PPenwell Law

← Blog

Provenance Is a Double Agent

You are going to hear some version of this parable a lot in the next few years:

“We hired Jake six months ago. He was new to the valley, but came with stellar recommendations from industry leaders. Jake quickly became indispensable to the team, always on, always willing to take on new tasks, and a commitment to tracking the small details most employees don’t have time for. Before long there was almost nothing he didn’t touch: he sat in on the sensitive calls, read the privileged memos, and kept meticulous records of every deal term, from negotiation to execution. He cataloged everything so the rest of us didn’t have to, and we became increasingly reliant on his consistency.

Legal loved Jake. His discipline felt like an insurance policy, one more reliable than AAA’s 24-hour roadside assistance. It was the proof we’d done everything by the book, ready to be activated should we ever have to call upon it. Well, one day we did have to call on Jake’s diligent records, because the Irish Data Protection Commission opened an inquiry into us, and its allegations read like science fiction: that Jake’s everyday retrievals had been unlawful transfers of personal data to the United States, that the very records we kept to prove our compliance were the proof we had failed to secure that data, and that a 72-hour breach-notification window had opened and closed without us ever knowing it. It was only then that we learned the records we had always considered a shield had suddenly become a sword.

We brought in external counsel, and they walked us through the true gravity of what was happening, line by line. Our own logs, with our own timestamps, read back to us as the definitive evidence against us. Had Jake been working as a double agent, leaking confidential information to the EU all along? How could he violate our deepest covenant of trust? We called HR to tell them Jake had to be let go. That was when the nightmare became real: Jake wasn’t on the payroll…in fact, Jake wasn’t an employee at all… Jake was our AI agent, and without even trying, had pulled off the most successful double cross in the history of corporate espionage.”

Jake, like all agents, should be called what he really is: a double agent. One that gives James Bond a run for his money. Not because he was ever turned, and not because he was hacked by your competitors. He betrays you by doing exactly what he was trained to do: keeping time-stamped records of everything he touches, wherever he touches it. The artifact an agent leaves behind, its “provenance,” becomes the audit trail of every activity that may have crossed a line, often without the company or operators being fully aware. But as we will learn today, actual knowledge and imputed knowledge are not the same thing, and you can probably guess which side the law cares about. So long as you “should have known,” that’s often enough to assign liability, and only after it’s too late will it finally become clear how Jake should have been managed all along.

One word on the term “agent” before we go on, because Jake has been doing three jobs at once. An AI agent is a technical system, which Jake plainly was. An agent, in law, is a person or entity who acts to bind a principal. And the law keeps a third, older idea in reserve: a tool whose acts are attributed to whoever set it in motion. Whether Jake was the second or the third, the law has not settled, and the blur between them is exactly where the danger lives.

The record nobody is looking at

Start with what Jake actually left behind, because most people are watching the wrong artifact. When lawyers think about AI and litigation, they picture two things: the prompts someone typed, and the answers the system gave back. Both are already being fought over in discovery, and whether they must be produced is itself contested. But Jake produced a third thing, quieter and more dangerous than either: the retrieval trace, the running record of which documents he reached for, in what order, how they were ranked, and surfaced to whom. The prompt tells you what was asked. The output tells you what was said. Only the trace tells you what the system actually touched on its way there, and that is the record that puts a privileged memo in a room it was never meant to enter.

Courts have not yet named this third category, and I want to be precise about that, because precision is the whole game here. The argument that a retrieval trace is its own species of discoverable evidence is, for now, an argument from the text of the rules rather than a holding anyone can cite. But the direction of travel is not speculative. In the consolidated OpenAI copyright litigation in the Southern District of New York, a magistrate judge ordered the company to preserve and segregate output-log data that would otherwise have been deleted, and later compelled production of a sample running to roughly 20 million records. That is a trial-court discovery order, not binding precedent, and it concerns logs rather than retrieval traces specifically. But it tells you how a court reacts when a litigant says the most probative evidence lives in a system’s own records: it orders the records kept, and handed over. Jake’s trace is the same kind of artifact, one rung more revealing.

Who gets to read the record, and what they do with it

The danger of provenance is not that it exists. It is that, sooner or later, someone other than you gets to read it, and the law hands that record to whoever asks in the right forum. Three people, in particular, will want it.

  1. The regulator you have already met: a data-protection authority does not need to prove that Jake did anything malicious; it only needs activity to have occurred. Under the GDPR, a controller must process personal data with appropriate security (Article 5(1)(f)) and implement appropriate technical and organisational measures to protect it (Article 32). The audit trail you built to demonstrate that you met those duties is the same trail a regulator reads to decide that you did not. And the European Data Protection Board, in its Opinion 28/2024, has made clear that personal data can be extracted from a model’s queries, which anchors the conclusion that an AI system’s query-time handling of that data is itself processing, not some exempt back-office function. So every retrieval Jake performed against personal data was itself a regulated act, logged in full, with a timestamp a supervisory authority can build an inquiry around.

