RLS
Tenant isolation lives at the row level inside the database engine — below the API, below the LLM, below anything a prompt can reach. The agent can be told to lie; the engine won't lie back.
Born for the Agentic AI Era
“Through 2026, organizations will abandon 60% of AI projects unsupported by AI-ready data.”
The world today
An AI agent is only as good as the data it can reach. So every squad wires its own — a connector here, a cleaning script there, a bespoke auth handshake for each source. Connect N agents to M systems the old way and you get N×M brittle pipes, each re-deduplicating, re-cleaning, re-securing the same records a slightly different way.
By late 2025 analysts had a name for it — MCP sprawl: every business unit shipping its own Model Context Protocol server, the same déjà vu as microservices proliferation, except the surface area is your customer data. The protocol was meant to collapse N×M integrations to N+M — but a protocol standardizes the wire, not the data. MCP · the N×M problem
The risk
Point an autonomous agent straight at an operational database and two things are now true at once: it carries credentials a human never would, and a single crafted prompt can redirect it. Prompt injection has been OWASP's #1 LLM risk two years running. The incidents are already on the record.
The common thread: the agent could reach more than the person driving it. Governance was a policy document, not a wall in the data path. Why agents need governance in the path
The cost
Hand a fleet of agents raw access to your systems — however they reach it, no scope, no masking — and that machine-scale reach fails three ways at once. The worst is exfiltration: an agent can read every record it's permitted to, so a single poisoned input pours customer data straight out to an attacker. The meter never stops beside it — consumption pricing that was sane for human analysts redlines when agents fire calls non-stop, full scans and cross-tenant joins, syntactically valid and semantically a wrecking ball. And the answers come back fabricated — confident, binding, invented from whatever the agent happened to reach. The damage scales with the agents, not with the value.
The fix is not “rate-limit the agents.” It is to never let them reach your systems directly at all — and serve every call from one governed layer built for it.
The inversion
The One sits in front of your systems — not beside them. Every agent asks one endpoint; The One reads, reconciles, governs and returns a single canonical answer: cleaned · standardized · deduplicated — quality-scored against your rules, merged into one golden record, every value lineage-traced to its origin, and governed (RLS · RBAC · ABAC · masking) to exactly what the caller may see. And every access is written to an append-only audit log — which agent asked, what it received, exactly when — so you can always answer who did what. Your systems of record are never in the agents' path. The chaos doesn't get managed. It gets inverted.
Same six agents as the tangle above — now one ordered topology. No agent ever touches the warehouse. The One syncs from your systems of record on a schedule or in real time, governs every result, records who received what, and hands each agent only the data it's entitled to — one trusted source for the entire data plane.
The payoff
Validated, governed data to any app or agent your teams build, without disturbing the systems of record and without a single caller querying a warehouse directly. Whether the call arrives over the REST API or the MCP endpoint, the same four enforcement layers run server-side on every read — a value the caller isn't entitled to never enters the response.
Tenant isolation lives at the row level inside the database engine — below the API, below the LLM, below anything a prompt can reach. The agent can be told to lie; the engine won't lie back.
No shared service account. The agent acts with the user's own identity — it can never hold more permission than the human who signed in. "Drop the patient table" is refused, and the audit says who tried.
“Steward, but only customers from her branch.” “Researcher, but only her IRB cohort.” Context isn't a role — The One evaluates subject · resource · action · environment on every read.
Fields are masked server-side before the response ever leaves the API. Your marketing AI writes 10,000 emails from firstName + city — it never sees ssn or dob. By construction, not by policy.
Every value sourced. Every merge reversible. Every read masked to the caller. Every access in an append-only audit the database engine itself won't let anyone rewrite — discoverable, unbroken, to a name.
The evidence