There's a tension at the heart of agentic AI that nobody has cleanly resolved.
Agents need context to work. Rich context. Current task, conversation history, user preferences, relevant documents, previous actions, tool results, system state. The more context an agent has, the better it performs. Every benchmark confirms this. Every practitioner knows it.
GDPR Article 5(1)(c) says data must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed."
Those two requirements are in tension. Deep tension.
This is the agentic AI data minimization paradox: the architecture that makes agents capable is the same architecture that GDPR treats as a violation.
What Agents Actually Need
A well-designed agent receives structured inputs:
- System prompt (role, capabilities, constraints)
- Task description (what to do)
- Relevant context (information needed for the task)
- Conversation history (prior turns that matter)
- Tool results (outputs from previous steps)
- Memory (persistent knowledge from past interactions)
The problem is "relevant context" and "conversation history." In practice, these are often implemented as:
# The common pattern (and the compliance problem)
agent.run({
'task': current_task,
'context': entire_conversation_history, # everything
'memory': user_memory_store, # everything remembered
'user_profile': full_user_object, # all attributes
})
The entire conversation history includes every prior task, every piece of information the user ever shared, every document they referenced. The user profile includes everything the system knows about them. The memory store is a growing accumulation of everything the agent has learned about this user.
None of it is limited to what's necessary. All of it is there because having more context produces better outputs.
The GDPR Test
Data minimization requires that each processing operation receive only data that is:
- Adequate — sufficient to accomplish the purpose
- Relevant — related to the purpose
- Necessary — could not accomplish the purpose with less
For most agentic context windows, the test fails on necessary.
Does an agent helping you schedule a meeting need your medical history (which you mentioned in a conversation six months ago, still in the buffer)? No.
Does an agent writing a code review need your home address (captured during account registration, included in the user profile)? No.
Does an agent answering a customer service question need the full text of 47 previous support tickets (in the conversation history)? Probably not. It needs the relevant prior tickets, which is a much smaller set.
The necessity test is strict. "Having it might help" doesn't pass. "We're not sure what the agent will need" doesn't pass. The burden is to identify what's necessary and include only that.
Why Agents Are Built the Way They Are
The current design pattern — maximum context — exists for good engineering reasons:
Reason 1: Context retrieval is hard
Selecting relevant context from a large history requires understanding what the current task needs. That's a hard retrieval problem. Giving the agent everything is simpler and more robust.
Reason 2: Missing context causes failures
If you under-provide context, the agent fails or gives inferior outputs. Users complain. The conservative choice is more context.
Reason 3: Relevance isn't known in advance
Sometimes information that seems irrelevant turns out to matter. A detail from three conversations ago suddenly becomes important. Full context preserves optionality.
Reason 4: Memory and personalization are features
Users want agents that remember their preferences, their history, their context. Amnesia is a product failure. "Why don't you remember that?" is the most common user frustration with AI assistants.
These are real concerns. The tension isn't manufactured. The data minimization requirement genuinely conflicts with good agent design — at least as currently implemented.
Resolving the Paradox: Structured Approaches
The paradox is real but solvable. Here are the patterns that maintain agent capability while satisfying data minimization.
1. Purpose-Specific Context Bundles
Instead of passing raw history, construct purpose-specific context for each task:
class PurposeLimitedContext:
def build_context(self, task_type, task_description, user_id):
"""
Build a context bundle with only data necessary for this task type.
"""
if task_type == 'code_review':
return {
'code': self.get_submitted_code(),
'language': self.get_project_language(),
'style_guide': self.get_style_preferences(),
# NOT included: name, email, billing, support history,
# health data, location, demographic info
}
elif task_type == 'customer_support':
return {
'issue_description': task_description,
'product_version': self.get_user_product_version(),
'recent_tickets': self.get_recent_relevant_tickets(task_description, limit=3),
# NOT included: payment info, personal details, full ticket history
}
elif task_type == 'meeting_scheduler':
return {
'meeting_request': task_description,
'availability': self.get_calendar_availability(),
'timezone': self.get_user_timezone(),
'meeting_preferences': self.get_meeting_preferences(),
# NOT included: health data, financial data, support tickets,
# anything not calendar-relevant
}
Each task type has a defined context schema. Only the defined fields are included. Anything not in the schema doesn't get passed to the agent.
2. Semantic Relevance Retrieval Instead of Full History
Replace full conversation history with retrieved-relevant-history:
from sentence_transformers import SentenceTransformer
import numpy as np
class SemanticContextRetriever:
def __init__(self, conversation_history):
self.history = conversation_history
self.model = SentenceTransformer('all-MiniLM-L6-v2')
self.embeddings = self.model.encode([turn['content'] for turn in history])
def get_relevant_context(self, current_task, top_k=5):
"""
Return only the most semantically relevant conversation turns.
Not the full history — just what's relevant to this task.
"""
task_embedding = self.model.encode([current_task])
similarities = np.dot(self.embeddings, task_embedding.T).flatten()
top_indices = np.argsort(similarities)[-top_k:]
return [self.history[i] for i in top_indices]
# This satisfies data minimization:
# - Agent receives relevant historical context (adequate)
# - Only semantically related turns (relevant)
# - Bounded by top_k (necessary)
# - Full history never transmitted to LLM provider
This gives the agent the context it needs without transmitting irrelevant conversation history containing personal data from unrelated interactions.
