Trustworthy AI is an uncomfortable subject. **It’s the most difficult question that everyone needs an answer to; but you never want an AI to answer it for you.** It’s the question that no one wants to talk about; but...everyone wants to believe we have an answer to. 

## Garbage-in, Garbage-out
The old addage "Garbage-in, Garbage-out" is a <a href="https://www.sciencedirect.com/science/article/pii/S0893395224002667" target="_blank" rel="noopener noreferrer">fundamental truth in AI</a>. If you feed an AI system bad data, it will produce bad results. With little or no stretch of the imagination you'll arrive at the corrolary: "Untrusted data in, Untrusted results out".  It's a simple concept that is often overlooked in the rush to deploy AI systems.

Unfortuntaly, lack of predictability in AI systems prevents the inverse statement, "Trusted data in, Trusted results out", from being true for all results.  Yet it does hold true that to have trusted results out, you must have trusted data in.  This is the foundation of trustworthy AI.

## The AI Trust Gap

On our journey to build a fundamentally new kind of data governance platform we’ve asked over one-hundred enterprises a simple question... **“Do you Trust your Agentic AI Systems?”</strong>**

95% of the time, the answer is, “of course not; but we use it anyway. We don’t have any real choice. Our competitors use AI, and we can’t sit idle while they gain an advantage” – FOMO is a real thing.

<div class="w-3/4 mx-auto py-4" align="left">
    <p>Today, trust in AI-driven processes is a key barrier. For AI to succeed at scale, individuals, companies and partners must trust and take responsibility for ensuring that processes powered by AI are safe, reliable and effective... A global survey found that 61% of people hesitate to rely on AI systems, often due to concerns over <strong>data security</strong> and third-party involvement.</p><span class="caption"><a href="https://reports.weforum.org/docs/WEF_AI_in_Action_Beyond_Experimentation_to_Transform_Industry_2025.pdf" target="_blank" rel="noopener noreferrer">- World Economic Forum, AI Governance Alliance</a></span>
</div>

Trustworthy AI starts and ends with your data. Data is fundamentally critical for AI models. The more data you give a model, the more information it can reason through, plan with and work with, to structure remarkable superhuman results. “Data is to AI, what oxygen is to Humans" is a universally accepted constant in the AI industry.
Data security and third party involvement get to the heart of the AI Trust Gap.  Was the data tampered with?  Where did the data come from?  

## Data Lineage
The aspirational goal of Agentic AI systems is to achieve “on-par trust” with human employees, so that the business decisions being made with AI are “Trustworthy at parity” with the employees that direct the AI (or are replaced by it). This compounded trusted relationship generates an environment that should deliver radically new remarkable superhuman results for businesses. We need both the employee and the AI system to co-operate within a **Circle of Trust** that the business can prove, believe in and govern. 

Knowing if data, and hence AI, is within this circle of trust requires knowledge of that data's lineage.  This is a modern hybrid GenAI concept that converges the business goals of data governance, security, compliance, data Lineage and trust...into a single Mission critical business objective - to achieve AI Trust.

## Data Knowledge Graph

At Caber, our core Gen AI thesis is that **AI Trust starts and ends with data**. Knowledge of data quality requires all sources of AI data and metadata consumed by Gen AI have a trusted, discoverable, lineage that is strongly connected to its security posture; at a deep granular level beyond the document container (down into the intra-document chunk, embedding and byte-segment level). We believe that trust can only be built from deeply understanding how data, metadata and segmented chunks of data flow through-out enterprise networks and Gen AI Agentic stacks (e.g. API’s, services, endpoints, databases, object stores, file systems, caches, frameworks, pipelines, etc.); and the relationships of all those data elements are graphed together in a way that trust can be deterministically computed and governed for your business.
Knowing we can't rely on such a dynamic knowledge graph of data to be pre-existing in companies is the reason why building this graph efficiently and scalably is at the heart of Caber's platform.

