News Analysis
Slack’s new real-time search (RTS) API and Model Context Protocol (MCP) promise to power a new era of AI productivity, but they also raise complex questions about data control, governance and who ultimately owns the ‘truth’ in enterprise AI.
Slack announced the RTS API and MCP server updates on October 13, giving developers and partners more secure, flexible access to the conversational data stored in Slack.
The tools let AI applications and agents deliver context-aware, user-specific interactions, helping teams make faster decisions, streamline workflows and boost productivity.
Companies including Anthropic, Google, Dropbox, Notion and Vercel are already building AI solutions that operate natively within Slack, using previously siloed conversations. Agents summarize project discussions, update records or find insights, which reduces context switching and makes tools more useful in daily workflows.
The company states it supports the features with enterprise-grade security, privacy safeguards and granular access controls, to help the AI system interact with sensitive data safely and within defined permissions. The RTS API and MCP server provide controlled, real-time access to relevant information.
The result is a platform that could redefine workplace AI — or test how much trust companies are willing to place in it.
The Data Ownership Illusion
The boundaries seem clear in contractual terms. Customers own their Slack data, and third-party developers get no independent rights to it. Slack's platform policies prohibit using workspace data to train large language models, and the company provides the frameworks enterprises expect, including data processing agreements, certifications and residency options.
But focusing on whether data gets used for training misses the deeper problem, said Peter Swimm, founder of Toilville LLC. What matters more is Slack's pivot into "the provider of truth for enterprise AI" and a platform that determines how third-party systems perceive context, even without training on the data itself.
The issue isn't ownership in a legal sense — customers nominally control their data — but the practical challenge of maintaining that control as information flows outward. When applications connect to Slack's AI gateway, customers rarely see the full scope of what's granted. Access is called ephemeral, yet enforcement depends on trust rather than technical safeguards. And oversight ends the moment data leaves Slack's systems.
This is a branching problem, said Rory Bokser, head of product at Moken.io. Each new integration point creates another chain in the vendor lock-in, another moment where control slips away. Third-party access means trusting "each of their unique data supply chains,” he said. “Caching, logging, telemetry data, developer copies… these things will branch quickly.”
Slack's terms become "a moot point post-ingestion,” Bokser said. “It's the same as handing someone a bottle of water and then trying to manage how they store it, how they drink it, whether they use it to water the lawn." You can label the bottle however you like, but verification is impossible, he said.
When Slack's Data Policy Meets Reality
The architecture includes protections. Real-time search and MCP are designed to prevent bulk downloading. Slack provides admin controls such as app approval workflows, fine-grained permissions, audit logs and encryption options.
The system provides "just-in-time context without bulk export," which should provide better AI accuracy while maintaining security, said Monika Malik, AI leader at AT&T. The risk areas she identifies include app governance, scoping, shadow apps and excessive retention — and all sound manageable with proper controls.
But customers typically aren't vetting vendor-level data retention policies, Bokser points out. Slack will have zero practical visibility into whether a vendor like Dropbox complies with restrictions on creating model vectors, message embeddings or summaries that get used in downstream products.
The platform can prohibit training in developer terms and hope vendors comply or fight it out publicly after the fact. That gap between policy and enforcement isn't a minor implementation detail — it's the central vulnerability.
While Slack provides compliant infrastructure and contractual safeguards, customers remain "responsible for lawful use, transparency and third-party oversight,” agreed Zlatko Delev, head of commercial at GDPR consultancy GDPRlocal.com.
While the platform enforces API restrictions, customers must ensure third-party apps implement proper encryption, minimal permissions and deletion policies. Visibility depends entirely on customer governance practices, tracking which apps have access to what data and how they use it.
The compliance problem becomes more challenging when data subject rights enter the picture. Imagine a single message vector landing on five third-party API endpoints, three independent logging pipelines and four siloed vendor buckets, and then someone requests the right to be forgotten.
But most companies won't know from which app that vector was pulled or precisely where it lives. Without forensic tooling baked into the protocol itself, GDPR and CCPA compliance becomes what Bokser calls theater, not protection.
A Policy Without Technical Enforcement
The fundamental issue is that policy without technical enforcement is just wishful thinking. What's needed are safeguards built into the tooling such as token gating, time-limited access windows, automatic data redaction, real-time tracking of deletion requests and zero-retention API hooks, said Bokser.
Without these engineering controls, Slack's open model remains "fully usable for training misuse" regardless of what the developer terms prohibit. When app ecosystems expand faster than trust frameworks keep pace, policy has little weight.
