Rewrite, don’t validate
Policy is compiled directly into each query. After the rewrite, arbitrarily clever SQL — joins, windows, CTEs — cannot see past the fence, because the fence is part of the query.
Agent Governor sits in front of the databases you already run and gives every AI agent a key with a scope. Instead of screening an agent’s SQL against a blocklist and hoping, the governor compiles your policy into the query itself — so it cannot reach what the policy doesn’t grant. Agents ground themselves with one request: their visible schema, with verified, runnable examples. Postgres first; warehouses next.
Policy is compiled directly into each query. After the rewrite, arbitrarily clever SQL — joins, windows, CTEs — cannot see past the fence, because the fence is part of the query.
One policy language for sources, tables, columns, and rows. An empty policy grants nothing; every grant is explicit.
Row filters confine every result to the agent’s slice — one tenant, one region. Sensitive columns come back masked without changing the query the agent wrote.
INSERT, UPDATE, and DELETE run under the same scope: a write that would move a row outside the agent’s slice is rejected, and nothing changes.
A Postgres wire listener, native MCP tools, and REST — psql, drivers, and agent frameworks connect with zero custom integration. Same enforcement on every path.
Every statement — allowed or denied — lands in a durable audit trail with what was rewritten, masked, or clamped. Per-agent egress budgets cap how much any key can pull.