RBAC was built for humans clicking pages. Agents fire hundreds of retrievals per session across permission domains the role-to-resource map never reconciled. The fix lives in the pipeline, not the prompt: pre-retrieval filters, delegated identity, row-level security (RLS), and audit trails that outlive ACL changes.
Most enterprise AI failures are not model failures. They are retrieval failures. Chunking, embeddings, vector stores, knowledge graphs, and the context budget — what actually breaks at scale and how to build the memory layer that holds.
Forty entries scored 1-5 in a SharePoint folder is not governance. It is theater. A risk register the board acts on has five entries, dollar ranges, named owners, and a regulatory deadline next to each one.
The MCP spec describes a protocol, not a security posture. Most production deployments shipped with a static secret in a header, no identity propagation, and error messages that leak internals. Four enforcement layers, executable, before the next incident review.