---
title: "What Is Governed Context for AI Agent Skills?"
url: "https://atlan.com/know/ai-agent/ai-agent-skills/governed-context-for-agent-skills/"
description: "A skill can pass every security scan and still be wrong. See where ungoverned data enters a skill's 3-level architecture and what closes the gap."
author: "Emily Winks"
author_role: "Data Governance Expert"
published: "2026-07-16"
updated: "2026-07-16T00:00:00.000Z"
---

---

Governed context for agent skills means the data a skill reaches for at runtime is certified, current, and lineage-traced, a different question from whether the skill's code is safe to run. A 2026 Snyk audit found 36.82% of 3,984 public skills had a security flaw; Anthropic documents the mechanics of how skills load and run; DataHub and dbt Labs make a structured-context argument of their own. None asks whether a secure, well-written skill's answer is actually true, the open question this guide takes on, and the point in a skill's architecture where Atlan's context layer closes it.

---

| Field | Value |
|---|---|
| What It Is | Certifying and tracing the lineage of data a skill reads at runtime, distinct from code safety |
| Best For | Any skill whose Level 3 resources include a script or MCP call reaching live business data |
| Where It's Governed | Level 2 (terms, via a glossary) and Level 3 (scripts and MCP calls, via lineage-attached data) |
| Related Concepts | Business glossary, data lineage, MCP, Context Development Lifecycle |

  The AI Context Stack
  See how the layers between a model and its answer, from prompt to context to skill, determine whether an agent's output can be trusted.
  Get the AI Context Stack

---

## What is governed context for agent skills?

Governed context for agent skills is the practice of certifying and tracing the lineage of data a skill reaches for at runtime, distinct from whether its code is safe to execute. [Atlan's context layer architecture](https://atlan.com/know/what-is-the-enterprise-context-layer/) treats a skill as the new primitive that does for procedural knowledge what code did for logic in software, governed alongside the [enterprise data graph](https://atlan.com/know/what-is-a-context-graph/) and a business's semantics and ontology. A skill reading ungoverned data is an incomplete implementation of that foundation, not a separate problem.

This is the fourth rung in a lineage [skill engineering](https://atlan.com/know/ai-agent/ai-agent-skills/what-is-skill-engineering/) completes: prompt, context, [harness](https://atlan.com/know/what-is-an-agent-harness/), then skill. It treats the procedure inside [an agent skill](https://atlan.com/know/ai-agent/ai-agent-skills/what-are-agent-skills/), [structured through progressive disclosure in a SKILL.md file](https://atlan.com/know/ai-agent/ai-agent-skills/skill-md-file-explained/), as portable and reusable, leaving the data it runs on as a given, the same gap [context engineering states is not a skills problem](https://atlan.com/know/context-engineering-framework/). How a skill differs from [a plain tool call](https://atlan.com/know/ai-agent/ai-agent-skills/agent-skills-vs-tools/) or [a prompt](https://atlan.com/know/ai-agent/ai-agent-skills/skill-engineering-vs-prompt-engineering/) is settled elsewhere in this series; what matters here is what it reaches for once it runs.

Atlan's own [Enterprise Skills: A Practitioner's 2026 Governance Guide](https://atlan.com/know/what-are-enterprise-skills/) argues a close version of this idea, with data trust as one concern among several. This page is entirely about one argument: correctness of execution and truth of output are different properties.

---

## Is a secure agent skill automatically a trustworthy one?

A skill can pass every scanner Snyk or OWASP runs, zero malicious code, zero prompt injection, zero credential exposure, and still confidently report a wrong number. Security, authoring quality, and data trust are three different questions the ecosystem keeps collapsing into one.

[A 2026 Snyk Security Labs audit](https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/) scanned 3,984 skills and found 36.82% had at least one security flaw, 534 a critical issue, 76 a confirmed malicious payload. A separate study of 42,447 skills found [26.1% carried at least one vulnerability pattern](https://arxiv.org/abs/2601.10338), with executable-script skills 2.12 times more likely to be vulnerable, evidence risk concentrates at the same layer as ungoverned data risk.

