AI 底层逻辑 / 经典论文

AI Consent / Preference：目的绑定数据架构

重要说明: 本文是学习与作品集材料, 不构成法律、合规、隐私、审计或监管意见。正式项目必须由 Legal、Privacy、Compliance、Security、Data Governance、Model Risk、Product 和 Operations 共同确认适用要求。

231 行ai-foundations/papers/116-ai-consent-preference-purpose-bound-data-architecture.md

面向对象: AI Product Architect / Platform PM / Senior BA / Privacy Architect / Data Governance Lead。核心问题: AI 不能把“同意过条款”解释成任意数据复用。金融零售 AI 必须把 consent、preference、purpose limitation 变成运行时可执行、可撤销、可证明的产品和架构能力。学习目标: 能设计 purpose catalog、consent event model、preference center、data-use policy、RAG/tool enforcement、withdrawal/re-consent lifecycle 和 audit evidence。

Source Anchors

Source	Link	用途
NIST Privacy Framework	https://www.nist.gov/privacy-framework	用 privacy risk management 语言组织 purpose、control、communication 和 evidence。
NIST AI RMF	https://www.nist.gov/itl/ai-risk-management-framework	用 Govern / Map / Measure / Manage 把 consent enforcement 纳入 AI risk lifecycle。
FTC Safeguards Rule	https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know	作为金融客户信息保护、访问控制、服务提供商监督和安全计划锚点。
CFPB Personal Financial Data Rights	https://www.consumerfinance.gov/personal-financial-data-rights/	用于客户授权、数据访问、撤销和开放银行数据权利的产品架构讨论。
ISO/IEC 42001	https://www.iso.org/standard/42001	用 AI management system 的思路落地政策、角色、监控、变更和持续改进。

Consent is not a universal permission. In financial AI, it must be purpose-specific, revocable, evidence-backed, and coordinated with legal basis, product terms, privacy, security, customer trust, and operational controls.

1. Thesis

AI consent architecture answers:

Can this AI capability use this data, for this person, in this channel,
for this purpose, at this time, with this model, tool, memory, log,
vendor and evidence boundary?

Privacy-by-design asks whether personal data is collected and protected responsibly. Consent / preference / purpose-bound data architecture makes the answer executable at runtime.

It connects purpose catalog, consent/preference events, legal basis, product terms, data classification, RAG filters, tool authorization, memory/log policy, withdrawal workflow and evidence dashboards.

2. Why It Matters

AI systems multiply data-use contexts. The same transaction can appear in customer service, fraud triage, marketing personalization, RM copilot, RAG search, eval sets, prompt logs, memory and vendor telemetry.

Traditional consent records often answer only whether a customer accepted terms, an employee acknowledged a policy, or a user opted into marketing.

Production AI needs finer answers:

Question	Why it matters
Which purpose?	Dispute support does not automatically permit marketing personalization.
Which capability?	Chat explanation, eval, memory write and tool action have different risks.
Which scope?	Account summary, 90-day transactions and full customer 360 are different grants.
Which time window?	Consent expires, sessions expire, product terms change and tokens are revoked.
Which withdrawal effect?	Revocation must stop future use and trigger downstream propagation where required.
Which evidence?	A customer, auditor or regulator may ask what was shown, accepted, used or denied.

3. Core Concepts

Concept	Definition	AI architecture implication
Purpose	Business reason for data use	Catalog and map to allowed AI actions.
Consent	Recorded authorization where appropriate	Granular, versioned, revocable and auditable.
Preference	User/employee choice shaping treatment	Enforced across channels and AI features.
Legal basis	Legal/contractual processing basis	Coordinated with consent, not hidden behind it.
Scope	Data, action, object and channel boundary	Bound to token, retrieval, tool and log policy.
Expiry	Time limit for grant or preference	Affects sessions, tokens, indexes and caches.
Withdrawal	Revocation or opt-out event	Propagates to policy, AI stores and evidence.
Re-consent	Fresh authorization after material change	Triggered by new data, action, vendor, model or purpose.

Important nuance: consent can be weak if bundled, vague, coercive, stale or hard to withdraw. It does not override security controls, fair treatment obligations, legal holds or customer harm controls. Employee AI may require workforce notice, role policy and monitoring boundaries. Purpose limitation must be enforced by systems, not only by prompt instruction.

4. Purpose Catalog

The purpose catalog is the product-language bridge between privacy policy, legal basis, data governance and AI runtime controls.

Purpose ID	Business meaning	Allowed AI use	Prohibited use
`customer_service_account_help`	Help authenticated customers understand account activity	RAG policy, transaction lookup, fee explanation	Marketing targeting, training without review
`payment_dispute_support`	Prepare and manage card disputes	Selected transaction read, dispute draft, customer-confirmed submit	Automated denial, unrelated profiling
`relationship_manager_copilot`	Help RM prepare customer meeting	Portfolio summary, policy lookup, note draft	Unapproved advice, cross-client leakage
`marketing_personalization`	Tailor offers and content	Preference-aware segmentation, approved recommender	Use of opted-out data, vulnerable-customer pressure
`open_banking_data_sharing`	Share customer-authorized data with third party	Tokenized API access within authorized scope	Secondary AI training, unrelated enrichment

Purpose records need owner, risk tier, data classes, allowed channels, legal basis, consent requirement, retention, vendor boundary, eval allowance, evidence requirement and re-consent triggers.

