Cloud Portal ONE Desktop ONE DQ&C ONE MDM ONE RDM ONE Runtime Server
User Community Service Desk Downloads

AI Governance and Security

This article provides an overview of Ataccama’s approach to AI governance and security, highlighting our commitment to responsible AI usage, data protection, and regulatory compliance.

Our approach to responsible AI

At Ataccama, we recognize the importance of responsible AI governance and robust security practices. We are committed to ensuring transparency, compliance, and ethical usage of AI technologies embedded within the Ataccama ONE platform.

Our AI governance policies are guided by the NIST AI Risk Management Framework, underscoring our dedication to managing AI risks effectively and responsibly.

AI features in ONE

Ataccama’s AI capabilities enhance productivity across data governance, data quality, and master data management domains. Our offering includes:

Traditional machine learning

Deployed locally within your environments in Ataccama Data Quality and Catalog cloud and on-premise offering, these features assist with tasks like business term classification, anomaly detection, and master data matching.

Generative AI

Accessible via our embedded user interface, these capabilities include generating descriptions, SQL queries, rule expressions, and conversational assistance.

AI Agent

The ONE AI Agent is a goal-based tool agent that enables automation of complex data management tasks. Unlike traditional chatbots or assistants that primarily answer questions, the AI Agent can dynamically plan, refine, and execute multi-step workflows on behalf of users.

When given a goal, the Agent develops a plan and executes it by calling tools in succession to achieve the desired outcome. The Agent interacts with the platform through tools, which are API-based interfaces that allow the Agent to read information from and write information to the Ataccama ONE platform.

Current capabilities include:

  • Search tools (catalog, business terms, rules, documentation).

  • Metadata and data access tools (catalog metadata, attribute fetching, profiling, data sampling, SQL queries).

  • Data modification tools (SQL catalog item creation, DQ rule creation and assignment, description generation).

  • Utility tools (calculator).

All AI features provide suggestions that are easy to delete and edit. AI users are responsible for reviewing and validating the output of the AI.

AI Agent architecture and security

To understand how the Agent maintains security and compliance, it helps to look at its underlying architecture.

How the Agent works

A typical agentic workflow is as follows:

  1. User provides a goal or task description.

  2. Agent develops a plan to achieve the goal.

  3. Agent executes the plan by calling tools in succession.

  4. Agent refines the plan as needed based on tool results.

  5. User reviews and validates the results.

Tool-based access model

The Agent interacts with the platform exclusively through defined tools (APIs).

Each tool has specific, bounded capabilities. This architecture ensures the Agent can only perform actions within the scope of its defined tools and cannot access systems or data outside these boundaries.

Transparency and auditability

Users can view the Agent’s execution steps, review its reasoning, and inspect all proposed changes before they take effect. This transparency supports governance requirements and enables meaningful human oversight of AI-driven operations.

Data use and privacy

Data minimization and Agent data access

Ataccama AI features primarily use metadata rather than raw data. The AI Agent accesses metadata through tool calls to perform tasks such as searching the catalog, retrieving attribute information, and generating descriptions.

The AI Agent includes an optional data sampling tool that provides access to actual data values. This enables use cases like accurately querying tables to answer business questions and validating data quality patterns.

Organizations that cannot expose data to AI systems can turn off this feature.

Administrator controls

The data sampling tool can be turned off by administrators in Global settings > Gen AI.

When turned off, the Agent operates exclusively on metadata, maintaining the traditional data minimization approach while still providing substantial automation capabilities. Data access for all Gen AI features remains minimal, optional, and fully controlled by your administrators.

No training on customer data

Customer data and metadata are never used for training shared generative AI models.

Traditional machine learning (ML) models are trained locally within your environment for tailored outcomes.

The AI Agent’s underlying models are not trained or fine-tuned using customer data, metadata, or Agent interaction logs. Customer interactions with the Agent do not influence the behavior of models used by other customers.