A third study measured a different axis: UC Irvine researchers sampled 238 SKILL.md files and found [over 99% contained at least one "skill smell,"](https://arxiv.org/html/2607.01456v1) an authoring flaw like an unclear trigger, measuring structure, not data truth. A skill can score cleanly on all three and still read a stale table.

| Question | Who's asking it | What they miss |
|---|---|---|
| Is the code safe to execute? | Snyk, OWASP | Whether a clean scan means correct output |
| Is the skill well-structured? | The UC Irvine skill-smells study | Whether clean structure means current data |
| Is the data actually true? | No source in the open literature | This is the question this guide answers |

Paul Dudley of Streamkap put it plainly: ["the agent gives a perfectly calculated answer using perfectly defined metrics on perfectly stale data."](https://streamkap.com/resources-and-guides/why-ai-agents-wrong-answers) The rest of this guide narrows that pattern to the skill primitive.

---

## Where in a skill's 3-level architecture does ungoverned data enter?

Agent Skills load in three stages, metadata at startup, instructions on match, resources on demand, and each stage carries a different data-trust risk no existing guide has mapped end to end. [Anthropic's design rationale for progressive disclosure](https://www.anthropic.com/engineering/equipping-agents-for-the-real-world-with-agent-skills) is this efficiency: an agent doesn't read a skill's full body until its description matches the task; that's why Level 3's on-demand loading is where ungoverned data enters.

| Level | What it does | Where ungoverned data enters | What governs it |
|---|---|---|---|
| Level 1: Metadata | Advertises the skill at startup | Low risk, no data read yet | Not applicable |
| Level 2: Instructions | Names business terms | A term like "net revenue" has no single certified definition | A business glossary resolves it first |
| Level 3: Resources | Executes queries, calls live systems | A script queries a stale table, or gets data with no provenance | Lineage-attached data via MCP |

### Level 2: where a business term becomes a silent risk

A skill's SKILL.md body says "calculate active customers." Two teams' warehouses define "active" differently, one counts a login in 30 days, the other a paid transaction. The skill executes flawlessly against whichever table its author pointed it at, and a confident, wrong number lands in a Slack thread, the same 2.12x-riskier surface, now handed an undefined term with no correction step.

### Level 3: where a script's query becomes a silent risk

A bundled script queries a table deprecated six weeks ago and still returns a perfectly formatted, wrong answer, because nothing checks whether it's current. A table in a catalog isn't automatically governed; [a catalog and a context layer answer different questions](https://atlan.com/know/data-catalog-vs-context-layer/). [Moveworks, via Promethium](https://promethium.ai/guides/signs-data-stack-not-ready-ai-agents-2026/), found bare schema queries run at 10 to 31% accuracy, versus 94 to 99% for governed context, the gap [a data engineering team's context layer](https://atlan.com/know/context-layer-for-data-engineering-teams/) closes.

---

## How does a business glossary govern a skill's Level 2 instructions?

When a skill's SKILL.md body references a business term like "active customer," a [business glossary](https://atlan.com/know/business-context-layer/) resolves it to one certified, owner-approved definition before it enters the skill's reasoning, the mechanism that closes the Level 2 gap above, one [Atlan's Enterprise Skills guide](https://atlan.com/know/what-are-enterprise-skills/) names as a flat capability without showing where it intercepts.

The glossary sits between a skill's instructions and the term those instructions name, intercepting "calculate active customers" and resolving it to one owner-approved definition, rather than letting whichever table gets queried pick its own version. This is [semantics and ontology](https://atlan.com/know/business-context-for-ai/) doing for a skill's vocabulary what [certified lineage](https://atlan.com/know/training-data-lineage-for-llms/) does for its data, the same step [a semantic layer for AI agents](https://atlan.com/know/ai-agent/semantic-layer-for-ai-agents/) performs for any consuming system.

That step is governed, not incidental: an unreviewed term is equivalent to an unreviewed skill in [Atlan's Context Development Lifecycle](https://atlan.com/know/how-to/implement-enterprise-context-layer-for-ai/), a Build, Test, Review, Approve, Deploy, Learn sequence applying to a metric and a skill's procedure alike, the same review a [data governance team](https://atlan.com/know/ai-agent/context-layer-for-data-governance-teams/) runs for policies and lineage.

---

## How does MCP deliver certified data to a skill's Level 3 resources?

A skill's Level 3 resources, bundled scripts, reference files, live queries, reach governed data through [MCP](https://atlan.com/know/mcp/why-mcp-matters-for-ai-agents/), one of several protocols a context layer uses to serve consuming systems. An MCP call instead of a raw schema query returns certified, [access-controlled context](https://atlan.com/know/zero-trust-data-governance/), not a raw dump. The skill doesn't have to guess whether a table is stale, since the response carries [certification and lineage metadata](https://atlan.com/know/mcp/mcp-for-data-lineage/), letting a team [trace a wrong answer back to its source table](https://atlan.com/know/mcp/data-lineage-rca-with-mcp/), not just the prompt.

