TL;DR: The governance gap is not enforcement alone, but policy drift, hidden grantee lists, and scattered evidence across datasets, according to PlainID, whose Google BigQuery support discovers native Row Access Policies and Policy Tags across datasets and centralises them into one view, giving teams a single place to audit row and column access for applications, analysts, and AI agents.
At a glance
What this is: PlainID’s BigQuery integration centralises discovery and management of native row and column access controls so teams can audit data exposure from one place.
Why it matters: This matters because identity and access teams need consistent evidence of who can see what across datasets, especially when autonomous agents and regulated workloads query the same data.
By the numbers:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
👉 Read PlainID’s article on BigQuery native control discovery for agentic AI
Context
BigQuery already has native row and column controls, but native controls are only useful if teams can see them, compare them, and prove they still reflect the intended rule. In practice, policy drift, duplicated rules, and scattered dataset-level ownership make that harder than it should be, especially when AI agents and applications query the same governed data.
The identity governance problem here is not the absence of policy primitives. It is the absence of centralized evidence across data platforms, which leaves security, compliance, and data teams reconstructing access posture one dataset at a time. That is a familiar failure mode in modern IAM and NHI programmes, and it becomes more visible as data access grows more dynamic.
Key questions
Q: How should teams govern BigQuery row and column controls across many datasets?
A: Start by treating native dataset policies as the authoritative control source, then build a consolidated inventory of Row Access Policies, Policy Tags, and Data Policies. Governance fails when evidence is scattered across projects, so teams need one view of coverage, masking, and principal scope before they can trust the control state.
Q: Why do native data controls still create risk when they are enforced inside the platform?
A: Native enforcement reduces the chance of bypass, but it does not eliminate policy drift, stale principals, or mismatched sensitivity tags. If the live rule no longer matches the intended rule, the organisation can still be exposed even though the platform is technically enforcing something.
Q: How can security teams tell whether BigQuery policies are actually working?
A: Look for consistency between the live filter expression, the masking rule, and the principal list across all datasets. If auditors cannot answer who is covered, what is filtered, and what is masked without opening each dataset separately, the control is not operationally trustworthy.
Q: What should organisations do before connecting AI agents to sensitive BigQuery data?
A: Confirm that row and column restrictions are enforced before retrieval, not after the model has already seen the data. The agent should inherit the platform’s native limits, and the security team should verify that no alternate path can bypass those controls.
How it works in practice
How BigQuery native row and column controls work
BigQuery Row Access Policies filter query results at row level, while Policy Tags and Data Policies drive column masking. The important point is that these controls live in the data platform itself, so they affect every caller that reaches the dataset, including applications, analysts, and AI agents. That native enforcement model is different from wrapping a separate authorisation layer around the data, because the decision travels with the query target rather than the consumer. Central governance becomes valuable when teams need to see the effective policy state across many datasets at once.
Practical implication: data security teams should inventory native controls by dataset and compare them to intended access rules before relying on federated reporting alone.
Why policy drift is the real governance problem
Policy drift appears when grantee lists, filter expressions, or sensitivity tags evolve independently across datasets. In a principal-centric database, one team may update a policy while another forgets to update the tag or mask that depends on it, creating mismatched access behaviour. That is not just an administrative inconvenience. It means the environment can still be technically enforced while the documented governance story becomes untrustworthy. For regulated teams, untrustworthy evidence is often as damaging as missing control.
Practical implication: treat drift detection as part of control assurance, not as a reporting exercise after the fact.
What central policy management changes for agentic AI workloads
Agentic AI makes native data controls more important because retrieval steps can pull sensitive rows or columns directly into model context. If the data platform enforces masking and row limits before retrieval, the agent inherits those boundaries without needing a separate policy path in the model layer. That reduces exposure, but only if the governing team can confirm the controls are actually present and consistent across all relevant datasets. Central visibility is therefore an access assurance layer for AI-enabled data use, not just a convenience feature.
Practical implication: align AI retrieval architecture to the data platform’s native controls and verify that policy enforcement happens before model context is assembled.
NHI Mgmt Group analysis
Centralised visibility is now the control plane problem, not just the reporting problem. BigQuery already exposes the enforcement primitives, but distributed dataset ownership makes it difficult to prove what is live, where it applies, and whether policy intent still matches policy state. That is a governance failure in its own right, because auditors and security teams cannot rely on controls they cannot consistently reconstruct. The implication is that data access assurance must span the platform, not only individual datasets.
Identity governance for data platforms must account for the caller, not just the dataset. When the same BigQuery table serves an analyst, an application, and an AI agent, the access question becomes behavioural rather than static. The meaningful control is not whether a dataset has a policy, but whether that policy consistently governs every identity type that can reach it. Practitioners should treat agentic AI as another consumer of native controls, not as a separate exception path.
