- Home
- The Thinking Wire
- Your Exception Log Is the Moat: Governed Data Access as Competitive Strategy
Your Exception Log Is the Moat: Governed Data Access as Competitive Strategy
Two Berkeley researchers put a number on the strategy shift this month: “data is your only moat.” Vikram Sreekanti and Joseph Gonzalez argue that model quality converges fast enough that anything built purely on top of a frontier model is, in their words, “easy to adopt also means easy to displace.” What survives that convergence is not the model layer. It is the data a competitor is contractually and technically barred from touching.
That reframes defensibility as an access-control problem before it is a data-quality problem. The moat is not “we have more data.” The moat is “we are permitted to train on this data and you are not,” backed by contracts, IAM boundaries, and audit trails that make the permission real rather than aspirational.
The Access Gate, Not the Data Pile
Enterprises are getting sharper about what they let vendors and partners train on. That is the mechanism Sreekanti and Gonzalez point to: contractual restriction on training use is now a standard negotiating line, not a footnote. A company that has spent a decade accumulating proprietary operational data gets to decide who is permitted to learn from it. A company that has not built the governance layer to enforce that decision has a data pile, not a moat. The pile is copyable the moment someone gets export access. The moat is the enforcement.
James Betker, who worked on model training at OpenAI, states the underlying mechanism plainly: “model behavior is determined by your dataset, nothing else.” If that is true, then the entity that controls which datasets get near which models controls the ceiling on what any given model can become. Data spend in the industry is already running around $7 billion and is projected, per industry estimates surfaced by MBI Deep Dives, to exceed $100 billion by 2030. Those figures come from secondary reporting on data behind a paywall, so treat them as directional, not precise. The direction itself is the point: the money is moving toward acquiring and controlling data access, not toward marginal model gains.
Why the Exception Log Is the Sharpest Slice
Most proprietary data is valuable in aggregate: transaction histories, usage logs, customer records. But per a thread from Jaya Gupta on AI’s value capture problem, the most sensitive slice of company knowledge does not live in the aggregate tables. It lives in the exception and override log: when the company bends the rule for a broker, when a fraud pattern gets flagged for escalation instead of auto-denial, which underwriter’s judgment gets trusted over the model’s, which edge case turns into a paid claim instead of a denial.
That log encodes something no standard operational dataset does. It encodes the company’s actual risk tolerance, expressed as a sequence of individual decisions rather than a stated policy. A policy manual says what the company claims it does. The exception log says what the company actually does when the policy runs out of coverage. That is the training signal a competitor would pay the most to see, and it is also the signal an enterprise has the strongest incentive to lock down, because it exposes judgment calls that were never meant to be legible outside the room where they were made.
This is a hedge worth stating directly, since the source for the framing is a thread that could not be deep-read beyond its summary: the specific claim here is the framing itself (exception logs as the sensitive core), not a verified data point about any particular company’s practices. Treat it as a lens, not a citation of fact.
The Insurance and Finance Cross-Domain Read
Insurance and finance are the sharpest test cases because both industries already run on documented exceptions. Underwriting has always had a formal override process: a human underwriter can approve a policy the rules engine would reject, and that override gets logged, because regulators require it. Claims adjustment has the same shape: an adjuster’s decision to pay a borderline claim, or to escalate a suspicious pattern instead of auto-processing it, is a data point with a paper trail by design.
That existing documentation habit means insurance and finance firms are sitting on years of exactly the data described above, already structured, already timestamped, already tied to an identified decision-maker. Most of them have never treated it as a training asset. It has been treated as a compliance artifact, something you produce for an auditor, not something you protect as a strategic input. That framing is the gap. The same log that satisfies a regulator’s audit request is the log that would let a model learn how a fifteen-year underwriter actually prices risk at the margin, which is precisely the judgment a rules engine cannot encode from policy documents alone.
The firms that get this first will do two things at once: keep the exception log as rigorous as the regulator requires, and separately govern who is permitted to train models on it, at what granularity, under what retention terms. Those are two different governance regimes layered on the same data, and most compliance functions are only built to run the first one.
What This Changes About Where the Moat Sits
The practical shift is that data-access governance stops being the tax you pay to satisfy legal and starts being the asset that determines who can build a defensible model on top of your operations. A company that lets any vendor export its exception log for “product improvement” has handed away the one dataset a competitor cannot replicate through public data or synthetic generation. A company that scopes, logs, and can revoke that access has kept the input that makes its own eventual model, or its chosen vendor’s model, structurally better than what a fast-follower can build from public sources.
This does not mean locking everything down uniformly. Aggregate operational data may be fine to share broadly; it commoditizes anyway. The exception log deserves the tightest scope: named approvers, purpose-limited training grants, expiration dates, and an audit trail that can prove, after the fact, exactly which model saw which override and when.
Do This Now
Pull your exception and override logs, across underwriting, claims, fraud escalation, pricing exceptions, or the equivalent in your domain. Ask three questions this week. Who currently has export or training access to that data, and was that access ever explicitly granted for training use, or did it ride along with a broader integration? Is there a retention and revocation mechanism, or does access persist indefinitely once granted? And is the log itself as complete as your compliance function believes, or does it only capture exceptions that were escalated, missing the informal overrides that never got written down? Answer those three, and you know whether your exception log is a moat or an open door.
This analysis synthesizes Data Is Your Only Moat (The AI Frontier, July 2026), AI’s Value Capture Problem (Jaya Gupta, July 2026), The Salience of Data (MBI Deep Dives, July 2026).
Victorino Group helps teams turn data-access governance into a defensible moat rather than a compliance cost. Let’s talk.
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com . About The Thinking Wire →
If this resonates, let's talk
We help companies implement AI without losing control.
Schedule a Conversation