Vivek Kumar unveils framework for AI connector risks

Tue, 30th Jun 2026
Joseph Gabriel Lagonsin, News Editor

Vivek Kumar has published a framework for assessing privacy and security risks in the AI connector layer, focusing on how AI systems access organisational data.

Kumar, an independent AI governance, cybersecurity and privacy consultant, calls the framework PAARA, short for Privacy-Aware AI Risk Architecture. It is designed to treat connectors such as OAuth scopes, Microsoft Graph permissions, API links and retrieval pipelines as a distinct subject for governance review rather than a secondary technical issue.

The work addresses a part of enterprise AI deployment that often falls between privacy reviews and IT configuration. In many organisations, teams assess an AI supplier and set up access routes separately, leaving limited scrutiny of how a tool can reach, combine and act on internal data once a connector is enabled.

Kumar argues that this gap concentrates several risks. These include overly broad access granted at the outset and not reviewed again, retrieval failures that allow an AI tool to surface records a user could not directly open, and a heightened insider threat because natural language prompts can assemble information far faster than manual searches.

He said the issue is not the creation of a new right to access data, but a change in the speed and ease with which existing permissions can be used. That, in turn, can make misuse harder to distinguish from routine work.

Connector focus

Kumar's analysis compares the issue with established privacy and AI governance approaches from bodies including the European Data Protection Board, the UK Information Commissioner's Office, France's CNIL, the US National Institute of Standards and Technology and Singapore's Infocomm Media Development Authority. His research finds that these frameworks do not yet treat the connector layer operationally as a distinct object of assessment.

He also argues that the Article 29 Working Party's nine-criteria data protection impact assessment test fits connector deployments, although regulators have not specifically applied it in that context.

The topic is particularly relevant in India, where banks, IT services companies and global capability centres are rolling out enterprise AI tools while handling data for overseas clients. These deployments can involve obligations under the General Data Protection Regulation and other overseas regimes, as well as India's Digital Personal Data Protection Act.

Kumar has published the PAARA methodology on SSRN, where it carries a DOI for citation. Related research has also been peer reviewed and accepted by IEEE and Springer publications, while his practitioner writing on connector governance has appeared in the International Association of Privacy Professionals' Privacy Perspectives.

Policy submissions

Beyond publishing the framework, Kumar said he has provided input and case studies through consultation channels in the UK, France, the United States, Australia and Singapore. He also submitted a PAARA case study to Singapore's Infocomm Media Development Authority through its feedback process on the Model AI Governance Framework for Agentic AI.

His framework centres on five questions for governance teams before they enable an AI connector widely across a business. The questions cover which data sources a connector can reach, whether sensitive data is accessible, whether permission scopes follow least privilege, whether retrieved records can be reconstructed for a given AI output, and how the connector changes insider risk.

That structure reflects a broader debate over enterprise AI controls as businesses move from pilot projects to wider deployment. Much public discussion has focused on model behaviour, training data, transparency and compliance, while the mechanics of data access inside live business systems have received less attention.

For organisations using products such as Microsoft 365 Copilot or Google Gemini alongside internal repositories, connectors can determine the practical limits of what an AI service sees. They can also shape whether access controls are preserved, widened or obscured once information is retrieved through natural language requests rather than direct application use.

In Kumar's view, governance teams should be able to explain these access paths before deployment rather than after a problem emerges. That includes identifying what an AI tool can reach, why that access exists, what constraints apply and who accepted any residual risk.
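The retrieval failure described above (a tool surfacing records the requesting user could not open directly) and the question of whether retrieved records can be reconstructed for an output, worked through as an added illustration. This is a constructed example, not code from Kumar's framework or from any named product; the record ids, users, sources and texts are made up.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    record_id: str
    source: str            # which connected data source holds it
    sensitivity: str       # label carried by the record
    allowed_users: frozenset  # who can open it directly in the source system
    text: str

# Constructed sample corpus standing in for what a connector can reach.
CORPUS = [
    Record("doc-1", "sharepoint", "internal", frozenset({"alice", "bob"}), "Q3 roadmap draft"),
    Record("doc-2", "sharepoint", "confidential", frozenset({"alice"}), "Salary bands by grade"),
    Record("mail-7", "mailbox", "confidential", frozenset({"carol"}), "Board minutes: acquisition target"),
]

def naive_retrieve(query, corpus):
    """Connector-level retrieval: the connector's own scope covers every record,
    so each keyword hit is returned regardless of who is asking."""
    words = query.lower().split()
    return [r for r in corpus if any(w in r.text.lower() for w in words)]

def acl_preserving_retrieve(query, user, corpus):
    """Hardened form: apply the requesting user's entitlement at retrieval time,
    so the AI output cannot widen access beyond what that user could open directly."""
    return [r for r in naive_retrieve(query, corpus) if user in r.allowed_users]

def provenance(records):
    """Reconstruction question: which records fed a given output."""
    return sorted(r.record_id for r in records)

def widened_access(query, user, corpus):
    """Records the naive path would surface that the user could not open directly,
    i.e. the retrieval failure the framework warns about. Empty means access is preserved."""
    direct = set(provenance(acl_preserving_retrieve(query, user, corpus)))
    return [rid for rid in provenance(naive_retrieve(query, corpus)) if rid not in direct]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "would gain:", widened_access("salary acquisition", user, CORPUS))
```

Running `widened_access` over representative prompts before a connector is enabled gives a concrete answer to the access-path question rather than a statement of intent.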

"AI governance has largely focused on models, algorithms, and compliance," said Vivek Kumar, independent AI governance, cybersecurity, and privacy consultant. "The under-examined layer is the connector: what enterprise data an AI system can actually access, combine, and act on. PAARA was built to help organisations assess that layer before they deploy AI at scale."

He described the practical challenge in a second statement. "If an AI system can retrieve enterprise data," said Kumar, "the organisation has to be able to explain what it can reach, why, how it's constrained, how misuse is detected, and who accepted the residual risk. Most organisations deploying connectors today can't answer all five. That's the work."