  2. In ordinary litigation, we meet the next party who wants your data, because the Federal Rules reach anything in a party’s possession, custody, or control (Rule 34), and a subpoena reaches the same material in a nonparty’s hands (Rule 45). That much is settled. The contested move is what the record then shows. Attorney-client privilege depends on confidentiality, and the foundational statement of corporate privilege, Upjohn Co. v. United States, extends it to employees beyond the control group precisely so that information can flow to counsel. Here is where the thesis is at its most aggressive; there is no on-point holding that an access-control-blind agent surfacing a privileged file to the wrong employee waives the privilege. Upjohn itself, read carefully, cuts the other way, because the privilege belongs to the company, and circulation among its own people is not disclosure to a third party. The argument that over-dissemination inside the company defeats confidentiality is a contestable extension, not black-letter law. But it is the argument an opponent will run, and the audit trail may make it concrete. Provenance shows the precise moment a walled document crossed the wall.

The opponent has a back-up argument, cleaner because it does not depend on privilege at all. Federal Rule of Evidence 502(b) protects against waiver only where the disclosure was inadvertent, the holder took “reasonable steps” to prevent it, and the holder promptly took reasonable steps to rectify the error. The moment you frame an agent’s overreach as an inadvertent disclosure, your information-governance architecture, your classification and your ethical walls, stops being IT hygiene and becomes a legal element. Build the walls and the log proves your diligence. Skip them and the same log can now be wielded as a weapon.

  1. Finally, the rights holder wants the record for a new reason: to prove intent. Under Copyright law, a finding of willful infringement lifts the statutory-damages ceiling from $30,000 per work to $150,000 (17 U.S.C. § 504(c)(2)), and the burden of proving that willfulness sits with the copyright owner. An audit trail showing that the platform retrieved from a source it had been told was infringing, and kept serving it, is exactly the proof of knowledge or reckless disregard the owner needs. There is a parallel theory that bypasses fair use entirely: removing or altering copyright-management information is a standalone wrong under 17 U.S.C. § 1202(b), to which fair use is no defense. An output stage that reproduces protected text while stripping the author and the notice can satisfy that section regardless of whether the underlying copying was fair, though the section carries a double-scienter requirement: the removal must be intentional and done knowing it will induce, enable, facilitate, or conceal infringement. The provenance log documents both the stripping and the knowledge. This theory is being tested right now: in a complaint filed in May 2026, Cable News Network Inc. v. Perplexity AI, the plaintiff alleges that a retrieval pipeline reproduces its content in near-verbatim form. It is an unadjudicated complaint, not a holding, and I offer it only as a sign of where the fights are heading.

What the record proves is that you knew, or should have known

Everything so far has been about who can read Jake’s record. The deeper problem is what it proves, and this is where the parable’s warning about knowledge comes due. The law cares enormously about what a party knew and when, and a perfect log is, by construction, a perfect account of “knowledge.”

Take the most counterintuitive version: In agency law, an unauthorized act by your agent does not bind you …that is until you ratify it. Under the Restatement (Third) of Agency, a principal is not bound by a ratification made without knowledge of the material facts of the act (§ 4.06), but retaining the benefit of an act with that knowledge will absolutely be binding (§ 4.01(2)(b)). Provenance supplies precisely the missing ingredient to impute knowledge. The log is a durable, tamper-evident account of the material facts of every action Jake took: what he did, on what inputs, at what time, with what result. An operator who keeps that log cannot easily claim they were unaware. Retaining the benefits of a rogue retrieval after the record exists, and you have arguably ratified it, regardless of actual knowledge.

For ratification and willfulness, the log gives an adversary your imputed knowledge to pin on you. But often the law does not even require that much. It only asks what a reasonable party should have known. Article 32 of the GDPR is a reasonableness standard. Rule 502(b) turns on “reasonable steps.” The Defend Trade Secrets Act protects a secret only where the owner took reasonable measures to keep it secret (18 U.S.C. § 1839(3)). These are negligence standards, and negligence does not care whether you actually read the log. It asks whether a competent operator in your position would have understood the risk and acted on it.

You cannot delete your way out

On the American side, once litigation is reasonably anticipated, a duty to preserve attaches, and Federal Rule of Civil Procedure 37(e) governs what happens when electronically stored information that should have been kept is lost. The rule has two tiers, and the distinction matters: curative measures require only a finding of prejudice, but the severe sanctions, an adverse-inference instruction, dismissal, or default, require a finding that the party acted with the intent to deprive the other side of the information. Negligent loss is not enough for the harshest ruling. But here is the cruelty for an AI system: these systems delete by default.

