
For nearly two decades, the enterprise data industry has optimized security for a world in which humans were the primary consumers of enterprise data. In that world, users accessed information through applications, reports, dashboards, APIs, and BI tools, so security evolved to govern those access paths. This led to the building of policy engines, semantic layers, data catalogs, API gateways, identity frameworks, and application-level controls because they served as the logical choke points between people and data.
For that world, the architecture generally worked remarkably well. Govern the application and you effectively govern the human.
Agentic AI changes that underlying assumption. The primary consumer of enterprise data is no longer always a human navigating an application. Increasingly, it is autonomous software capable of authenticating directly to a database, reasoning about schemas, generating SQL, and pursuing objectives without following predefined application workflows.
Instead, it arrives carrying a valid identity, legitimate credentials, and a mission. Then it reasons its way to the fastest path to the required data. If that means opening a direct SQL session against the database instead of navigating your application stack, that’s exactly what it will do. That’s not malicious. That’s intelligent optimization.
Unfortunately, it’s also devastating for traditional governance architectures. The dirty little secret of today’s governance market is that most products don’t actually secure the data. They secure the path humans traditionally used to reach the data. That’s a fundamentally different security problem.
The problem is no longer simply controlling who accesses the data. It’s controlling how autonomous systems access the data when they are capable of choosing their own path. Autonomous AI agents don’t care about the applications. They don’t use those carefully crafted dashboards. Nor do they click on the menus. They don’t even know those beautifully designed UIs exist.
The moment an AI agent establishes a direct database connection, every application-layer policy, semantic filter, API gateway, and UI restriction becomes advisory instead of authoritative. Security that depends on taking a particular route isn’t security, it’s traffic management.
This is why it’s likely that the biggest architectural battle of the next five years won’t be between relational and vector databases, SQL versus NoSQL, or structured versus unstructured data. Instead, it will be fought over one deceptively simple question: Where does policy actually execute?
The answer matters. Because every request, regardless of its origin, eventually reaches the database engine.
That’s why Oracle’s recent announcement is so fascinating and deserves far more attention than it’s receiving. Most observers focused on Oracle making its advanced database security capabilities and automated fleet patching available at no additional cost. That’s important and useful. But they’re missing the much bigger architectural story.
Oracle is betting that security enforcement belongs inside the database engine itself rather than primarily in the layers surrounding it. Oracle AI Database 26ai evaluates every SQL statement—whether generated by a human, application, MCP server, orchestration platform, or autonomous AI agent—against database-native security policies before execution. This includes row-level security, column-level security, data redaction. transparent data encryption (TDE), Database Vault, privilege analysis, unified auditing, and identity-aware authorization. All of which are enforced where the query actually executes. That distinction is noteworthy.
An AI agent may generate brilliant SQL. It may reason better than the human who created the agent. It may bypass five middleware layers. It may ignore every application being used.
If the database itself enforces authorization, those detours become largely irrelevant because every request still converges at the same enforcement point. That’s an architectural advantage, not simply another security feature.
Now compare that with several of the other major players in the industry.
- Microsoft emphasizes Purview, Fabric governance, Entra, and application integration.
- Snowflake promotes Horizon.
- Databricks champions Unity Catalog.
- AWS relies on IAM, Lake Formation, and service orchestration.
- Google emphasizes Dataplex and cloud governance.
- IBM builds around Watsonx governance.
These are all capable technologies that solve important governance problems. But these security efforts generally assume that policy decisions occur in layers surrounding the database rather than inside the execution engine itself. That assumption made perfect sense when applications mediated nearly every request. Agentic AI increasingly changes that access model.
Every additional layer between the AI and the data introduces another opportunity for inconsistent enforcement. Every copied dataset becomes another place where policies must be synchronized. Every governance service introduces another operational dependency. Every policy synchronization process creates another opportunity for configuration drift.
The industry has spent years building increasingly sophisticated governance ecosystems around enterprise databases. Oracle’s approach asks a different question: “Why not make the database itself the authoritative enforcement point?’
That doesn’t eliminate governance platforms. It simply changes their role.
Semantic layers remain essential for giving AI consistent business meaning. They define what “active customer,” “booked revenue,” or “qualified pipeline” actually means so agents stop inventing their own interpretations. Data catalogs remain critical for discovery, lineage, stewardship, and regulatory reporting. Governance platforms remain invaluable for defining, documenting, and managing policy across the enterprise.
But defining policy and enforcing policy are fundamentally different functions. One establishes intent. The other guarantees behavior. As AI becomes increasingly autonomous, those two responsibilities are likely to become more clearly separated.
Prognostication
Over the next five years, enterprise data platforms will increasingly divide into two architectural camps. The first camp will continue emphasizing governance frameworks above the database while progressively strengthening integration with AI applications and orchestration layers.
The other camp will increasingly move policy enforcement closer to the database execution engine, ensuring every request—whether initiated by a person, an application, or an autonomous AI agent—is evaluated at the point where the data is actually accessed.
I expect the second approach to gain momentum. Not because the technologies above the database become less important—they won’t—but because autonomous AI reduces the assumption that every access request follows a predictable application path.
Infrastructure history tends to favor moving foundational services closer to the resource they protect. Filesystems absorbed volume managers. Hypervisors absorbed virtualization functions. Databases incorporated XML, JSON, graph processing, vector search, and increasingly AI capabilities.
Security enforcement appears to be following the same trajectory. The closer policy enforcement resides to the data itself, the more consistently it can be applied regardless of how access patterns evolve.
Bottom Line
Agentic AI didn’t create a new security problem. It exposed an architectural assumption that has quietly existed for years. The industry spent decades optimizing how applications govern users. Now we, the data industry as a whole, need to optimize how databases govern autonomous software.
That is a fundamentally different challenge.
Today, Oracle appears to have a meaningful architectural head start because many of the enforcement mechanisms already reside inside the database engine rather than being distributed across multiple external governance layers. Can competitors close that gap?
Absolutely. Most eventually will. The real question is how quickly they can update their architectures that were built around application-centric access models before autonomous AI becomes the dominant consumer of enterprise data.
The vendors that successfully separate governance from enforcement—using governance tools to define policy while relying on database-native controls to enforce it consistently—are the ones most likely to define enterprise AI infrastructure over the next decade.
In the end, Agentic AI won’t reward the platforms with the longest list of AI features. It will reward the architectures that enforce trust consistently, regardless of who—or what—is asking for the data.