<div class="w-3/4 mx-auto py-4" align="center">
      <img src="/images/blog/caber_data_knowledge_graph_dark.png" alt="Caber Data Knowledge Graph" onclick="window.open(this.src, '_blank');">
</div>
<p class="caption" align="center">
      <span>Caber links common byte-sequences found in stored objects, database records, on the network, in APIs, and used inside Agentic services to trace the lineage of data through a company's environment and identify it by the relationships it has.</span>
</p>

Caber becomes your trusted data system that independently and neutrally governs AI Trust for your enterprise. As such Caber becomes your always-on system that runs as a core platform underneath and with your Gen AI Data systems, curating a complaint **circle of trust** for users as they interact and converse with your deployed Agentic AI Apps and infrastructure.

## Conclusion
Gen AI Trust starts and ends with deterministic knowledge of your data. Caber delivers data knowlege, intelligence, and governance on a platform that can redact, block and deny low quality user-centric data flows before they are injected into the LLM’s context frame; deterministically preventing low performance, error-prone, inaccurate, false and confused LLM outputs. The result is higher quality LLM performance, with guaranteed private and secure AI application data operations made compliant to existing and upcomming regulations through conversational policy inputs. 

We understand that Trustworthy AI requires an ‘Unstoppable Unyielding Always-on’ service based on intelligently knowing what constitutes useful, high-quality, trusted data – and can share that knowledge with other Agentic AI systems through powerful API services & insights. for Data that is utilized, accessed and flows throughout the entire Gen AI Agentic stack.
 
Caber is the platform that delivers this vision. We are excited to be on this journey with you.


Do trusted data inputs lead to trusted data outputs?  Lineage is fundamental to the answer.

Trust in AI Requires Trust in AI Data Use

Getting access control to work in vector databases is no easy feat. Most likely an AI agent using a service account with broad access rights, not the user the access is made on behalf of, is performing all data reads.  In this blog post by <a href="https://zilliz.com" target="_blank" rel="noopener noreferrer">Zilliz</a>, the makers of the <a href="https://milvus.io" target="_blank" rel="noopener noreferrer">Milvus</a> vector database, Caber CEO Rob Quiros discusses the challenges of data governance in AI systems like this at Zilliz's Unstructured Data Meetup.  A recording of the talk is available by clicking <a href="https://www.youtube.com/watch?v=gAqHbNrHMsM" target="_blank" rel="noopener noreferrer">HERE</a>

<div class="mx-auto py-4" align="center">
    <img src="/images/blog/zilliz_caber_blog_image.png" alt="Click this image to read the original post on Zilliz's website" onclick="window.open('https://zilliz.com/blog/beyond-rag-partitions-per-user-per-chunk-access-policy', '_blank');">
</div>
<p class="caption" align="center">
    Click the image above to read the original post on Zilliz's website
</p>


Dynamic policies and AI agent identites undermine access control

Fixing Access Control in Vector DBs

Retrieval Augmented Generation (RAG) has become essential for enterprise AI applications to make proprietary data available for responding to user queries. Optimizing RAG's accuracy and precision ensures relevant application responses while maintaining data security and privacy. However, these objectives often conflict. Current methods for enforcing permissions on RAG vector databases can degrade results or leak data to unauthorized users due to the need to divide enterprise data into chunks for GenAI applications.

## AI's Chunked View of Data
Businesses typically handle data as files, documents, videos, or database tables--units of information we can name, organize, and manage. Metadata, such as creation time, size, creator, and applicable policies, links to these data units when stored.
However, GenAI applications don't view data this way. They break down large, complex sources into smaller, semantically meaningful segments or chunks. LLMs train on chunks, vector databases store vectors created from chunks, AI applications consume data in chunks, and APIs called by AI agents move data in chunks.

<div class="w-3/4 mx-auto py-4" align="center">
    <img src="/images/blog/rag_permissions_0.png" alt="Same data chunks in different Apple 10Q statements" onclick="window.open(this.src, '_blank');">
</div>
<p class="caption" align="center">
    Common paragraphs or chunks (blue) and unique chunks (orange) mixed in two Apple 10Q statements. Denying access to all chunks from the Q2 2024 statement in a vector database would also deny users access to much of the data in the Q2 2023 statement as well.
</p>

It seems intuitive that document-level attributes should apply to their chunks. Many AI vendors reinforce this idea. However, this assumption is fundamentally flawed and can lead to inaccurate AI responses, biased results, and compromised data security.

