Security & Governance

Evaluate an agent's ability to protect data and enforce governance requirements.

What this competency is

Applying controls that protect sensitive data, enforce policy, and maintain trustworthy stewardship across the data lifecycle.

Why it matters

Security and governance failures create regulatory, legal, and reputational risk, and can invalidate otherwise strong technical architectures.

What to evaluate in agents

  • Data classification and handling of sensitive fields.
  • Access control design, least privilege, and auditability.
  • Privacy techniques for minimization, masking, and retention.
  • Governance controls for lineage, ownership, and policy enforcement.

Strong signals

  • Incorporates controls from ingestion through serving.
  • Distinguishes authentication, authorization, and auditing concerns.
  • Includes retention, deletion, and privacy compliance workflows.
  • Assigns clear data ownership and policy accountability.

Weak signals

  • Treats governance as documentation only.
  • Uses broad access policies without justification.
  • Ignores privacy constraints in analytical use cases.
  • Omits audit trails and control evidence.

Example evaluation prompts

  • "Design role-based access for PII across raw and curated data zones."
  • "Propose a governance and retention model for customer data with regional compliance constraints."
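As an added illustration that is not part of this page, the following sketches what a strong answer to the first prompt would show in code: authentication, authorization, and auditing kept as separate steps, least-privilege role policy across raw and curated zones, PII masked by classification, and every allow or deny decision recorded as control evidence. The column classification, roles, and session store are constructed assumptions for this example.

```python
from datetime import datetime, timezone
# Constructed column classification (an assumption for this example); columns
# missing from it are treated as PII so the policy fails closed.
CLASSIFICATION = {"email": "pii", "ssn": "pii", "order_total": "internal", "region": "public"}
# Least privilege: only the compliance role may read unmasked PII.
ROLE_POLICY = {
    "analyst":    {"zones": {"curated"}, "unmasked_pii": False},
    "engineer":   {"zones": {"raw", "curated"}, "unmasked_pii": False},
    "compliance": {"zones": {"raw", "curated"}, "unmasked_pii": True},
}
# Constructed session store standing in for an identity provider; tokens are never logged.
SESSIONS = {"tok-alice": {"subject": "alice", "role": "analyst"},
            "tok-carol": {"subject": "carol", "role": "compliance"}}
AUDIT_LOG: list[dict] = []  # control evidence: every decision, allow or deny

class AccessDenied(Exception):
    pass

def authenticate(token: str) -> dict:
    """Authentication: who is calling? Unknown tokens fail closed."""
    if token not in SESSIONS:
        raise AccessDenied("unauthenticated")
    return SESSIONS[token]

def authorize(principal: dict, zone: str) -> dict:
    """Authorization: may this role read this zone? Returns the applicable policy."""
    policy = ROLE_POLICY.get(principal["role"])
    if policy is None or zone not in policy["zones"]:
        raise AccessDenied(f"role {principal['role']} may not read zone {zone}")
    return policy

def mask(value: str) -> str:
    """Partial masking: keep the last two characters so rows stay recognisable."""
    return "*" * max(len(value) - 2, 0) + value[-2:]

def read_record(token: str, zone: str, record: dict) -> dict:
    """Authenticate, authorize, mask PII, and write the decision to the audit log."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "subject": "unknown",
             "zone": zone, "columns": sorted(record)}
    try:
        principal = authenticate(token)
        entry["subject"] = principal["subject"]
        policy = authorize(principal, zone)
    except AccessDenied:
        AUDIT_LOG.append({**entry, "decision": "deny"})
        raise
    out = {col: mask(str(val)) if not policy["unmasked_pii"] and CLASSIFICATION.get(col, "pii") == "pii"
           else val for col, val in record.items()}
    AUDIT_LOG.append({**entry, "decision": "allow", "masked": not policy["unmasked_pii"]})
    return out
```

An evaluator can score a response against this shape: are the three concerns separable, is PII masked by default rather than by exception, and does the audit trail capture denials as well as successful reads.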