Captive Data: Who Controls the Enterprise's Data in the Age of Agentic AI
Across enterprise software, a decisive shift is underway: the major SaaS platforms are restricting systematic access to the data they hold, and reserving the richest, fastest, and cheapest access for their own AI services. We call this captive data. In roughly sixty days, Salesforce, SAP, and Microsoft have each taken concrete steps that make it harder for any AI other than the vendor's own to reach enterprise data at scale. For organizations betting on agentic AI, the strategic question is no longer "which model?" but "who controls access to our own data, and at what price?"
Executive summary
- The competitive moat has migrated from the model, to the workflow, to the data itself — and to who is permitted to use it.
- Restrictions are escalating across four layers: technical throttling, contractual bans, per-call metering, and architectural privileging of the vendor's own AI.
- Open standards, notably MCP, solve interoperability but not captivity; vendors are already turning MCP into metered gateways.
- "Agent access and data-egress rights" is becoming a first-order procurement term, on par with seat count and uptime.
The shift: from model moats to data moats
For two years, the perceived advantage in enterprise AI was the model. That advantage is commoditizing fast: any organization can call a frontier model from Anthropic, OpenAI, or Google through an API. At the same time, autonomous agents are eroding the moats traditional software relied on — user interfaces, workflow lock-in, and "ecosystem" integrations — because an agent can navigate around them. What remains defensible is proprietary data and privileged access to it. The consequence: every major SaaS vendor now aspires to be the primary AI layer over its own data, and each therefore has a direct commercial incentive to make that same data harder, slower, or costlier for any competing AI to reach.
The evidence: three moves that define 2026
Salesforce (Slack)
In late May 2026, Salesforce revised the Slack API terms to prohibit bulk export of Slack data, the creation of persistent copies or indexes, and the use of Slack data in large language models. Third-party knowledge tools that relied on this data — Glean among them — were directly affected. The sanctioned alternative is Salesforce's own Real-Time Search API, which returns results only from within Slack.
SAP
In late April 2026, SAP published an API policy prohibiting use of its APIs for interaction or integration with autonomous or generative AI systems that plan, select, or execute sequences of API calls, and barring large-scale extraction of data into non-SAP environments. Enforcement began June 9, 2026. SAP's parallel offering — an Integration Suite "MCP gateway" — exposes curated SAP data through managed servers with metering, rate limiting, and agent-identity verification. Forrester characterized the move as an attempt "to become the gatekeeper of enterprise AI."
Microsoft
Microsoft runs a more open-looking version of the same strategy. Its Work IQ intelligence layer exposes Microsoft 365 context to external agents, but access is metered per call in Copilot Credits, and its companion Copilot Retrieval API is currently scoped to files and SharePoint/OneDrive rather than mail and chat. In daily practice, third-party agents calling Microsoft Graph directly hit throttling (HTTP 429) well before the vendor's own Copilot does.
The mechanism ladder: how captivity is enforced
Captive-data strategies are best understood as four escalating layers. The fourth is the most consequential and the least visible: the same data is offered at two tiers of access, and the gap between them is the vendor's product.
| Layer | Mechanism | Representative example |
|---|---|---|
| 1. Technical | Throttling, removal of bulk export, no access to the semantic index | Microsoft Graph HTTP 429 throttling |
| 2. Contractual | Terms-of-service bans on LLM use and persistent indexing | Salesforce / Slack API terms |
| 3. Economic | Per-call metering of the access that remains (the "AI access tax") | Work IQ / Copilot Credits; SAP MCP gateway |
| 4. Architectural | The vendor's own AI gets privileged, indexed, in-tenant access; external AI gets the throttled, taxed path | Copilot vs. third-party agents |
The open-standards paradox: MCP as cure and tollbooth
The Model Context Protocol (MCP), created by Anthropic and donated to the Linux Foundation's Agentic AI Foundation in December 2025, is the leading open standard for connecting AI to tools and data — now supported by OpenAI, Google, Microsoft, AWS, and others. MCP genuinely solves the plumbing problem: one neutral way for any model to connect to any system. What it does not solve is captivity. A vendor can expose its data through an MCP server and still meter every call, rate-limit throughput, and verify agent identity — precisely what SAP's MCP gateway and Microsoft's Work IQ APIs do. The lesson for buyers: an open protocol standardizes the gate; it does not make the gate free. Interoperable is not the same as open.
