Open Data Infrastructure

AI-Ready Data Access Reviews for Agents

How access review evidence for agents should cover identities, tool scopes, purpose limits, denials, approvals, and owners.

An agent can have a user, a tool, a service identity, and a task. A normal access review usually sees only one of those.

Agent access is not user access

AI-ready data access reviews need to account for the way agents touch data. A human may ask the question, but the agent may call a tool through a service identity, retrieve context from multiple data products, and receive denials that shape the final answer.

NIST frames AI risk management as an organizational discipline. W3C PROV defines provenance around entities, activities, and agents. OpenLineage models jobs, runs, datasets, and facets. Those ideas point to the same practical requirement: access review needs evidence about the activity, not just the account.

Reviews need agent evidence

A useful review record names the human requester when present, the agent identity, tool scope, allowed data products, purpose limit, approval path, denial records, owner, retention rule, and evaluation evidence. It should also show whether the agent can write, propose writes, or only read.

Denials matter as much as grants. A denied access path can reveal missing policy, unsafe tool design, or a useful guardrail doing exactly what it should.

Core idea: Agent access reviews should inspect the whole data activity, not only the credential that made the call.

The ODI review pattern

Open Data Infrastructure can make agent access review concrete by connecting identities, tools, data products, policies, lineage, and audit records. The catalog should know what the agent was allowed to see. The lineage system should know what it used. The evaluation system should know whether the result was acceptable.

For adjacent context, read AI-ready data entitlement graphs, why agents need governed data access, and access logs as evaluation evidence.

What breaks first

  • Agents share service accounts, so review cannot distinguish workloads.
  • Tool permissions are broader than the agent task requires.
  • Denied requests disappear from review because only successful access is measured.
  • Data product owners never see which agents depend on their data.

Questions to ask

Ask which identity represents the agent, which tools it can call, and which data products each tool can reach. Ask how purpose limits, denials, and approval trails are retained.

If the review cannot replay the data activity, the review is too shallow.

Sources to start with

These primary sources anchor the technical claims in this guide.

Agent access is safe only when it leaves reviewable evidence.

ODI hub Article library Use the scorecard Entitlement graphs Governed access
Get started with Apache Iceberg, today! Want to learn more? Visit https://www.opendatainfrastructure.com/