What Does Your AI Know About Your Business? Hopefully Nothing.

Because if it did, your knowledge would be sitting inside a model you don’t control.

At first this sounds backwards. An AI that knows nothing about your business is supposed to handle your support requests? Exactly that. The “knowing nothing” isn’t the flaw you need to fix — it’s the property you want to protect.

Two ways to give an AI your knowledge

There are two ways to make your business knowledge available to an AI.

The first: you train or fine-tune a model on your data. Then the model “knows” something about your customers, contracts, prices. The knowledge sits inside the model — in a place you can barely inspect, hardly delete selectively, and never fully control. What has once been trained in cannot be revoked with a click.

The second: the model stays empty. For each request it receives exactly the information that this one request needs — and nothing beyond it. Afterwards it forgets everything again. The knowledge stays in your systems; the model is merely the case worker, briefed for the duration of a single task.

The second way is winning out in practice. Not because it’s more convenient — it’s more work — but because it’s controllable.

What this looks like: a cancellation

A customer wants to cancel their support contract. The ticket lands in the system. At this point the AI knows nothing: not who the customer is, not whether they even have a contract, not under what conditions they can cancel.

So the pieces get gathered: identity from the customer database, contract data from the contract system, the cancellation terms from the T&Cs — the latter usually via semantic search in a vector database, because no one dumps the full contract text into every call. Only with this package does the AI assess: Is the cancellation within the notice period? Which options remain? Is this a premium customer who’d be better off receiving a retention offer?

The result goes to the case worker. They decide. If they say yes, the AI writes the confirmation and sets the contract’s end date.

The hard part

So far, unspectacular. The hard part isn’t that the AI gets to the data. The hard part is that it gets to the right data — and only that.

The package for this one case must contain exactly this customer. Not the similarly named one from the same postcode area. Not the contract data of someone else that happens to sit in the same search index. An AI passes on what it deems helpful — not what is permitted in context. If it accidentally receives the data of three customers, it may well write a correct answer to the wrong one. Right person, wrong room.

This is precisely where it’s decided whether a system makes it from the demo into production: Dissemination Control — governing what an AI agent is allowed to pass on in which context, independent of what it has access to.
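One way to enforce "exactly this customer" when the package is assembled, as an added example that is not code from the original post. The customer IDs, the `owner` tag on index chunks and the keyword match standing in for semantic search are all assumptions made for illustration.

```python
# Constructed sample data: two similarly named customers in the same postcode area.
CUSTOMERS = {
    "C-1001": {"name": "Anna Meier", "postcode": "80331", "tier": "premium"},
    "C-1002": {"name": "Anna Meyer", "postcode": "80331", "tier": "standard"},
}
CONTRACTS = {
    "C-1001": {"contract_id": "K-77", "notice_days": 30},
    "C-1002": {"contract_id": "K-78", "notice_days": 90},
}
# Shared search index: every chunk carries an owner tag ("*" = applies to all, e.g. T&Cs).
INDEX = [
    {"owner": "*", "text": "T&C 8.2: cancellation requires written notice."},
    {"owner": "C-1001", "text": "K-77 addendum: notice period 30 days."},
    {"owner": "C-1002", "text": "K-78 addendum: notice period 90 days."},
]

class ScopeViolation(Exception):
    """Raised when data outside the ticket's customer scope would enter the package."""

def search(query, allowed_owners):
    # Stand-in for semantic search. The owner filter is applied inside the
    # retrieval step, so foreign chunks are never candidates at all.
    words = query.lower().split()
    return [c for c in INDEX
            if c["owner"] in allowed_owners
            and any(w in c["text"].lower() for w in words)]

def unscoped_search(query, allowed_owners):
    # Deliberately broken retriever that ignores the owner filter (used to test the gate).
    return list(INDEX)

def build_package(ticket, retrieve=search):
    cid = ticket["customer_id"]  # verified ID from the ticket system, never a name match
    if cid not in CUSTOMERS or cid not in CONTRACTS:
        raise ScopeViolation(f"unknown customer {cid}")
    chunks = retrieve(ticket["text"], {cid, "*"})
    # Second gate: fail closed if retrieval handed back anything foreign.
    foreign = [c for c in chunks if c["owner"] not in (cid, "*")]
    if foreign:
        raise ScopeViolation(f"{len(foreign)} chunk(s) not owned by {cid}")
    return {"customer": CUSTOMERS[cid], "contract": CONTRACTS[cid],
            "terms": [c["text"] for c in chunks]}
```

The package is rejected as a whole rather than silently trimmed, so a misconfigured retriever shows up as an error in the pipeline instead of as another customer's data in front of the model.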

Where the real work lies

The path from ticket to cancellation confirmation is craft. Non-trivial, but solvable. The real work lies in the question that gets skipped in every demo and asked in every audit: How does the AI know it’s only talking about this customer?

Whoever has no solid answer to that hasn’t built an AI feature. They’ve built a data leak with a voice.


That’s problem one: the AI may only see this customer. Problem two sits right behind it — it sees the right customer and still draws the wrong conclusion: misreads the notice period, invokes a clause that isn’t in the contract that way. No scope helps against that, only a second, independent check. And “independent” is the whole difficulty — a second AI that simply agrees with the first result isn’t a check, it’s an echo.

How to keep it genuinely independent: in the next part.