## Data Redundancy from Chunking
Through our experience with <a href="https://www.f5.com/pdf/products/big-ip-wan-optimization-manager-ds.pdf" target="_blank" rel="noopener noreferrer">WAN optimization</a>, over 90% of data chunks flowing through enterprise networks are redundant. In storage systems holding enterprise data, 50%-90% of <a href="https://www.snia.org/sites/default/files/Understanding_Data_Deduplication_Ratios-20080718.pdf" target="_blank" rel="noopener noreferrer">storage blocks are duplicates</a> . 

As documents are shared, edited, and converted across platforms, identical paragraphs or images often appear in multiple versions. These redundancies accumulate as authors merge comments from various drafts, circulate files, and manage revisions.

<div class="w-3/4 mx-auto py-4" align="center">
      <img src="/images/blog/rag_permissions_1.png" alt="Duplicate data biases AI" onclick="window.open(this.src, '_blank');">
</div>
<p class="caption" align="center">
      <span>AI researchers at Google and University of Pennsylvania recorded the number of duplicate chunks seen across 348 million web documents. The number of chunks appearing only once have Group Size = 1. Eighty-five thousand chunks appeared 6–10 times. The length of chunks are not represented in this graph. Source: <a href="https://arxiv.org/abs/2107.06499" target="_blank" rel="noopener noreferrer">https://arxiv.org/abs/2107.06499</a></span>
</p>

## Unintended Consequences
When enterprise documents are ingested into an LLM training set or RAG vector database, identical chunks are stored only once. Identical binary sequences generate identical vectors, which vector databases use for data lookup.

However, metadata can differ significantly between documents containing the same chunks. When two such documents are ingested, the first chunk gets metadata from the first document, which the second ingestion overwrites with the second document's metadata. This can lead to problems including poor AI performance, data leakage, and biases in responses


<div class="w-3/4 mx-auto py-4" align="center">
    <img src="/images/blog/rag_permissions_2.png" alt="Graph of data chunk relationships across Apple 10Q statements" onclick="window.open(this.src, '_blank');">
</div>
<p class="caption" align="center">
    Using content-defined chunking, data in seven Apple 10Q statements (pink and blue dots) common sets of chunks (in red) can be mapped to the statements they are found in. Pink dots represent the entirety of data in each statement as would be seen by data governance systems that do not take chunking into account.
</p>

### Poor AI Performance and Data Leakage
Consider a document with metadata allowing public access and another with metadata restricting access to Amy. If a common chunk exists in both, the second document's restrictive permissions might overwrite the first's open-access metadata. Bob, who should access the first document, might be denied access, while Amy could see both documents' data.

This issue, if unchecked, diminishes RAG search precision despite improvements from graph-based RAG, cascading retrieval, and other methods. Without a monitoring system, users might receive incomplete responses or unintentionally access sensitive data like coworker salaries.

### Ethical Issues and Biases
As chunk sizes increase, sub-sequences within chunks become a concern. Paragraph-length chunks may contain common sentences appearing in multiple chunks. Research from <a href="https://arxiv.org/abs/2107.06499" target="_blank" rel="noopener noreferrer">Google and University of Pennsylvania</a> shows duplicate data in LLM training sets can introduce biases and errors in responses. Repetition in prompts has been shown to <a href="https://shelf.io/blog/10-ways-duplicate-content-can-cause-errors-in-rag-systems" target="_blank" rel="noopener noreferrer">cause errors</a> in RAG systems.

Where limits exist on the number of chunks retrieved from RAG, a user query with a high similarity score to chunks containing the same sentence, may preclude other chunks relevant to the query to be dropped thus reducing response accuracy.