5. Architecture Diagram

Customer / Employee UI
  -> consent and preference center
  -> consent event store
  -> purpose catalog + legal basis registry
  -> policy decision point
  -> AI orchestration layer
       -> RAG retriever with purpose and ACL filters
       -> tool gateway with scope and object checks
       -> memory service with write allowlist
       -> log/evidence service with retention policy
       -> vendor/model gateway with data-use constraints
  -> policy decision log
  -> evidence store and dashboards

Runtime decision:

identity + purpose + consent_state + preference_state + data_class
+ action + channel + model + vendor + object_scope + time
=> allow / deny / minimize / step_up / reconsent_required / human_review

Design principle:

The model can request data, but the policy plane decides whether the data, tool, memory and log use is allowed.

Minimum event fields:

Field	Example
`event_id`	`cns_evt_01H...`
`subject_id`	customer, employee or representative
`actor_id`	who captured or changed the state
`purpose_id`	`payment_dispute_support`
`scope`	accounts, transactions, channel, action
`status`	granted, denied, withdrawn, expired, superseded
`legal_basis_ref`	policy/legal register reference
`notice_version`	text and locale shown to user
`capability_version`	AI feature version at time of grant
`effective_at` / `expires_at`	authorization window
`withdrawal_effect`	stop future use, purge derived stores, retain evidence
`evidence_ref`	UI snapshot, API trace, signature, case id

Event sourcing is useful because consent is a history of what was offered, accepted, narrowed, renewed, withdrawn and enforced.

7. Financial Retail Case

Scenario: A mobile banking AI assistant helps a customer understand a card transaction and prepare a dispute.

Allowed flow:

Customer signs in with strong authentication.
Assistant explains it can read selected transactions for dispute support.
Customer grants purpose-specific access to the selected card and last 90 days of transactions.
RAG retrieves dispute policy documents filtered by region and product.
Tool gateway allows transactions.read.selected_account_90d.
Assistant drafts a dispute but cannot submit until customer confirms the exact transaction and claim.
Submission creates evidence with notice version, consent event, action hash and tool result.

Blocked flow:

The same grant cannot be reused for marketing segmentation.
The assistant cannot write persistent memory saying “customer likely fraud risk”.
A new feature that sends transaction data to a new vendor requires change review and potentially re-consent.
Withdrawal stops future AI access and triggers propagation to session, token, RAG cache and personalization store according to policy.

8. PM / BA / Architect Checklist

Role	Questions to force clarity
PM	What user value requires this data use, and what will the user believe they agreed to?
BA	Which business events create, change, expire or withdraw consent/preference state?
Architect	Where is purpose enforced: UI, token, policy engine, RAG, tool, memory, log and vendor gateway?
Privacy	Is consent appropriate, or is another legal basis and notice model required?
Security	Can a revoked grant still work through cached tokens, indexes, logs, exports or vendor paths?
Data owner	Which fields are allowed for this purpose, and which derived artifacts inherit restrictions?
Operations	How will agents handle withdrawal, complaints, disputes and re-consent conversations?

9. Code-Lite Experiment

Use this as a portfolio demo for a policy decision function.

request:
  purpose_id: payment_dispute_support
  action: transactions.read
  object_scope: {account_id: card_456, lookback_days: 90}
  ai_capability: dispute_assistant:v2
consent_state:
  status: granted
  scopes: [transactions.read.selected_account_90d, dispute.draft.create]
  expires_at: 2026-08-31T23:59:59Z
  notice_version: consent-dispute-v4

decision = policy.evaluate(request, consent_state, preference_state, data_policy)
if allow: issue purpose_bound_token(ttl=15m, scope=granted_scope)
if minimize: return masked_or_summarized_fields_only()
if reconsent_required: show_capability_change_notice()
if deny: deny_and_log(policy_reason)

Test cases: allow selected account read within 90 days; deny full customer 360 export; deny marketing after withdrawal; require re-consent for a new vendor; minimize logs with hashes and policy decisions instead of raw PAN or prompt payload.

10. Pitfalls

Pitfall	Why it fails	Better design
One global AI consent	Too vague and not purpose-specific	Purpose-specific grants with versioned notices
Prompt-only enforcement	Model can be tricked or misroute data	Policy engine plus RAG/tool enforcement
Preference center not connected to runtime	Choices look real but do not affect AI	Event-driven preference propagation
Consent without withdrawal operations	User control is cosmetic	Revocation, token invalidation, purge and evidence workflow
Consent used as legal shortcut	Conflicts with legal basis and customer expectations	Coordinate with legal, privacy and product terms
No capability-change trigger	Old consent silently covers new AI behavior	Re-consent on material data, action, vendor or model change
Evidence overcollection	Logs become a privacy risk	Manifests, hashes, encrypted vaults and retention rules

11. Interview Questions

How would you explain why consent is not a universal permission in financial AI?
How do you design a purpose catalog for customer service, marketing, RM copilot and open banking?
What fields belong in a consent/preference event schema?
How do you enforce purpose limitation in RAG and tool calls?
What happens when a customer withdraws consent while an AI workflow is running?
When does a new AI capability require re-consent?
How do you prove that AI did not use opted-out data for personalization?
How do you balance evidence retention with data minimization?

30 秒回答:

I treat consent as a runtime control, not a checkbox. For financial AI, every data use maps to a purpose, scope, subject, channel, time window, capability version and evidence record. The policy layer enforces that state across RAG, tools, memory, logs and vendors.

2 分钟回答:

I would start with a purpose catalog and a consent/preference event model. Each AI capability declares purpose, data classes, allowed actions, legal basis, consent requirement and re-consent triggers. At runtime, the orchestration layer calls a policy decision point before retrieval, tool use, memory write or logging. The decision uses identity, purpose, consent state, preference state, object scope, expiry, vendor and risk tier. Withdrawal propagates to token revocation, session controls, RAG tombstones, personalization suppression and audit evidence, so the system can prove what was allowed, denied, minimized, withdrawn or re-consented.