R-TV-06 Temporal & Validity DAMAGE 3.5 / High

Temporal Validity Window Absence

No mechanism exists to declare how long a piece of data remains reliable. Premises have no expiration date. Stale data is consumed indefinitely.

The Risk

Every piece of data has a temporal validity window: a period of time during which it is considered current and reliable. A customer profile might be valid for 30 days; a market price might be valid for 1 minute; a regulatory ruling might be valid for 5 years. If no explicit validity window is defined, the data may be used indefinitely even after it has decayed.

Without explicit validity windows, there is no mechanism to trigger re-verification or to reject stale data. The agent will use whatever data is available, regardless of how old it is.

This is fundamentally agentic because agents are designed to operate continuously with whatever data is available. Without explicit validity windows, an agent has no way to know when it should request fresh data or should escalate for human decision.

How It Materializes

A bank's KYC (Know Your Customer) compliance agent is responsible for maintaining updated customer profiles. When a customer first onboards, the agent gathers and verifies information: name, address, source of funds, beneficial ownership. This information is stored in the customer profile.

However, no explicit validity window is defined for this information. The profile information is treated as "once collected, always valid" unless explicitly updated by the customer.

Five years later, a customer's beneficial ownership structure changes significantly (the customer sells their business, and is no longer a business owner). The customer profile still lists the outdated beneficial ownership information from the initial KYC. The agent, preparing an annual KYC review, consults the customer profile and finds no reason to re-verify information. The agent's review concludes: "KYC information is current, no update required."

The bank continues to operate the account based on outdated beneficial ownership information. When a regulator reviews the bank's KYC procedures, they find that customer profiles are not being re-verified on any schedule and that beneficial ownership information is 5 years stale.

The regulator issues a finding: "Customer profiles lack a defined refresh schedule and are not being re-verified on a regular basis. This is a control deficiency in KYC procedures."

DAMAGE Score Breakdown

Dimension Score Rationale
D - Detectability 4 Absence of validity windows is invisible unless KYC/profile refresh procedures are explicitly audited.
A - Autonomy Sensitivity 4 Agent operates from stale data indefinitely without awareness of staleness.
M - Multiplicative Potential 4 Impact scales with number of data elements without validity windows and duration of staleness.
A - Attack Surface 5 Any system that does not define validity windows is vulnerable.
G - Governance Gap 5 No standard framework requires agents to enforce temporal validity windows.
E - Enterprise Impact 4 KYC control failure, regulatory finding, requirement to implement refresh procedures.
Composite DAMAGE Score 3.5 High. Requires targeted controls and monitoring. Should not be accepted without mitigation.

Agent Impact Profile

How severity changes across the agent architecture spectrum.

Agent Type Impact How This Risk Manifests
Digital Assistant Low Human naturally re-verifies information on a reasonable schedule.
Digital Apprentice Medium Apprentice governance requires KYC re-verification on defined schedule.
Autonomous Agent Critical Agent operates from stale customer data indefinitely.
Delegating Agent High Agent invokes tools based on stale data.
Agent Crew / Pipeline Critical Multiple agents in sequence operate from stale data.
Agent Mesh / Swarm Critical Agents share stale data.

Regulatory Framework Mapping

Framework Coverage Citation What It Addresses What It Misses
GLBA Addressed 16 CFR Part 314, Customer Identification Program (CIP) Requires ongoing KYC and beneficial ownership verification. Does not specify validity window periods.
FinCEN KYC Guidance Addressed FinCEN guidance on customer identification and verification Requires periodic verification and update of customer information. Does not require agents to enforce validity windows.
SR 11-7 / MRM Partial Enterprise-wide controls (Section 3) Expects documented control procedures. Does not address temporal validity windows.
NIST AI RMF 1.0 Partial MAP.2 Recommends documenting AI system inputs. Does not require validity windows.

Why This Matters in Regulated Industries

In AML/KYC compliance, regulators expect that customer information is verified on a regular basis and is kept current. FinCEN guidance specifies that KYC information must be updated periodically, though it does not specify exact timelines (which are industry-specific).

When an agent operates from customer profiles without defined refresh schedules, it is violating the principle that KYC information must be current. This is a compliance control deficiency that regulators flag.

Controls & Mitigations

Design-Time Controls

  • Define temporal validity windows for all data: for every type of data the agent uses (customer profiles, market data, policy documents, etc.), explicitly define how long the data is valid before re-verification is required.
  • Implement automated validity window enforcement: configure the system to reject data that has exceeded its validity window. If an agent requests expired data, the system should either reject the request or flag it for re-verification.
  • Implement validity window metadata: every piece of data should include metadata indicating when it was collected and when it expires. The agent should check this metadata before using the data.

Runtime Controls

  • Monitor data freshness against validity windows: track the age of all data the agent is using relative to defined validity windows. Alert when data approaches or exceeds its validity window.
  • Implement automatic data refresh triggers: when data approaches its validity window expiration, automatically trigger re-verification or refresh processes.
  • Log validity window compliance: record whether the agent was using data within its validity window or whether it was using expired data.

Detection & Response

  • Audit validity window compliance: periodically review agent decisions and verify that all data used was within defined validity windows. Flag decisions made with expired data.
  • Implement decision escalation for expired data: if the agent requests to use expired data, automatically escalate for human review rather than allowing the agent to proceed.
  • Conduct root cause analysis on stale data use: if an agent makes a decision using expired data, investigate whether the validity window was appropriate or whether it should be shortened.

Related Risks

R-TV-01 Temporal & Validity
Temporal Validity Drift

Drift is enabled by absence of validity windows. Context was accurate at retrieval but has since decayed.
R-TV-04 Temporal & Validity
Document Version Blindness

Version blindness is enabled by absence of validity windows on documents. Agent cannot distinguish current from superseded versions.

Address This Risk in Your Institution

Temporal Validity Window Absence is the foundational temporal risk that underlies many others. Our advisory engagements are purpose-built for banks, insurers, and financial institutions subject to prudential oversight.

Schedule a Briefing
Agentic AI Risk & Controls Workshop Our Methodology Regulatory Landscape