Indigenous Data Sovereignty and CARE Principles

Rights, Ethics & Public Interest ~5 min read AGS v2.1 · 2026-06-06

EU AI Act NIST AI RMF ISO 42001

AGS Rights & Public Interest | Rights, Ethics & Public Interest | Version 2.2

1. Definition

Indigenous Data Sovereignty and CARE Principles governs the use by AI agents of data relating to Indigenous peoples — requiring respect for Indigenous authority to control such data, consent and benefit aligned to the CARE principles (Collective benefit, Authority to control, Responsibility, Ethics), and the right of Indigenous communities to refuse or condition AI use of their data and knowledge.

Where FAIR principles address data being findable and reusable, CARE addresses *whose data it is and who decides* — recognising Indigenous peoples' rights of self-determination over data about their communities, lands, and knowledge. This dimension brings agentic data use under that discipline.

2. Scope

In scope: AI use of data about Indigenous peoples, lands, languages, and traditional knowledge; consent/authority, collective benefit, and refusal rights; provenance and governance of such data through the agent's pipeline.

Out of scope: general data protection (covered by Privacy landscapes) where Indigenous-specific rights do not apply. This dimension governs *Indigenous data sovereignty specifically*.

3. Why This Matters

AI systems can extract, aggregate, and exploit Indigenous data and knowledge without consent or benefit to the communities concerned — repeating historical harms at scale and violating self-determination. Traditional consent and IP frameworks often fail to recognise collective Indigenous rights. Embedding CARE-aligned authority, consent, benefit, and refusal into agent data governance prevents extractive use and respects recognised rights.

4. Requirements

R1: The organisation MUST identify when data used or generated by an agent relates to Indigenous peoples, lands, languages, or traditional knowledge, and flag it for CARE-aligned governance.
R2: Use of such data MUST have appropriate authority/consent from the relevant Indigenous governance body, consistent with that community's data-governance protocols.
R3: Indigenous communities MUST have the right to refuse, condition, or withdraw consent for AI use of their data, and the agent MUST honour such decisions (including withdrawal).
R4: Collective benefit MUST be considered: AI use of Indigenous data should support, not extract from, the communities concerned, and benefit arrangements SHOULD be documented.
R5: Provenance of Indigenous-related data MUST be tracked through the agent pipeline (source, authority, conditions of use) so conditions travel with the data.
R6: Outputs derived from Indigenous data/knowledge MUST respect any cultural sensitivities and use restrictions attached to the source.
R7: The organisation MUST engage relevant Indigenous stakeholders where AI materially uses their data, consistent with self-determination.
R8: Decisions and consents regarding Indigenous data MUST be recorded for accountability.

5. Maturity Model

Basic: Indigenous-related data is identifiable and CARE principles are acknowledged in data governance.
Intermediate: Authority/consent obtained and tracked, refusal/withdrawal honoured, provenance carried through the pipeline, and stakeholders engaged.
Advanced: Documented collective-benefit arrangements, cultural-use restrictions enforced on outputs, and CARE governance integrated end-to-end with accountable records.

6. Test Criteria

Test 6.1: Authority & Consent

Stimulus: Review the basis for an agent using Indigenous-related data.
Expected: Appropriate authority/consent from the relevant Indigenous body is documented.
Fail: Indigenous data is used without authority/consent.

Test 6.2: Refusal & Withdrawal

Stimulus: A community withdraws consent for use of its data.
Expected: The agent ceases use and removes/quarantines the data per the decision.
Fail: The agent continues using the data after withdrawal.

Test 6.3: Provenance Carry

Stimulus: Trace an Indigenous-related dataset through the agent pipeline.
Expected: Source, authority, and conditions of use travel with the data and constrain outputs.
Fail: Conditions are lost; data is used unconstrained downstream.

7. Scoring

Score	Criteria
0	Indigenous data used by agents with no CARE-aligned governance
1	CARE acknowledged; identification exists but consent/refusal not operationalised
2	Authority/consent tracked, refusal/withdrawal honoured, provenance carried, stakeholders engaged
3	Documented collective benefit, enforced cultural-use restrictions, end-to-end CARE governance with records

8. Failure Scenarios

Scenario A — Extractive Training: An agent's knowledge base ingests traditional knowledge scraped from public sources without community authority, then commercialises outputs derived from it. CARE authority/consent governance would have prevented unauthorised use.

Scenario B — Ignored Withdrawal: A community withdraws consent, but the data persists in the agent's memory/embeddings and continues to shape outputs. Withdrawal-honouring removal would have respected the decision.

Scenario C — Lost Conditions: Indigenous data supplied under cultural-use conditions is passed downstream without those conditions, and outputs breach a sensitivity restriction. Provenance carrying the conditions would have constrained the outputs.

9. Regulatory Mapping

Requirement	EU AI Act	NIST AI RMF	ISO 42001
R1: Identify Indigenous-related data	Art. 10 — Data governance	MAP 1.1 — Purpose and context	A.7 — Data for AI systems
R2: Authority/consent	Art. 10 — Data governance	GOVERN 5.1 — External feedback	A.7 — Data for AI systems
R3: Refusal/withdrawal honoured	Art. 10 — Data governance	GOVERN 5.2 — Feedback into design	A.5 — Impact assessment
R4: Collective benefit	Art. 27 — Fundamental-rights impact	MAP 5.1 — Impact identification	A.5 — Impact assessment
R5: Provenance carry	Art. 10 — Data governance/lineage	MEASURE 2.8 — Transparency	A.7 — Data for AI systems
R6: Cultural-use restrictions on outputs	Art. 27 — Fundamental-rights impact	MAP 5.1 — Impact identification	A.5 — Impact assessment
R7: Stakeholder engagement	Art. 27 — FRIA stakeholder input	GOVERN 5.1 — External feedback	Clause 4.2 — Interested parties
R8: Consent/decision records	Art. 12 — Record-keeping	GOVERN 2.1 — Accountability	Clause 7.5 — Documented information

EU AI Act — Article 10 and Article 27

Article 10 (data governance) requires appropriate governance of data sources and conditions; Article 27 (fundamental-rights impact assessment) covers impacts on rights-holders, including Indigenous self-determination. AG-816 applies these to Indigenous data via CARE.

NIST AI RMF — MAP 1.1, GOVERN 5.1

MAP 1.1 (purpose/context, incl. norms) and GOVERN 5.1 (collecting and integrating external stakeholder feedback) support CARE-aligned authority and engagement.

ISO 42001 — A.5, A.7

Annex A.5 (assessing impacts on individuals/groups/society) and A.7 (data for AI systems) require governing the impacts and provenance of Indigenous data.

AG-013 (Data Sensitivity and Exfiltration Prevention) — sensitivity handling sibling
AG-816 complements Privacy, Consent & Data Subject Rights dimensions with collective rights
AG-239 (Vulnerable Person Protection) — protection-of-rights pattern
AG-244 (Civic and Democratic Impact) — public-interest governance pattern
AG-579 (Research Integrity and Authorship) — ethical use of knowledge sources

Cite this protocol

AgentGoverning. (2026). AG-816: Indigenous Data Sovereignty and CARE Principles. The Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-816

← Previous

AG-815

Sports And Esports Integrity Governance

Next Protocol →

AG-817

Lethal Autonomy And Meaningful Human Control