A governed-agent demonstration
Point an LLM at a real database and it will answer your questions — and, given the chance, leak the data or wreck it. The left panel is how most agents ship today: a model holding a run-SQL tool. The right is the same request through a semantic-layer gateway. Pick a request and watch both sides.
The ungoverned agent isn't badly built — it's the default. It fails because a run-SQL tool trusts whatever the model writes, and inspects for bad output after the fact. sql-steward removes the tool. Queries are compiled from a semantic layer you control, blocked fields are refused before a row is read, and a write has no compiled form to hijack. Read-only and PII refusal hold by construction, not by inspection — and every call lands on a tamper-evident record.
Synthetic data, on-prem, no cloud. Part of the governed agent stack · sql-steward