | Agent operates independently with no intermediate human review. Commingled outputs are served to downstream systems. |
| Delegating Agent | High | Agent determines which tools/APIs to invoke. May invoke multiple data sources in single reasoning pass, commingling before tool calls are visible. |
| Agent Crew / Pipeline | Critical | Multiple agents, each combining sources. Outputs of one agent become inputs to next, propagating commingling through pipeline. |
| Agent Mesh / Swarm | Critical | Peer-to-peer delegation compounds commingling. Data flows between agents without central classification checkpoints. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| BCBS 239 | Partial | Principle 5, Principle 6 | Requires sound data governance with appropriate classification and secure transmission. | Does not address classification through unstructured reasoning or commingling in context windows. |
| EU AI Act | Partial | Article 24 (Documentation) | Requires documentation of classification and handling of training and input data. | Does not address runtime data commingling during agent reasoning. |
| GDPR | Partial | Article 32 (Security) | Requires appropriate security measures including encryption of personal data. | Does not address context window security or classification during agent processing. |
| NIST AI RMF 1.0 | Partial | GOVERN 1.2 (Data Governance) | Recommends data governance frameworks for AI systems. | Does not specify controls for commingling in unstructured reasoning. |
| MAS AIRG | Moderate | Section 6.1, Appendix 2 | Requires clear data governance and information security standards. | Does not anticipate commingling through agent reasoning. |
| ISO 42001 | Partial | Section 6.1 (Information Management) | Addresses information security and classification requirements. | Does not address classification during LLM context window processing. |
| OWASP LLM Top 10 | Partial | LLM06 (Improper Output Filtering) | Addresses validation and filtering of LLM outputs. | Does not address classification or access control during reasoning. |
| SOX 404 | Partial | IT Controls | Requires control over information systems handling financial data. | Does not address classification integrity in unstructured reasoning systems. |
Data governance is the foundation of regulatory compliance in finance. Regulators expect institutions to control who sees what data, when, and under what conditions. Commingling breaks that control at the system level while leaving governance documentation intact. An institution can claim it classifies its data properly, but agents are commingling it without the governance framework detecting that commingling. Auditors discover this risk through data access logs (seeing users access commingled analyses) or incident investigation after unauthorized access. The institution discovers it has been operating outside its data governance controls.
In capital markets, proprietary trading signals must be separated from client execution data. In insurance, underwriting models must not see claims data from other risk pools. In payments, interchange data must not comingle with consumer transaction history. Agents operating across these boundaries blur the separation that regulatory frameworks assume is maintained. The risk is not that agents access prohibited data (they may be authorized to); the risk is that they combine it in an untracked context where access controls do not function and classifications are lost.
Silent Data Commingling requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.
Schedule a Briefing