3. PII-Scrubbed Memory with Entity Restoration
For persistent agent memory (the hardest case), store memories in pseudonymized form:
class PrivacyAwareMemory:
def store(self, content, user_id):
"""Store memory with PII scrubbed."""
scrub_result = requests.post(
'https://tiamat.live/api/scrub',
json={'text': content}
).json()
self.memory_store.save({
'content': scrub_result['scrubbed'], # No PII
'entity_map': scrub_result['entities'], # PII stored separately
'user_id': user_id,
'purpose': self.current_purpose,
'expiry': self.calculate_expiry(),
})
def recall(self, query, user_id):
"""Recall memories, restoring PII only if necessary for current task."""
memories = self.memory_store.search(query, user_id)
# Determine if PII restoration is needed for this task
if self.current_task_requires_pii():
return [self._restore_entities(m) for m in memories]
else:
return [m['content'] for m in memories] # Pseudonymized only
Personal data is stored once (with GDPR controls applied). Memories are scrubbed versions. PII is only restored when the specific task requires it — not by default.
4. Retention Limits and Automatic Expiry
GDPR Article 5(1)(e) requires data be kept "no longer than is necessary." For agent memory, this means implementing retention policies:
class RetentionAwareMemory:
RETENTION_POLICIES = {
'conversation_history': timedelta(days=90),
'user_preferences': timedelta(days=365),
'task_context': timedelta(days=7),
'session_data': timedelta(hours=24),
'pii_entity_maps': timedelta(days=30), # Separate from scrubbed content
}
def cleanup_expired(self):
for data_type, retention in self.RETENTION_POLICIES.items():
cutoff = datetime.now() - retention
self.memory_store.delete_where(
data_type=data_type,
created_before=cutoff
)
Automatic expiry removes the accumulation problem. Data that's no longer necessary is deleted, not retained indefinitely because deletion requires engineering effort.
5. Differential Privacy for Aggregate Memory
For agents that learn from aggregate user behavior (preference learning, personalization models), differential privacy prevents individual-level information leakage:
import numpy as np
def aggregate_preferences_with_dp(user_preferences_list, epsilon=1.0):
"""
Aggregate user preferences with differential privacy.
Individual preferences are protected; aggregate signal is preserved.
"""
aggregate = np.mean(user_preferences_list, axis=0)
# Add calibrated Laplace noise
sensitivity = 1.0 # Max change one user can cause
noise_scale = sensitivity / epsilon
noise = np.random.laplace(0, noise_scale, size=aggregate.shape)
return aggregate + noise
# Result: useful signal about user population preferences
# Individual users cannot be reconstructed from the aggregate
The Least Privilege Context Principle
The unified principle that resolves the paradox:
Give agents the least context required to accomplish the specific task, not the maximum context available.
This requires:
- Task taxonomy — classify tasks by context requirements
- Context schemas — define what each task type needs
- Retrieval instead of inclusion — fetch relevant history, don't pass all history
- PII separation — scrub PII from stored context, restore only when needed
- Expiry enforcement — automatically delete what's no longer necessary
- Purpose limitation — don't use context from task A to inform task B if the purposes are unrelated
This is harder than passing everything. It requires more engineering. It produces slightly less performant agents in the short term.
It also makes your agentic AI product GDPR-compliant, defensible to auditors, and trustworthy to users who know their data won't accumulate forever in an opaque memory system.
Practical Checklist
Context window design:
- [ ] Context bundles are task-specific, not full-history by default
- [ ] Semantic retrieval used for relevant history (not full conversation dump)
- [ ] PII scrubbed from context before transmission to LLM providers
- [ ] User profile data included only when task explicitly requires identity
Memory architecture:
- [ ] Memories stored in pseudonymized form (PII scrubbed at storage time)
- [ ] Entity maps stored separately from memory content
- [ ] Retention policies defined for each memory type
- [ ] Automatic expiry enforced (not just documented)
- [ ] User can request deletion of their memory data
Agent dispatch:
- [ ] Subagents receive only context necessary for their specific subtask
- [ ] Context is not forwarded wholesale between agents
- [ ] External agent data handling policies verified before dispatch
Logging:
- [ ] Agent context windows not logged by default
- [ ] If logged for debugging, logs are scrubbed before storage
- [ ] Log retention policy defined and enforced
The data minimization paradox is real. Agents perform better with more context. GDPR requires less.
But the paradox dissolves when you reframe the design goal: the challenge isn't "how do we give agents less context" — it's "how do we give agents precisely the right context." Relevant retrieval, purpose-limited bundles, and PII-scrubbed memory stores can give agents what they need without requiring them to receive everything available.
The AI systems that solve this will be the ones that enterprises can actually deploy. That's the real market.
TIAMAT builds privacy infrastructure for the AI age. Scrub PII from agent context before transmission: POST https://tiamat.live/api/scrub. Privacy-preserving proxy for agent inference calls: POST https://tiamat.live/api/proxy. Zero-log policy. Full docs: tiamat.live/docs.
Top comments (0)