Agentic AI Security CMM — D6 Data, Memory & RAG (Deep Dive)

Companion deep-dive to the CMM’s D6 domain, written under the recalibration method. The recalibration corrects a misweighting the regulated-FI stress test exposed. D6 was built around corpus poisoning, but the dominant deployment is a customer-service or member-facing RAG bot over internal data, where the live risk is oversharing and inference exposure: over-permissioned content surfaced or reconstructed for a user who should not see it (inference exposure). Poisoning needs an open or multi-writer corpus to land; oversharing needs only ordinary enterprise permission sprawl. The recalibration adds answer-time entitlement enforcement as the load-bearing L3 capability and grades the tooling plainly: the Microsoft data-governance stack is largely GA, but the work it implies is a multi-quarter labor project, not a purchase.

D6’s two risk families align with two NIST AI 600-1 GenAI Profile risk categories: oversharing and inference exposure are the §2.4 data-privacy concern, and corpus poisoning is the §2.8 information-integrity concern (Suggested Actions MS-2.7-007 for poisoning red-team and MS-2.5-005 for groundedness). The GenAI Profile establishes that both belong to GenAI risk management; this page supplies the graded controls and the recalibrated weighting between them.

Single-source grounding

The reframe and levels synthesize the recalibration method against the regulated-FI stress test plus the inference-exposure concept and vendor documentation. Tooling status is a May 2026 snapshot and will drift; treat the dated landscape as the perishable part.

Threat coverage

D6 is the primary domain for ASI06 (Memory & Context Poisoning) and a control surface for ASI04 (Supply Chain), and it carries Class 1 (insider — RAG and eval-harness integrity) and Class 4 (model-version — eval suite versioned independently). The customer-owned eval harness here is the single highest-leverage control absorbing the insider, APT, and model-version classes. See the Threat Taxonomy Reconciliation matrix and the threat classes.

Control landscape (dated)

Two risk families, very different tooling maturity.

CapabilityWhat ships todayStatus (May 2026)
Data-risk / oversharing assessmentMicrosoft Purview DSPM for AI; oversharing assessmentsGA, rolling out Apr→May 20261
Answer-time / output controlsDLP for Microsoft 365 Copilot (sensitivity-label inheritance into responses); Azure AI Content Safety Groundedness DetectionDLP GA; Groundedness GA but English-only23
Retrieval-scope reductionSharePoint Advanced Management / Restricted SharePoint Search; Restricted Content DiscoveryRSS GA but capped at a fixed number of sites — a stopgap, “not scalable”; RCD in preview4
Poisoning / memory-integrity detectionMicrosoft Defender prompt-injection and memory-injection detectionDeveloping; detective guidance, not turnkey GA5
Corpus / document attestationRAGShield, TrustRAG, Brain Git, SecureClawNot production — paper or research-grade OSS; do not credit as a control
Cross-source contradiction; per-doc cryptographic attestationNo vendor production answer as of May 2026

This grade corrects two errors in the CMM’s current D6 tooling map: it under-weighted the GA assessment-and-labeling stack (DSPM for AI, label-aware DLP) and over-credited exploratory tools (RAGShield/TrustRAG/Brain Git) as deployable controls.

The Microsoft ZT4AI Data pillar (least privilege / assume breach) supplies these controls — Purview answer-time entitlement, DSPM for AI oversharing assessment, and label-aware DLP — crosswalked to D6 in the 2026-Q2 ZT4AI review.

Capability-decoupled levels

Stated as capabilities per rule 1; the new answer-time enforcement thread runs L3→L5.

  • L1 — Initial. No corpus provenance; no memory integrity; retrieval inherits source-system permissions with no oversharing review.
  • L2 — Developing. Retrievals carry source labels; skills/plugins are reviewed manually; a sensitivity-labeling scheme exists on paper; a first oversharing / data-risk assessment has been run.
  • L3 — Defined. Per-source trust attribution; RAG-injection scanning; ingest poisoning scan; cognitive file integrity (hashing) over identity and system-prompt files; answer-time access enforcement that respects per-user entitlements (not merely source ACLs), with oversharing remediated on the reachable corpus; a groundedness check on answers.
  • L4 — Managed. Trust-weighted retrieval (provenance scoring); a memory- / context-poisoning detector wired to the SIEM; a documented PoisonedRAG-class defense6; continuous oversharing posture management, sensitivity-label inheritance into outputs, and label-aware DLP gating of responses; state rollback tested.
  • L5 — Optimizing. Real-time corpus-drift detection; a documented, domain-appropriate poisoning-rate bound; cross-source contradiction detection; system-prompt confidentiality (canary tokens + SIEM alerting); continuous answer-time semantic-boundary enforcement that closes inference exposure — need-to-know enforced at the knowledge layer and re-checked within a session; a quarterly rollback drill with a measured RTO.
  • L5+ — Leading Edge. Cryptographically attested per-document signing and hash chain at ingest (no shipping product); a formal taint lattice for cross-source contradiction (research-stage); zero-knowledge proofs for sensitive retrievals.

