Agentic AI Security CMM — D6 Data, Memory & RAG (Deep Dive)
Companion deep-dive to the CMM’s D6 domain, written under the recalibration method. The recalibration corrects a misweighting the regulated-FI stress test exposed. D6 was built around corpus poisoning, but the dominant deployment is a customer-service or member-facing RAG bot over internal data, where the live risk is oversharing and inference exposure: over-permissioned content surfaced or reconstructed for a user who should not see it (inference exposure). Poisoning needs an open or multi-writer corpus to land; oversharing needs only ordinary enterprise permission sprawl. The recalibration adds answer-time entitlement enforcement as the load-bearing L3 capability and grades the tooling plainly: the Microsoft data-governance stack is largely GA, but the work it implies is a multi-quarter labor project, not a purchase.
D6’s two risk families align with two NIST AI 600-1 GenAI Profile risk categories: oversharing and inference exposure are the §2.4 data-privacy concern, and corpus poisoning is the §2.8 information-integrity concern (Suggested Actions MS-2.7-007 for poisoning red-team and MS-2.5-005 for groundedness). The GenAI Profile establishes that both belong to GenAI risk management; this page supplies the graded controls and the recalibrated weighting between them.
Single-source grounding
The reframe and levels synthesize the recalibration method against the regulated-FI stress test plus the inference-exposure concept and vendor documentation. Tooling status is a May 2026 snapshot and will drift; treat the dated landscape as the perishable part.
Threat coverage
D6 is the primary domain for ASI06 (Memory & Context Poisoning) and a control surface for ASI04 (Supply Chain), and it carries Class 1 (insider — RAG and eval-harness integrity) and Class 4 (model-version — eval suite versioned independently). The customer-owned eval harness here is the single highest-leverage control absorbing the insider, APT, and model-version classes. See the Threat Taxonomy Reconciliation matrix and the threat classes.
Control landscape (dated)
Two risk families, very different tooling maturity.
| Capability | What ships today | Status (May 2026) |
|---|---|---|
| Data-risk / oversharing assessment | Microsoft Purview DSPM for AI; oversharing assessments | GA, rolling out Apr→May 20261 |
| Answer-time / output controls | DLP for Microsoft 365 Copilot (sensitivity-label inheritance into responses); Azure AI Content Safety Groundedness Detection | DLP GA; Groundedness GA but English-only23 |
| Retrieval-scope reduction | SharePoint Advanced Management / Restricted SharePoint Search; Restricted Content Discovery | RSS GA but capped at a fixed number of sites — a stopgap, “not scalable”; RCD in preview4 |
| Poisoning / memory-integrity detection | Microsoft Defender prompt-injection and memory-injection detection | Developing; detective guidance, not turnkey GA5 |
| Corpus / document attestation | RAGShield, TrustRAG, Brain Git, SecureClaw | Not production — paper or research-grade OSS; do not credit as a control |
| Cross-source contradiction; per-doc cryptographic attestation | — | No vendor production answer as of May 2026 |
This grade corrects two errors in the CMM’s current D6 tooling map: it under-weighted the GA assessment-and-labeling stack (DSPM for AI, label-aware DLP) and over-credited exploratory tools (RAGShield/TrustRAG/Brain Git) as deployable controls.
The Microsoft ZT4AI Data pillar (least privilege / assume breach) supplies these controls — Purview answer-time entitlement, DSPM for AI oversharing assessment, and label-aware DLP — crosswalked to D6 in the 2026-Q2 ZT4AI review.
Capability-decoupled levels
Stated as capabilities per rule 1; the new answer-time enforcement thread runs L3→L5.
- L1 — Initial. No corpus provenance; no memory integrity; retrieval inherits source-system permissions with no oversharing review.
- L2 — Developing. Retrievals carry source labels; skills/plugins are reviewed manually; a sensitivity-labeling scheme exists on paper; a first oversharing / data-risk assessment has been run.
- L3 — Defined. Per-source trust attribution; RAG-injection scanning; ingest poisoning scan; cognitive file integrity (hashing) over identity and system-prompt files; answer-time access enforcement that respects per-user entitlements (not merely source ACLs), with oversharing remediated on the reachable corpus; a groundedness check on answers.
- L4 — Managed. Trust-weighted retrieval (provenance scoring); a memory- / context-poisoning detector wired to the SIEM; a documented PoisonedRAG-class defense6; continuous oversharing posture management, sensitivity-label inheritance into outputs, and label-aware DLP gating of responses; state rollback tested.
- L5 — Optimizing. Real-time corpus-drift detection; a documented, domain-appropriate poisoning-rate bound; cross-source contradiction detection; system-prompt confidentiality (canary tokens + SIEM alerting); continuous answer-time semantic-boundary enforcement that closes inference exposure — need-to-know enforced at the knowledge layer and re-checked within a session; a quarterly rollback drill with a measured RTO.
