TL;DR: Measurable validation, not manual review, becomes the scalable control for complex data workflows, according to SecurityScorecard. Its scoring pipeline uses Great Expectations, DataHub, and Apache Airflow to standardize data quality checks across ingest, compute, database sync, and customer-facing release stages, replacing ad hoc validation with repeatable controls and observable results.
At a glance
What this is: This is an operational data engineering post showing how stage-by-stage validation, centralized observability, and orchestration controls make data quality more consistent in a large Airflow pipeline.
Why it matters: For practitioners running identity, security, or customer data pipelines, the lesson is that validation must be enforced at each handoff if you want trustworthy downstream decisions and defensible operational control.
👉 Read SecurityScorecard's article on stage-by-stage data quality validation in Airflow
Context
Data quality breaks down when teams treat validation as a one-time test instead of a control that follows the workflow. In multi-stage pipelines, problems often appear after ingest, during transformation, or at the final database sync, which means the only useful model is stage-specific validation with clear ownership and visible results.
That matters to identity and security teams because bad pipeline data can distort access decisions, monitoring, fraud signals, and customer-facing outcomes. The governance question is not whether the pipeline runs, but whether its checks are repeatable, auditable, and visible enough to support reliable downstream action.
Key questions
Q: How should teams implement data quality checks in multi-stage pipelines?
A: Teams should attach checks to each meaningful boundary, not just to the start and end of the workflow. Validate inputs before compute, outputs before sync, and final database states before release. That approach catches upstream drift early, keeps failures close to the source, and prevents bad records from flowing into customer-facing systems.
Q: When do row-by-row validation checks become a bad design choice?
A: Row-by-row validation becomes a bad choice when the dataset is large enough that Python or application memory becomes the bottleneck. At that point, set-based database queries are faster, cheaper to operate, and easier to keep within pipeline timing targets. The right control is the one that can run continuously without slowing the workflow.
Q: What do security and data teams get wrong about validation observability?
A: They often treat observability as a log viewer instead of a governance control. Real observability should show pass and fail history, expected versus actual values, execution metadata, and dataset context in one place. Without that, teams can detect a failure, but they cannot prove whether the control is improving over time.
Q: Who is accountable when bad data reaches a downstream system?
A: Accountability should sit with the team that owns the final gate before the data is exposed to users or dependent systems. If that gate only reports errors and does not stop release, the control is incomplete. Effective governance requires clear owners, automatic blocking, and a visible record of why the pipeline was paused.
Technical breakdown
Stage-gated validation in Airflow pipelines
Airflow provides orchestration, but it does not guarantee data correctness. The technical pattern here is to attach validation to meaningful workflow boundaries: before compute-heavy jobs, after transformation, after database writes, and before customer-facing release. Great Expectations supplies a consistent validation language for schema checks, null checks, and range assertions, while direct SQL is used where table-scale business rules would be too slow in Python. The important architectural point is that validation is not a separate QA phase. It is part of the pipeline control plane, with each stage able to pause or fail fast when results fall outside policy.
Practical implication: define validation gates at every handoff where bad data can create downstream cost or customer impact.
Great Expectations and DataHub for data quality observability
Great Expectations standardizes what a check looks like, but standardization alone does not make quality governable. DataHub adds the observability layer by capturing assertions, execution metadata, expected versus actual values, and status over time. That makes data quality measurable across teams and projects instead of trapped inside individual repositories. This is the difference between a validation script and an operational control. When results are published centrally, teams can compare patterns, spot recurring failures, and trace which dataset or rule changed. The control becomes visible enough to support ownership and escalation.
Practical implication: pair validation with a shared results store so quality trends can be reviewed, not just one-off failures.
Why database-side checks outperform row-by-row validation
The post highlights a common pipeline failure mode: pulling millions of rows into application memory and validating them one by one. That approach is technically elegant but operationally expensive, because it turns a database problem into a Python performance problem. Moving business-rule checks to database-side SQL lets the engine do set-based evaluation, reducing runtime and pressure on the orchestration layer. This is a classic example of choosing the right control location. Schema checks and lightweight assertions fit Great Expectations well, but large-scale conditional logic belongs as close to the data as possible.
Practical implication: push high-volume business rules into the database so validation remains fast enough to run continuously.
NHI Mgmt Group analysis
Validation debt is the real risk in complex data pipelines. Teams often accumulate ad hoc checks that work in one repository but fail to scale across orchestration, databases, and release stages. That creates hidden governance debt: controls exist, but they are inconsistent, hard to compare, and easy to bypass. The operational answer is not more testing in the abstract, but standardised validation that travels with the workflow.
