Papers
Topics
Authors
Recent
Search
2000 character limit reached

Data Flow Control: Data Safety Policies for AI Agents

Published 4 Jun 2026 in cs.DB and cs.AI | (2606.05679v1)

Abstract: Agents increasingly generate SQL, orchestrate pipelines, and automate data analysis on behalf of users. While recent work improves query correctness, correctness is not safety. A query may be semantically valid yet violate regulatory, privacy, or business constraints that govern how data may be combined and released. We argue that enforcing such constraints is fundamentally a data infrastructure problem. This paper introduces Data Flow Control (DFC), a framework to declaratively specify and guarantee policy enforcement over tuple-level data flows within a DBMS query. A key challenge is defining a policy language that is optimizer-invariant yet efficient to enforce at scale. We formalize data safety as aggregate predicates over provenance monomials and present Passant, a portable query rewriting layer that enforces DFC policies without materializing provenance. Across five DBMS engines -- DuckDB, Umbra, PostgreSQL, DataFusion, and SQLServer -- Passant achieves ~0% overhead and outperforms alternatives by orders of magnitude. As a result, Data Flow Control is the first step towards moving data safety from prompts and post-hoc checks into the data infrastructure. Data Flow Control is available open source at https://github.com/dataflowcontrol/data-flow-control.

Authors (2)

Summary

  • The paper introduces Data Flow Control (DFC) and the PGN language to enforce tuple-level data safety, ensuring deterministic, optimizer-invariant policy enforcement.
  • It details three enforcement strategiesโ€”Naive, Partial-Push, and Full-Pushโ€”with Full-Push achieving near-zero overhead and seamless SQL-92 integration across multiple DBMS engines.
  • Empirical evaluations demonstrate that DFC reduces enforcement overhead by up to 75,000% compared to traditional provenance materialization, offering scalable and precise data safety.

Data Flow Control: Tuple-Level Data Safety Policies for AI Agents and Relational Databases

Problem Statement and Motivation

The emergence of autonomous agents capable of producing complex SQL queries, orchestrating ETL pipelines, and making data-driven decisions underscores a new challenge: query correctness does not guarantee safety. Semantically valid queries can still produce outputs that breach regulatory, privacy, or organizational constraints. Contemporary approaches to agent safety emphasize prompt-derived guardrails or post-hoc validation, neither of which provide deterministic nor scalable enforcement, especially as the policy and data landscape grows in complexity and volume. The inadequacy of existing DBMS mechanismsโ€”access controls, integrity constraints, and provenanceโ€”lies in their failure to enforce constraints on tuple-level data flows during query execution.

Framework and Policy Language: Data Flow Control and PGN

Data Flow Control (DFC) is introduced as a DBMS-centric infrastructure approach for enforcing tuple-level data safety. DFC moves policy enforcement into the data layer, ensuring deterministic, optimizer-invariant policy guarantees agnostic to agent or query structure. Central to DFC is the PGN (Provenance Guard Notation) policy specification language, which enables declarative and expressive policies over provenance monomials. This optimizer-invariant design ensures that policy semantics are preserved independent of the query execution plan, mitigating ambiguities associated with physical plan variations.

PGN policies are defined as constraintsโ€”aggregate predicates over the set of provenance monomials for each output tuple. The language admits references to any accessible relation as context (catalogs, roles, system state), and supports user-defined functions and LLM calls if desired, but does not rely on probabilistic AI enforcement.

Enforcement Strategies: Passant and Query Rewriting

The enforcement architecture, Passant, sidesteps the prohibitive overhead of full provenance materialization by leveraging novel query rewriting. Three principal enforcement strategies are presented:

  1. Naive/Post-process: Materializes the full provenance polynomial for every output tuple and applies policies as a separate pass. Incurs orders-of-magnitude performance overhead.
  2. Partial-Push: Pushes policy aggregates below the final join but still requires materializing intermediate provenance state, limiting scalability to complex or nested queries.
  3. Full-Push: Exploits semiring properties to inline policy aggregation with base query execution, eliminating the need for provenance materialization. Policy aggregates propagate through execution operators, achieving minimal overhead and full composability with SQL-92 and multiple DBMS engines. Figure 1

    Figure 2: The naive approach for DFC relies on provenance materialization, while Passant rewrites queries to enforce policy logic inline.