The security community already asks this on the code axis: [one in four MCP servers reportedly opens AI agent security to code-execution risk](https://www.helpnetsecurity.com/2026/05/05/ai-agent-security-skills-blind-spots/), per Help Net Security. This guide asks it on the data axis instead.

Atlan has measured this one layer down: in a text-to-SQL evaluation across 145 queries, agents querying live, governed metadata through MCP hit roughly 3x the accuracy of agents querying bare schemas, the same pattern when a skill's script calls MCP. [Agent Skills vs MCP](https://atlan.com/know/ai-agent/ai-agent-skills/agent-skills-vs-mcp/) covers the full boundary; [when to use MCP vs. a plain API](https://atlan.com/know/when-to-use-mcp-vs-api/) or [MCP vs. function calling](https://atlan.com/know/mcp-vs-function-calling/) cover adjacent decisions.

![Business glossary at Level 2 and MCP-certified data at Level 3 converging into reliable, governed agent skill output](https://website-assets.atlan.com/img/governed-context-for-agent-skills-1-two-mechanism-governance-flow.webp "Business glossary meaning + MCP-certified data converging into one governed skill")

  AI Agent Context Readiness Checklist
  Check whether the tables and resources your skills already query are certified, current, and lineage-traced, before the next confidently wrong answer ships.
  Check Readiness

---

## When does a skill need governed context, and how do you check?

Nearly every production skill needs governed context. Any skill whose Level 3 resources include a script or MCP call reaching live business data carries this exposure, whether or not its code has been scanned. [Production RAG systems become confidently wrong about a third of what users ask within three months](https://glenrhodes.com/data-freshness-rot-as-the-silent-failure-mode-in-production-rag-systems-and-treating-document-shelf-life-as-a-first-class-reliability-concern/), per Glen Rhodes' analysis of freshness rot. A skill's bundled files and MCP-retrieved resources are exposed to the same decay.

| Check | Why it matters | Where |
|---|---|---|
| Terms resolve to a certified glossary definition | Prevents teams disagreeing on what "active customer" means | Level 2 |
| Queried tables carry certification metadata | Distinguishes "trusted" from "exists" | Level 3 |
| Lineage is attached for anything a resource touches | Lets you trace a wrong answer to its source | Level 3 |
| Data reaches the skill through MCP, not a static file | A bundled file goes stale silently; a governed call guarantees freshness | Level 3 |
| A freshness timestamp is checked at runtime | Closes the gap where fresh-at-authoring data goes stale | Level 3 |

This checklist is deliberately narrow, not a vendor scorecard; that full evaluation is [Atlan's Enterprise Skills guide](https://atlan.com/know/what-are-enterprise-skills/)'s job. The step-by-step lives in [How to Write an Agent Skill](https://atlan.com/know/ai-agent/ai-agent-skills/how-to-write-an-agent-skill/); the broader roundup, with this check as one practice among several, lives in [Agent Skill Best Practices](https://atlan.com/know/ai-agent/ai-agent-skills/agent-skill-best-practices/).

---

## Real stories from real customers: context behind every skill's answer



      "We're excited to build the future of AI governance with Atlan. All of the work that we did to get to a shared language at Workday can be leveraged by AI via Atlan's MCP server…as part of Atlan's AI Labs, we're co-building the semantic layer that AI needs with new constructs, like context products."


      — Joe DosSantos, VP of Enterprise Data & Analytics, Workday




    Watch Now




      "Atlan is much more than a catalog of catalogs. It's more of a context operating system…Atlan enabled us to easily activate metadata for everything from discovery in the marketplace to AI governance to data quality to an MCP server delivering context to AI models."


      — Sridher Arumugham, Chief Data & Analytics Officer, DigiKey




    Watch Now


Neither quote names a skill, since both predate "agent skill" as common vocabulary. Both describe the same shift mapped onto the skill primitive: a shared vocabulary and an MCP server delivering governed context are what a procedure actually depends on.

