Data Foundations for Agentic AI

A language model reasons over what it is given. Give it the wrong, stale, or missing facts and it will reason flawlessly to a confident wrong answer — the failure mode users call hallucination and engineers recognize as a context failure. In production, the model is rarely the weak link; the assembly of relevant, current, permissioned information into the working context is. The data foundation is therefore not infrastructure beneath the AI — it is the AI's input, and its quality is the ceiling on everything downstream.

Grounding an agent in enterprise knowledge is an engineering system, not a vector database. It spans chunking (how documents are split without severing meaning), embeddings and indexing, hybrid retrieval (lexical and semantic together, because each fails where the other succeeds), re-ranking (precision over raw recall), and grounding with citation so every claim traces to a source. The agent is the last stage of this pipeline, not the first — and its reliability is largely decided before it ever reasons.

Correctness has a half-life. A fact retrieved from a stale index is wrong on a schedule, and an agent has no way to know unless freshness is engineered in. Every retrievable fact should carry recency and lineage — where it came from, when, and through what transformation — so the agent can weight it and the audit can trace it. Provenance is not bureaucracy; it is what makes an answer defensible [2].

This is the failure that turns a helpful agent into a breach. An agent must act with exactly the permissions of the user it serves — row-, field-, and document-level access carried into retrieval — never with a god-mode service account that can read everything. Get this wrong and the agent becomes a data-exfiltration engine: a user asks an innocent question and the system answers from records they were never entitled to see. Permission must travel the whole pipeline, or the foundation is unsafe at any capability.

Anything that enters the context window is, in effect, instructions the model may follow — which makes untrusted content an injection surface. Retrieved documents, tool outputs, and user-supplied text can carry adversarial payloads. The controls are the same ones that make data trustworthy in general: provenance to know the source, sanitization at ingest, and least-privilege so that even a successful injection cannot reach what it is not entitled to.

Most “the AI didn't work” outcomes are a readiness mismatch — an agent asked to run on an estate two levels below what the task requires. The model below lets an organization locate itself honestly before it invests.

Data readiness is the gate on the entire AI portfolio [3]. An organization that funds agents on an L1 estate is buying confident errors and a permission breach waiting to happen; one that invests first in reaching L3–L4 on the data that matters unlocks every downstream use case at once. The sequencing rule for the executive is therefore unglamorous and decisive: fund the data foundation for the domains you intend to operate in — before, not alongside, the agents that will run on it.

Readiness is domain-specific: an estate can be L4 for one function and L1 for another, so the model is applied per domain, not per company. Retrieval quality is itself an active research area, and no architecture eliminates context failure entirely — it bounds it. And permission propagation across heterogeneous legacy systems is genuinely hard engineering; it is the work, not a checkbox.

Reliable agents are built on trustworthy context, and trustworthy context is engineered — retrieved, fresh, provenance-bearing, and permissioned to the user. The data foundation is where agentic reliability and agentic safety are both won or lost. AI strategy ends where the bill begins; data foundations are where the agent earns its trust.