The change of emphasis: the old D6 made cryptographic document attestation the L4/L5 spine. For the common RAG shape that is the wrong spine. Attestation defends against poisoning the corpus, whereas the member-data bot fails by answering correctly from content the asker was not entitled to see. That deployment needs answer-time entitlement enforcement first, not attestation.

Right-sizing by deployment shape

Deployment shapeRealistic D6 targetWhy
Member / customer-service RAG bot over internal dataL3 → L4Oversharing is the live risk: entitlement enforcement + remediation + groundedness. Poisoning controls are low-yield on a closed, single-writer corpus
RAG over open / multi-writer or web corpusL4 → L5Now poisoning is in scope: trust-weighted retrieval, drift detection, contradiction flagging earn their cost
Agent with long-lived memoryadd L4 memory-integrityContext/memory poisoning and rollback become first-order regardless of corpus shape
No-retrieval tool agentL2Little of D6 applies; record the reduced scope as an intentional trade-off

The lethal-trifecta test lowers the bar directly here: a bot with no private-data access and no exfiltration path does not need the full answer-time enforcement stack. Removing the sensitive-retrieval capability costs less than controlling it.

Cost model

LevelLicensingOperational laborRun-rate
L2~0 for an E5 + Copilot tenant (DSPM for AI, DLP, Content Safety are in entitlements)the first assessment + a labeling scheme
L3~0 incrementalthe dominant cost: a multi-quarter oversharing-remediation projectclassification / scan consumption
L4~0 incrementalcontinuous posture management + detector tuning + SIEM integrationSIEM ingest for detector signals
L5mostly off-stack for contradiction / attestation gapsdrift-bound justification, rollback drills, semantic-boundary tuningstreaming-scan + retrieval-check cost

The dominant cost signal: for an incumbent the licensing line is near zero, and the real spend is the remediation labor. Microsoft frames it as a three-stage blueprint (remediate → guardrails → regulate) over a five-phase loop (inventory → classify → triage → remediate → lock). Vendor walkthroughs cite 40–60 IT-hours over about four weeks,4 but those are small-tenant figures and do not scale linearly; at enterprise scale the Restricted SharePoint Search site cap forces genuine remediation rather than a search-scope shortcut. Plan two-to-four quarters and one-to-two FTE-equivalent, recurring. New content re-introduces oversharing, so the project never fully closes.

Customer critiques folded in

  • “D6 is over-built around poisoning for our member-data bot.” Addressed: oversharing / inference exposure is now the L3 spine for the closed-corpus shape; poisoning controls move up to L4/L5 and to open-corpus shapes.
  • “Microsoft is our weakest plane for data.” Reframed: the assessment-and-labeling tooling is GA and capable. The genuine weaknesses are narrower. Remediation is a labor project no tool performs for you; Restricted SharePoint Search is a capped stopgap and Restricted Content Discovery is still in preview; Groundedness Detection is English-only; and cross-source contradiction detection and per-document attestation have no vendor production answer.
  • “The cost was invisible.” Addressed: the cost model names the multi-quarter remediation project and marks licensing near-zero for an E5 + Copilot shop.

Open questions

  • Answer-time semantic entitlement at scale. Whether sensitivity-label-granular DLP is sufficient, or whether true knowledge-layer authorization (Knostic-class) is required, is unresolved.
  • Restricted Content Discovery GA timing versus the procurement windows of regulated buyers who cannot deploy preview features.
  • Defender memory-injection detector maturity — likely detective guidance today, not a turnkey GA control.
  • No FI-specific grounding. GLBA / FFIEC data-governance expectations are where the forthcoming crosswalk will bite hardest; this page does not yet map to them.
  • No enterprise data-governance-labor benchmark. The remediation-effort estimate is directional, drawn from small-tenant vendor figures.

Notes

Footnotes

  1. Microsoft Learn — DSPM for AI, 2026. Capability and GA rollout window for Purview Data Security Posture Management for AI.

  2. Microsoft Learn — DLP for Microsoft 365 Copilot, 2026. Sensitivity-label inheritance and response gating for Copilot.

  3. Microsoft Learn — Groundedness detection (Azure AI Content Safety), 2026. Groundedness-with-correction; language coverage.

  4. Microsoft Learn — Restricted SharePoint Search, 2026. Site-count limit and remediation-effort guidance for oversharing control. 2

  5. Microsoft Learn — Restricted Content Discovery, 2026. Preview-stage discovery-scope control complementing RSS.

  6. PoisonedRAG (USENIX Security 2025), 2025. Knowledge-corruption attack class against retrieval-augmented generation.