This stands in contrast to Microsoft's approach. Teams keeps most data within its own ecosystem using Graph API and Copilot privacy controls. Where Microsoft's approach feels walled and controlled with fewer wildcards in the model, Slack is building a marketplace with hundreds of access points.
Conference
Nov
17
KMWorld Washington 2025
Register
Webinar
On demand
AI in Customer Service: Faster Resolutions, Happier Customers
Don’t let rising demand burn out your team. See how to build a smarter, more resilient support org.
Watch Now
Webinar
On demand
Accelerating Healthcare Ops with AI
Sign up to see how your peers are putting AI to work — and making it stick.
Watch Now
Webinar
On demand
From Nice-to-Have to Non-Negotiable: Prove the Value of Your EX Stack
Transform your tech stack: prove its value, secure your future.
Watch Now
Webinar
On demand
The Great Workforce Breakdown (And How to Stop It)
Disconnected employees. Failing communication. It’s time to turn things around.
Watch Now
Webinar
On demand
Maximize Your Intranet’s Value: Enhance the Employee Experience for Greater Adoption
Learn practical strategies to enhance usability, boost adoption and ensure your intranet becomes a true productivity hub.
Watch Now
Slack promotes real-time secure access while prohibiting training, whereas Teams relies on graph and Copilot governance, Malik said. Or as Bokser put it more bluntly, you can be Microsoft and go slow and controlled, or you can be Slack and go big and risky.
The strategic choice is deliberate. Slack offers flexibility and integration breadth that Microsoft's walled garden cannot match. But that flexibility carries what Delev described as "higher data-governance risk."
The architecture prioritizes ecosystem growth over enforcement capability, betting that contractual obligations and vendor reputation will be sufficient guardrails. History suggests this is an optimistic assumption.
What Happens When One Company Acts as Gatekeeper?
What makes this particularly concerning is Slack's emerging role as the context layer for enterprise AI, a transformation from communications tool into the nervous system feeding artificial intelligence across the enterprise stack. This gives extraordinary power to whoever controls that layer.
Salesforce, Slack's parent company, becomes what Swimm called "its primary arbiter." The real risk lies not in downstream suppliers but in platforms such as Salesforce that serve as gatekeepers for enterprise data.
Whoever controls this layer defines what an organization's AI perceives as real, Swimm said. The danger isn't that conversations become training data, but that they become the material for someone else's truth engine.
When Slack determines which context gets found for which AI systems, and when it mediates the relationship between workplace communication and machine understanding, it gains influence that extends beyond a messaging platform. Customers have limited ability to verify what happens behind that curtain or challenge the interpretations being constructed from their data.
Slack's competitive advantage becomes its greatest liability. The platform is positioned to power enterprise AI with rich conversational context, but as Bokser warned, if data is the fuel for these models, then context is the accelerant.
In an ecosystem with hundreds of integration points and minimal technical enforcement, Slack's edge is raw scale, but the price for that is risk.
Slack's Identity Verification Problem
For organizations considering Slack's AI capabilities, Swimm provides a checklist for the minimum requirements:
- Visibility through logs showing who accessed what and when.
- Written limits on data reuse or storage.
- Audit rights to verify compliance.
- Guaranteed export or deletion upon request.
- Confirmation that Salesforce isn't feeding metadata into its broader AI stack.
Malik similarly recommends rigorous controls:
- Vet vendors carefully.
- Mirror platform rules in contracts.
- Implement least-privilege scopes.
- Stream audit logs to security systems.
- Enable customer-managed encryption.
But these measures assume a level of visibility and verification that the architecture may not actually support. Slack has struggled to transition from chat platform to context infrastructure, yet that shift is increasingly plausible.
What remains unclear is if trust frameworks will keep pace with technical reality or verification will remain impossible for the customers told they own and control their data.
The architecture is impressive, Malik said. The policies are comprehensive. The disclaimers are abundant. But between what's promised and what's provable, between contractual rights and practical enforcement, lies the gap that makes accountability challenging.
Editor's Note: Catch up on more Slack news:
- Salesforce's Slack API Restrictions Sparks Broader Questions on Future of AI — The Slack API decision is more than a product tweak: it’s a signal. It reflects deep tensions playing out across the digital workplace.
- Salesforce Bets on Agents Replacing Apps at Dreamforce '25 — At Dreamforce, Marc Benioff unveiled Agentforce 360 and the next vision for agentic AI, where Slack, data and AI agents redefine how work gets done.
- Agentforce in Slack Turns the Comms Tool Into an AI-Powered Workplace Hub — Agentforce 2.0 for Slack entered general availability earlier this month. A look at what it does and what's to come for the agentic AI platform.