Platform Fundamentals · Lesson 04

Guardrails: Real-Time Query Policy Enforcement

Block destructive queries at the protocol layer before they hit your database

5 min·intermediate·Platform Engineer

intermediate
guardrails
policy
ai-agents
compliance
postgres

Chapters

6 sections

01
Where guardrails fit
Recap of the access-governance arc so far and intro to the three-act demo: configure, attempt, audit.
02
Configuring a mass-deletion guardrail
Walkthrough of the guardrails interface: name, resource assignment, preset versus custom rule, save.
03
Inspecting the database before the attempt
As a non-admin in the Postgres demo, viewing users, customers, and orders to set baseline state.
04
The destructive query gets blocked
Running the destructive query and watching it return: blocked by the following guardrail rules. User-facing message, no database impact.
05
How protocol-layer enforcement works
Why guardrails apply equally to humans and AI agents and how pattern matching evaluates queries before execution.
06
Audit trail review
Reviewing the blocked attempt in sessions: query attempted, rule triggered, user, timestamp. SOC 2, HIPAA, and PCI DSS evidence generated automatically.

What you’ll learn

Outcomes and concepts.

Learning objectives

01Create a custom guardrail rule and assign it to one or more resources
02Choose between preset rules and custom pattern-matching rules
03Demonstrate that a destructive query is blocked at the protocol layer with a clear user-facing message
04Confirm that blocked queries leave the underlying database unchanged
05Inspect the audit trail to see the blocked query, the user, the triggered rule, and the timestamp
06Map guardrail logs to SOC 2, HIPAA, and PCI DSS evidence requirements
07Understand that guardrails apply equally to queries from human engineers and AI agents

Key concepts

Guardrail

A real-time execution policy that sits at the protocol layer and evaluates every query before it executes. If a query matches the rule, it is blocked instantly.

Pattern matching

A guardrail rule type that compares incoming queries against a defined pattern. Matching queries are blocked at the protocol layer before reaching the database.

Preset rules

Built-in guardrail templates available out of the box, intended to cover common destructive query patterns without requiring custom configuration.

Custom rules

User-defined guardrail rules. The host uses one to prevent mass deletion in this lesson.

Resource scoping

Each guardrail rule is assigned to one or more specific resources. The rule only enforces on those resources.

Equal coverage for humans and AI agents

Guardrails evaluate queries regardless of origin. A query from an AI agent goes through the same protocol-layer policy check as a query from a human engineer.

Block-and-log

When a guardrail blocks a query, the user receives a clear message, the database is not touched, and the attempt is logged in the session audit trail.

Watch this lesson

Guardrails: Real-Time Query Policy Enforcement

Outcomes and concepts.

4 questions. No score, no clock.

You finished the lesson.