Data observability becomes a control only when results are centralised. A pass or fail signal inside one job is useful, but it does not create programme-level visibility. Publishing assertions into a shared platform turns local checks into reusable evidence, which is what makes data quality auditable across teams. For security and identity programmes, that same pattern applies to lifecycle events, entitlement changes, and trust signals.
Set-based validation should replace row-by-row ceremony wherever scale matters. The article’s performance lesson is broader than data engineering: controls must be implemented at the right layer or they become too slow to operate. Large-scale validation is a governance design problem as much as a tooling problem. Practitioners should treat control placement as part of architecture, not an afterthought.
Data quality controls are only credible when failure stops release. The strongest pattern in the post is the final gate that pauses the pipeline and alerts on-call before customer-facing syncs continue. That is what turns quality checks into enforcement rather than reporting. Organisations that cannot stop bad data at the boundary do not have a control system, they have documentation.
What this signals
Validation discipline is becoming a governance expectation, not a data-engineering nicety. As pipelines span more stages and more owners, the organisations that can prove where checks run, what they caught, and who owns failures will have a clearer audit trail than teams relying on manual review. For identity and access programmes, the same logic applies to entitlement drift and lifecycle events: if you cannot show the control boundary, you do not really control it.
Visibility is the point where pipeline controls become decision support. Once assertions are centralised, teams can distinguish isolated defects from recurring control weaknesses and can decide whether to tune rules, move them closer to the data, or change ownership. That is why the most useful operating model is not more checks, but better evidence from the checks you already run.
Control placement matters more than control volume. A well-placed database-side rule can outperform a larger set of slow application checks, and the same principle holds across security governance. Practitioners should build systems that can fail fast, report clearly, and stay usable under scale rather than adding layers that only look stronger on paper.
For practitioners
- Map validation to workflow boundaries Place checks before expensive compute, after transformation, before database sync, and at the final release gate so failures are caught where they matter most.
- Standardise validation definitions Use one repeatable format for schema checks, null checks, and range assertions so teams can reuse logic across repositories instead of maintaining one-off scripts.
- Centralise assertion results Publish pass or fail outcomes, timestamps, expected versus actual values, and run metadata into a shared observability layer so trends are visible across the programme.
- Push large-scale rules into the database Move high-volume business-rule checks to SQL or equivalent set-based queries when Python validation starts creating memory pressure or slow runs.
- Make failed validation block release Configure the pipeline so policy breaches pause downstream movement and send actionable alerts before customer-facing systems receive the data.
Key takeaways
- Stage-specific validation is more effective than relying on end-of-pipeline checks or manual review.
- Centralised assertion results turn data quality into an observable control rather than a collection of local scripts.
- The strongest pipelines stop bad data before release and place expensive checks where the data actually lives.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.DS-6 | The article focuses on validating data integrity across pipeline stages. |
| NIST SP 800-53 Rev 5 | SI-7 | Integrity checks and fail-fast controls align directly to system integrity monitoring. |
| CIS Controls v8 | CIS-3 , Data Protection | The post is about protecting data quality and downstream trust in pipelines. |
| MITRE ATT&CK | TA0007 , Discovery; TA0009 , Collection | The article addresses how pipeline validation reduces exposure to bad or manipulated data. |
Use ATT&CK mappings to test whether collection and downstream data handling controls are preserving integrity.
Key terms
- Data Quality Validation: Data quality validation is the set of automated checks used to confirm that data is complete, consistent, and within expected bounds before it is allowed to move downstream. In practice, it combines schema checks, value checks, and business-rule checks so pipeline failures are caught early and handled consistently.
- Assertion: An assertion is a recorded result that a dataset or pipeline step met a defined expectation at a specific point in time. In observability platforms, assertions provide evidence of what was checked, when it ran, and whether the result matched policy, which makes quality measurable over time.
- Stage Gate: A stage gate is a control point in a workflow where processing stops unless defined checks pass. It is useful in data pipelines because it prevents bad inputs, invalid outputs, or failed syncs from reaching later systems, where correction would be slower and more expensive.
- Set-Based Validation: Set-based validation evaluates data in bulk using database logic rather than checking one row at a time in application code. It is the preferred pattern for large tables because it reduces memory pressure, improves runtime, and keeps the control close to the data it is judging.
What's in the full article
SecurityScorecard's full article covers the implementation detail this post intentionally leaves at a higher level:
- How the team structured Great Expectations checks across input, output, and database stages
- How DataHub stores assertions, timestamps, and expected versus actual values for review
- How the Airflow workflow pauses on failed validation and routes alerts to on-call teams
- How database-side SQL replaced slower Python validation for large business-rule checks
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, identity lifecycle, secrets management, and workload identity. It is suited to practitioners who need a stronger control model for identity-led systems and operational risk.
Published by the NHIMG editorial team on 2026-05-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org