Where Does AI Classification Custody Attach?

Recently I have been encountering this question on a daily basis, even when I am not actively thinking about AI: assume an AI reads compartmented information and produces a lower-control output (a lower-classification output you could genuinely publish!). Where should classification custody attach? To the File, to the Prompt, to the Memory, to the Output, or to the whole Workflow?

The short answer is that classification custody should not attach to just one artifact. It should attach to the information state across the workflow, with each artifact inheriting controls based on the information it contains or can reconstruct.

A useful way to think about it is as a chain of custody rather than a property of a single file.

Source file — Yes. The original classified document retains its classification.

Prompt — Sometimes. If the prompt contains classified information or reveals sensitive details, it becomes classified too.

Model memory (context window) — Yes. While the AI is processing the information, its active context is effectively holding classified material.

Output — According to its content. The summary should be classified based on what it actually reveals—not automatically according to the source document’s classification.

Entire workflow — Absolutely. The workflow determines how information moves, who can access it, and whether it can safely cross security boundaries.

The central governance problem

Traditional security models assume that classification belongs primarily to documents.

Large language models break this assumption because information exists in multiple transient forms:

  • document
  • token stream
  • model context window
  • internal reasoning state (not observable)
  • generated output
  • cached conversation history
  • vector memory
  • downstream API calls

Why custody cannot attach only to the output

Because even if the output is downgraded, the processing environment remains within the higher classification domain: the AI could have processed compartmented sources, the model context could have contained compartmented information, and, last but not least, logs may contain fragments of the source.

Why custody cannot attach only to memory

Custody has to extend beyond transient memory. One could argue that the model’s context window temporarily “owns” the classification, but memory disappears. If custody vanished with the context, organizations would lose accountability for audit trails, access records, provenance, and authorization decisions.

Why workflows become the security boundary

Modern AI systems increasingly operate as workflows rather than isolated prompts. The workflow—not any individual artifact—defines who can access each stage, what information may be transformed and which controls apply. This aligns with established information-flow control principles, where the primary concern is preventing unauthorized movement of information between security domains.


A useful governance principle

Classification custody attaches to every computational state that contains, derives from, or can materially reconstruct classified information, and persists across the information-processing workflow until an authorized downgrading or declassification decision is completed.
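
The principle above can be modelled as label propagation over workflow states. The following Python code is an added example, not code from the original post; the three-level ordering, the `Workflow` class, the artifact names and the `release-officer` role are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum
class Level(IntEnum):  # assumed three-level ordering, illustration only
    PUBLIC = 0
    RESTRICTED = 1
    COMPARTMENTED = 2

@dataclass
class Artifact:
    name: str
    kind: str  # file, prompt, context, log, output
    level: Level
    parents: tuple = ()

class Workflow:
    def __init__(self, authorized_reviewers):
        self.authorized = set(authorized_reviewers)
        self.artifacts = {}
        self.audit = []  # custody record that outlives transient states

    def add(self, name, kind, *parents, level=Level.PUBLIC):
        # A state carries the highest label among its own content and its inputs.
        level = max([level] + [p.level for p in parents])
        art = Artifact(name, kind, level, tuple(p.name for p in parents))
        self.artifacts[name] = art
        self.audit.append(("create", name, level.name, art.parents))
        return art

    def downgrade(self, art, new_level, reviewer):
        # Only a recorded, authorized decision lowers a label.
        if reviewer not in self.authorized:
            self.audit.append(("downgrade-denied", art.name, reviewer))
            raise PermissionError(f"{reviewer} may not downgrade {art.name}")
        self.audit.append(("downgrade", art.name, art.level.name, new_level.name, reviewer))
        art.level = new_level

    def high_water_mark(self):  # highest label present anywhere in the workflow
        return max(a.level for a in self.artifacts.values())

    def may_release(self, art, domain):
        return art.level <= domain

def demo():  # constructed scenario: one compartmented file is summarised
    wf = Workflow({"release-officer"})
    src = wf.add("report.pdf", "file", level=Level.COMPARTMENTED)
    prompt = wf.add("summarise-request", "prompt")
    ctx = wf.add("context-window", "context", src, prompt)
    wf.add("summary", "output", ctx)
    wf.add("inference-log", "log", ctx)
    return wf
```

After an authorized downgrade of the summary, `may_release` permits it at the lower level while `high_water_mark()` still reports the compartmented level, because the context and log states keep their labels.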


Implications for AI risk management

This shifts governance from a document-centric model to a state-centric or workflow-centric model. Instead of asking, “What is the classification of this file?”, organizations ask, “What is the highest sensitivity of information present anywhere in this processing state, and what controls are required until that state is safely transformed?”

For AI systems, this perspective is more robust because it recognizes that sensitive information can exist simultaneously in prompts, runtime context, memory, logs, outputs, and orchestration logic. The security boundary is therefore the end-to-end information-processing workflow, with each artifact inheriting controls appropriate to the information it contains while the workflow as a whole preserves continuous custody until an authorized release decision is made.

Published by szarghani

I am a C#/Java developer. I live and work in Germany.
