Is Vanna.ai secure for production use?
Vanna.ai is a useful text-to-SQL framework with some built-in guardrails, primarily an is_sql_valid() check and the ability to restrict generated statements to SELECT. For low-stakes internal analytics that is fine. For production use against tenant data or regulated data, those guardrails are necessary but not sufficient:
- Vanna's default validator is regex/keyword-based and bypassable with comments, CTEs, and case variation.
- There is no built-in row-level policy engine bound to request context.
- Evidence logging is not audit-grade (no hash-chain, no signed entries).
- Column-level redaction is not enforced at the AST level, so a text-level check cannot see what a wildcard or an alias actually resolves to.
The honest answer: use Vanna for the natural-language-to-SQL step, and put QueryShield (or an equivalent AST validator + policy engine) between Vanna's output and your database. The two are complementary, not competitive.
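As an added illustration of the first and fourth bullets above (this is example code, not Vanna's or QueryShield's), the snippet below runs the same policy twice: once as a text-level keyword check, and once enforced after parsing, using SQLite's authorizer callback as a stand-in for an AST validator and policy layer. The schema, the redacted-column policy and the four queries are constructed for the example; row-level tenant scoping is deliberately left out.

```python
import sqlite3
# Constructed example schema; 'orders' stands in for a real tenant table.
SCHEMA = """
CREATE TABLE orders (id INTEGER, tenant_id INTEGER, amount REAL, card_number TEXT);
INSERT INTO orders VALUES (1, 7, 19.99, '4111-1111-1111-1111');
"""
# Assumed policy: generated SQL may read orders but never this column, and never write.
REDACTED = {("orders", "card_number")}
DML_KEYWORDS = ("INSERT", "UPDATE", "DELETE", "DROP", "ALTER")

def keyword_check(sql: str) -> bool:
    """Text-level check of the kind the answer warns about. It never parses the SQL,
    so lowercase keywords, differently-cased identifiers and SELECT * all pass."""
    if any(k in sql for k in DML_KEYWORDS):      # case-sensitive substring test
        return False
    if any(col in sql for _, col in REDACTED):   # cannot see what '*' expands to
        return False
    return True

def engine_check(sql: str) -> bool:
    """Same policy enforced after parsing via SQLite's authorizer: the engine reports
    every table/column read and every write, whatever the text looked like."""
    def authorize(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:          # arg1=table, arg2=column
            return sqlite3.SQLITE_DENY if (arg1, arg2) in REDACTED else sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY                 # any DML/DDL action is refused

    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)                     # fixture loaded before the policy
    conn.set_authorizer(authorize)
    try:
        conn.execute(sql).fetchall()
        return True
    except sqlite3.DatabaseError:                  # "not authorized", raised at prepare
        return False
    finally:
        conn.close()

QUERIES = {  # constructed: one legitimate query, three that a text check misjudges
    "legit": "SELECT id, amount FROM orders WHERE tenant_id = 7",
    "case": "delete from orders",
    "ident": "SELECT Card_Number FROM orders",
    "star": "/* report */ SELECT * FROM orders",
}

def compare() -> dict:
    """Map each query name to (keyword_check verdict, engine_check verdict)."""
    return {name: (keyword_check(q), engine_check(q)) for name, q in QUERIES.items()}
```

The text check accepts all four queries; the parse-level check accepts only the legitimate one, which is the gap the answer is pointing at.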