That is fine, until a hold attaches. After that, the privacy-compliant auto-deletion becomes a preservation failure, and if you let it keep running once you are on notice, intent to deprive is certainly arguable. The same instinct that keeps you compliant with the GDPR can manufacture a spoliation finding in a US courtroom. This is not hypothetical: in the OpenAI litigation, the court directed the provider to preserve and segregate output-log data that would otherwise have been deleted, overriding the routine, privacy-driven destruction the company pointed to.

Which leads to the next jaw of the vise, the part that will really ruin your legal team’s day. The American court that orders you to preserve and produce the log may be ordering you to break European law to do it. The GDPR restricts transfers of personal data outside the bloc (Chapter V), and the EU Data Act requires providers to take measures, including contractual ones, to prevent third-country governmental access to non-personal data held in the Union (Article 32). A log full of EU personal data, compelled by a US court, can be a Chapter V transfer the moment it leaves, and there is no settled rule for which obligation yields. The collision was real enough that the preservation obligation was narrowed in OpenAI, by stipulation, to carve EEA, Swiss, and UK data out, an ad hoc accommodation rather than a doctrine. For global enterprise, this is no edge case; the only viable path is anchoring compliance to the strictest regulatory standards worldwide.

The first three steps for counsel

Which brings us back to the question the parable left hanging, how should Jake have been managed all along? If you advise a company that has deployed, or is about to deploy, an agentic system like Jake, three steps are worth taking before the inquiry letter arrives.

One: map the record to the law, not to the architecture. Sit down with whoever built the logging and ask, of each field the system retains, who would want this, in what proceeding, and how can it be used adversarially. The retrieval trace, the access events, the source attributions, the ingestion records: treat each as a potential exhibit and govern it accordingly. The goal is not to log less. It is to know, in advance, exactly what story your record tells, and to whom.

Two: wall the privileged material before the agent can reach it, and document that you did. Classification and ethical walls are no longer IT hygiene; under Rule 502(b) they are the “reasonable steps” that can decide a waiver. An agent that can reach anything reachable is an unreasonable configuration. Scope retrieval to what the matter requires, segregate privileged and matter-specific material, and keep the record that proves the walls were real.

Three: settle retention, jurisdiction, and control by contract, on the assumption that the strictest rule applies. Decide, in writing and before any dispute, how long logs live and how they are deleted, where they are stored and which regimes can compel them, and whether you or your vendor holds the legal right to produce or to withhold. Assume that a preservation duty and a transfer prohibition can collide, because for a global product they will. The company in the parable made all three of these decisions by default, which is to say it let its vendor and its software make them for it.

Frequently asked questions

Isn’t provenance still a net positive? A complete, well-governed record is an asset, and operating without one is worse. The argument is narrow: the same record is simultaneously your best defense and your adversary’s best offense. A lawyer who plans only for the first use has not finished the job. Keep the record, build it knowing it cuts both ways.

We minimize and auto-delete aggressively. Doesn’t that solve it? It helps with one jaw of the trap but tightens the other. Aggressive deletion supports data-minimization and can reduce what an adversary eventually obtains. But once a preservation duty attaches, that same deletion is a spoliation risk, and if it keeps running after you are on notice, it can start to look like intent. Minimization is a default posture, not a litigation-hold strategy, and the two have to be designed to coexist.

Is this a retrieval-augmented-generation problem specifically? No, and that is the part most worth internalizing. The retrieval trace is the sharpest illustration, but the underlying exposure attaches to any AI system that keeps a record of what it did, which is all of them. If your architecture moves away from retrieval, the specific trace may disappear; the record, and the liability that rides on it, does not.

We operate only in the United States. Does the European material apply to us? If your users, your data, or your processing ever touch the European Union, yes, and for most products at scale they do. The reason to design to the strictest applicable regime is not European zeal. It is that a globally distributed product is subject to the union of every regime it reaches, and on at least one axis, preserve-here and do-not-transfer-there, two of those regimes point in opposite directions at the same time.

Should we just stop logging the most sensitive operations? Only if you would also accept being unable to prove you behaved, unable to satisfy a breach-notification duty, and unable to defend against a waiver claim. Going dark trades a known, manageable exposure for an unknown, unmanageable one. The answer is not less record. It is a record built, from the first entry, for the day someone else reads it.


I serve as outside product, commercial, and IP counsel to technology companies across the product lifecycle: IP and content rights, privacy and data protection, platform terms, and AI governance, including the privilege, e-discovery, and cross-border data questions an agent like Jake raises. If this touches your product, get in touch.

This article is general information, not legal advice, and should not be relied on as such; it reflects the law as of June 2026, and reading it does not create an attorney-client relationship. Liam J Penwell is the professional name of Jason Penwell, Esq. (State Bar of California No. 339157), licensed in California. Penwell Law · Burlingame, California · Contact.

← Back to all posts

Subscribe

New posts, in your inbox.

About one email a week, whenever something new goes up: AI governance, privacy, and IP & content-rights commentary. No spam; unsubscribe in one click.

We’ll only use your email to send new posts. Unsubscribe anytime. See our Privacy Policy.