AIFC-022: AI-NDA Boundary
Status: Draft 0.1
Standard: AI-First Community Standard
Abbreviation: AIFC
Builds on:
- AIFC-000 Manifesto of an AI-first community
- AIFC-001 Core Concepts
- AIFC-002 Community Model
- AIFC-010 Knowledge Structure
- AIFC-011 Operational DNA
- AIFC-020 Human-Managed AI
- AIFC-021 AI as External Expert Capacity
Purpose of this document: Define the AI-NDA Boundary: the confidentiality, access, processing, storage, training, audit, revocation, and incident boundary that governs how AI may work with non-public community know-how.
1. Purpose of this document
This document defines how an AIFC community protects its non-public know-how when using AI.
AI may be extremely useful, but it may also behave like external intelligence with access to internal memory.
When AI reads internal documents, prompts, customer context, decision logic, workflows, or Operational DNA, the community must know:
- what AI may see,
- what AI must not see,
- why AI receives access,
- where data is processed,
- whether data is stored,
- whether data may be used for training,
- who can see prompts and outputs,
- how access is audited,
- how access is revoked,
- how incidents are handled,
- and how the community prevents lock-in.
The AI-NDA Boundary is the AIFC mechanism for making this explicit.
2. Core principle
The core principle of this document is:
AI must not access non-public community know-how without a defined AI-NDA Boundary.
AI may help with internal knowledge only when the community has consciously defined the boundary.
AIFC therefore says:
Treat AI access to non-public know-how like access by external intelligence.
The point is not to block AI.
The point is to govern what the community is exposing and under what conditions.
3. Definition
AI-NDA Boundary is the approved boundary that defines how AI may work with non-public or sensitive community know-how.
It defines:
- data classification,
- allowed data,
- forbidden data,
- purpose limitation,
- processing location,
- storage and retention,
- use for training,
- prompt and output visibility,
- agent memory rules,
- auditability,
- revocation,
- incident response,
- owner,
- lifecycle,
- relationship to source of truth and Operational DNA.
The AI-NDA Boundary is not only a legal idea.
It is an operational governance boundary.
4. Why AI-NDA Boundary matters
Without a boundary, AI use can quietly expand.
What starts as a simple summary may become:
- analysis of internal strategy,
- work with customer information,
- interpretation of Operational DNA,
- decision support over sensitive data,
- creation of derived know-how,
- storage of context in agent memory,
- informal external memory of the community.
This may happen without anyone making an explicit decision.
The AI-NDA Boundary prevents the community from confusing convenience with consent.
Minimum requirement
Every significant AI use over non-public know-how must have an explicit and traceable AI-NDA Boundary.
5. AI-NDA is not optional for non-public knowledge
If the knowledge is public, the boundary may be light.
If the knowledge is internal, restricted, customer-related, security-related, legal, financial, personal, or part of Operational DNA, the boundary is mandatory.
The community must not assume that a tool is safe just because it is easy to use.
Ease of use is not a confidentiality model.
Minimum requirement
Non-public know-how must not be shared with AI without an approved purpose, scope, owner, and data boundary.
6. Data classification
AIFC recommends classifying data before using it with AI.
Public
Public data is intentionally available outside the community.
Examples:
- public website content,
- published standard,
- public documentation,
- public announcements.
Internal
Internal data is not secret, but is intended for the community.
Examples:
- internal process notes,
- working drafts,
- non-public planning documents,
- internal meeting summaries.
Restricted
Restricted data requires stronger protection.
Examples:
- customer data,
- personal data,
- credentials,
- security details,
- legal or financial information,
- HR information,
- private partner information.
Operational DNA
Operational DNA is a high-value form of community know-how.
It includes how the community actually works:
- workflows,
- decision logic,
- roles,
- skills,
- fallback procedures,
- critical operating patterns,
- sensitive knowledge structure.
Operational DNA requires explicit approval before AI access.
Minimum requirement
AI use must respect data classification and treat Operational DNA as a protected category.
7. Purpose limitation
AI may access data only for an approved purpose.
The same data may be acceptable for one purpose and unacceptable for another.
For example:
- using internal documentation to detect duplicates may be acceptable,
- using the same documentation to train an external model may not be acceptable,
- using anonymized support tickets for pattern detection may be acceptable,
- using raw tickets for external AI chat may not be acceptable.
Minimum requirement
Every AI-NDA Boundary must define the purpose for which AI may use the data.
8. Allowed data
Allowed data describes what AI may access.
It should be specific enough to avoid ambiguity.
Examples:
- selected public pages,
- specific internal documentation folders,
- anonymized support tickets,
- approved decision records,
- non-restricted workflow descriptions,
- selected source of truth artefacts.
Minimum requirement
The AI-NDA Boundary must define allowed data in a way that is understandable to humans and enforceable in practice.
9. Forbidden data
Forbidden data describes what AI must not access.
Examples:
- credentials and secrets,
- raw personal data,
- unrestricted customer data,
- restricted HR data,
- legal privileged documents,
- unapproved Operational DNA,
- security vulnerabilities without approval,
- data outside the approved scope,
- data from another community without permission.
Minimum requirement
The AI-NDA Boundary must define forbidden data, and the community must treat violation as a governance issue.
10. Need-to-know principle
AI should receive only the data required for the approved purpose.
It should not receive all available context simply because more context might improve the answer.
The need-to-know principle limits exposure, reduces risk, and prevents accidental transfer of know-how.
Minimum requirement
AI access must follow least privilege, need to know, purpose limitation, auditability, and revocation.
11. Processing location
The community must know where AI processing happens.
This may include:
- local device,
- community-controlled infrastructure,
- vendor cloud,
- third-party subprocessors,
- cross-border processing,
- temporary processing environment.
Processing location affects confidentiality, law, security, and exit strategy.
Minimum requirement
AI-NDA Boundary must define or reference the processing environment for non-public data.
12. Storage and retention
AI use may create stored artefacts:
- prompts,
- outputs,
- logs,
- embeddings,
- agent memory,
- temporary files,
- review records,
- derived summaries.
The community must know what is stored, where, for how long, and who can delete it.
Minimum requirement
AI-NDA Boundary must define storage and retention rules for prompts, outputs, logs, and memory when non-public data is involved.
13. Training use
The community must know whether data, prompts, outputs, or derived artefacts may be used to train or improve a model.
Training use is different from temporary processing.
If non-public know-how enters a training pipeline, it may become difficult or impossible to remove.
Minimum requirement
Non-public community know-how must not be used for model training unless this is explicitly approved.
14. Prompt and output visibility
Prompts and outputs may contain sensitive information even when source files are protected.
The community must know:
- who can see prompts,
- who can see outputs,
- whether prompts are logged,
- whether outputs are shared,
- whether outputs can be exported,
- whether outputs can be searched,
- whether outputs can be reused by agents.
Minimum requirement
AI-NDA Boundary must define visibility of prompts and outputs for non-public work.
15. Derived knowledge
AI may create derived knowledge.
Derived knowledge may be:
- a summary,
- pattern,
- rule,
- classification,
- decision support,
- risk note,
- workflow proposal,
- skill update,
- extracted operating logic.
Derived knowledge can still be sensitive even when it does not contain the original text.
Minimum requirement
Derived knowledge from non-public or restricted data must be classified and handled according to its sensitivity.
16. Agent memory
Agent memory is especially sensitive.
If an agent remembers internal context, it can become an external memory of the community.
Memory rules must define:
- whether memory is allowed,
- what may be stored,
- what must not be stored,
- who can view it,
- how it is exported,
- how it is deleted,
- how it is audited,
- how it is prevented from replacing the source of truth.
Minimum requirement
Agent memory must not store restricted know-how or Operational DNA without explicit approval and review.
17. Source of truth protection
AI must not become a substitute source of truth.
The source of truth remains the authoritative community memory.
AI may read, summarize, propose, and help maintain it.
But approved knowledge, decisions, workflows, skills, and Operational DNA must remain in community-owned structures.
Minimum requirement
AI-generated or AI-derived know-how that matters must be assessed for return to the source of truth.
18. Operational DNA protection
Operational DNA requires stronger protection than ordinary internal content.
AI access to Operational DNA may reveal how the community actually works, decides, recovers, and learns.
This access requires:
- explicit purpose,
- approved owner,
- limited scope,
- AI-NDA Boundary,
- audit,
- memory rules,
- output review,
- exit strategy.
Minimum requirement
AI access to Operational DNA must be explicit, limited, auditable, and revocable.
19. Redaction and minimization
Before giving data to AI, the community should minimize exposure.
Methods may include:
- removing identifiers,
- anonymizing personal data,
- replacing customer names,
- selecting only necessary excerpts,
- using synthetic examples,
- separating restricted context,
- using summaries where raw data is not needed.
Minimum requirement
When possible, non-public AI use must apply redaction or minimization before exposing data.
20. Human approval
Some AI access requires human approval.
Approval is required especially for:
- restricted data,
- Operational DNA,
- customer data,
- security information,
- legal or HR information,
- agent memory over non-public data,
- model training use,
- cross-community data.
Minimum requirement
High-risk AI access must be approved by an accountable human or governance body before use.
21. Auditability
AI-NDA Boundary must be auditable in proportion to risk.
Audit may record:
- who approved the boundary,
- what purpose was approved,
- what data was allowed,
- what data was forbidden,
- what tool, model, or vendor was used,
- where processing occurred,
- whether storage or training was allowed,
- what prompts and outputs were created,
- who reviewed the output,
- what incidents occurred.
Minimum requirement
AI use over restricted data or Operational DNA must have an audit trail.
22. Revocation
AI access must be revocable.
Revocation may include:
- removing permissions,
- disabling an integration,
- deleting temporary data,
- deleting agent memory,
- rotating credentials,
- stopping a workflow,
- closing an AI engagement,
- updating the boundary.
Minimum requirement
Every AI-NDA Boundary must define how access can be revoked.
23. Incident response
An AI-NDA incident occurs when AI sees, stores, exposes, or uses data outside the approved boundary.
Examples:
- restricted data pasted into an unapproved tool,
- Operational DNA shared without approval,
- prompt logs exposed to the wrong audience,
- agent memory stores sensitive content,
- vendor changes training policy,
- output reveals hidden internal logic,
- data from another community is used without permission.
Incident response should include:
- containment,
- assessment,
- notification of owner,
- revocation or restriction,
- cleanup,
- decision record if significant,
- update of rules or skills,
- retrospective.
Minimum requirement
AI-NDA Boundary must define how incidents are reported and handled.
24. AI-NDA Boundary lifecycle
AI-NDA Boundary has a lifecycle.
Recommended states:
draft
proposed
approved
active
paused
under_review
revoked
expired
archived
Why it matters
A boundary is not a one-time checkbox.
It may need review when data, purpose, model, vendor, memory, autonomy, or output type changes.
Minimum requirement
AI-NDA Boundary must have an owner, status, and review trigger.
25. Relationship with AI engagement
AI engagement defines why and for what AI is used.
AI-NDA Boundary defines what AI may see and under what conditions.
They should reference each other when the engagement involves non-public data.
Minimum requirement
An AI engagement involving non-public data must reference an approved AI-NDA Boundary.
26. Relationship with Human Cockpit Layer
The Human Cockpit Layer should make AI-NDA Boundaries visible.
It may show:
- active AI engagements,
- approved data boundaries,
- owners,
- risk level,
- data classification,
- AI tools or vendors,
- memory status,
- incidents,
- review dates,
- revocation status.
Without visibility, the boundary may exist on paper but not in operations.
Minimum requirement
Significant AI-NDA Boundaries must be visible to accountable humans.
27. Relationship with AI-off fallback
AI-NDA Boundary and AI-off fallback are connected.
If a boundary blocks AI use for a risky data area, the community still needs a way to do the work.
Human Capability Reserve and AI-off fallback reduce pressure to violate the boundary.
Minimum requirement
Critical work that cannot safely use AI must have a non-AI path or an approved risk.
28. Suggested metadata
Example metadata for an AI-NDA Boundary:
ai_nda_boundary:
  id:
  title:
  status: draft | proposed | approved | active | paused | under_review | revoked | expired | archived
  owner:
  approved_by:
  purpose:
  related_ai_engagement:
  data_classification:
    - public
    - internal
    - restricted
    - operational_dna
  allowed_data:
  forbidden_data:
  processing_location:
  tool_or_vendor:
  model:
  training_use_allowed: true | false
  storage_allowed: true | false
  retention:
  prompt_visibility:
  output_visibility:
  memory_allowed: true | false
  memory_rules:
  audit_required: true | false
  revocation_method:
  incident_response:
  review_cycle:
  last_reviewed:
This structure is illustrative.
The final schema should be defined in the agent-actionable layer of the standard.
29. Boundary levels
AIFC may use boundary levels to make AI access easier to govern.
Level 0 - Public AI Use
AI works only with public data.
Governance may be light, but outputs still need review when they become source of truth.
Level 1 - Internal AI Use
AI works with non-public internal data that is not restricted.
Requires purpose, owner, scope, and basic audit.
Level 2 - Restricted AI Use
AI works with restricted, customer, personal, legal, security, or sensitive operational data.
Requires explicit approval, strong boundary, audit, minimization, and incident response.
Level 3 - Operational DNA AI Use
AI works with Operational DNA.
Requires explicit governance approval, limited scope, AI-NDA Boundary, audit, memory rules, owner review, and exit strategy.
Minimum requirement
The community must classify significant AI access by boundary level or an equivalent risk model.
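As an added example (not part of the AIFC standard or its schema), the following sketch checks a boundary record shaped like the illustrative metadata in section 28 against a selection of the minimum requirements stated in this document. The function names, the choice of rules, the use of review_cycle as the review trigger, and the sample records are assumptions.

```python
# Added example, not part of the AIFC standard. Field names follow the
# illustrative metadata in section 28; the rule selection is an assumption.
NON_PUBLIC = {"internal", "restricted", "operational_dna"}
HIGH_RISK = {"restricted", "operational_dna"}
# Section 24; review_cycle stands in for the review trigger (assumption).
ALWAYS = ("owner", "status", "review_cycle")
IF_NON_PUBLIC = ("purpose", "allowed_data", "forbidden_data",
                 "processing_location", "retention", "prompt_visibility",
                 "output_visibility", "revocation_method", "incident_response")

def check_boundary(b):
    """Return the list of violations for one ai_nda_boundary record (a dict)."""
    classes = set(b.get("data_classification") or [])
    problems = []
    if not classes or classes - NON_PUBLIC - {"public"}:
        problems.append("data_classification missing or unknown")
    required = ALWAYS + (IF_NON_PUBLIC if classes & NON_PUBLIC else ())
    problems += ["missing " + f for f in required if not b.get(f)]
    # Section 13: training use is an explicit decision, never a default.
    if classes & NON_PUBLIC and not isinstance(b.get("training_use_allowed"), bool):
        problems.append("training_use_allowed not decided")
    if classes & HIGH_RISK:
        if not b.get("approved_by"):                    # section 20
            problems.append("missing approved_by")
        if b.get("audit_required") is not True:         # section 21
            problems.append("audit_required must be true")
        if b.get("memory_allowed") and not b.get("memory_rules"):  # section 16
            problems.append("memory_allowed without memory_rules")
    return problems

def may_use(b):
    """Section 25: AI may work only under an approved or active boundary."""
    return b.get("status") in {"approved", "active"} and not check_boundary(b)

# Constructed sample records (hypothetical values).
GOOD = {
    "owner": "support-lead", "status": "active", "review_cycle": "quarterly",
    "approved_by": "governance-board", "purpose": "pattern detection",
    "data_classification": ["restricted"],
    "allowed_data": ["anonymized support tickets"],
    "forbidden_data": ["credentials", "raw personal data"],
    "processing_location": "community-controlled infrastructure",
    "training_use_allowed": False, "retention": "30 days",
    "prompt_visibility": "owner", "output_visibility": "support team",
    "memory_allowed": False, "audit_required": True,
    "revocation_method": "disable integration",
    "incident_response": "notify owner, contain, review",
}
# Same record with audit switched off, memory enabled without rules,
# and no training decision recorded.
BAD = {**GOOD, "audit_required": False, "memory_allowed": True}
del BAD["training_use_allowed"]

if __name__ == "__main__":
    print(may_use(GOOD), check_boundary(BAD))
```

A check like this fits at the point where an AI engagement is opened or a boundary changes status, so that a record cannot move to approved or active while a required field is empty.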
30. Anti-patterns
AIFC rejects the following anti-patterns.
30.1 AI access by convenience
AI receives data because it is easy, not because the boundary was approved.
30.2 No distinction between public and internal
The community treats non-public knowledge as if it were public.
30.3 No training rule
Nobody knows whether prompts, outputs, or data can be used for model training.
30.4 Prompt leakage ignored
The source file is protected, but sensitive content leaks through prompts.
30.5 Derived knowledge unclassified
AI summaries and extracted patterns are treated as harmless even when they reveal sensitive know-how.
30.6 Agent memory as uncontrolled storage
Agent memory stores non-public know-how without owner, audit, or deletion path.
30.7 Operational DNA sent to AI without explicit approval
Critical operating logic is exposed without a governed boundary.
30.8 AI-NDA Boundary without owner
A boundary exists, but nobody is accountable for it.
30.9 AI-NDA Boundary without revocation
Access is granted but cannot be safely removed.
30.10 AI-NDA Boundary without incident response
The community has no procedure for handling boundary violations.
31. Minimal requirements
In the area of AI-NDA Boundary, an AIFC community must at minimum:
- Define an AI-NDA Boundary for significant AI use over non-public know-how.
- Classify data before exposing it to AI.
- Treat Operational DNA as a protected category.
- Define the purpose of AI access.
- Define allowed data.
- Define forbidden data.
- Apply least privilege and need-to-know.
- Define processing location for non-public data.
- Define storage and retention rules.
- Explicitly approve or forbid training use.
- Define prompt and output visibility.
- Classify derived knowledge.
- Define agent memory rules.
- Protect the source of truth from being replaced by AI memory.
- Require explicit approval for AI access to Operational DNA.
- Use redaction or minimization where possible.
- Require human approval for high-risk AI access.
- Maintain an audit trail for restricted data or Operational DNA.
- Define revocation.
- Define incident response.
- Give the boundary an owner, status, and review trigger.
- Link AI engagements involving non-public data to an approved boundary.
- Make significant boundaries visible to accountable humans.
- Provide a non-AI path or approved risk when AI cannot safely access required data.
32. Summary
The AI-NDA Boundary protects the community from uncontrolled exposure of its non-public know-how.
AI can help the community understand, synthesize, and improve its knowledge.
But the community must govern what it shares with external intelligence.
Without a boundary, AI may become:
- hidden external memory,
- uncontrolled consultant,
- accidental data processor,
- source of derived sensitive knowledge,
- lock-in point,
- or an unmanaged part of Operational DNA.
AIFC therefore says:
Use AI with internal knowledge consciously.
Define what AI may see.
Define what AI must not see.
Protect Operational DNA.
Audit access.
Keep revocation possible.
Keep the source of truth community-owned.
AI-NDA Boundary turns AI confidentiality from assumption into governed practice.