Researchers introduce Data Flow Control (DFC), a framework that enforces data safety policies within database management systems to prevent AI agents from executing semantically correct but policy-violating queries. The open-source solution, called Passant, achieves near-zero overhead across five major DBMS engines while outperforming alternatives by orders of magnitude, moving data governance from application prompts into infrastructure.
The emergence of AI agents that autonomously generate SQL queries and orchestrate data pipelines creates a critical safety gap: a query can be technically correct yet violate regulatory, privacy, or business constraints. Traditional approaches rely on post-hoc validation or prompt engineering, leaving enforcement fragile and inconsistent. Data Flow Control addresses this by embedding policy enforcement directly into the database infrastructure layer, treating data safety as a first-class infrastructure concern rather than an afterthought.
This work builds on growing recognition that AI systems require robust guardrails beyond model-level interventions. As enterprises deploy agentic systems for data analysis and automation, compliance violations carry significant legal and financial consequences. The research demonstrates that performance need not be sacrificed for safety—Passant achieves negligible overhead by using aggregate predicates over provenance monomials, avoiding expensive materialization of data lineage.
The framework's portability across DuckDB, Umbra, PostgreSQL, DataFusion, and SQL Server signals broad applicability. Organizations deploying AI agents face mounting pressure to demonstrate data governance compliance, especially under regulations like GDPR, HIPAA, and evolving AI liability frameworks. By shifting enforcement to infrastructure, teams gain consistent policy application regardless of how queries are generated or optimized.
The open-source release accelerates adoption and sets a precedent for treating data safety as infrastructure-level concern. Future developments likely include integration with vector databases and expanding policy expressiveness. This work demonstrates that responsible AI deployment requires systemic rather than ad-hoc solutions.
- →Data Flow Control embeds policy enforcement directly into DBMS query execution, preventing policy violations at the infrastructure level rather than application level.
- →Passant query rewriting achieves near-zero performance overhead across five major database engines, making safety enforcement practically viable at scale.
- →The framework treats data safety as aggregate predicates over provenance, enabling efficient policy evaluation without materializing expensive data lineage.
- →Open-source availability accelerates enterprise adoption of infrastructure-level data governance for AI agent systems.
- →Moving safety enforcement from prompts into infrastructure addresses a critical gap in autonomous data system deployments.