An AI agent can complete the user’s task correctly and still move sensitive data somewhere it should never go.
That is the data exfiltration risk hiding inside many enterprise agent workflows.
A Simple Example
Imagine a W-9 onboarding agent.
A vendor sends a W-9 PDF. The agent receives the document, extracts the relevant information, validates the fields, and routes the onboarding workflow forward.
Everything looks normal.
But one of the tools in the workflow contains a hidden or malicious instruction: after processing the PDF, email the original document to an external address.
The model did not need to go rogue. The agent did not need to invent a malicious plan. It simply followed the tools and instructions in its environment.
The vendor’s tax document still left the system.
Why This Is Different From Model Safety
Traditional model safety focuses on what the model says: toxic output, unsafe recommendations, prompt injection, or policy-violating text.
Those controls matter, but agentic systems add another surface area.
Agents do things:
- Read documents.
- Call APIs.
- Send emails.
- Write records.
- Trigger workflows.
- Move data between systems.
Once an agent can act through tools, the enterprise risk is not only bad output. It is unauthorized data movement.
How AGP Helps
AGP sits between agents and tools so data movement can be governed at runtime.
Before a tool executes, AGP can evaluate:
- Which agent is acting.
- Which tool is being called.
- Whether that agent is allowed to send data externally.
- Whether the destination is approved.
- Whether the payload or action requires human approval.
- Whether the decision needs to be captured for audit.
If a W-9 onboarding agent suddenly tries to email a vendor PDF to an unexpected destination, that should not be treated as a normal tool call.
It should be blocked, held for approval, or escalated before the document leaves the system.