
MITIGATION · m-data-classification

Data classification with tool-access allow-lists — a sensitivity label on every dataset, enforced at every access seam

Every dataset, document, and external system an agent can reach carries a classification label. The agent's permitted-class set and the tool's permitted-class set are intersected at the moment of every read or write. When the requested data's class falls outside that intersection, access is denied at the seam. This is the data-side complement to least-privilege: it adds a data-sensitivity constraint that role scoping alone does not provide.

Last reviewed 2026-05-12 · Status: published

At a glance

  • Maturity: Tier 2. Available off-the-shelf or as a documented pattern, but newer or less broadly proven. Expect integration work and some operational nuance.
  • Places on: node · seam. Restricted to node kinds: agent, shared-memory, document-store, external-system.
  • Coverage: 4 threats (T2 · T8 · T15 · T46).
  • Trade-offs: latency low · cost low · UX friction medium · dev effort medium.
TL;DR
  • Tag every data asset with a classification label (public / internal / confidential / restricted) at ingest, not retroactively.
  • Each agent identity and each tool carries a permitted-class allow-list; the policy engine intersects the two and denies access when the data's class falls outside that intersection.
  • Least-information is the data-side complement to least-privilege: an agent correctly scoped by role can still over-read when the role is defined more coarsely than the data sensitivity requires.
  • Classification metadata is the dominant attack surface: treat label storage as a high-integrity write surface, enforce write-access controls on it, and run periodic label-consistency audits alongside retrieval enforcement.

How it behaves

  • An agent tool call requests data (read or write).
  • The policy engine compares the data's class against the agent-tool allow-list intersection.
  • In class: allow access and log the cross-class check.
  • Out of class: deny at the seam, rather than allow and log after the fact.
The check fires at retrieval and at write, not only at role assignment. Permitted-class sets can differ per tool even within the same agent identity.

What it is

Data has sensitivity, and agents should only reach the data their task requires. Classification formalises that boundary: every dataset, document, vector-store namespace, and external system the agent might read or write carries a classification label, typically public / internal / confidential / restricted. The agent's role and each tool it can invoke carry a permitted-class allow-list. At every read and every write, a policy engine compares the data's label against the agent-tool combination's allow-list and denies access at the seam when the data class falls outside the permitted set.

This is the least-information complement to least-privilege. Least-privilege says the agent may perform this action. Least-information says the agent may access this scope of data while performing it. An agent correctly scoped to "read customer record" can still reach records it should never see when the role is defined more coarsely than the data sensitivity requires. Classification adds the data-side constraint that role-side controls cannot provide.

The primary attack surface for this control is label integrity. An attacker with write access to the classification metadata can downgrade a restricted document to public and bypass the allow-list silently. Classification metadata must therefore be treated as a high-integrity write surface, protected by write-access controls and subject to periodic label-consistency audits.

Detection signals

  • Cross-class access attempts denied at the policy gate. A sustained spike indicates a mis-scoped agent or an active attempt to reach above-class data.
  • Unclassified-data ingestion rate. A rising count of documents entering the system without a class label indicates a gap in the classification pipeline.

Threats it covers

  • T2 Tool Misuse −1 severity step

    WHY IT HELPS Tool misuse exploits the gap between what an agent is permitted to do and what data it can reach while doing it. A role-scoped agent that can call a retrieval tool can pivot from a permitted query into a higher-classification dataset if no data-level check exists. Classification labels paired with per-tool allow-lists close that gap: the agent can invoke the tool only against data whose class the agent-tool combination is permitted to access.

  • T8 Repudiation and Untraceability −1 severity step

    WHY IT HELPS Sensitive data disclosure occurs when an agent reads or surfaces information it was never supposed to reach. Classification enforcement prevents the agent from reading above its permitted class in the first place; the access attempt is denied at the seam and written to the audit trail, rather than succeeded and logged after the fact.

  • T15 Human Manipulation −1 severity step

    WHY IT HELPS Social engineering and manipulation payloads typically depend on specific data about the target: names, roles, relationships, prior interactions. When the agent's permitted-class set excludes the data required to construct a targeted payload, the manipulation is constrained to information the agent is authorised to hold.

  • T46

    WHY IT HELPS Data residency and compliance violations occur when data crosses a jurisdictional or regulatory boundary it must not cross. Classification labels that encode jurisdictional scope (for example, EU-PII or HIPAA-PHI) can drive MCP server access-control rules that block cross-border data transfer to agents outside permitted jurisdictions, directly reducing compliance-violation risk.

Principle coverage

Defence-in-Depth stage: Prevent — and it advances:

  • Least Privilege Least-privilege limits what an agent may do; classification limits which data it may reach while doing it. An agent correctly scoped by role can still over-read when the role is defined more coarsely than the data sensitivity requires; classification adds the data-side constraint that role scoping does not provide.
  • Default / Implicit Deny Classification implements default-deny at the data layer: access to any dataset above the agent-tool pair's permitted class is denied at the seam unless an explicit allow rule covers that class. The absence of an allow-list entry is itself the denial.
  • Provenance & Trust-tagging Classification labels are a form of provenance for data sensitivity: they record what the data is at ingest and carry that assertion through every downstream access check, so agents cannot treat unlabelled or mis-labelled data as implicitly low-sensitivity.
  • The Lethal Trifecta The lethal trifecta requires an agent that can access sensitive data, exfiltrate it, and act on instructions. Classification directly constrains the first condition: an agent whose permitted-class set excludes sensitive data cannot read it in the first place, reducing the attack surface the trifecta depends on.
  • Data Minimization & Privacy Classification is the enforcement mechanism for data minimisation: it operationalises the principle by specifying, per agent-tool pair, exactly which classes of data may be accessed, and denying everything above that floor at the access seam.

Design & governance principles (open design, economy of mechanism, accountability, …) are architectural, not advanced by a single placed control.

Implementation options

Five implementation options covering managed discovery platforms, cloud-native tag-plus-IAM patterns, and a self-build approach. For Microsoft 365 environments, Purview sensitivity labels are the default. For AWS-native workloads, S3 Object Tags plus IAM conditions is the lightest path. GCP DLP plus IAM Conditions is the GCP equivalent. BigID covers multi-cloud deployments. Self-build is the appropriate choice when storage is internal or when the classification surface is a vector store where object tags do not exist.

Microsoft Purview Information Protection
Assign sensitivity labels (Public, General, Confidential, Highly Confidential) to files, emails, and data-map assets. Labels that apply encryption embed usage rights into the content: only principals granted the EXTRACT right can open the item, including Copilot agents and MIP-SDK-integrated services.

Why choose it: Best for Microsoft 365 and Azure environments and for any agent pipeline that uses the MIP SDK. Labels persist with the file across downloads, re-uploads, and republication. Microsoft 365 Copilot agents check usage rights against sensitivity labels before returning content; it is the only option in this list that natively enforces classification at the model layer for AI agents.


AWS S3 Object Tags + IAM condition key
Tag every S3 object at ingest with a Classification key. Write IAM policies that use the s3:ExistingObjectTag condition key to allow or deny s3:GetObject based on the tag value.

Why choose it: Best for AWS-native agentic workloads where data lives in S3. No additional service to operate: the tag is attached at PUT time and the IAM condition evaluates it at GET time. Pair with Amazon Macie to automate discovery and retroactive tagging of sensitive objects that lack a classification tag.

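Added example for the AWS option above; it is not taken from AWS documentation or from this page's source. The two IAM policy documents follow the shape the text describes, using the real s3:ExistingObjectTag/<key> and s3:RequestObjectTag/<key> condition keys; the bucket name and tag values are constructed, and the small evaluator models only StringEquals semantics (it is not the IAM engine and handles no explicit Deny statements). The point to take from it: an object that carries no Classification tag matches no Allow statement and is therefore implicitly denied, which is why tagging at PUT time (and Macie for the existing backlog) matters.

```python
"""S3 object-tag allow-list enforced through IAM condition keys (added example)."""
import json

BUCKET = "arn:aws:s3:::example-agent-corpus"   # constructed bucket name

# Read side: the agent role may GetObject only when the object's Classification
# tag holds one of the listed values. An untagged object has no such key in the
# request context, so StringEquals fails and the request falls to implicit deny.
AGENT_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyPermittedClasses",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": f"{BUCKET}/*",
        "Condition": {"StringEquals": {
            "s3:ExistingObjectTag/Classification": ["public", "internal"]}},
    }],
}

# Ingest side: the ingest role may PutObject only when the request itself carries
# a Classification tag with a recognised value, so nothing enters unlabelled.
INGEST_WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RequireClassificationTagAtPut",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:PutObjectTagging"],
        "Resource": f"{BUCKET}/*",
        "Condition": {"StringEquals": {
            "s3:RequestObjectTag/Classification":
                ["public", "internal", "confidential", "restricted"]}},
    }],
}


def _condition_met(condition: dict, context: dict) -> bool:
    """StringEquals only: every condition key must be present in the request
    context and equal one of the listed values (case-sensitive). A missing key
    makes the condition false, which is what denies untagged objects."""
    for key, allowed in condition.get("StringEquals", {}).items():
        allowed = [allowed] if isinstance(allowed, str) else allowed
        if key not in context or context[key] not in allowed:
            return False
    return True


def evaluate(policy: dict, action: str, context: dict) -> bool:
    """Implicit deny unless some Allow statement covers the action and its
    condition is met. Simplified model; the example policies contain no Deny."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow" and action in actions
                and _condition_met(stmt.get("Condition", {}), context)):
            return True
    return False


def can_agent_read(object_tags: dict) -> bool:
    """Build the context IAM derives from the object's existing tags and evaluate."""
    ctx = {f"s3:ExistingObjectTag/{k}": v for k, v in object_tags.items()}
    return evaluate(AGENT_READ_POLICY, "s3:GetObject", ctx)


def can_ingest_write(request_tags: dict) -> bool:
    """Build the context IAM derives from the tags supplied on the PUT request."""
    ctx = {f"s3:RequestObjectTag/{k}": v for k, v in request_tags.items()}
    return evaluate(INGEST_WRITE_POLICY, "s3:PutObject", ctx)


if __name__ == "__main__":
    print(json.dumps(AGENT_READ_POLICY, indent=2))
    print(can_agent_read({"Classification": "internal"}))    # True
    print(can_agent_read({"Classification": "restricted"}))  # False: above class
    print(can_agent_read({}))                                # False: untagged object
    print(can_ingest_write({}))                              # False: unlabelled PUT
```

Because StringEquals is case-sensitive, a tag value written as "Internal" by a mis-configured ingest job is also denied; the label-consistency audit the page recommends should normalise tag values for exactly this reason.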

Google Cloud DLP (Sensitive Data Protection) + IAM Conditions
Run Cloud DLP discovery jobs to classify Cloud Storage and BigQuery resources. Apply GCP resource tags based on DLP findings. Write IAM deny policies with resource.matchTag() conditions to block access to resources tagged above the agent's permitted class.

Why choose it: Best for GCP-native agentic workloads. Cloud DLP produces structured findings with sensitivity and risk scores. GCP IAM Conditions support tag-based deny: resource.matchTag('org/sensitivity', 'restricted') is a documented pattern. The discovery-to-tag-to-IAM pipeline requires automation glue, but all three primitives are production-available.


BigID, multi-cloud data discovery and classification
BigID performs automated data discovery and classification across cloud and on-prem stores using ML-based analysis beyond pattern matching. It assigns custom labels by sensitivity, residency, identity, and risk, and federates those labels into Microsoft Purview and Google sensitivity label schemas.

Why choose it: Best when data spans multiple clouds or on-prem systems and a single classification inventory is required. Use BigID as the discovery and labelling source of truth; use cloud-native enforcement as the policy enforcement layer downstream.


Self-build, classification labels in object metadata + agent-tool allow-list policy
At ingest, write a classification label into the document's metadata. At retrieval, the agent runtime or a policy sidecar intersects the agent's permitted-class set with the tool's permitted-class set and passes that intersection as a metadata filter to the retrieval call.

Why choose it: The only option when all storage is internal (no cloud-native IAM) or when the classification surface is a vector store where object tags do not exist. Pair with m-opa for the policy-engine layer and m-vector-acl for vector-store retrieval enforcement.

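The agent-tool intersection check described in "What it is" and in the self-build option, as an added example that is not part of this page or of any product it names. The agent and tool allow-lists, the in-memory document store and the signing key are constructed for the example. It makes one assumption beyond the text: each label is bound to its document id with an HMAC at ingest, so a label rewritten outside the ingest pipeline (for example a downgrade from restricted to public) fails verification at the seam; this is one concrete form of the write-access control on classification metadata that the page calls for, not the page's prescribed mechanism. Unlabelled documents are denied rather than treated as public, and the audit-log helper at the end is where the "cross-class denials" detection signal comes from.

```python
"""Permitted-class intersection enforced at every read/write seam (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# The four labels named on the page, in ascending sensitivity.
CLASSES = ("public", "internal", "confidential", "restricted")

# Constructed signing key. Assumption: only the ingest/labelling pipeline holds it;
# the agent runtime verifies but cannot sign, so an agent with metadata write
# access cannot mint a valid signature for a downgraded label.
LABEL_KEY = b"constructed-label-signing-key-do-not-reuse"


def sign_label(doc_id: str, label: str) -> str:
    """HMAC binding one label to one document id (assumption: labels are signed at ingest)."""
    return hmac.new(LABEL_KEY, f"{doc_id}|{label}".encode(), hashlib.sha256).hexdigest()


@dataclass
class Document:
    doc_id: str
    body: str
    label: Optional[str] = None       # None models a document that skipped the classifier
    label_sig: Optional[str] = None


def ingest(doc_id: str, body: str, label: str) -> Document:
    """Ingest-time labelling: the only code path that produces a valid signature."""
    return Document(doc_id, body, label, sign_label(doc_id, label))


@dataclass
class PolicyEngine:
    agent_classes: dict   # agent identity -> permitted classes
    tool_classes: dict    # tool name -> permitted classes
    audit_log: list = field(default_factory=list)

    def permitted(self, agent: str, tool: str) -> set:
        """Default deny: an unknown agent or tool contributes an empty set,
        so the intersection is empty and nothing is readable."""
        return set(self.agent_classes.get(agent, ())) & set(self.tool_classes.get(tool, ()))

    def check(self, agent: str, tool: str, doc: Document, op: str) -> tuple:
        """Decide one read or write at the seam and record the check in the audit trail."""
        if doc.label is None:
            verdict = (False, "unlabelled")           # never implicitly low-sensitivity
        elif doc.label not in CLASSES:
            verdict = (False, "unknown-label")
        elif not hmac.compare_digest(doc.label_sig or "", sign_label(doc.doc_id, doc.label)):
            verdict = (False, "label-integrity")     # label rewritten outside ingest
        elif doc.label not in self.permitted(agent, tool):
            verdict = (False, "cross-class")
        else:
            verdict = (True, "in-class")
        self.audit_log.append({"agent": agent, "tool": tool, "doc": doc.doc_id, "op": op,
                               "label": doc.label, "allowed": verdict[0], "reason": verdict[1]})
        return verdict

    def retrieval_filter(self, agent: str, tool: str) -> dict:
        """Metadata filter for the self-build option: the intersection is passed to the
        retrieval call so out-of-class chunks never leave the store. The filter syntax
        is constructed; real vector stores each have their own."""
        return {"classification": {"$in": sorted(self.permitted(agent, tool))}}

    def cross_class_denials(self) -> dict:
        """Detection signal: denied cross-class attempts per agent identity."""
        counts = {}
        for entry in self.audit_log:
            if entry["reason"] == "cross-class":
                counts[entry["agent"]] = counts.get(entry["agent"], 0) + 1
        return counts


def build_demo() -> PolicyEngine:
    """Constructed allow-lists: the same agent gets a narrower set through kb_search."""
    return PolicyEngine(
        agent_classes={"support-agent": {"public", "internal", "confidential"}},
        tool_classes={"kb_search": {"public", "internal"},
                      "crm_lookup": {"public", "internal", "confidential"}},
    )


if __name__ == "__main__":
    engine = build_demo()
    crm = ingest("crm-42", "customer record", "confidential")
    print(engine.check("support-agent", "crm_lookup", crm, "read"))   # (True, 'in-class')
    print(engine.check("support-agent", "kb_search", crm, "read"))    # (False, 'cross-class')
    downgraded = Document("crm-42", "customer record", "public", crm.label_sig)
    print(engine.check("support-agent", "kb_search", downgraded, "read"))  # label-integrity
    print(engine.retrieval_filter("support-agent", "kb_search"))
    print(engine.cross_class_denials())
```

Note that the permitted set is recomputed per tool within the same agent identity: the support agent may read a confidential record through crm_lookup but not through kb_search, which is the "permitted-class sets can differ per tool" behaviour from the flow above.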

Trade-offs

  • Tag checks at retrieval add tens of microseconds (a metadata filter, not a model call). The ingest-time classifier is the real latency cost: 5–50 ms per document depending on model complexity.
  • Retroactive classification of an existing unstructured corpus is the dominant cost driver: typically several engineer-weeks per terabyte of unstructured text.
  • Dev effort is concentrated in two phases: the ingest-time classification harness and per-tool allow-list configuration, followed by ongoing label-consistency auditing.

When NOT to use

  • Do not apply classification to pipelines that consume a single already-classified source; the labelling layer adds overhead without access-control benefit when every document is already in the same class.
  • Do not use this control as the sole mechanism for pure read-only advisory agents with no write path and a single-class data source.
  • Do not omit write-access controls on the classification metadata store itself; a classification system whose labels can be silently downgraded by the agent provides no protection.

Limitations

  • Classification accuracy depends on label accuracy. A document mis-labelled at ingest carries the wrong class until re-classified.
  • Cloud-native enforcement applies at the storage API level; it does not filter at the application layer. An agent that receives data through a proxy or cache that does not re-check the tag bypasses the control.
  • BigID and Purview discovery pipelines have scan latency: newly ingested data may be unclassified for minutes to hours until the next scan cycle completes.
  • There is no industry-standard agent-tool allow-list schema for agentic AI systems; every deployment authors its own mapping of classification levels to agent roles and tool capabilities.

Maturity tier reasoning

  • Tier 2 fits because all the individual primitives (Purview sensitivity labels, S3 object tags, IAM condition keys, Cloud DLP, BigID, OPA) are production-available and documented by their maintainers.
  • What keeps the agentic application at Tier 2 is the absence of a standard agent-tool allow-list schema or a managed service that implements the full ingest-classify-enforce pipeline specifically for agentic AI workloads.
  • The MIP SDK integration that lets Microsoft 365 Copilot agents check sensitivity-label usage rights is the closest available native agentic-AI classification enforcement primitive as of mid-2026.

Last verified against upstream docs: 2026-05-30.