The horizontal players: where Anthropic and Claude fit
Anthropic occupies an unusual position — a horizontal AI layer with no captive data of its own. That is both a credibility advantage (it is not trying to lock customers into a data platform) and a structural vulnerability (it depends on data that others increasingly fence off). It pursues two counter-strategies. The first is presentation-layer access: Claude in Chrome drives a browser the way a person would, reaching any web application the user is entitled to see, no API or bulk export required. This delivers remarkable breadth but not systematic depth; it is comparatively slow, brittle to interface changes, and unsuited to high-volume extraction — and vendors are beginning to prohibit UI automation as well. The second is the standards play: by authoring and open-sourcing MCP, Anthropic commoditizes connectivity so Claude can plug into anything cooperative. The net effect is that the fight runs on two layers — the data/API layer, where platform vendors hold the advantage, and the UI layer, where horizontal agents push back, imperfectly.
Vendor scorecard
A snapshot of how today's major platforms treat external AI access. "Net access" reflects what a third-party agent can practically achieve at scale, after restrictions and metering.
| Vendor | What is restricted | Sanctioned path for external AI | Net access |
|---|---|---|---|
| Salesforce / Slack | Bulk export, persistent indexes, LLM use of Slack data | Real-Time Search API (in-Slack results only) | Low |
| SAP | Agentic API orchestration; large-scale extraction to non-SAP systems | Integration Suite "MCP gateway" (managed, metered) | Low–Moderate (metered) |
| Microsoft 365 | Direct Graph at scale (throttled); semantic index reserved for Copilot | Work IQ APIs; Retrieval API (files/SharePoint only) | Moderate (metered) |
| Anthropic / Claude | None — horizontal layer, no captive data of its own | MCP + Claude in Chrome (uses the user's own entitlements) | High where permitted; bounded by others' limits |
Implications for enterprise buyers
The likely market equilibrium is not "open versus walled" but tiered access. Your licensed AI, or the vendor's own, receives cheap, rich, in-tenant access; horizontal AI receives metered, rate-limited, terms-bound access through gateways; and UI automation persists as a gray-market fallback for everything else. The enterprise pays a toll on every path; the only variable is its size. This reframes procurement: data-access and agent-access rights now belong in the contract alongside price and service levels. The decisive question to put to every SaaS vendor is simple — can the AI we choose reach our own data systematically, at what rate limit, under what terms, and at what per-call cost, or is that data effectively captive to your AI alone?
Recommended actions
- Inventory captivity. For each major SaaS platform, document what your own and third-party AI can access, at what rate limits, under what terms, and at what cost.
- Put it in the contract. Negotiate explicit data-egress and agent-access rights at renewal; treat them like seat count or uptime SLAs.
- Design for portability. Favor standards (MCP) and a governed data store you control, so access is not hostage to a single vendor.
- Right-size the access path. Use indexed / retrieval APIs instead of raw enumeration to control both cost and throttling; reserve UI automation for genuinely closed sources.
- Model the toll. Fold per-call and credit metering into AI total-cost-of-ownership forecasts — at scale, usage-based access can dwarf seat licensing.
- Watch the regulatory track. Data portability and interoperability are becoming contested; factor potential remedies into multi-year planning.
Outlook
Captive-data strategies are intensifying, not relaxing, and they are starting to draw legal and regulatory attention — Celonis's litigation against SAP over data access is an early signal. Expect continued tension between vendors' incentive to monetize access and customers' demand for portability, with open standards adopted at the protocol layer even as access is metered at the business layer. Organizations that treat data-access rights as a deliberate, negotiated part of their AI strategy — rather than a technical afterthought — will retain materially more freedom of action.
Selected sources
- Computerworld — Salesforce changes Slack API terms to block bulk data access for LLMs
- Kai Waehner — Data ownership in the age of agentic AI: SAP's API policy
- Forrester — SAP is attempting to become the gatekeeper of enterprise AI
- The Register — SAP's AI strategy: come for the openness, stay because you have to
- Microsoft 365 Blog — Announcing the new Work IQ APIs
- WorkOS — Everything your team needs to know about MCP in 2026
- a16z — Is Software Losing Its Head?
An independent briefing from Stewart Consulting, published for discussion. Questions or feedback are welcome — see Connect. This briefing synthesizes public reporting as of June 2026 and is provided for informational purposes; it is not legal advice. Verify vendor terms against primary sources before acting.