Talk

Chatting with Data, Safely: Role-Based Authorization for Text-to-SQL Agents

Thursday, May 28

11:45 - 12:15
Room: Spaghetti
Language: English
Audience level: Intermediate
Elevator pitch

Text-to-SQL agents can query anything — but should they? When users have different roles and data permissions, guardrails matter. Discover how to decouple AI agent logic from authorization policies using open-source tools, without slowing down your chat-to-data experience.

Abstract

Text-to-SQL agents can query anything — but should they? When AI agents turn natural language into executable SQL, traditional data-access guardrails are easy to bypass. The challenge becomes critical when real users, with real roles and permissions, are the ones chatting with your data.

In this talk, we explore how to decouple AI agent logic from authorization policies without sacrificing flexibility or performance. Starting from the real-world challenges of Text-to-SQL in agentic platforms, we ask: how can we ensure users see exactly the same data—no more, no less—whether they access it through a UI or via an AI agent?

We’ll present a production-ready solution combining:

  • a Python package that inspects and rewrites the SQL Abstract Syntax Tree (AST), and
  • partial evaluation results from Open Policy Agent (OPA) to enforce fine-grained authorization at query time.

This approach keeps authorization logic centralized, auditable, and independent from LLM prompts, while integrating seamlessly with Text-to-SQL tools.

You’ll leave with a concrete architectural pattern, open-source building blocks, and practical lessons on how to safely scale AI agents—without turning your LLM into a superuser.
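The pattern the abstract describes, as an added example (not the speaker's or TeamSystem's code): the agent's SQL is parsed into a small AST, the residual conditions that OPA partial evaluation leaves for the current user are turned into a predicate, and the query is rewritten before it ever reaches the database. The mini parser, the Select AST and the OPA_RESIDUAL table are constructed for illustration; a real deployment would use a full SQL parser and fetch the residual from OPA's Compile API per request. Note how the two degenerate OPA results are handled: an empty list (policy never satisfiable) rejects the query, and an empty conjunction (policy always true) leaves it untouched.

```python
"""Row-level authorization for agent-generated SQL by AST rewriting.

Added example, not code from the talk.  The parser, the Select AST and the
OPA_RESIDUAL table below are constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Select:
    """Tiny AST for `SELECT cols FROM table [WHERE pred]` (constructed)."""
    columns: List[str]
    table: str
    where: Optional[str]


_SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def parse_select(sql: str) -> Select:
    """Parse a single-table SELECT; anything else is rejected (fail closed)."""
    m = _SELECT_RE.match(sql)
    if not m:
        raise ValueError("only single-table SELECT statements are supported")
    return Select(
        columns=[c.strip() for c in m["cols"].split(",")],
        table=m["table"].lower(),
        where=m["where"].strip() if m["where"] else None,
    )


def render(q: Select) -> str:
    """Serialise the AST back to SQL."""
    sql = f"SELECT {', '.join(q.columns)} FROM {q.table}"
    return f"{sql} WHERE {q.where}" if q.where else sql


# Residual conditions per table, in the shape OPA partial evaluation yields when
# the row being read is left as an "unknown": a disjunction of conjunctions.
# [] means the policy can never be satisfied; [[]] means it always is.
# Values are constructed for a hypothetical regional analyst (user id 42).
Residual = List[List[Tuple[str, str, object]]]
OPA_RESIDUAL: Dict[str, Residual] = {
    "orders": [
        [("region", "=", "EMEA"), ("status", "!=", "draft")],
        [("owner_id", "=", 42)],
    ],
    "customers": [[]],  # always allowed, no filter needed
    "salaries": [],     # never allowed for this user
}

_ALLOWED_OPS = {"=", "!=", "<", "<=", ">", ">="}


def sql_literal(value: object) -> str:
    """Render a policy value as a SQL literal (numbers bare, strings quoted)."""
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    if isinstance(value, (int, float)):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def residual_to_predicate(residual: Residual) -> str:
    """Turn OPA's OR-of-ANDs residual into a parenthesised SQL predicate."""
    clauses = []
    for conjunction in residual:
        terms = []
        for column, op, value in conjunction:
            # The policy is trusted more than the LLM, but still validate it.
            if not re.fullmatch(r"\w+", column) or op not in _ALLOWED_OPS:
                raise ValueError(f"unsupported policy term: {column} {op}")
            terms.append(f"{column} {op} {sql_literal(value)}")
        clauses.append(" AND ".join(terms))
    if len(clauses) == 1:
        return f"({clauses[0]})"
    return "(" + " OR ".join(f"({c})" for c in clauses) + ")"


def authorize_query(sql: str, residual_by_table: Dict[str, Residual] = OPA_RESIDUAL) -> str:
    """Rewrite the agent's SQL so it can only return rows the policy allows."""
    q = parse_select(sql)
    if q.table not in residual_by_table:
        raise PermissionError(f"no authorization policy covers table {q.table!r}")
    residual = residual_by_table[q.table]
    if not residual:                          # OPA: no satisfying query -> deny
        raise PermissionError(f"access to {q.table!r} denied by policy")
    if any(len(c) == 0 for c in residual):    # empty conjunction: always true
        return render(q)
    policy = residual_to_predicate(residual)
    q.where = f"({q.where}) AND {policy}" if q.where else policy
    return render(q)


if __name__ == "__main__":
    print(authorize_query("SELECT id, amount FROM orders WHERE amount > 100"))
    print(authorize_query("SELECT * FROM customers"))
    try:
        authorize_query("SELECT name, salary FROM salaries")
    except PermissionError as exc:
        print("rejected:", exc)
```

Because the filter is attached at the AST level rather than in the prompt, a user gets the same rows whether the query comes from the UI or from the agent, and the LLM never needs to know the policy at all. Tables without a policy entry are refused rather than passed through, so adding a new table to the warehouse cannot silently widen what the agent may read.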

Tags: Security, ML and AI
Participant

Marco Santoni

Marco Santoni is a Data Platform and Engineering Manager at TeamSystem, where he works on scalable data platforms, AI-enabled data products, and data governance architectures. Based in Milan, he is an active member of the Python Milano community and co-host of the Intervista Pythonista podcast. He is also involved in education as Technical and Scientific Advisor at ITS Rizzoli, where he teaches data and software engineering topics.