On dynamic ontologies for agent access in regulated estates.
Abstract
Working draft. This paper concerns the routing of declarative agent intent across legacy systems of record by meaning, rather than by endpoint. We treat the dynamic ontology as the load-bearing primitive that determines whether an agentic system can be deployed at all in settings where the underlying data estate was never normalised. The note sets out the structure of the problem, the constraints any candidate solution must satisfy, and the consequences for retrieval, governance, and proof.
The systems of record inside a regulated institution were not built to be addressed coherently. They were built, separately, by different vendors, at different times, against different conceptions of what a customer, a counterparty, or a position is. The schema is not the problem. The absence of a shared schema is the problem.
An agent acting against this estate inherits the fragmentation. Retrieval becomes a matter of plumbing: one integration per system, each with its own semantics, its own access pattern, its own failure mode. The work scales with the number of systems, not with the value of the question being asked.
The dynamic ontology.
By dynamic ontology we mean a layer that resolves a declarative request, expressed in the institution’s own vocabulary, against the underlying systems at the moment the request is made. It is dynamic in two senses. The mapping from concept to source is versioned and may change. And the resolution is performed at request time, not baked into a pipeline.
The argument of the paper is that this layer is not a convenience. It is a precondition. Without it, the institution does not have a stable referent for what an agent has actually retrieved, and therefore does not have a stable record of what the agent has acted upon. The accountability surface depends on the access surface being legible.
The ontology is the surface a regulator can read. Everything downstream of it is plumbing.
What the layer must do.
Three properties follow from treating the ontology as load-bearing. First, resolution must be deterministic. Given the same request and the same ontology version, the same underlying records must be addressed. Second, resolution must be auditable. The mapping from concept to source must itself be a recorded artefact. Third, resolution must be revocable. A concept can be deprecated; an institution must be able to state, in its own vocabulary, what is no longer in scope.
Determinism.
Determinism is the property that allows a record of agent action to be reconstructed. If the same request resolved differently on different days, the record would not survive a supervisory question.
Auditability.
Auditability is the property that makes the ontology itself a regulated artefact, rather than a configuration buried inside a vendor system. Changes to the ontology are versioned changes; they leave traces.
Revocability.
Revocability is the property that allows the institution to retain authority over the meaning of its own data. An ontology that can only grow is not, in the regulated sense, controlled.
Open questions.
Several questions remain open and are the subject of further work in this programme. The first is the locus of authority for ontology evolution: the institution, the runtime, or a body that sits between them. The second is the interaction between ontology versioning and the long tail of historical decisions whose record refers to a previous version. The third is the cost structure of resolution at scale. The note here is intended as a first sketch.
References
- Regulation (EU) 2024/1689 on Artificial Intelligence, Articles 12 and 14.
- DORA — Regulation (EU) 2022/2554, Article 28 on third-party risk and Article 30 on contractual arrangements.
- NIST AI Risk Management Framework 1.0, January 2023.
- Working notes from the DSI research programme, 2026.