The DSP Is No Longer Optional

Agentic AI does not leak data only when a human pastes a secret into a chat window.

It leaks when a tool result is appended to a prompt. It leaks when memory retrieval pulls the wrong paragraph into context. It leaks when an agent escalates from a local model to a hosted model because the task looks harder than expected. It leaks when a provider route changes its data-retention posture and the application keeps treating every model endpoint as interchangeable.

That last point is now visible.

Anthropic's API retention documentation puts Claude Fable 5 and Claude Mythos 5 in a special bucket: API inputs and outputs are retained for 30 days, and Zero Data Retention is not available for those models. Anthropic also says retained API data is not used for model training without express permission.

That distinction matters.

The issue is not "training panic." The issue is operational control.

If a model route retains prompt and output data for 30 days, that is a security property. It belongs in the same decision layer as classification, budget, jurisdiction, task risk, and provider trust.

This is exactly why BlackUnicorn AI Management System has a DSP.

Vendor Policy Is Now Runtime Input

The old pattern was simple: pick a strong model, send the prompt, trust the provider paperwork.

That pattern breaks when agents become operational.

An agent does not send one clean prompt. It builds context. It retrieves memory. It calls tools. It summarizes files. It works across customers, projects, finances, strategy, security reports, and internal plans. The prompt becomes a temporary container for organizational data.

Once that data crosses an external boundary, the question is no longer only:

"Can this model answer?"

The question becomes:

• What data is inside this request?
• Who is allowed to process it?
• How long can the provider retain it?
• Can this model run under Zero Data Retention?
• Is pseudonymization enough for this class of data?
• Should the call stay on L1 local inference?
• Should the route fail closed?

BlackUnicorn AI Management System treats those questions as runtime checks, not policy notes buried in a security document.

What The DSP Does

DSP stands for Data Sanitization Proxy.

It sits between the agent fleet and model execution. Every outbound LLM request becomes a data-governance decision before it becomes a model call.

The DSP classifies the payload, sanitizes sensitive entities, chooses an allowed route, and rehydrates the response only after the model returns. It is not a decorative guardrail around the prompt. It is the traffic controller for sensitive context.

The basic flow is:

1. Classify the request.
2. Detect secrets, PII, classified identifiers, financial data, and operator-defined sensitive patterns.
3. Block data that should never reach a model.
4. Pseudonymize data that can be reasoned over safely.
5. Route the sanitized request to an allowed model tier.
6. Rehydrate the response through a bounded substitution map.
7. Audit the decision without storing the raw sensitive prompt in logs.

That flow changes the security posture.

The platform is no longer asking the provider to be the last line of defense. The platform decides what the provider is allowed to see.

Classification Before Routing

BlackUnicorn AI Management System uses classification before model selection.

Low-risk public context can route freely. Medium-risk context can be pseudonymized and sent only through approved external partners. High-risk context stays local. DSP-high work is pinned to L1 local inference.

This is where the Fable retention story becomes useful.

If a model is not eligible for Zero Data Retention, the DSP does not need a debate. The route can be marked unsuitable for sensitive payload classes. Sensitive work can stay on local models or move to a provider route with the right retention posture. If no allowed route exists, the system fails closed.

That is the point: vendor policy becomes machine-checkable infrastructure.

Pseudonymization Is The Middle Path

Security teams often get trapped between two weak choices.

One choice is to block external models entirely. That protects data, but it throws away capability.

The other choice is to send raw context to external models and rely on terms of service. That keeps capability, but it gives away control.

DSP creates a middle path.

Sensitive entities can be replaced before dispatch:

Original:
NovaBank renewal risk increased
after the Q3 margin review.

Sanitized:
ORG_014 renewal risk increased
after PERIOD_003 margin review.

The model can reason about the structure of the problem without seeing the raw organization name or period marker. When the answer returns, BlackUnicorn AI Management System rehydrates placeholders for the authorized operator.

The model sees logic.

The operator sees meaning.

