Data Analytics AI: Preventing Unauthorized Data Access Through AI Queries
Natural-language analytics is attractive because it promises self-service answers without requiring every employee to learn SQL, dashboard design, or warehouse structure. The same feature can also become a new access channel that bypasses the discipline already built into the analytics stack. If users can ask a model for “all churned enterprise customers with contact details,” the important question is not whether the output is helpful. The question is whether the route respects the same authorization and data-minimization rules the warehouse is supposed to enforce.
Keeptrusts gives analytics teams a practical edge control for that problem. RBAC can require stable identity and enforce role-specific sensitivity ceilings, Tool Validation can keep the assistant on declared data tools, DLP Filter can block known restricted identifiers or export terms, and Data Routing Policy can keep queries off providers that do not meet retention requirements. That makes AI query access an extension of the data platform, not a side door around it.
Use this page when
- You are adding natural-language query, AI summaries, or warehouse copilots to analytics workflows.
- You need role-aware controls for who can ask for what level of data.
- You want AI query access to follow the same governance model as the rest of the data stack.
Primary audience
- Primary: Technical Engineers
- Secondary: Technical Leaders, Data platform owners
The problem
Analytics assistants create a subtle failure mode: they make it easy to ask for data a user would never have been allowed to export directly. A dashboard permission model may be well understood, but once a model can translate broad natural-language intent into queries or summaries, the route needs its own authorization story. Otherwise, the assistant becomes a convenience layer that quietly widens access.
There is also a tooling problem. Many analytics copilots use a database-query tool, a semantic layer, or an export function behind the scenes. If the route can request undeclared tools or if role boundaries are not explicit, a useful assistant can drift into an overpowered one. That drift is especially common in internal platforms where engineers reuse existing tool bridges because it is faster than defining a narrower surface.
Finally, organizations often underestimate provider risk. Even if a user is entitled to see a metric, that does not mean the raw query context or identifiers should flow to any provider target. Analytics assistants routinely touch revenue numbers, employee data, customer segments, and internal project names. The route should treat those as governed data flows, not as generic prompts.
The solution
The cleanest pattern is to separate three decisions. First, determine whether the caller is allowed to ask for the requested class of data. RBAC handles that with required identity headers, role mappings, and data_access ceilings tied to keeptrusts.data_sensitivity.
Second, declare the tool surface. Tool Validation is valuable because it blocks undeclared tool names and ensures schemas compile. It does not validate every argument in this module, so you still need authorization in the underlying query or semantic-layer service, but it prevents the route from quietly expanding in ways the platform did not approve.
Third, filter for obvious bad destinations and content. DLP Filter is useful for structured account identifiers, internal export handles, or known restricted dataset names. Data Routing Policy narrows the eligible providers based on retention and training controls. Together, those controls turn the AI query route into a governed consumer of the analytics platform rather than an exception to it.
This design aligns well with Data Pipeline Governance and Prevent Data Leaks: the assistant is helpful, but it is still subject to the same organizational boundary model as any other data consumer.
Implementation
This example shows an analytics route for business users who can ask questions and retrieve summaries but should not turn the assistant into a raw-data export path.
pack:
name: analytics-query-governance
version: 1.0.0
enabled: true
providers:
targets:
- id: analytics-zdr
provider: openai
model: gpt-5.4-mini-mini
secret_key_ref:
env: OPENAI_API_KEY
data_policy:
zero_data_retention: true
training_opt_out: true
retention_days: 0
policies:
chain:
- rbac
- tool-validation
- dlp-filter
- data-routing-policy
- audit-logger
policy:
rbac:
deny_if_missing:
- X-User-ID
- X-User-Role
- X-Org-ID
require_auth: true
roles:
analyst:
allowed_tools:
- query_metric
- summarize_result
denied_tools:
- export_raw_table
executive:
allowed_tools:
- query_metric
- summarize_result
denied_tools:
- export_raw_table
data_access:
analyst:
max_sensitivity: confidential
executive:
max_sensitivity: restricted
tool-validation:
declared_tools:
- query_metric
- summarize_result
schemas:
query_metric:
type: object
properties:
dataset:
type: string
metric:
type: string
period:
type: string
required:
- dataset
- metric
allow_undeclared: false
dlp-filter:
detect_patterns:
- 'ACCT-\d{8,12}'
- 'EMP-\d{6}'
blocked_terms:
- payroll_raw
- customer_support_full_export
action: block
data-routing-policy:
require_zero_data_retention: true
require_no_training: true
max_retention_days: 0
on_no_compliant_provider: block
log_provider_selection: true
audit-logger: {}
Two implementation notes matter. First, tool-validation is a declaration boundary, not a replacement for warehouse authorization. The downstream query or semantic-layer service still needs its own access checks. Second, the request should carry a correct keeptrusts.data_sensitivity value so rbac can enforce the role ceiling you intended.
That combination is what keeps the route honest. The assistant can summarize and explain approved data, but it cannot silently become a raw-data export tool or an unrestricted query endpoint.
Results and impact
Teams usually see two immediate improvements. The first is better control clarity. Data-platform owners know where AI access is enforced, and product teams know which metadata they must provide for the route to work. The second is fewer edge-case exceptions because the assistant is aligned with existing data-governance concepts such as roles, sensitivity labels, and approved consumer tools.
This also makes adoption easier. Business users are more likely to trust AI analytics when the platform can explain the guardrails in concrete terms. That matters because analytics assistants often fail politically before they fail technically. People need confidence that the tool is not a backdoor to data they were never meant to see.
Key takeaways
- Natural-language query is still a data-access path and should be governed like one.
- RBAC should enforce identity and sensitivity ceilings on analytics routes.
- Tool Validation keeps the assistant on a declared query surface.
- DLP Filter helps block obvious restricted identifiers and export patterns.
- Data Routing Policy keeps analytics prompts on approved provider targets.