
Cybersecurity reporter Sergiu Gatlan broke the news in a Bleeping Computer article on February 18th this way: “Microsoft says a Microsoft 365 Copilot bug has been causing the AI assistant to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies that organizations rely on to protect sensitive information.”
Marketing and product management leader Louis Columbus, posting in VentureBeat on February 20th after citing Gatlan, added this observation: “The advisory….marks the second time in eight months that Copilot’s retrieval pipeline violated its own trust boundary — a failure in which an AI system accesses or transmits data it was explicitly restricted from touching.”
But it was AI strategy board advisor Barbara Cresti, commenting via LinkedIn on the Copilot bug on the 20th, who provided the first insights I came across about the nature of the problem. She made these specific points:
Generative AI does not merely access a file:
🔹 It interprets across many
🔹 It synthesizes context
🔹 It generates new meaning
In this case, the interpretive layer moved ahead of the control layer.
If “Confidential” can be bypassed by a misalignment inside a trusted platform, how many other safeguards rely on assumptions that have never been tested against AI behaviour?
Most enterprises have Copilot embedded across Microsoft 365.
In many environments, AI features are enabled by default.
Updates are continuous. Capabilities expand quietly in the background. Oversight, however, remains static and periodic.
The current RDF stack isn’t static or periodic, and the most powerful ontologies that help most with agent challenges aren’t static or periodic either.
The most powerful ontologies, in fact, provide substantial help within the context of RDF-star, quads and fine-grained access control for enterprises seeking to govern agentic AI and IT environments as a whole across the time / space continuum.
In this post, I’ll describe the power of the current W3C stack, including four capable ontologies and how the combination of technologies can encourage system owners to take on the agent development paradigm with less fear and loathing.
PROV-O: A data DNA tracking and tracing mechanism
PROV-O entered the tech landscape in 2013 when the W3C released it as a Recommendation for provenance mapping. “Provenance” refers to ownership tracking and tracing as information assets (including agents) and their component parts originate, combine or separate and evolve over time and place. The PROV-O model makes it possible for RDF graph representations of people, places, things and ideas (including code) in their current state to be traced back to their origins with the help of a standard #wasDerivedFrom relationship, for instance.
Today’s RDF graphs include nodes, relationships and named graphs. If a named graph has a confidential classification, the system as a whole will be able to control access on the basis of that classification over time and place. So in the case of the previously mentioned Copilot bug, the content in an agent-changed state retains the association with its original security classification. The access control rules can therefore retain their intended force.
PROV-AGENT: A semantic model for autonomous agent actors
In an environment filled with automated tools, we must know exactly which entity is touching the data. PROV-AGENT is a model that defines these autonomous actors. It distinguishes between a human user and an AI agent. By recording which specific agent created a summary, the system creates an audit trail. When an agent crosses a boundary, the system knows exactly which agent was responsible and what authority it used.
PKO: A model for explicitly machine-readable procedures
Standard operating procedures (SOPs) tend to be general. Agents need explicit specifics. The Procedural Knowledge Ontology (PKO) endeavors to make the tacit knowledge left untouched by SOPs explicit and conformed to a single semantic graph format so that agents can follow procedures from different sources.
ODRL: Componentized, computable, machine-readable contracts
Open Digital Rights Language (ODRL) provides machine-readable data sharing rules that involve any information assets. The main classes of rules in ODRL include permissions, prohibitions, actions and duties.
With ODRL’s explicit, computable guidelines, both humans and machines can understand up front, from a data sharing perspective, what’s allowed, what’s not and who’s responsible.
SHACL: Compliance checking using graph shapes
Shapes and Constraints Language (SHACL) compares an ideal RDF graph shape with an actual graph to evaluate the validity of the actual graph. It rejects graphs that don’t conform to the specified rules. In this sense, SHACL can be the enforcement mechanism for ODRL, a means of refusing requested connections by a subgraph to the main graph.
How today’s RDF-star, named graphs and relevant ontologies together address the Copilot problem
Microsoft Copilot summarized confidential emails because the security check was a separate gate that the software simply bypassed. To prevent this kind of bypassing, enterprises can move security into the data layer using a semantic knowledge graph approach. A modern RDF stack using specific ontologies and models provides a systematic fix.
How RDF quads and fine-grained access control contribute
RDF quads add a fourth element, called a named graph, to subject-verb-object triples. This subgraph acts as a security zone for the instance data in the knowledge graph.
With a capability like GraphDB’s Fine-Grained Access Control (FGAC), the semantic graph database management system (DBMS) checks this fourth element before showing a result to the agent. Or it can deny access to specific predicates. If a user does not have permission to enter the confidential folder graph, the DBMS acts as if those quads do not exist. The agent cannot summarize what it cannot see.
Tracking the DNA in the data
As Cresti pointed out, agents interpret and synthesize multiple documents to create new meaning. This creates a lineage problem. If an agent reads a secret and writes a summary, the summary needs to remain secret. Here’s how current semantic standards help:
- PROV-O—the provenance ontology—links new information to its origin.
- Procedural Knowledge Ontology (PKO) converts general operating procedures into machine-readable steps. This ensures that a given agent follows a specific path when handling sensitive information.
- Open Digital Rights Language (ODRL) creates computable contracts. It sets clear permissions and prohibitions for data sharing. With ODRL, the rules for who can see a confidential email are written in a language that both the database and the agent understand.
- Shapes and Constraints Language (SHACL) acts as the final enforcement mechanism. It compares the data produced by the AI against an ideal shape or set of rules. If an AI agent attempts to create a summary that lacks the required confidential label, SHACL identifies the mismatch. It rejects the data before it can be delivered to a user.
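The flow described above, as an added example that is not from the original post and uses no GraphDB, SHACL or PROV-O tooling: a plain-Python model in which named graphs carry the classification, reads are filtered by clearance, and a shape-style check refuses any summary whose label is weaker than a `prov:wasDerivedFrom` source. The `ex:` names, the two-level ranking and the sample quads are assumptions made for illustration.

```python
RANK = {"General": 0, "Confidential": 1}
GRAPH_LEVEL = {"ex:g/general": "General", "ex:g/confidential": "Confidential"}
LEVEL_GRAPH = {level: graph for graph, level in GRAPH_LEVEL.items()}
DERIVED, LABEL = "prov:wasDerivedFrom", "ex:classification"

# Constructed sample quads: (subject, predicate, object, named graph)
STORE = [
    ("ex:mail1", "ex:body", "Draft reorg plan", "ex:g/confidential"),
    ("ex:mail2", "ex:body", "Cafeteria menu", "ex:g/general"),
]

def visible(store, clearance):
    """Read filter: quads in graphs above the caller's clearance are omitted."""
    return [q for q in store if RANK[GRAPH_LEVEL[q[3]]] <= RANK[clearance]]

def level_of(store, entity):
    """Strictest rank among the named graphs describing entity (None if unknown)."""
    return max((RANK[GRAPH_LEVEL[g]] for s, _, _, g in store if s == entity),
               default=None)

def violations(store, summary):
    """Check a proposed summary (triples about one subject) before it is stored."""
    sources = [o for _, p, o in summary if p == DERIVED]
    labels = [o for _, p, o in summary if p == LABEL]
    unknown = [s for s in sources if level_of(store, s) is None]
    problems = []
    if not sources:
        problems.append("missing prov:wasDerivedFrom")
    if unknown:
        problems.append("unknown source: " + ", ".join(unknown))
    if len(labels) != 1 or labels[0] not in RANK:
        problems.append("exactly one valid ex:classification required")
    elif sources and not unknown:
        if RANK[labels[0]] < max(level_of(store, s) for s in sources):
            problems.append("label weaker than a source")
    return problems

def publish(store, summary):
    """Store the summary in the named graph matching its label, or refuse it."""
    problems = violations(store, summary)
    if problems:
        raise ValueError("; ".join(problems))
    label = next(o for _, p, o in summary if p == LABEL)
    store.extend((s, p, o, LEVEL_GRAPH[label]) for s, p, o in summary)
```

Because an accepted summary lands in the graph that matches its label, a second summary derived from it inherits the same floor, so the classification follows the lineage across hops.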
With meaningful descriptions, constraints and rules, the system defends itself
A standards-based semantic layer is self-defending. RDF quads and FGAC hide sensitive data from unauthorized agents. PROV-O and RDF-star track the lineage of every summary. While PROV-AGENT identifies the actors, PKO and ODRL define the rules. Finally, SHACL validates every move.
This way, security is built into how semantic graphs perform their data sharing + governance role.
For more information:
Carriero, Valentina Anita, Mario Scrocca, Ilaria Baroni, Antonia Azzini, and Irene Celino. “Procedural Knowledge Ontology (PKO).” arXiv, March 26, 2025. https://doi.org/10.48550/arxiv.2503.20634.
Barbara Cresti, “How do we ensure that AI systems are not only innovative but also safe, fair, and accountable? The answer lies in robust #AIGovernance and #RiskManagement,” LinkedIn, February 11, 2025, https://www.linkedin.com/posts/barbaracresti_aigovernance-riskmanagement-ai-share-7430521435632291840-6DF9.
Sergiu Gatlan, “Microsoft Says Bug Causes Copilot to Summarize Confidential Emails,” Bleeping Computer, February 18, 2024, bleepingcomputer.com.
Renato Iannella and Serena Villata, eds., “ODRL Information Model 2.2,” W3C Recommendation, World Wide Web Consortium, February 15, 2018, https://www.w3.org/TR/odrl-model/.
Holger Knublauch and Dimitris Kontokostas, eds., “Shapes Constraint Language (SHACL),” W3C Recommendation, World Wide Web Consortium, July 20, 2017, https://www.w3.org/TR/shacl/.
Timothy Lebo, Satya Sahoo, and Deborah McGuinness, eds., “PROV-O: The PROV Ontology,” W3C Recommendation, World Wide Web Consortium, April 30, 2013, https://www.w3.org/TR/prov-o/.
Miles, Simon, and Yolanda Gil, eds. “PROV Model Primer.” W3C Working Group Note. World Wide Web Consortium, April 30, 2013. https://www.w3.org/TR/2013/NOTE-prov-primer-20130430/
Ontotext. “GraphDB 10.6: Enhanced Data Management Capabilities and Improved User Experience.” February 21, 2024. https://www.ontotext.com/company/news/enhanced-data-management-improved-ux-graphdb-10-6.
Robaldo, Livio, Francesco Pacenza, Jessica Zangari, Roberta Calegari, Francesco Calimeri, and Giovanni Siragusa. “Efficient Compliance Checking of RDF Data.” Journal of Logic and Computation 33, no. 8 (June 2023): 1753–76. https://doi.org/10.1093/logcom/exad034.
Sebastian Schmidt and Todor Primov, “GraphDB & metaphactory Part II: An RDF Database and A Knowledge Graph Platform in Action,” metaphacts Blog, October 28, 2021, https://blog.metaphacts.com/an-rdf-database-and-a-knowledge-graph-platform-in-action.
World Wide Web Consortium. “SHACL Use Cases and Requirements.” W3C Working Group Note, 2017. https://www.w3.org/TR/shacl-ucr/.