## Conclusion
The rise of agentic AI--where autonomous AI agents collaborate and take intertwined actions--adds new layers of complexity to enterprise AI systems. These agents depend on dynamically retrieved and processed data, making robust data governance essential. As agents interact, risks like data mismanagement, bias, and leakage increase, elevating data governance from a best practice to a critical necessity.
Traditional data governance systems designed for documents, files, and tables--data-at-rest--are incompatible with how AI processes data. GenAI applications break data into "chunks," stripping away context and metadata needed for effective policy enforcement. To control enterprise data use in these complex AI ecosystems, data governance products must adapt by addressing the unique challenges of chunked data. Without this shift, enterprises face degraded AI precision, reduced reliability, and potential data breaches--risks amplified by agentic AI's interconnected nature.

Duplication of data across documents causes unseen biases in Retrieval Augmented Generation

How Duplicate Data Kills Your RAG

In the cybersecurity echo chamber, the relentless assault of false positives on Security Operations Center (SOC) teams is surpassed only by the cacophony of vendor marketing fluff claiming to reduce them. It's like listening to a symphony played on broken instruments. You know you're more likely to get that two or five percent reduction by turning off an existing tool than adding a new one.

False positive rates in existing tools are awful. Yet, we've accepted their inevitability to the point where we measure them to compare how good a tool is versus how bad it is. "Sucks-less" may be inevitable in political decisions, but it doesn't have to be with security tools. Deterministic detection of security incidents exists with the potential to silence the noise of those broken instruments and reveal attack signatures too faint to break through.

This blog explores the transformative potential of deterministic authorization across the three states of digital data, at rest, in transit, and in use, to eliminate false positives in incident detection.

### **The False Positive Quandary and Deterministic Solutions**

#### **Data-at-Rest: A Model of Determinism**

The foundation of data security, data-at-rest, showcases the efficacy of deterministic access controls such as Access Control Lists (ACLs). These controls set the stage for explicit, enforceable permissions that significantly mitigate the risk of false positives, demonstrating the untapped potential of deterministic methods in broader cybersecurity contexts.

#### **Data-in-Transit: Bridging the Gaps**

When data transitions into motion, it encounters a landscape where deterministic authorization becomes challenging yet increasingly necessary. The lack of embedded permissions in data packets underscores a critical vulnerability in confidentiality, despite existing measures for integrity and availability. This gap highlights the urgent need for integrating permissions within data protocols to ensure comprehensive and deterministic security measures.

#### **Data-in-Use: The Final Frontier**

Arguably the most complex state to secure, data-in-use demands a nuanced approach to deterministic incident detection. The proliferation of microservices and cloud-based architectures has obscured the clear linkage between user identities and data permissions, necessitating innovative solutions to restore determinism in authorization practices within these distributed environments.

### **Towards a Deterministic Future: Strategies and Solutions**

The journey to a more deterministic cybersecurity framework requires a multifaceted strategy. It begins with embedding permissions directly within data transactions and extends to reevaluating our architectural approaches to cloud applications. By drawing inspiration from initiatives like Caber's CA/CO, and filling in the gaps exposed by Google's BeyondProd, and enterprise Digital Rights Management we can chart a path towards achieving deterministic authorization across all states of digital data.

### **Conclusion: A Call to Action for SOCs**

The embrace of deterministic incident detection signals a pivotal moment in cybersecurity. By adopting a deterministic approach, SOCs can dramatically reduce false positives, focusing their efforts on genuine threats and enhancing overall operational efficiency. This blog has outlined the critical steps and considerations necessary for this transformation, highlighting the indispensable role of innovative solutions and collaborative industry efforts. As we move forward, the call to action is clear: the time for SOCs to pivot towards a deterministic and more secure future is now.


Directly securing data-in-transit is the key to eliminating growing false-positives

Recent Posts

Trust in AI Requires Trust in AI Data Use

Fixing Access Control in Vector DBs

How Duplicate Data Kills Your RAG

Data: The Path to False Positive Freedom

Coming Soon: Limited Free Access for Development Use