Why isn't a data catalog enough for AI agent governance?

Data catalogs define policy — they classify assets, set sensitivity labels, and document lineage. But they do not enforce those policies at runtime. When an AI agent queries a production data source, the catalog has no mechanism to intercept that access, evaluate it against the defined policy, or block it. AutoPIL is the enforcement layer that makes catalog governance technically enforceable at the retrieval call.

How does AutoPIL integrate with existing data catalogs?

AutoPIL connects to Databricks Unity Catalog, Collibra, Microsoft Purview, Alation, and Informatica as classification sources. Sensitivity labels and data class tags sync into AutoPIL's source registry and drive the enforcement rules — so the policy you defined in your catalog is the policy AutoPIL enforces at retrieval.

What makes AutoPIL's audit log tamper-evident?

Every audit event in AutoPIL is chained with a SHA-256 hash that includes the previous event's hash. This means any retroactive modification of a record breaks the chain and is detectable. The chain integrity can be verified at any time via the API or dashboard.

Can AutoPIL govern multi-agent and agentic pipelines?

Yes. AutoPIL enforces policy at every retrieval call regardless of how many agents are in the pipeline. Each agent is registered independently, bound to its own policy, and isolated at the session level. Cross-agent data flows are tracked in the lineage graph and surfaced in the dashboard.

Why AutoPIL

Your catalog defines governance.
Nothing enforces it.

Collibra, Databricks Unity Catalog, Alation, Purview — your team has spent years classifying data and defining policy. The moment an AI agent retrieves that data, none of it applies. AutoPIL closes that gap.

Without AutoPIL

Data catalog Classifications defined. Sensitivity labels assigned. Policies documented.

↓ sync stops here

no retrieval-layer enforcement

↓ unguarded

Agent retrieves data LangChain, LlamaIndex, OpenAI Agents, MCP — policy-blind by default. Whatever matches the query enters the context window.

↓ no audit record

Agent makes a decision Compliance team can reconstruct the query. They cannot reconstruct what data shaped the answer.

With AutoPIL

Data catalog Classifications, sensitivity labels, and access policies — already defined, already authoritative.

↓ policy sync via REST / MCP

AutoPIL policy engine Inherits your catalog's classifications. Enforces them in milliseconds at retrieval time — no reclassification, no duplicate work.

↓ evaluated before context assembly

Agent retrieves governed data Every retrieval call evaluated against policy. Violations blocked or redacted before they reach the context window.

↓ append-only audit

Enforcement log Every decision recorded with policy matched, reason, and context hash. Regulator-ready on demand.

↓ continuous measurement

PIL Score A 0–100 governance health index updated daily from your audit activity. Governed, Monitored, At Risk, Critical. The answer your board is asking for — without a quarterly review cycle.

How it fits

One enforcement layer.
Every framework. Every catalog.

AutoPIL sits between your catalog governance and your agent frameworks. Policy flows in from the catalog. Enforcement decisions flow out to the audit log. Agents never need to know governance exists.

Policy sources (catalogs)

Databricks Unity Catalog

Collibra

Alation

Microsoft Purview

Informatica IDMC

Immuta

DataHub

Apache Polaris

Snowflake Horizon (coming soon)

Ataccama ONE (coming soon)

AWS Glue + Lake Formation (coming soon)

Atlan (coming soon)

Sync mechanism

REST API (batch sync)

MCP server (real-time)

Webhook (event-driven)

AutoPIL

Policy Engine

↑ sync ↓ enforce

Evaluates every
retrieval call against
catalog-sourced policy

↓ audit

Append-only log

Agent frameworks (enforced)

MCP (Model Context Protocol)

LangChain

LlamaIndex

OpenAI Agents SDK

Gemini · AWS Bedrock

Python decorator · REST · ASGI

What agents never see

Restricted context (blocked)

PII fields (redacted)

Cross-agent context leakage

All channels

Every integration. One audit log.

Channel	source_type	Use case
Python Decorator	sdk	Python microservices, scripts, notebooks
Async Decorator	sdk	Async Python agents (FastAPI, async frameworks)
MCP Server	mcp	Claude Desktop, any MCP-compatible agent
REST API	rest	Any language: Go, Java, Ruby, PHP, .NET
ASGI Middleware	api	FastAPI / Starlette apps — HTTP-layer enforcement
LangChain	langchain	LangChain agents, chains, and LCEL pipelines
LlamaIndex	llamaindex	LlamaIndex query engines and retrievers
Gemini	gemini	Google Gemini function-calling agents
OpenAI Agents	openai_agents	OpenAI Agents SDK function tools
AWS Bedrock	bedrock	Bedrock Agents via boto3 / aioboto3

Enforcement flow

What happens on every retrieval

Session isolation

Each request is bound to a session ID and agent role. The session TTL is resolved from the policy YAML, with a global fallback. Concurrent requests never bleed context — async variants use ContextVar for safe isolation.

Policy evaluation

The policy engine evaluates role, source, sensitivity level, and session age. Sensitivity decay rules tighten the effective ceiling as the session ages — no operator action required. Decision is ALLOW or DENY — no partial access.

Audit event recorded

Every decision — ALLOW and DENY — is written to the audit log immediately. Event includes role, user, source, decision, policy name, timestamp, and event ID.

Alert rules evaluated

After the audit write, alert rules run against the event. Violations trigger configurable alerts via webhook or email delivery — compatible with Slack, PagerDuty, Teams, and any HTTP endpoint.

PIL Score updated

Every enforcement decision contributes to the PIL Score — a 0–100 governance health index computed over the rolling 30-day window. Scope Integrity, Governance Coverage, Isolation Safety, Source Registration, and Trend. The score, its band, and a 30-day sparkline are visible in the dashboard and queryable via API.

Alternatives

Where other approaches
stop short.

Most tools govern data before agents exist or after they've already run. AutoPIL is the enforcement point in between — at the moment of retrieval, before context is assembled.

Approach	Governs at	Enforces at retrieval	Framework-agnostic	AutoPIL
Data catalog Collibra, Alation, Purview	Metadata & classification layer	No	No	Yes — extends catalog policy into enforcement
IAM / RBAC AWS IAM, Azure RBAC, Okta	Identity & query access	No	No	Yes — operates after IAM, at context assembly
Output filters LLM guardrails, response scanning	Model response layer	No	Partial	Yes — blocks before data enters context, not after
Prompt guards Input sanitization, injection detection	User input layer	No	Partial	Yes — governs data retrieval, not prompt text
Vector DB permissions Pinecone namespaces, Weaviate RBAC	Single store, at query time	Partial	No	Yes — cross-store, cross-framework, policy-consistent
Platform-native governance Databricks Unity Catalog policies	Data platform query layer	Partial	No	Yes — extends platform policy to any agent framework

Your catalog defines governance.Nothing enforces it.

One enforcement layer.Every framework. Every catalog.