Policy drift is the named concept that explains why native controls fail at scale. Policy drift is the slow divergence between intended access rules and the live state spread across grantees, tags, filters, and masks. It does not require a breach to matter. It silently weakens the evidentiary basis for compliance and operational trust, which is often the real operational cost in regulated data programmes.
BigQuery governance is becoming part of the wider NHI problem space. Data platform identities, service-linked access, and AI retrieval paths all sit inside the same governance envelope. As AI systems query native controls directly, teams can no longer separate data authorisation from identity governance. The practical conclusion is that NHI and data security teams need one shared view of who or what can consume protected data and under what rule.
Consolidation of policy views is a prerequisite for scaling AI workflows safely. The control that matters is not a new enforcement engine, but trustworthy cross-platform evidence of what already governs the data. Without that, teams are scaling access uncertainty rather than scaling retrieval. Practitioners should treat central policy visibility as a baseline requirement before expanding AI use against regulated datasets.
From our research:
- 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- That same lifecycle gap is why Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs is the next resource to review when policy evidence is scattered.
What this signals
Policy drift is likely to become the dominant operational risk in governed data platforms. As more workloads and AI systems query the same datasets, teams will need evidence that the live control state still matches the intended access model. Central visibility is no longer a reporting preference, it is the only scalable way to keep authorisation evidence trustworthy.
The organisations that will struggle most are the ones still treating data authorisation as a dataset-by-dataset admin task. With only 5.7% of organisations having full visibility into their service accounts, the broader lesson is that identity governance without consolidated evidence does not scale to regulated analytics or AI retrieval.
Access assurance for AI will increasingly depend on native platform controls. As retrieval pipelines expand, teams should expect security architecture reviews to ask where policy is enforced, who can prove it, and how drift is detected across projects. The governance question is shifting from can the agent access the data to can you prove the data was governed before the agent saw it.
For practitioners
- Inventory native BigQuery policies across all datasets Map Row Access Policies, Policy Tags, and Data Policies to each dataset, then compare live state with the intended access model. Use that inventory to identify where ownership, masking, or grantee lists diverge across projects.
- Validate policy drift against compliance evidence Check whether the documented rule still matches the live filter expression, masking rule, and principal list. Focus on datasets with shared ownership, recent changes, or manually maintained tags because those are the most common drift points.
- Align AI retrieval paths to native data enforcement Confirm that retrieval-augmented workflows only consume data after BigQuery has applied the row and column rules. If model prompts can reach data outside the governed path, the AI layer is bypassing the control you think you have.
- Create a single evidence view for auditors and security reviews Build reporting that shows who is covered, what is filtered, what is masked, and which policy produces that result. That evidence should be generated from the platform state, not reconstructed manually from each dataset.
Key takeaways
- BigQuery’s native row and column controls are only useful when teams can prove their live state across every dataset.
- Policy drift, not missing enforcement primitives, is the governance gap that most often undermines trust in distributed data platforms.
- Security and identity teams should treat centralized evidence of native controls as a prerequisite for safe AI retrieval and regulated access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Native data access controls map to identity governance for non-human and workload identities. |
| NIST CSF 2.0 | PR.AC-4 | This article is about consistent access control enforcement across data platforms. |
| NIST Zero Trust (SP 800-207) | section 3.5 | Centralised policy visibility supports zero trust data access decisions. |
| MITRE ATT&CK | TA0007 , Discovery; TA0009 , Collection | The threat pattern involves discovering and collecting data beyond intended scope. |
| NIST AI RMF | MANAGE | Agentic retrieval over protected data requires managed risk controls and monitoring. |
Map dataset policies to PR.AC-4 and verify that access rules are consistently enforced across all projects.
Key terms
- Row Access Policy: A Row Access Policy limits which rows a principal can see when querying a dataset. In BigQuery, it is enforced at query time, so the policy applies to every consumer of the data, including analysts, applications, and AI agents that reach the table directly.
- Policy Tag: A Policy Tag classifies a column by sensitivity so that downstream access rules can be applied consistently. It is part of the data platform’s native control plane, which means the tag becomes governance evidence only when teams can see where it is used and whether it still matches the intended classification.
- Policy Drift: Policy drift is the slow mismatch between intended access rules and the live control state across systems or datasets. In data governance, it shows up when grantees, masks, or classification tags change independently and teams can no longer trust the documented posture without manual reconstruction.
- Native Enforcement: Native enforcement means access decisions are made by the data platform itself rather than by a separate overlay or proxy. That matters because every caller reaches the same enforced rule set, but it also means governance must focus on visibility, consistency, and evidence across the platform state.
What's in the full announcement
PlainID’s full article covers the operational detail this post intentionally leaves for the source:
- How the Google BigQuery Authorizer discovers row policies, policy tags, and masking rules across connected datasets.
- What the native control view shows for who is covered, what is filtered, and what is masked.
- How the integration supports distributed deployment across applications, APIs, data platforms, and agentic development platforms.
- Where the platform positions centralized authorization management relative to BigQuery’s internal policy engines.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity governance programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org