When you talk to people who have responsibility for today’s systems, one thing that often comes up is data governance.

Yes, parts of the world have new laws, like Europe’s General Data Protection Regulation or GDPR, not to mention the AI Act, but there’s still quite a big gray area in how companies, people and agents are going to treat personal information, in a world where we tried so hard to get guardrails on pre-AI systems.

Simply speaking, much of our levee on private data is becoming obsolete. AI has new ways of ferreting out information, new attack vectors for black hats, new and scary bugbears of automation gone rogue. Just look at Mythos, a model that has essentially been put into a cage called Project Glasswing, because business and government leaders correctly surmised that it would be too dangerous to let this thing out unfettered into the world.

With that in mind, I wanted to showcase some comments I heard in a panel at the Imagination in Action event at MIT in April (which I help put on) and how professionals are thinking about this issue. We had the esteemed Nina Gregory of NPR fame interviewing Moinul Khan of Aurascape and Sunil Ratan of Precognitive. In an initial discussion of data governance, Ratan weighed in on its importance, given that one of the company’s services is an AI entity he called a “guardian angel” for seniors who might need to coordinate a lot of doctor visits, home care, etc.

“We're not just integrating historical data, but current, live data about somebody as they're being monitored,” he said. “You can integrate all of that into what amounts to a living profile of an individual. We translate that into meaning, and that drives meaningful, coordinated, and cohesive action. This ends up saving society a lot of money, because a lot of money we're spending on healthcare and social services is because people fall through the cracks; then there's a disconnect, they have a crisis, and now we spend all this money to get them out of the crisis.”

Ratan called for governance of AI data at two levels.

“One is at the corporate level, to avoid what I call the ‘Facebook problem,’ where you put this thing out there in the world without any rules, and stuff happens,” he said. “The second place where we need to have governance is at the community level. I'm all for us being regulated under HIPAA, but at the end of the day, we're not going to be effective if people don't trust us. But people are corruptible. So, how do you deal with that?”

Khan addressed how to deal with a range of security and governance “blind spots,” citing his experience working with firms like Palo Alto Networks, Zscaler, Netskope, and Juniper.

“When you talk about the security blind spots, I would put them in two different buckets,” he said. “First, you have to look at how enterprise customers are consuming AI. One part of it is your employees, your users, they're consuming hundreds of commercially available tools—chatbots, coding assistant tools, embedded AI. And the biggest blind spot on that segment is your current existing security infrastructure. Whatever you have implemented for the last 15, 20 years doesn't work anymore.”

He also mentioned firewalls.

“If you talk to your IT security team, they have implemented firewalls and proxies and DLP and CASBs that can only find vulnerabilities in HTTP traffic,” he said of a theoretical problem scenario. “And then when your users are consuming all of these tools, they're completely blind. They're essentially all these millions of dollars of investment that you did, they just became a URL filtering engine and nothing else.”

Tackling the idea of how things work in the agentic age, Khan cited some advice he often gives founders: “crawl, walk, run.”

“First, do you even have visibility into what your employees are doing? What tools are they using?” he said. “The first step is to understand what's in your network, which is difficult with legacy technology. You need to know which tools are sanctioned and which are not. With AI agents, you need to know who they are and what tasks have been delegated to them.”

Noting the challenges of controlling individual “shadow AI” efforts, Khan put the whole thing in a slightly wider lens.

“Shadow AI is one problem, but with AI agents, you have a different problem,” he said. “You need to know what these tools are doing based on their delegation. If 3,000 AI agents are talking to each other on a Slack channel using their own language, negotiating and executing tasks, do you even have visibility into that?”

Stewardship and Community

Another of the principles that the panel covered has to do with making this key governance a team effort.

Ratan called for governance boards including ethicists, even suggesting that you might, for example, hire a local pastor to make sure that the initiatives around 21st century data protection are being done with an eye toward human rights.

“Trust is the coin of the realm,” he explained. “You also have to keep stuff simple. A lot of what we're battling is the sheer complexity and fragmentation of our healthcare and social services systems. We're not introducing another IT platform; we're introducing an intelligence and orchestration layer. You want to minimize the capacity for human imperfection.”

I thought that phrase, “minimize the capacity for human imperfection,” is useful, in a way, if flowery. What is the imperfection that Ratan is referencing? Part of it might just be the financial incentive, against the lofty goals of user protection.

Toward the end, Gregory had each of the two panelists weigh in again. Ratan illustrated some company goals:

“Our goal is basically to disrupt the whole concept of managed care, in which people are denying you care,” he said, in a nod to what should be another human right: healthcare. “We've been trying to control costs through things like prior authorization for the average person, but from a cost perspective, the average person is not the problem. The trick is to identify those people and get them appropriate, coordinated, cohesive care. If we do a better job of supporting the roughly 15 million Americans who account for $2.5 trillion a year in cost, we can reduce our costs by half a trillion dollars a year.”

Khan had this to say about governance:

“In the agentic world, everything in the past was rule-based, and that needs to change to an automated way. For hackers, everything has changed; they can find and exploit vulnerabilities very quickly with AI. Therefore, enterprise customers have to think about defense with AI. Infrastructure must evolve from rule-based security policies to more intention-based policies. My optimism is that there are startups doing innovation, implementing cybersecurity in a very different way than the last 20 years.”

Basically, the idea there was that things are changing and adapting, that the world is waking up to the imperatives of agentic AI. But is it quick enough?

I hear advocates like Will.i.am of Black Eyed Peas fame and others strenuously arguing for the rights of humans in owning their own data. We need this. We need rules that allow individuals to stand against corporate interests driving AI programs. So keep thinking about this as the second half of 2026 commences.