A report on the closed-door leadership dialogue hosted by DTQ (Data Trust Quotient), bringing together CISOs, risk advisors, and AI governance leaders to examine whether enterprises can truly delete what an AI system has learned.
About the Platform: DTQ
DTQ — the Data Trust Quotient — is a leadership dialogue platform focused on AI governance, privacy, and data security. The series brings together the people directly responsible for these decisions: Chief Information Security Officers (CISOs), data protection leads, and AI governance practitioners, for candid, closed-door conversations about where the industry is heading.
This session opened with a real-world flashpoint: a U.S. court order compelling OpenAI to preserve all ChatGPT conversations — including those users had deleted — as part of its ongoing copyright litigation with The New York Times. The episode illustrated how, once a machine has “remembered” something, true deletion becomes a far harder problem than most organizations assume.
The Panel
The discussion was steered by a moderator and featured three senior practitioners spanning cybersecurity, enterprise IT, and risk advisory:
| Role | Panelist & Profile |
|---|---|
| Moderator | Mohit Sharma — Cybersecurity Advisor, Baker Hughes. Works in industrial and operational technology, where questions of what gets logged, stored, and retained carry real operational consequences. |
| Panelist | Aniruddha Mehta — Partner, Risk Consulting, EY. Advises organizations on data privacy, the DPDP Act, and AI/data risk governance as regulation evolves. |
| Panelist | Vinod Nair — CISO, leading cybersecurity and IT infrastructure across large enterprise and SAP environments, bringing a practitioner’s view of enterprise data governance at scale. |
| Panelist | Rohit Ponnapalli — Global CISO, Envoy Global. Over 14 years building security from the ground up, including running information security for 30,000 people across 11 locations and architecting security operations centers for state governments and India smart-city projects. |
Session Report
Opening Question: Who Wins — Privacy Law or Algorithmic Memory?
Moderator Mohit Sharma framed the central tension: privacy laws are built on the principle that individuals can be forgotten, while AI systems are built on the principle of learning from what they remember. He asked the panel directly — in one line, can a company truly forget a person today?
“This is the illusion of absolute erasure in Gen AI. The right to be forgotten, codified under Article 17 of GDPR and Section 12(3) of India’s DPDP Act, grants data principals the right to demand erasure — but generative AI systems store data in two distinct states: explicit storage and implicit parametric storage. Erasing from explicit storage (vector databases, caches, logs) is technically feasible. Erasing from implicit parametric storage — the billions of weights inside a trained model — is practically impossible, because no single data point resides in an isolated, identifiable location.”
— Aniruddha Mehta, Partner – Risk Consulting, EY
Mehta outlined four technical paths organizations can use to bridge this gap:
- Exact unlearning — deleting clearly targeted data outright.
- Approximate unlearning — offering no absolute guarantee of erasure, but relying on probabilistic reduction of a data point’s influence.
- Concept-level / cohort unlearning — removing influence at the level of a defined group (e.g. by department or team), which is easier to isolate and action.
- CSA architecture (shared, isolated, sliced, and aggregated training design) — a more efficient, consent-aligned design for targeted retraining.
His conclusion: the tension between contextual utility and legal liability is best managed not as a fight between privacy and AI, but through responsible AI design as the operating principle.
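The two storage states from Mehta's quote, and the difference between a plain delete and exact unlearning on a sliced-and-aggregated design, as an added Python example that is not from the session or any panelist. A nearest-centroid classifier stands in for a trained model so its parameters are plain numbers; the records, the two-shard assignment and the class names are constructed assumptions, and the vote-based aggregation step of such designs is left out.

```python
from collections import Counter

RECORDS = [("r1", (1.0, 1.0), "A"), ("r2", (1.2, 0.8), "A"), ("r3", (0.9, 1.1), "A"),
           ("r4", (5.0, 5.0), "B"), ("r5", (5.2, 4.8), "B"), ("r6", (4.9, 5.1), "B"),
           ("r7", (9.0, 1.0), "A")]  # constructed toy data; r7 drags A's centroid right
NUM_SHARDS = 2


def shard_of(rid):
    """Deterministic shard assignment, so the store knows where each id lives."""
    return sum(map(ord, rid)) % NUM_SHARDS


def train(records):
    """Nearest-centroid 'model': label -> mean feature vector (the parameters)."""
    sums, counts = {}, Counter()
    for _, x, y in records:
        acc = sums.setdefault(y, [0.0] * len(x))
        for i, v in enumerate(x):
            acc[i] += v
        counts[y] += 1
    return {y: tuple(round(v / counts[y], 6) for v in a) for y, a in sums.items()}


class ShardedModel:
    """Explicit store (records) plus implicit store (one parameter set per shard)."""

    def __init__(self, records):
        self.store = {rid: (rid, x, y) for rid, x, y in records}
        self.params = [train(self.shard_records(s)) for s in range(NUM_SHARDS)]
        self.retrained = []  # which shards unlearning had to retrain

    def shard_records(self, s):
        return [r for r in self.store.values() if shard_of(r[0]) == s]

    def delete_from_store_only(self, rid):
        """A plain delete query: the record is gone, the parameters learned from it stay."""
        del self.store[rid]

    def unlearn_exact(self, rid):
        """Exact unlearning on the sharded design: retrain only the record's shard."""
        s = shard_of(rid)
        self.delete_from_store_only(rid)
        self.params[s] = train(self.shard_records(s))
        self.retrained.append(s)

    def fingerprint_remains(self, rid):
        """True if rid's shard still differs from a model trained fresh on what remains."""
        s = shard_of(rid)
        return self.params[s] != train(self.shard_records(s))
```

Comparing against a fresh retrain is the only exact test that a record's influence is gone; the approximate methods listed above offer no such equality to check.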
Panelist Vinod Nair added a regulatory-timeline perspective, noting that India’s IT Act 2000 was followed by the IT Rules 2021 and that the DPDP Act is expected to come into force around May 2027. He stressed the need to track evolving model architectures — autoregressive LLMs, masked language models, sequence-to-sequence and retrieval-augmented models — and to embed standard data-loss-prevention (DLP) practices directly into AI deployments.
Rohit Ponnapalli, Global CISO at Envoy Global, offered a starkly practical view: with prompts, chat histories, and retrieval-augmented (RAG) models now layered across every tool and vendor in an enterprise, organizations frequently have no reliable way of knowing where their data actually resides — making proof of deletion nearly impossible at scale.
“Every department has multiple third-party vendors, and every tool has AI built in already. Where do you even delete the data — your laptop, your AI models, or your vendor’s systems? We have no idea where the data resides with all this AI in place.”
— Rohit Ponnapalli, Global CISO, Envoy Global
Ponnapalli proposed grounding AI memory governance in privacy-by-design and zero-trust principles, layered across three planes: strategy (how long data should be retained), tactics (how AI models and third parties are onboarded), and operations (data mapping). His view: if an organization can achieve reliable data mapping, retention controls and purpose definition become possible — and roughly 90% deletion success is achievable even in the AI era.
Categorizing AI Memory by Risk
Moderator Sharma turned the discussion toward practice: should session memory, user memory, organizational memory, and training data be treated as different risk categories — and what should be kept?
Mehta proposed a four-part risk-utility framework for classifying data before deciding how it should be governed:
| Data Class | AI Utility | Regulatory Risk | Recommended Action |
|---|---|---|---|
| Interaction / informal data (logs, raw text) | Low long-term value | High — unsolicited PII risk | Aggressive erasure; automated TTL protocols |
| Inferred / analytical data (behavioral profiles, risk flags) | High — personalization, automation | Severe | Cohort-level unlearning; purpose-bound grouping |
| Demographic / trend data (anonymized) | High — fairness tuning, model stability | Low, if irreversibly anonymized | Retain under audit; verify re-identification resistance |
| Sensitive financial / health data | Fraud detection, diagnostics | Maximum — sector and cross-border laws | Federated architecture; strict access controls; segregate memory from weights |
Vinod Nair built on this with an enterprise security lens, identifying three foundational controls: a documented data inventory and classification system, enforced identity controls, and encryption that is never standardized indefinitely — since static encryption algorithms become predictable targets over time. He also called for regular red-team exercises, defined playbooks for memory abuse or model leakage, and clear deletion workflows tied to defined retention periods.
He further distinguished organizational memory needs by seniority and exposure: persistent profiles tied to senior executives (e.g. a CIO or CEO) require separate, higher categorization and protection than standard user or session memory, given the greater risk of profiling or targeted leakage.
Should AI Remember Everything It Can?
Sharma posed a pointed question to Ponnapalli, whose background spans smart-city and public-sector systems: just because a system can remember something, does it mean it should?
“Just because you have unlimited data storage, you should not keep storing the data. There should be a boundary to what you want to store.”
— Rohit Ponnapalli, Global CISO, Envoy Global
Ponnapalli illustrated the point with a consumer example — automated calls nudging customers to complete abandoned cart purchases — to show how easily “customer experience” framing can stretch the boundary of acceptable data use. He recommended segregating storage by data type (PII versus service-quality or analytics data), applying regulation-driven retention periods (citing seven years as a common standard for PII in his sector), and using DLP and DSPM tooling to maintain visibility into where data is flowing and which systems are using it.
He also offered a candid status check on enterprise AI maturity: most organizations remain at the proof-of-concept stage, with AI largely permitted to read data — but not yet trusted to write, execute, or delete it autonomously.
Board-Level Governance and Accountability
As the discussion moved toward governance at the top of organizations, Mehta argued that overseeing AI memory has moved beyond a technical concern into a fiduciary duty for boards, particularly where AI informs credit decisions, financial crime monitoring, and forecasting.
“A company may execute a delete query on a relational database to satisfy a regulatory audit, but if the AI system continues to make automated decisions based on hidden patterns learned from those deleted records, the board remains exposed to severe legal, financial, and reputational jeopardy.”
— Aniruddha Mehta, Partner – Risk Consulting, EY
He set out three governance imperatives for boards:
- Demand algorithmic transparency and explainability — rejecting black-box systems for critical operations, and ensuring decisions can be traced back to the parameters and data that drove them.
- Implement responsible AI checkpoints — maintaining an enterprise-wide inventory of all AI models (built, deployed, or procured), with mandatory Data Protection Impact Assessments (DPIAs) before deployment and risk-tier classification across the AI lifecycle.
- Enable human accountability in agentic systems — building clear boundaries, accountability mechanisms, and human-in-the-loop overrides directly into system architecture as AI moves from flagging issues to acting on them autonomously.
Audience Q&A Highlights
The moderator relayed several audience questions from the chat for rapid-fire responses:
- Do we need dedicated standards for AI memory and retention, similar to information security standards? Vinod Nair: Yes — existing frameworks such as ISO/IEC 27001 and 42001 provide starting control criteria, but organizations need specific, auditable controls mapped to applicable regulations (IT Act, DPDP, and sector-specific clauses) to track AI-specific risks such as RAG pipeline design and vector database/cache access.
- How should AI data governance be embedded into vendor relationships? Aniruddha Mehta: Treat data protection policy as a core part of vendor assessment and re-assessment, the same way sectors like pharma conduct vendor risk reviews before deployment.
- Is compliance ever a fixed, one-time state? Rohit Ponnapalli: No — there is no such thing as point-in-time compliance. An organization can be compliant at the moment of an audit and fall out of compliance shortly after as systems and data continue to evolve, which is why governance must be continuous and unbiased.
- If advising a startup building AI with persistent memory, what is the first question founders should ask? Rohit Ponnapalli: Start with the basics — what data is being collected, and specifically what is the AI being asked to remember (PII, behavioral data, business intelligence)? Then stress-test the downside: what happens if this data leaks, and what would that cost the business in trust, customers, or survival?
Key Insights
- Complete erasure from a trained AI model is not currently achievable — deleting a source record removes it from explicit storage, but its statistical “fingerprint” can remain embedded in the model’s parametric weights.
- Four technical approaches — exact unlearning, approximate unlearning, cohort-level unlearning, and federated (CSA) architecture — offer practical, if imperfect, paths to manage this gap.
- Not all AI memory carries equal risk. A four-tier data classification framework (interaction data, inferred/analytical data, anonymized trend data, sensitive financial/health data) helps determine the right retention and governance response for each.
- Most organizations cannot currently map where their data — or its AI-driven derivatives — actually reside across departments, vendors, and embedded AI tools, making provable deletion a major operational gap.
- Responsible AI governance must operate at three levels simultaneously: strategic (policy and retention limits), tactical (model and vendor onboarding), and operational (data mapping and controls).
- Boards are increasingly exposed to fiduciary liability when AI systems continue to act on patterns learned from data that has technically been deleted from source systems.
- As AI moves toward agentic, autonomous action, human-in-the-loop oversight and clear accountability boundaries must be designed into system architecture from the outset — not added afterward.
- Compliance is not a fixed, point-in-time state; with AI systems continuously evolving, governance and audit processes must be continuous and unbiased.
- Regulatory timelines are tightening — India’s DPDP Act is expected to be enforced around May 2027 — making early investment in data classification, vendor assessment, and retention controls a near-term priority rather than a future concern.
Closing Note
The session closed with the panel agreeing that the boundaries of “responsible AI” are still being actively written, and that the conversation — including several audience questions that could not be addressed live — is expected to continue in a follow-up DTQ session. The discussion underscored a consistent theme across all four speakers: as AI systems become more persistent and context-aware, remembering and forgetting are no longer purely technical actions — they are business, security, and governance decisions that boards, CISOs, and risk leaders must own together.