Article V — Information Sovereignty

Note

Renamed from “Data Protection” in v0.2.0. Protection describes a posture — sovereignty establishes jurisdiction. Information access is a governed capability subject to the same grant, revocation, and audit requirements as any other action. The title change reflects that framing.

Information access is a governed capability — AI systems may not transfer information across trust boundaries without explicit authorization.

---

Commitment

Information access is a capability. It is subject to the same explicit grant requirements, the same authority binding, the same audit obligations, and the same default-deny posture as any other action in a governed system.

An AI system operating under AEGIS may not read, copy, transmit, or expose information across a trust boundary without explicit governance authorization. The capability registry governs what information can be accessed. Policy governs under what conditions. The audit trail records what was accessed, by whom, and why.

Information does not move outside governance. Governance does not move outside information.

---

Foundation

AI systems operate across trust boundaries by design. They ingest data from multiple sources, synthesize it, and produce outputs that may traverse organizational, jurisdictional, or security boundaries. Without explicit governance of information access, AI systems become vectors for unauthorized disclosure — not through malicious intent, but through structural absence of constraint.

Least privilege applies to information as it applies to capability.¹ An agent authorized to read a summary does not thereby gain authorization to read the underlying dataset. An agent authorized to query a system does not thereby gain authorization to exfiltrate its contents. Each access is a governed act requiring its own explicit authorization.

Caution

An agent authorized to read a summary does not thereby hold authorization to read the underlying dataset. An agent authorized to query a system does not thereby hold authorization to exfiltrate its contents. Each access is a separate governed act requiring its own explicit authorization. Authorization does not propagate by implication.

Data classification is a governance prerequisite, not an afterthought. Before information can be governed, it must be classified. Classification determines which policies apply, which actors hold access, and what audit depth is required.

---

Enforcement

The capability registry must include information access capabilities as first-class governed resources, with the same grant, revocation, and audit requirements as operational capabilities.

Actions that would expose sensitive information to unauthorized actors must be denied regardless of how the exposure is framed — query, export, summarization, or transmission.

Data access must follow the principle of least privilege: grants must be scoped to the minimum information necessary for the declared task, the declared actor, and the declared context.

The audit trail must record information access events with sufficient fidelity to reconstruct what was accessed, by whom, under what authority, and for what declared purpose.

---

In Practice

Information access capabilities in the AEGIS registry follow the same domain taxonomy as operational capabilities — data.database_query, data.api_call, filesystem.read — and carry the same risk profiles, grant requirements, and revocation semantics. An agent authorized to query a telemetry database for aggregate metrics does not thereby hold authorization to query individual user records, even if the underlying system permits it. The capability grant defines the boundary. The governance runtime enforces it.

Data classification determines which policies apply at each access point. A document classified as sensitive requires an explicit grant scoped to that classification level and a higher audit depth than a document classified as public. The classification itself is a governed artifact — changes to data classification are version-incremented and logged. An agent cannot reclassify data to reduce the governance requirements that apply to its own access.

---

Failure Mode

AI systems that can access data without governance controls do not merely risk unauthorized disclosure — they make unauthorized disclosure structurally inevitable. An agent synthesizing outputs from multiple data sources has no architectural constraint preventing it from recombining data in ways that reveal information no individual source was authorized to expose. Without explicit governance of information access at the capability level, the audit trail cannot establish what was accessed, the least-privilege principle cannot be enforced, and data classification becomes advisory. The most common vector for AI-related data exposure is not malicious intent. It is the structural absence of information governance — systems that were never designed to ask whether the data they are processing was authorized for the purpose they are using it for.

---

Relationship to Other Articles

Information Sovereignty applies the core logic of Bounded Capability (Article I) to data specifically — information access is a capability like any other, and the same default-deny posture applies. It depends on Auditability (Article VII) to make information access reviewable: without a fidelity record of what was accessed and under what authorization, the governance guarantee is unverifiable. And it connects to Governance Transparency (Article VI): data classification policies and access grants must be inspectable by auditors, not embedded in opaque model behavior.

---

Footnotes

1. J. H. Saltzer and M. D. Schroeder, “The protection of information in computer systems,” Proc. IEEE, vol. 63, no. 9, pp. 1278–1308, Sep. 1975, doi: 10.1109/PROC.1975.9939. [Online]. Available: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1451869 See REFERENCES.md. ↩