    Figure 3

    Figure 4: Overview of enforcement strategies showing how policy predicates are incorporated into the base query plan.

Full-Push extends seamlessly to templated policies (e.g., parameterized aggregation constraints for k-anonymity) and handles millions of per-user or per-tenant policies with algebraic optimization, collapsing redundant constraints and enabling sublinear enforcement.

Empirical Evaluation

The empirical section demonstrates DFC enforcement overhead, policy scalability, and cross-engine compatibility across five DBMS backends: DuckDB, Umbra, PostgreSQL, DataFusion, and SQLServer. The key findings include:

  • Full-Push achieves near-zero overhead across all benchmarked TPC-H queries, often outperforming the base (unenforced) query.
  • Logical and physical provenance approaches are prohibitively expensive, with slowdowns from 300% to 75,000% depending on query complexity.
  • Partial-Push is competitive and sometimes preferable when policy aggregate propagation increases intermediate result cardinality and degrades cache locality.
  • Enforcement performance is robust to scaling the number of sources, policy complexity, and is highly amenable to algebraic optimization for templated policy families. Figure 5

    Figure 6: Relative overhead of policy enforcement: Full-Push maintains โ‰ˆ0% overhead, while Logical and Physical modes are infeasible for interactive workloads.

    Figure 7

    Figure 1: Cross-engine evaluation: Full-Push consistently dominates in overhead, and in many cases policy enforcement is even faster than no enforcement.

    Figure 8

    Figure 3: Scalability in number of policies and self-joins, showcasing enforcement linearity under common optimization patterns.

Policy Semantics and Theoretical Contributions

DFC policies are defined over the normalized bag of provenance monomials, ensuring optimizer-invariance and decisiveness. The formal model supports policy application under monotonic SQL-92 queries and is modular with respect to resolution function (filter, kill, transformation). Dimensionsโ€”the capacity to reference auxiliary relations and external contextโ€”enable developers to craft policies that are simultaneously expressive (e.g., legal compliance, workload-dependent, LLM-based attribute judgments) and efficient.

Notably, DFC elevates provenance from a passive auditing tool to an active enforcement mechanism, bridging the gap between theoretical guarantees and operational cost. Figure 6

Figure 5: Provenance polynomial structure varies by query plan; monomial-based semantics ensure optimizer invariance for policy enforcement.

DFC is differentiated from traditional information-flow control by its fine granularity, optimizer-invariant enforcement, and focus on data transformation and combination rather than only access. Unlike access control or triggers, DFC provides declarative, composable policies that operate directly over data flows. Compared to previous systems such as DataLawyer, DFC demonstrates orders-of-magnitude improvement in enforcement cost and generality due to PGN and Passant.

Recent work on agent guardrails, LLM risk management, or prompt-injection defenses are largely orthogonal, providing coarse-grained, tool- or prompt-level filters. DFC complements these by offering precise, deterministic, and efficient enforcement for high-stakes, data-centric use cases.

Practical and Theoretical Implications

DFC fundamentally changes the DBMS policy landscape, allowing organizations to shift from brittle prompt- or application-level enforcement to safe-by-default, infrastructure-embedded data policies. This is particularly significant as agentic systems proliferate in regulated domains (finance, healthcare, education), where the legal and reputational risks of data misuse are acute. The use of semiring-structured propagation, algebraic policy reduction, and inline enforcement enables DFC to scale to modern workload demands without incurring the provenance tax.

Looking ahead, avenues for research include extending DFC to non-monotonic queries, multi-query and multi-agent trajectories, and coordination of enforcement across federated or multi-tenant infrastructures.

Conclusion

Data Flow Control as presented in this work offers a principled, scalable, and expressive framework for enforcing data safety at the heart of relational data processing. Coupled with the Passant rewriting engine and the PGN policy language, DFC achieves deterministic, optimizer-invariant enforcement with negligible overhead across diverse engines and workloads. DFC enables organizations to operationalize regulatory, privacy, and business rules at the finest granularity, facilitating AI agent integration in sensitive environments while retaining rigorous data safety guarantees (2606.05679).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.