Colrows
Start free
Two side-by-side panels showing code-based access rules on the left and semantic-graph-bound policies on the right.
Governance·05 Apr 2026·By Yogendra Sharma·All posts

Governance as Code -> Governance as Semantics

Governance has spent the last decade being rewritten as code. Access policies, masking rules, redaction, classification - all moved from spreadsheets and tickets into version-controlled YAML and policy-as-code engines. That was a real win. But it is incomplete. Code-based governance enforces structure; it does not enforce meaning. And as enterprise AI starts compiling its own queries, that gap is the one that breaks audits.

What does governance as code actually govern?

Governance as code answers a small, useful set of questions. Who can read the orders table? Which columns are masked for the analyst role? Which rows are filtered when a query originates in the EU? It binds rules to physical artefacts - tables, columns, schemas, datasets - and it does that well.

The problem is not what it gets right. The problem is what it cannot see. It does not know what the data means. It does not know which definition of "active customer" the analyst was trying to compute. It does not know whether revenue in this query refers to gross or net. It does not know that the join the agent just emitted bypasses the line of business that owns the metric. The rule layer is structurally blind to the semantic layer.

Why does that gap matter more now?

Because the consumers have changed. When humans wrote SQL, the gap was tolerable - the analyst knew what "revenue" meant before they typed the query, and the policy engine just had to verify they were allowed to read the table. The semantic check happened in the analyst's head; the system only checked structure.

An LLM does not have that head. When an autonomous agent generates SQL, every assumption about meaning has to be made explicit somewhere - because the agent does not bring intent with it. An access-compliant query can still be a wrong query. The agent reads the right table, joins to the right column, and returns a number that is calculated with the wrong definition. Audit logs say everything is fine. The number is still wrong.

What does "governance as semantics" mean in practice?

It means the policy lives on the concept, not on the table. Revenue as defined by the finance team carries its formula, its inclusion rules, its scope, and its access predicates as part of the concept itself. Whoever queries revenue - analyst, dashboard, AI agent - resolves to that concept first, and the policy that travels with it gets injected into the SQL before the planner emits anything.

This is the same shift you see in every layer of the platform stack. Networking moved from per-port firewall rules to identity-and-intent policies. Build systems moved from per-script permissions to artefact-bound supply-chain policies. Governance is making the same move: from "what is this object" to "what does this object mean, and what does that meaning permit."

How is policy attached to a concept rather than a table?

In the Colrows semantic graph, every entity, metric, and relationship is a typed first-class object. Policies attach to those objects with the same lifecycle - they are versioned with the concept, propagate to its derivatives, and resolve under the requesting identity, persona, and scope.

  • Entity-level RBAC. Read-write access to Customer applies to every metric, dashboard, and agent query that resolves through it.
  • Metric-level masking. Definitions can declare which dimensions are visible by persona, and that masking travels with the metric into every consumer.
  • Relationship-level row predicates. When the planner proves a join path, the policies on each edge of the graph contribute their predicates to the emitted SQL.
  • Compile-time enforcement. Unauthorised resolutions fail compilation. The data is never read. There is no post-query filter to be bypassed.

What changes for the auditor?

Audit becomes point-in-time reproducible. Every query carries the graph version, the resolved entities, the proven join paths, and the policies that fired. A historical query can be replayed against the graph version that was in force at the moment the question was asked. The auditor does not chase logs across five tools; the audit is the runtime.

For regulated industries - BFSI, healthcare, retail - this is the actual product. Code-based governance produced a compliance posture; semantic governance produces evidence.

Does this replace governance as code?

No. It absorbs it. Code-based rules become the structural floor. Semantic governance sits above them and binds intent to meaning. The policy engine still enforces "no PII to anonymous callers"; the semantic layer adds "no customer-acquisition cost to a finance persona using last quarter's definition." Both fire at compile time. Neither is optional.

The shift is unavoidable because the workload is changing. AI agents do not consume tables; they consume meaning. Governance has to follow the consumer. If the consumer is a graph traversal, the policy lives on the graph. If the policy lives on the graph, the runtime is the audit. That is what governance as semantics actually delivers.

Related reading

Fine-grained access control schematic.
Governance21 Apr 2026

Fine-Grained Data Access Control

Row-level, column-level, and persona-scoped access enforced at compile time.

Read more
Data authorization architecture diagram.
Governance25 Apr 2026

Data Authorization: The Problems and the Solution

What goes wrong with patchwork authorization - and what fixes it.

Read more
Governance07 May 2026

How to Add Governance to AI Agents

A 7-step checklist for making an enterprise AI agent safe in production.

Read more

Compile-time governance. Not after-the-fact.

Book a demoMore posts