Pentad Labs · Reference · First Use Case
Agentic Data Enclave
An Agentic Data Enclave is a sovereign, governed space where you host someone else's AI agents to work on your data, prove what they saw, and curate what they remember of the visit before they leave.
Bring the agents to the data, not the data to the cloud.
It is the first enterprise use case for WunderOS, an autonomic agentic OS.
From the data room to the data enclave
Every enterprise knows the data room already. In a merger, an acquisition, a financing, or a diligence review, you do not mail your books to the other side. You stand up a secure room, decide who may see what, log every access, and let counsel control the door. The virtual data room turned that into routine software years ago, and the idea faded into the furniture.
What changed is the thing crossing the threshold. It is no longer a person reading documents under an agreement. It is an agent: software with memory, acting for a counterparty, that will read your data, remember it, and carry that memory back out unless something stops it. A room built for human eyes does not contain an agent.
And a room is the wrong shape for the problem in any case, because a room is a place you are shown things, while what an agent needs is a place it can work and an owner who governs what it does and what it keeps. That is an enclave rather than a room. Research computing already uses the word in this exact sense, for a bounded environment where an outsider works on sensitive data and the owner reviews what may leave.
The data room rebuilt for agents is an Agentic Data Enclave.
Bring the agents to the data, not the data to the cloud
The cloud era ran on one rule: move the data to where the computation is. Pool it, and run everything against the pool. That rule breaks the moment sovereignty matters, and in the agentic era it matters constantly, because the computation is now a foreign agent and the data is your most sensitive asset.
The agentic answer inverts the rule: move the computation to the data, not the data to the computation. When a trading partner, a supplier, or a counterparty needs to work over your information, you do not ship them the information and trust their controls. You host their agents in your enclave, give them bounded access to exactly what they need, and keep everything else, including the agents’ memory of the visit, inside your control.
Sovereignty stops being a policy you assert and becomes a boundary you own.
The enclave, not the agents
WunderOS does not supply the agents. It supplies the enclave. Bring any agent, your partner’s agent, a workload in a microVM, whatever the work requires, and the operating system gives it access to your data and governs everything it does.
What makes this possible is that in WunderOS memory is a service of the operating system, not something held inside the agent. The visiting agent does not own its memory of your data. The enclave does. That one fact is what lets the enclave do what a data room is for:
- Nothing leaks. Every tool call, every read, and every attempt to send something out crosses one governed boundary. The enclave decides what may leave, and an agent cannot take out what the boundary will not pass.
- Every access is provable. Each action traces through a bounded capability to the person who authorized it, and the record holds who asked, what ran, and what it touched. You can show a regulator or a counterparty exactly what was seen, by whom, and under what authority.
- The record replays. Every governed decision is deterministic, so the visit can be replayed and the boundary reaches the same verdicts each time. What was seen and allowed is something a regulator can re-run, not a log you ask them to take on trust.
- Mistakes unwind. Actions are reversible by the substrate, so an error inside the enclave can be undone rather than merely regretted.
- The agent leaves with what you allow. Because the memory is the enclave’s, the owner curates what a visiting agent retains of the visit, erased, edited, or supplemented at your discretion. The agent does not decide what it carries back out.
If memory lives in the agent, the agent leaves with it, and you cannot govern what it took. If memory lives in the enclave, you govern what the visit is allowed to remember.
That is the difference, and it is the one that matters most.
Why you can’t wait to build an Agentic Data Enclave
The agents are already arriving at your data. A partner wants to point its agent at your records, a vendor ships one inside its product, a business unit wires one up without asking first. This is not a scenario to plan for at leisure. It is happening across your organization now, and the pressure to say yes is only rising.
The exposure is new in kind, and it does not reverse. A person admitted under an agreement reads, forgets most of it, and is bound by the contract. An agent reads, remembers exactly, and carries that memory out the moment it leaves, into a model and an operator you do not control. Once your data has left this way you cannot recall it, and no audit after the fact undoes the transfer. Every ungoverned visit is a potential disclosure you never approved.
Today that leaves you two bad answers. Block agents and you forfeit the partnerships and the productivity the rest of the business is demanding. Allow them ungoverned and you own the breach, the regulator’s question, and the headline. The deadline is not a date on anyone’s roadmap; it is the first incident, and the first auditor who asks what governed your AI access. The enclave is how you say yes safely, and you want it standing before that day, not after it.
Who it is for
The enclave fits wherever one organization must let another’s agents touch its data: supply-chain relationships where a partner’s agent needs your records, diligence and deal work where counterparties exchange sensitive material, and any setting where digital sovereignty and cross-organization access have to hold at once. The people who own that risk, in the CIO’s organization, in compliance, in legal operations, and in corporate development, are the ones it is built to serve.
An autonomic OS, made concrete
An Agentic Data Enclave is what an autonomic agentic OS looks like put to work. The enclave is sovereign because the operating system owns the boundary. The agents stay focused because the system carries memory, identity, governance, and recovery for them. And the whole thing is provable because the system is deterministic and auditable by construction.
Read What is an autonomic agentic OS? for the category, the System Design for how it is built, and the Research Notes for the pieces behind the guarantees above.