Context window holds multi-tier classified data simultaneously outside institution's encryption and access control perimeter. May be logged by model provider for purposes outside the institution's control.
Context windows are temporary workspaces where agents assemble data for reasoning. They are not persistent stores; they exist only during the reasoning session. However, they hold multi-tier classified data simultaneously, outside the institution's encryption and access control perimeter. The data is transmitted to the model provider's servers, held in memory on the model provider's infrastructure, and may be logged by the provider for purposes outside the institution's control (debugging, model improvement, security monitoring).
The context window is a critical vulnerability because it violates fundamental assumptions of institutional data governance. Data classification assumes that sensitive data is encrypted at rest and in transit, that access logs are controlled by the institution, and that data is not held on third-party infrastructure. Context windows violate all three assumptions. Data is held in plain text (or minimally protected) on model provider servers, access is logged by the provider (not the institution), and the institution has no contractual control over how the provider uses the logs.
GDPR data processing agreements (DPAs) typically prohibit model providers from using customer data for model training or commercial purposes. However, many contracts permit logging for "system monitoring and security purposes." The definition of these purposes is broad. A model provider could log context windows as part of "security monitoring," analyze the logs with analytics tools, extract patterns, and use those patterns to improve its models, all under the broad interpretation of "security monitoring." The institution's classified data has moved into the provider's analytics infrastructure without explicit consent.
A Swiss bank operates under strict data localization requirements: all customer data must remain within Swiss borders and EU servers. The bank uses a large language model via API to generate analytical summaries of customer portfolios. The bank sends customer names, account balances, transaction histories, and risk assessments to the model via API calls. These summaries are sensitive data; customer account information is subject to Swiss banking secrecy laws. The context window on the model provider's servers temporarily holds this data. The bank's contract with the model provider permits logging for "system monitoring and security purposes."
The model provider logs context windows (including the customer data) as part of its monitoring infrastructure. The logs are stored on US servers (not Swiss or EU). The provider analyzes the logs with a commercial analytics tool, looking for patterns that might indicate security issues or operational anomalies. The analysis extracts patterns from customer financial data without explicit consent. A Swiss bank regulator discovers the practice (through compliance audit or incident investigation). The bank has violated Swiss data localization requirements by transmitting customer data to US servers. The bank has also violated GDPR Article 32 (data security) by failing to ensure data is protected appropriately during transmission and processing.
The bank faces regulatory enforcement from the Swiss Financial Market Supervisory Authority (FINMA) and data protection authorities. The bank must notify all affected customers. The bank's reputation is damaged.
| Dimension | Score | Rationale |
|---|---|---|
| D - Detectability | 4 | Context window data is often invisible to the institution. Discovery occurs through audit of model provider practices or regulatory investigation. |
| A - Autonomy Sensitivity | 3 | Occurs regardless of agent autonomy; context window use is inherent to LLM-based agents. |
| M - Multiplicative Potential | 4 | Every agent interaction creates a new context window holding sensitive data. Exposure is multiplied by the number of interactions. |
| A - Attack Surface | 4 | External actors (model provider, malicious insiders, state actors) may access context windows. Encryption and access control are outside the institution's domain. |
| G - Governance Gap | 5 | Data governance assumes data is encrypted and access-controlled by institution. Context windows are inherently outside this control. |
| E - Enterprise Impact | 5 | Regulatory enforcement, customer notification, reputation damage, potential violations of data localization and privacy requirements. |
| Composite DAMAGE Score | 4.0 | Critical. Requires immediate architectural controls. Cannot be accepted. |
How severity changes across the agent architecture spectrum.
| Agent Type | Impact | How This Risk Manifests |
|---|---|---|
| Digital Assistant | High | A copilot still sends data to the context window. Even with human oversight, data exposure occurs. |
| Digital Apprentice | High | Progressive autonomy means more frequent context window usage. More data exposure. |
| Autonomous Agent | Critical | Frequent autonomous interactions mean continuous context window exposure of sensitive data. |
| Delegating Agent | Critical | Agent determines what data to pass to tool APIs. May invoke model APIs with sensitive context. |
| Agent Crew / Pipeline | Critical | Multiple agents each use context windows. Aggregate data exposure is multiplicative. |
| Agent Mesh / Swarm | Critical | Peer-to-peer agent network with continuous context window usage across mesh. Massive aggregate exposure. |
| Framework | Coverage | Citation | What It Addresses | What It Misses |
|---|---|---|---|---|
| GDPR | Moderate | Article 32, Article 28 | Requires appropriate security measures and processor agreements. | Does not explicitly address context window logging by model providers. |
| PDPA | Moderate | Section 36 | Requires appropriate protection of personal data. | Does not address context window logging. |
| HIPAA | High | 45 CFR 164.308 | Requires security measures for protected health information. | Does not address context window exposure in cloud-based models. |
| GLBA | Moderate | 15 U.S.C. 6809 | Requires appropriate security measures for customer information. | Does not address third-party context window logging. |
| EU AI Act | Partial | Article 24 (Documentation) | Requires documentation of data handling. | Does not explicitly address context window security. |
| BCBS 239 | Partial | Principle 5 | Requires secure data handling and infrastructure. | Does not address third-party context window logging. |
| MAS AIRG | Partial | Section 6.1 | Requires data governance and information security. | Does not address context window security. |
| ISO 27001 | Partial | Section 12.3 | Requires network security and data isolation. | Does not address context window security in cloud APIs. |
Data localization requirements (Switzerland, China, Russia, and other jurisdictions) prohibit sensitive data from being transmitted to non-compliant jurisdictions. If an institution uses cloud-based LLMs with context windows, and the context windows are logged on servers outside the jurisdiction, the institution is in violation. Swiss banking secrecy, EU data protection, healthcare privacy, and financial data protection requirements all assume institutions control where data is stored and who accesses it. Context windows break this assumption.
In healthcare, patient data sent to third-party LLM context windows violates HIPAA. In finance, proprietary trading strategies sent to context windows may violate securities laws. In insurance, underwriting methodologies sent to context windows may be disclosed to competitors. The context window is not just a temporary holding area; it is a vulnerability that bypasses the institution's data protection infrastructure. Institutions must assume that data sent to context windows may be logged, analyzed, and used for purposes outside their direct control.
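The paragraphs above imply an architectural control: decide, before the API call, which fields may enter a context window at all, based on their classification tier and on where the provider holds and logs that context. The guard below is an added illustration written for this page, not code from the original; the tier labels, `FIELD_TIER` classification, `ProviderPolicy` shape, `guard_context` and `pseudonymise` names, and the sample portfolio record are all constructed assumptions. It mirrors the Swiss bank scenario: a US-hosted provider gets only public data, while a provider inside the permitted regions gets confidential fields with the customer identifier replaced by an in-house token.

```python
"""Context-assembly guard: every field an agent wants to place in a prompt is checked
against its classification tier and the model provider's hosting region before the API
call. Added illustration, not code from the page; tiers, policies and data are assumed."""
from dataclasses import dataclass, field
import hashlib
TIER = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
# Assumed classification of the fields the bank scenario sends to the model.
FIELD_TIER = {"customer_name": "secret", "account_balance": "confidential",
              "transaction_history": "confidential", "risk_assessment": "internal"}
PSEUDONYMISABLE = {"customer_name"}  # identifiers that can be tokenised in-house

@dataclass
class ProviderPolicy:
    name: str
    hosting_region: str     # where the provider holds, and may log, context windows
    allowed_regions: tuple  # regions the data may lawfully reach (localization rule)
    max_tier: str           # highest tier the contract permits in an outbound context
@dataclass
class GuardResult:
    context: dict = field(default_factory=dict)    # fields cleared to send
    blocked: dict = field(default_factory=dict)    # field -> reason it was withheld
    token_map: dict = field(default_factory=dict)  # token -> original, never leaves

def pseudonymise(value: str, salt: str) -> str:
    # Deterministic token: the model can refer to the entity, the mapping stays in-house.
    return "cust_" + hashlib.sha256((salt + value).encode()).hexdigest()[:10]

def guard_context(record: dict, policy: ProviderPolicy, salt: str) -> GuardResult:
    res = GuardResult()
    # A provider that holds or logs contexts outside the permitted regions overrides
    # the contractual tier ceiling: only public data may be placed in its context window.
    localized = policy.hosting_region in policy.allowed_regions
    ceiling = TIER[policy.max_tier] if localized else TIER["public"]
    for name, value in record.items():
        label = FIELD_TIER.get(name, "secret")  # unclassified fields default to secret
        if TIER[label] <= ceiling:
            res.context[name] = value
        elif name in PSEUDONYMISABLE and localized:
            token = pseudonymise(str(value), salt)
            res.context[name] = token
            res.token_map[token] = value
        else:
            res.blocked[name] = f"{label} exceeds ceiling for {policy.name} in {policy.hosting_region}"
    return res

# Constructed sample: the portfolio record from the Swiss bank scenario, two providers.
PORTFOLIO = {"customer_name": "Example Holdings AG", "account_balance": 1_250_000,
             "transaction_history": ["2024-01-03 +50000"], "risk_assessment": "moderate"}
US_PROVIDER = ProviderPolicy("us-llm", "us-east", ("ch", "eu"), "confidential")
CH_PROVIDER = ProviderPolicy("ch-llm", "ch", ("ch", "eu"), "confidential")
```

The `blocked` and `token_map` outputs are what the institution should log on its own side, since the provider's logs are the ones it does not control.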
Context Window as Uncontrolled Data Store requires architectural controls that go beyond what existing frameworks provide. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.