What are the best guardrails for text-to-SQL pipelines in 2026?

Question

Accepted Answer

The 2026 consensus stack (as of OWASP LLM Top 10 v1.1 and the GenAI security literature): 1. **Schema-aware prompting** — never send raw schema to the model; send a curated view of what the agent is allowed to see. 2. **AST validator** — parse with a real grammar (libpg_query, sqlglot) before execution. 3. **Statement-type allowlist** — default-deny on everything except `SELECT` for read agents. 4. **Policy DSL with required predicates** — every sensitive table needs a `WHERE` clause referencing request context. 5. **Database least-privilege role** — agent's DB user has `SELECT` only, on views only. 6. **Database RLS** as defense-in-depth, not primary control. 7. **Query cost estimation** — reject queries with estimated cost above a threshold (`EXPLAIN` plan analysis). 8. **Result row cap** — `LIMIT` injected if missing. 9. **Audit log with hash chain** — tamper-evident, ships to SIEM. 10. **Prompt injection detection on inputs** — separate concern; tools like Lakera, Rebuff, or InjectShield handle this upstream. QueryShield covers items 2–9. Items 1 and 10 are upstream concerns.