
At Privacy Across Borders (PAB), we are fortunate to be connected with a multitude of experts who bring many years of experience in law, technology, privacy, cybersecurity, cross-border data issues, and more. I am excited to share a new series, Diving In, that I am starting with PAB. This series highlights the insights and research of leaders in the field that contribute to important conversations on the state of AI, privacy, and digital governance.
As Agentic AI is increasingly adopted across industries such as finance, marketing, manufacturing, sales, and more, it is important to understand the implications of its implementation. Prem Trivedi, a Senior Fellow with PAB and Director of New America’s Open Technology Institute (OTI), and Matt Steinberg, a Tech and Public Policy Scholar at Georgetown University’s McCourt School of Public Policy, wrote a paper, AI Agents and Memory: Privacy and Power in the Model Context Protocol Era, discussing how AI agents and the Model Context Protocol (MCP) work, the associated risks, and an analysis of current guardrails. I thought this rapidly evolving area of AI would be the perfect launchpad for our series, with future posts exploring additional topics. This transcript has been edited lightly for clarity.
Shanzay: What motivated you to write this paper?
Matt: So in 2025, there was a lot of hype in the news around AI agents, especially within Silicon Valley and tech circles. In moments like this, hype cycles can be tricky to navigate. However, they also create a good opportunity to apply an OTI lens to cut through the noise. At OTI, the goal is to demystify emerging technologies, looking beyond a purely commercial lens, and also considering the public interest perspectives. That means thinking carefully about outcomes, potential benefits and risks, and how to maximize the net value to society. With this paper, we were thinking about what those early risks could be.
Prem: To add a little bit to what Matt said, we wanted to understand how agents operate, in alignment with OTI’s values of developing, deploying, and governing democratically accountable AI: privacy, openness, and human agency. We were seeing agents introduced into new open protocols, like the Model Context Protocol (MCP), connecting with one another and with services across the internet. It became increasingly clear that they added important complications to concerns around agents. This paper is an analytical starter to this issue, and is by no means the final chapter; it is just the beginning.
Shanzay: I’ll ask a series of background questions and move into more specific questions about the paper. First, what is an AI agent?
Matt: In many ways, this is a complicated question and a simple one at the same time. You’ll hear that term get used somewhat broadly these days, but there isn’t one consensus definition of an AI agent. With that being said, the simplest way to think about it, I would say, is unlike a passive chatbot that simply responds to prompts, an AI agent can act autonomously to varying degrees, so they can plan what steps to take, execute those multi-step actions, and evaluate how those actions went and adjust accordingly, all by themselves. A lot of these agents are built on top of traditional large language models (LLMs) like ChatGPT or Claude, and they include an additional layer called an orchestrator, which helps them plan and coordinate across tools and sequence tasks to achieve the final goal. Then, these tools are connected via Application Programming Interfaces (APIs), which are increasingly standardized by standards such as MCP.
The final analogy we use in the paper, which, for me, is really helpful, is that a chatbot is sort of like a copilot. It does this single task, and an agent works more like autopilot: the system manages all these different multi-step workflows on its own with minimal oversight.
Shanzay: What is important for people to understand about model context protocols?
Prem: The way we talk about it in the paper is that MCP is an emergent core infrastructure. It is part of an important infrastructure layer that really standardizes how AI systems connect to external tools and data and to each other. And so it’s a little bit similar, we think, to what TCP/IP is, which is the basic routing protocol on the internet. It is also similar in some ways to HTTP.
We also talk about USB-C, as all these analogies are instructive, but it is the plumbing that makes things interoperable in the agentic world. MCP is not a product itself; it’s not a model. It is a protocol that facilitates interaction. It is an infrastructure of interoperability, and it’s really important because it’s what’s turning the single-user chatbot interactions that Matt was describing earlier, and contrasting them with real agents that are acting with, if not full autonomy, along a spectrum of autonomy. So, when you give AI systems the tools to talk to one another and to exchange information that allows them to plan and execute multi-step tasks across services, as opposed to just responding to prompts in the ways that Matt was describing.
Shanzay: How would you explain AI memory to someone without a technical background?
Matt: I would sum up AI memory as the agents’ ability to remember information about you and your past interactions over time, rather than just responding directly to a single question or prompt in the moment – and memory plays a critical part in the data and privacy conversation. MCP also plays a role when it comes to AI memory because it is what allows these systems to access and store more data from places like your calendar, messages, and email. And so it just makes something like AI memory that much more potentially useful, or on the other hand, more risky.
Shanzay: The next question is, what is the difference between context and memory?
Matt: While memory is kind of a long-term, persistent set of data that the system carries with it, context is the information that the AI system is using in the moment – often a single conversation. A rough analogy is that context is similar to RAM, and memory is like what’s stored in a database. Context is more temporary and task-specific, and memory is persistent and reused later, over time. Ultimately, context and memory do work together, but it is helpful to separate those terms when you’re talking about data privacy and related topics, and within a lot of these conversations, those two concepts are often at play.
Shanzay: To connect some of these issues to our work at Privacy Across Borders, can you expand more on the cross-border issues that arise when regulating agentic AI?
Prem: I think trying to take privacy and data protection as a lens, given what the Privacy Across Borders program does, we already know that cross-border data regulation and navigating that landscape is difficult.