Ataccama retains logs of Agent prompts and interactions to support troubleshooting and improve service quality. Customers can opt out of this logging if required by their internal policies.

Security measures

Ataccama employs secure development practices, including rigorous security assessments, penetration testing, and regular third-party audits to safeguard your information.

The Agent operates within the same security framework as other Ataccama Gen AI features. All traffic between the AI Agent and Ataccama services is encrypted in transit.

Compliance with privacy laws

We comply with applicable data protection regulations, including GDPR, and require all third-party AI service providers (such as Azure OpenAI) to uphold similar compliance standards.

AI governance principles

Our governance program emphasizes transparency, fairness, and reliability in AI operations. Key objectives include:

  • Performance and accuracy: Continuous model evaluation and improvement to maintain high accuracy.

  • Fairness and bias mitigation: Regular testing to identify and correct potential biases.

  • Explainability and transparency: Clear documentation and explanations provided for all AI-driven recommendations.

  • Security and privacy: Strict adherence to data security practices and customer data usage preferences.

  • Legal and regulatory compliance: Ongoing monitoring and alignment with AI-related laws and guidelines.

Intellectual property and ownership

Ownership of inputs and outputs

You retain ownership of your data and any AI-generated outputs derived from your metadata. Ataccama maintains intellectual property rights related to the AI logic, model architectures, and underlying technology.

Third-party AI providers

Customers acknowledge the licensing terms of third-party providers like Azure OpenAI. Ataccama communicates these terms clearly.

Customer responsibilities

You are expected to use AI responsibly, ethically, and lawfully, adhering to the following principles:

  • Lawful and ethical use: Compliance with all applicable laws and ethical standards.

  • Precise prompting: Providing clear, specific goals and instructions when interacting with the AI Agent. Well-defined prompts help the Agent develop accurate plans and reduce the likelihood of unintended actions.

  • Human oversight: Reviewing and validating all AI-generated outputs, with particular attention to changes made by the AI Agent.

    The Agent provides a "Review changes" option that allows you to inspect modifications before they are finalized. Only approve actions that align with your intentions.

  • Change validation: Carefully reviewing all modifications that the AI Agent makes to catalog items, rules, descriptions, and other platform assets. Users are responsible for ensuring Agent-generated changes are accurate and appropriate before accepting and propagating them across the system.

  • Data and privacy management: Appropriate classification and secure management of data inputs to AI systems.

  • Reporting and feedback: Prompt reporting of any identified issues such as biases, inaccuracies, or security concerns.

For best practices on using Generative AI features effectively, see Gen AI Best Practices.

Audit and compliance

Ataccama conducts biannual internal audits assessing compliance with governance policies, including:

  • Automated monitoring and manual reviews.

  • Regular evaluations of AI model performance, fairness, and security practices.

  • Clear documentation, reporting, and remediation procedures to address any identified issues.

Controls and administration

You retain full control over the usage of AI within your environments:

  • AI features can be individually turned on or off by your administrators.

  • Role-based access control ensures only qualified personnel can approve AI outputs.

  • Clear user interfaces facilitate management and oversight of AI capabilities.

AI Agent controls

Administrators can configure AI Agent behavior through the Gen AI global settings, including:

  • Turning on or off the data sampling tool to control whether the Agent can access actual data values.

  • Setting token limits to manage Agent usage.

  • Configuring prompt logging retention policies.

  • Managing user access to Agent capabilities through role-based access controls.

See also Transparency and auditability.

Updates and changes

Ataccama continually enhances AI technologies to improve performance and compliance:

  • Material updates are communicated in advance, allowing you to review and provide feedback.

  • Policy changes align with evolving legal, technological, and customer requirements, with clear communication about updates and effective dates.

Contact information

For more information or assistance, reach out to your Customer Success Manager (CSM). Our team is ready to provide further guidance and support.

Was this page useful?