- L5+ — Leading Edge. Cryptographically attested per-document signing and hash chain at ingest (no shipping product); a formal taint lattice for cross-source contradiction (research-stage); zero-knowledge proofs for sensitive retrievals.
The change of emphasis: the old D6 made cryptographic document attestation the L4/L5 spine. For the common RAG shape that is the wrong spine. Attestation defends against poisoning the corpus, whereas the member-data bot fails by answering correctly from content the asker was not entitled to see. That deployment needs answer-time entitlement enforcement first, not attestation.
Right-sizing by deployment shape
| Deployment shape | Realistic D6 target | Why |
|---|---|---|
| Member / customer-service RAG bot over internal data | L3 → L4 | Oversharing is the live risk: entitlement enforcement + remediation + groundedness. Poisoning controls are low-yield on a closed, single-writer corpus |
| RAG over open / multi-writer or web corpus | L4 → L5 | Now poisoning is in scope: trust-weighted retrieval, drift detection, contradiction flagging earn their cost |
| Agent with long-lived memory | add L4 memory-integrity | Context/memory poisoning and rollback become first-order regardless of corpus shape |
| No-retrieval tool agent | L2 | Little of D6 applies; record the reduced scope as an intentional trade-off |
The lethal-trifecta test lowers the bar directly here: a bot with no private-data access and no exfiltration path does not need the full answer-time enforcement stack. Removing the sensitive-retrieval capability costs less than controlling it.
Cost model
| Level | Licensing | Operational labor | Run-rate |
|---|---|---|---|
| L2 | ~0 for an E5 + Copilot tenant (DSPM for AI, DLP, Content Safety are in entitlements) | the first assessment + a labeling scheme | — |
| L3 | ~0 incremental | the dominant cost: a multi-quarter oversharing-remediation project | classification / scan consumption |
| L4 | ~0 incremental | continuous posture management + detector tuning + SIEM integration | SIEM ingest for detector signals |
| L5 | mostly off-stack for contradiction / attestation gaps | drift-bound justification, rollback drills, semantic-boundary tuning | streaming-scan + retrieval-check cost |
The dominant cost signal: for an incumbent the licensing line is near zero, and the real spend is the remediation labor. Microsoft frames it as a three-stage blueprint (remediate → guardrails → regulate) over a five-phase loop (inventory → classify → triage → remediate → lock). Vendor walkthroughs cite 40–60 IT-hours over about four weeks,4 but those are small-tenant figures and do not scale linearly; at enterprise scale the Restricted SharePoint Search site cap forces genuine remediation rather than a search-scope shortcut. Plan two-to-four quarters and one-to-two FTE-equivalent, recurring. New content re-introduces oversharing, so the project never fully closes.
Customer critiques folded in
- “D6 is over-built around poisoning for our member-data bot.” Addressed: oversharing / inference exposure is now the L3 spine for the closed-corpus shape; poisoning controls move up to L4/L5 and to open-corpus shapes.
- “Microsoft is our weakest plane for data.” Reframed: the assessment-and-labeling tooling is GA and capable. The genuine weaknesses are narrower. Remediation is a labor project no tool performs for you; Restricted SharePoint Search is a capped stopgap and Restricted Content Discovery is still in preview; Groundedness Detection is English-only; and cross-source contradiction detection and per-document attestation have no vendor production answer.
- “The cost was invisible.” Addressed: the cost model names the multi-quarter remediation project and marks licensing near-zero for an E5 + Copilot shop.
Open questions
- Answer-time semantic entitlement at scale. Whether sensitivity-label-granular DLP is sufficient, or whether true knowledge-layer authorization (Knostic-class) is required, is unresolved.
- Restricted Content Discovery GA timing versus the procurement windows of regulated buyers who cannot deploy preview features.
- Defender memory-injection detector maturity — likely detective guidance today, not a turnkey GA control.
- No FI-specific grounding. GLBA / FFIEC data-governance expectations are where the forthcoming crosswalk will bite hardest; this page does not yet map to them.
- No enterprise data-governance-labor benchmark. The remediation-effort estimate is directional, drawn from small-tenant vendor figures.
Notes
Footnotes
-
Microsoft Learn — DSPM for AI, 2026. Capability and GA rollout window for Purview Data Security Posture Management for AI. ↩
-
Microsoft Learn — DLP for Microsoft 365 Copilot, 2026. Sensitivity-label inheritance and response gating for Copilot. ↩
-
Microsoft Learn — Groundedness detection (Azure AI Content Safety), 2026. Groundedness-with-correction; language coverage. ↩
-
Microsoft Learn — Restricted SharePoint Search, 2026. Site-count limit and remediation-effort guidance for oversharing control. ↩ ↩2
-
Microsoft Learn — Restricted Content Discovery, 2026. Preview-stage discovery-scope control complementing RSS. ↩
-
PoisonedRAG (USENIX Security 2025), 2025. Knowledge-corruption attack class against retrieval-augmented generation. ↩