SPrime AI
Book a call
Blog Jun 4, 2026 2 min read

The data-access scope map we hand to security.

The first question a security team asks is never about the model. It is about the data. What can this thing read? What can it change? Where does our data leave

S
SiliconPrimeSilicon Prime

The first question a security team asks is never about the model. It is about the data. What can this thing read? What can it change? Where does our data leave a place we control? So we stopped explaining it in prose and started handing them a map. This post outlines how our data-access scope map clearly delineates the boundaries and capabilities of AI systems in terms of data interaction, ensuring transparency and security compliance.

Security team analyzing a data-access scope map on a digital screen in a modern office.

📊 What the diagram is actually claiming.

Every box on the left is a system the customer owns. The dashed line is the trust boundary — the point where data would leave the customer's control. The map exists to make one claim provable: nothing crosses that line unless the diagram says it does.

  • Read-only means the agent holds a credential that cannot mutate state. Not "we promise not to write." The credential literally cannot.
  • Read · write is the narrowest possible scope. The agent can append to the ticket queue. It cannot delete, cannot read other tenants, cannot escalate.
  • Never touched means no credential was ever minted. Payments and PII are not behind a guardrail the agent could argue its way past. There is no key on the ring.
A trust boundary you can draw is a trust boundary you can audit. If it only lives in a config file, it does not exist yet.

🔐 Why read-only is a credential, not a rule.

The most common mistake we see is treating access scope as policy — a document that says the AI "should not" write to production. Policy is advice. A scoped credential is physics. When security asks us to prove read-only, we do not show them the policy. We show them that the token issued to the agent has no write grant, and we show them the audit log proving no write was ever attempted. Competitor tools, such as AWS IAM and Google Cloud's RBAC, also emphasize credential-based access control.

✍️ The line that does the work.

The orange dash is the only thing on this page that matters to a regulator. Everything to the left is the customer's. Everything that crosses must be named, scoped, and logged. We would rather hand over a diagram that admits a write than a paragraph that hides one. Similar approaches are used by platforms like Microsoft Azure's Policy service, which helps define and enforce organizational standards.

Play video

Further Reading

🚀 Ready to Build with AI?

Contact Silicon Prime — we help companies design and ship production-grade AI products.

 FAQ

Frequently asked questions

It's a diagram Silicon Prime hands to security instead of explaining access in prose. Boxes on the left are systems the customer owns; the dashed line is the trust boundary where data would leave the customer's control. The map makes one provable claim: nothing crosses that line unless the diagram says it does. A trust boundary you can draw is one you can audit—if it only lives in a config file, it doesn't exist yet.

Read-only means the agent holds a credential that cannot mutate state—not a promise, the credential literally can't write. Read-write is the narrowest possible scope: the agent can append to the ticket queue but can't delete, read other tenants, or escalate. Never-touched means no credential was ever minted—payments and PII have no key on the ring, so there's nothing for the agent to argue past.

Because policy is advice and a scoped credential is physics. The common mistake is treating access scope as a document saying the AI 'should not' write to production. When security asks for proof of read-only, the team doesn't show the policy—they show that the token issued to the agent has no write grant, plus an audit log proving no write was ever attempted.

The orange dashed line is the only thing on the page that matters to a regulator. Everything to its left is the customer's; everything that crosses it must be named, scoped, and logged. It marks the exact point where data would leave a place the customer controls, making the boundary provable and auditable rather than an assurance buried in prose.

Two ways together: the token issued to the agent has no write grant, so writing is technically impossible, and the audit log shows no write was ever attempted. This pairing—a credential that can't mutate state plus evidence of behavior—is what the team presents when security asks for proof, rather than a policy document stating the AI shouldn't write.

Because the map's value is honesty that security can verify. Everything that crosses the trust boundary must be named, scoped, and logged, so the team would rather hand over a diagram that openly shows a write than a paragraph that conceals one. A drawn boundary is auditable; a buried one isn't, and hiding access only surfaces as risk later.

Never about the model—it's about the data. Security wants to know what the system can read, what it can change, and where data leaves a place the customer controls. That's why Silicon Prime stopped explaining access in prose and started handing over a scope map that answers those questions visually and provably.

Thirty minutes · No pitch deck

Ready to turn AI experiments into measurable ROI?

Bring one outcome you'd like AI to move. We'll help you scope a pilot you can actually measure — and tell you honestly if it's not worth doing yet.

Book a call → Back to Research

Comments