The Room Where It Happens: An Evening at Undercote

The Conversations That Mattered

The dinner surfaced themes that Ethyca encounters regularly — but hearing them from twenty organizations in the same room sharpened the picture considerably. The problems are not primarily technical. They are architectural. And they are becoming harder to defer.

The centralization problem. Privacy technology stacks have sprawled. Point solutions multiply. Accountability diffuses. The leaders in that room are being asked to consolidate — to bring coherence to systems that were never designed to speak to each other. The complexity is real, and the organizational will required to address it is immense.

The AI governance mandate. Boardrooms have issued the mandate. Now the practitioners have to figure out what it actually means. The organizations represented at our table are not waiting for regulatory clarity before building policy frameworks — they are writing policies designed to scale, knowing the rules will continue to shift beneath them. This is governance as a first-principles engineering challenge, not a compliance checkbox.

The cross-border complexity. Expansion creates exposure. Every new market brings a new regulatory regime. Every acquisition brings a new data estate, often governed by different rules, stored in different systems, subject to different rights regimes. Cross-border data management is genuinely hard, and the organizations in that room are dealing with it at scale.

The harmonization gap. Mergers and acquisitions are privacy events. When two companies combine, their data does not simply merge — it collides. Different schemas, different retention policies, different definitions of consent, different jurisdictional requirements. Getting to a unified, governed data estate post-acquisition is work that most organizations dramatically underestimate.

These are not niche concerns. They are the operational challenges facing most large enterprises operating across borders today — and the terrain that Ethyca was built to address.

A New Architecture for a New Problem

As the evening deepened, Ethyca's Chief Architect Ethan Lo took the floor.

Ethan has spent his career operating at the intersection of data, privacy, and engineering governance. As Head of Privacy Engineering at one of the largest financial institutions in North America, as CIO and CISO of a platform operating across 140 countries, and now as the architect of Ethyca's Trusted Data Layer — he brings a practitioner's perspective that resonates with the people in the room.

The dominant model for data access has been role-based or attribute-based: you control who can touch data based on identity. It works — until it doesn't. Until the organization is large enough, fast enough, complex enough that identity-based control becomes a liability. Until AI agents need data access that no human explicitly provisioned. Until a regulatory audit asks not just who touched the data, but why.

Ethan introduced the room to Purpose-Based Access Control (PBAC) — a fundamental rethinking of the access model. Under PBAC, access is not governed by who you are. It is governed by why you need the data. Every query, every pipeline, every AI inference carries a declared purpose — and that purpose is evaluated against policy in real time.

This is what Ethyca calls Astralis: a data governance and privacy-as-code engine that sits between your data and everything that consumes it. Analytical tools. ML models. AI agents operating via MCP protocols. Business applications. It does not matter what is asking. What matters is whether the purpose of the ask is authorized.

For the privacy and legal leaders in the room, the implication was immediately legible: your policies, written in plain language, become enforceable in code. The gap between what the policy document says and what the data infrastructure does — that gap, which has always been where liability lives — closes.

Ethan also outlined Helios, Ethyca's data discovery layer. Before you can govern data, you have to know where it is. Helios crawls catalogs, schemas, API documentation, and metadata sources to construct a living data map: a continuously updated inventory of every data asset in the enterprise, classified by sensitivity and context. It is the foundation on which everything else is built.

What We Are Building

Ethyca is not a compliance vendor. Compliance is a byproduct of what we do, not the goal.

The goal is a world where organizations can move fast, operate globally, and adopt new technologies without having to choose between velocity and integrity. Where the governance layer is not a tax on engineering, but a property of the architecture itself. Where "are we allowed to use this data for this purpose?" is answered automatically, with a complete audit trail.

Executive leaders who gathered at Undercote on February 27th are not just customers or prospects. They are the practitioners whose daily work shapes what we build. We're grateful for their candor and for the quality of thinking they brought to the table.

Good dinners leave you with a clearer sense of the problems worth solving, and the people willing to work on them alongside you.

Ethyca builds the infrastructure for responsible data use. To learn more about our Trusted Data Layer and the Fides privacy engineering platform, speak with us today - we’re happy to compare notes on data, privacy and AI.