So the classic internet scenario that demonstrates that is, let’s say there’s a user in Kenya somewhere, using software that comes from a UK company, but there’s cloud hosting and cloud infrastructure in the United States. That’s the kind of classic legal complexity. There are a few jurisdictions and multiple regulatory regimes, but it’s still pretty static, because you know the players, you can map the data flows, and then you know the lawyers and the other compliance folks are able to navigate that landscape.
But agentic AI really challenges those assumptions because the jurisdictional picture is very dynamic, and it is not necessarily knowable in advance. In fact, it’s often not knowable in advance. So, for example, you’ve got a developer in the US who built an agent, and there’s someone in Mexico who wants to use it. They say, “Hey, design me an app, here are the parameters for it, and [now] complete the task.” To complete that task, the agent might then go and spin up some sub-agents. It might call some different tools and interact with MCP servers that could be distributed all across the world, India, Germany, Brazil, etc. And the agents make decisions in real time, with some consultation, or not, back with that user in Mexico.
So, basically, the jurisdictions that are implicated in these agentic task completions are not a priori choices. They’re dynamically implicated as some tasks are being completed. So, you can start to see where the cross-border issues come in, because each of those jurisdictions is going to have different rules about what data can be collected, transferred, or processed for what purpose.
Shanzay: Are there existing or pending regulatory developments or frameworks you feel are sufficient in addressing the privacy and security risks with agentic AI outlined in the paper, or anything you feel might be a step in the right direction?
Prem: I think there are some promising developments with the US and Singapore, which have two interesting models approaching this.
In the United States, NIST had an initial draft out for comments for benchmarking evaluations that are relevant to agentic AI. They had some requests for information that closed last month, focusing on agentic security vulnerabilities. So I think they’re building some kind of threat taxonomy now, and we probably are going to see, as a result, some kind of sector-specific agentic guidance emerge.
Singapore is really interesting because they seem to be quite advanced and leading much of the global pack here. Singapore’s regulator IMDA issued a governance framework in January 2026, which struck me as particularly sophisticated. The framework has four pillars: (1) assess and bound the risks upfront; (2) make humans meaningfully accountable; (3) implement technical controls and processes; and (4) enable end-user responsibility. I think the framework is helpful because it addresses both customers as external-facing users and workers as internal users in a company who are integrating agents into their workflows.
Shanzay: Thank you for bringing this up. I am curious about the second point in the framework, and connecting it to what you had mentioned in the paper. I know that integrating human-in-the-loop processes when thinking about regulating agentic AI may not always be sufficient. I’m curious if there’s more you want to speak to in the Singapore framework, as compared to what already exists in the US and other countries around the world, in terms of having human intervention as a mechanism for additional oversight.
Prem: My sense is that their framework anticipates this with some helpful nuance. The framework requires organizations to audit whether human oversight remains effective. It’s not a checkbox that says, make sure humans are in the loop, which, as we pointed out in our paper, often just doesn’t make sense given the problems of scale and speed. It is important. But the question is, what structure does that take? What nuances exist around it?
They’re not just saying you need a procedural requirement for human oversight. They’re saying, think about whether it’s still effective and how it should evolve. They’re also pretty specific about the question of human capacity, like, what kind of capacity is required to provide effective oversight, and some of the risks that happen when agents get integrated into workflows. The framework discusses the loss of basic operational knowledge for users when agents take over entry-level tasks, and it addresses this issue by emphasizing the importance of providing sufficient training and work exposure so users, or workers, retain foundational skills. This struck me as really interesting and impressive.
Shanzay: The Agentic AI governance framework from Singapore is really interesting from a values perspective. They appear to be exploring a framework for helping workers incorporate agentic AI, in contrast to the U.S., where the current trend in many industries is that AI adoption is being used to reduce the workforce.
Prem: I did think that, too, while reading. There’s some interesting analysis on how they’re thinking about workforce impact and exactly where they need folks who are engaging with these tools to stay in their jobs.
Shanzay: The last question is, what incentives do incumbents such as Microsoft, OpenAI, and Google have to adopt context and memory portability?
Matt: This is one of my favorite parts of our paper, because I think when you’re looking at things like privacy and security, and the underlying economic and market incentives, it can get lost in the equation when we talk about how these things fit together.
The short answer to this question is, if you believe your model wins on quality, and you think you have the best model, then the incentive is that portability would be a growth lever. Users can try your product without abandoning their context elsewhere, and then ideally, they will stay with you. So, if you’re sitting in one of these C-suites in one of these companies, you want an ecosystem that favors portability. It gives users a chance to try your product, and it brings more users to you. So, I think one interesting aspect to this right now is that there’s this consensus that a lot of the leading models generally are of a similar high quality.
There are also trade-offs because there are potential security and liability issues that come when data is moving more freely and quickly; things like prompt injections, authentication gaps, etc., but I think for the most part, portability is a way to ensure a much more competitive market and ecosystem.
Prem: I think the other thing I would say is it would be interesting to encourage, by economists and others, the market research that looks at which sectors and which types of users specifically are demanding the use of multiple tools simultaneously, and then [to map] which of those specifically want portability among them. So, I’m very curious to know who, right now, and who in the coming years is going to be pushing portability the hardest.
Matt: And one last thing to tie it back to the paper is that MCP does play a role here. It plays up the tension, that MCP can be a technology that enhances portability, and this idea that with standardization, and the ability for all these different systems to have equal access, to plug into all these different tools, it gets at that idea of a competitive ecosystem: that access to data can level the playing field and give smaller systems a chance to have the same access that the leading frontier systems do.