The provider never receives the raw sensitive value.

Retention-Aware Routing

The DSP is connected to the same routing philosophy as the rest of BlackUnicorn AI Management System.

The platform already uses 3-layer model routing:

• L1 local inference for confidential, DSP-high, routine, memory, and internal work.
• L2 subscription providers for approved external reasoning.
• L3 pay-per-token models for expensive escalation when policy and budget allow it.

The DSP adds a data boundary to that router.

A task can be cheap but sensitive. It stays local.

A task can be hard but not sensitive. It may escalate.

A task can be sanitized enough for a subscription route, but not suitable for a provider that retains prompt and output data.

A task can be important and still blocked because it contains secrets.

This is what a production agentic system needs. The route is not chosen only by model strength. It is chosen by data class, retention policy, budget state, and operator control.

Budget And Data Policy Belong Together

BlackUnicorn AI Management System also lets operators set budgets and auto-route agents when budget limits are hit.

That matters for DSP because risky escalation often hides inside cost escalation.

An agent starts on a local model. The output looks weak. The router considers a stronger external model. Without hard controls, that "quality upgrade" can become two failures at once: higher cost and wider data exposure.

In BlackUnicorn AI Management System, the router can check both conditions:

• Is this provider allowed for the payload classification?
• Is this spend path still inside budget?

If an L3 budget is exhausted, the agent is routed through allowed lower-cost paths. If a sensitive payload cannot leave L1, budget pressure does not push it outward. If no route satisfies the data policy and the budget policy, the system stops.

Failing closed is not a dramatic feature. It is basic operational hygiene.

Why This Matters For Agent Fleets

A single assistant can be governed by habit.

An agent fleet cannot.

Agents run in loops. They read memory. They create plans. They call tools. They retry. They summarize. They pass intermediate state through prompts. They act at odd hours when no human is watching every token.

That is why prompt security has to move from "review the message" to "control the runtime."

The DSP turns LLM egress into a managed pathway:

• Secrets are blocked before dispatch.
• PII is detected and stripped or pseudonymized.
• Classified identifiers are denied on external routes.
• DSP-high work stays local.
• Custom regex rules catch operator-specific sensitive patterns.
• Per-agent forced classification can pin selected agents to stricter handling.
• Rehydration is bounded to the substitution map created for that request.
• Output is scanned before it returns to the agent workflow.
• Audit trails record classification and routing decisions without storing raw sensitive content.

The system does not require every agent author to remember every provider policy. The runtime enforces the policy.

The Fable Lesson

The Claude Fable 5 retention discussion is not only about one vendor or one model.

It shows the future shape of AI infrastructure.

Models will keep diverging. Some will support Zero Data Retention. Some will retain inputs and outputs for abuse monitoring or safety review. Some will have better reasoning but weaker retention terms. Some will be cheap but unsuitable for confidential work. Some will be local and slower but exactly right for sensitive tasks.

Agentic systems need to adapt to that landscape automatically.

That means the model router cannot be blind to data policy.

The DSP cannot be an afterthought.

The budget layer cannot be separate from security.

The audit layer cannot depend on raw prompt logging.

BlackUnicorn AI Management System brings those controls together because operational AI is not just about getting an answer. It is about knowing what the system exposed to get that answer.

The Operating Model

The practical pattern is straightforward:

• Classify before routing.
• Sanitize before egress.
• Cache static instructions.
• Compress working context.
• Keep DSP-high and confidential work on L1 local inference.
• Use external models only when the payload and provider policy allow it.
• Treat provider retention rules as routing constraints.
• Enforce budgets before expensive escalation.
• Fail closed when data policy and execution policy cannot both be satisfied.

That is the DSP feature we built into BlackUnicorn AI Management System.

Not because every provider is hostile.

Because trust is not a routing strategy.

Sources Checked

• Anthropic API and data retention
• Anthropic commercial model-training policy
• Claude Code data usage
• The Verge: Microsoft reportedly restricts Claude Fable 5 internally