Agent-generated SQL does not become safe because it parses. It becomes safer when the parse tree gives policy a place to work.

Guardrails need syntax they can inspect

Agent SQL guardrails often start with string checks. That is fragile. The query can be reformatted, nested, aliased, or translated across dialects. Policy needs a representation closer to the query structure.

SQLGlot is a SQL parser, transpiler, optimizer, and engine. Its expression tree and transform APIs give teams a way to inspect and rewrite SQL before execution. That makes policy checks more concrete than scanning text.

SQLGlot exposes the tree

SQLGlot documentation covers parsing, transforms, and lineage APIs. Those pieces can support guardrails such as projection limits, required filters, forbidden table access, dialect translation review, and lineage hints before a query reaches an engine.

Core idea: policy rewrites should make agent SQL more explicit. They should not hide a dangerous query behind a prettier string.

Policy rewrites need limits

Use rewrites for narrow, reviewable transformations: adding tenant filters, normalizing dialect syntax, rejecting unapproved functions, limiting projections, or attaching comments with policy evidence. Do not use a rewrite layer to pretend the original request was safe.

For related ODI patterns, read SQLGlot SQL normalization, SQLGlot expression trees for governance review, and agentic tool schemas as data contracts.

What breaks first

  • The rewrite adds a filter but does not prove the filter matched the correct business entity.
  • Dialect translation changes semantics, and the policy check only sees the final SQL.
  • The agent can choose functions that bypass the intended row or column guardrail.
  • Logs store rewritten SQL but not the original request or rejected alternatives.

Rewrite questions

Ask which expressions are allowed, which transforms are deterministic, which rewritten clauses require review, and which lineage evidence proves the query still means what the agent intended.

Sources to start with

These primary sources anchor the technical claims in this guide.

SQL guardrails start to matter when they can explain the query they changed.