To be fair to them, the architecture description said that each datasource had a unique agent, so the orchestrator AI didn't have direct data access, and that they specifically only allow access to data the user has permissions for.

Unclear if each datasource agent is ALSO AI-based though, in which case it has just pushed the same concern down the line one hop.