  See the Context Layer in Action
  Watch a live walkthrough of how Atlan certifies the data your agent skills read at runtime.
  Watch the Demo

---

## Why a skill is only as reliable as the context it runs against

Teams shipping their first agent skills report the skill "working." It loads, follows the procedure, produces formatted output. The answer is wrong anyway, because the skill can't know if the table its script just queried is stale, deprecated, or uncertified. That's not a flaw in the skill; it's a gap in what it was ever asked to check.

Atlan doesn't treat a skill as an external category to react to. Its architecture names skills as one of three integrated parts of the context foundation, governed by the same lifecycle as a metric or policy, underpinning [AI readiness](https://atlan.com/know/ai-readiness-vs-knowledge-graphs/) more broadly. [Procedural memory](https://atlan.com/know/semantic-memory-vs-procedural-memory-ai-agents/), one of four memory types in Atlan's compounding learning loops, is where a skill lives. A skill never promoted through review stays uncertified indefinitely, no matter how many times it runs.

That certification pipeline isn't hypothetical. Atlan's **Context Agents** have generated more than 1.7 million description updates, 90% accepted, 87% rated on par with or better than human-written ones, saving more than 209,000 hours of manual work, the same pipeline governing a skill's Level 2 terms and Level 3 data before it reads from them.

Security research answers whether a skill's code is safe. Authoring research answers whether it's well-structured. Neither answers whether its output is true, the gap governed context exists to close. The principle extends to [how an organization governs its agents overall](https://atlan.com/know/ai-agent-governance/): a fleet of skills is only as trustworthy as its weakest data source.

Book a Demo

---

## FAQs about governed context for agent skills

### 1. Can an agent skill be secure but still produce wrong output?

Yes. Security scanning from Snyk and OWASP checks a skill's code, not the data it reads at runtime. A skill can pass every scanner and still query a stale table, producing a confident, wrong answer.

### 2. What is the ToxicSkills audit from Snyk?

A 2026 Snyk audit of 3,984 public-registry skills found 36.82% had a security flaw and 76 held confirmed malicious payloads. It addresses code safety, not whether a clean skill's data is trustworthy.

### 3. How does MCP relate to data governance for AI agents?

MCP is one of several protocols a context layer uses to deliver governed data. A skill querying through MCP instead of a raw connection can receive certification and lineage metadata alongside the answer.

### 4. What is the difference between a skill's procedure and the data it reads?

The procedure is the portable instructions in a SKILL.md file. The data is whatever live table, document, or API its resources query at runtime. Each can be correct or wrong independent of the other.

### 5. What is data freshness rot in AI systems?

The gradual staleness of the data a system depends on, causing an unchanged, correct procedure to produce increasingly wrong answers, with no change to the model or code.

### 6. Does Atlan's context layer work with agent skills?

Yes. A business glossary resolves ambiguous terms before they reach a skill's Level 2 instructions, and MCP delivers certified data to its Level 3 scripts, the two points where ungoverned data enters.

---

## Sources

1. ToxicSkills: Malicious AI Agent Skills Supply Chain Compromise, Snyk. https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/
2. Agent Skills in the Wild: An Empirical Study of Security Vulnerabilities at Scale, arXiv. https://arxiv.org/abs/2601.10338
3. From Anatomy to Smells: An Empirical Study of SKILL.md in Agent Skills, arXiv. https://arxiv.org/html/2607.01456v1
4. Why Your AI Agents Keep Getting the Wrong Answer, Streamkap. https://streamkap.com/resources-and-guides/why-ai-agents-wrong-answers
5. Data Freshness Rot as the Silent Failure Mode in Production RAG Systems, Glen Rhodes. https://glenrhodes.com/data-freshness-rot-as-the-silent-failure-mode-in-production-rag-systems-and-treating-document-shelf-life-as-a-first-class-reliability-concern/
6. 7 Signs Your Data Stack Isn't Ready for AI Agents in 2026, Promethium. https://promethium.ai/guides/signs-data-stack-not-ready-ai-agents-2026/
7. Equipping Agents for the Real World with Agent Skills, Anthropic. https://www.anthropic.com/engineering/equipping-agents-for-the-real-world-with-agent-skills
8. One in Four MCP Servers Opens AI Agent Security to Code Execution Risk, Help Net Security. https://www.helpnetsecurity.com/2026/05/05/ai-agent-security-skills-blind-spots/
9. OWASP Agentic Skills Top 10, OWASP. https://owasp.org/www-project-agentic-skills-top-10/