The Security Case Against Text-to-SQL — and the Governed API Pattern That Replaces It
Paper: “Beyond Text-to-SQL: An Agentic LLM System for Enterprise Analytics”
arXiv: 2605.21027
Published: May 2026
Researchers: Gundeep Singh, Parsa Kavehzadeh, Jing Xia, Xue-Yong Fu, Julien Bouvier Tremblay, Md Tahmid Rahman Laskar, Vincent Lum, Shashi Bhushan TN
The morning article on this paper focused on what Chief Data Officers and Heads of Business Intelligence should build next — the architecture and strategy of governed API orchestration. This article addresses a more urgent audience: the Chief Information Security Officer, the compliance officer, and the internal auditor.
Because the same architecture that delivers 92 percent task success on enterprise analytics also solves a security problem that has quietly worried every CISO who has been asked to approve an LLM data query tool. The problem is simple: every Text-to-SQL system needs direct database access to do its job. Direct database access bypasses every access control, audit trail, and business rule that protects enterprise data.
The paper documents the gap empirically. Traditional Text-to-SQL systems achieve 18 percent task success on real enterprise analytics tasks — not because the SQL is wrong, but because the system cannot navigate permissions, governance, and organizational context. The 18 percent success rate is not a model problem. It is a security problem that has been miscast as a software engineering problem.
Dialpad’s Analytic Agent replaces direct database access with governed API orchestration — and in doing so, creates something that has not existed in enterprise AI analytics: an auditable, permission-controlled, retry-aware query pipeline that security teams can actually approve.
Why This Paper Matters for Security and Compliance Leaders
Every enterprise deploying AI for internal analytics confronts the same tension. The business wants democratized data access — let product managers, marketing teams, and operations staff ask questions in plain English and get answers from the data warehouse. Security teams want controlled, auditable, permission-aware data access. These two objectives have appeared incompatible.
Text-to-SQL systems resolve the tension by ignoring security. They request direct read access to the database. They hope the LLM only queries approved tables. They produce no audit trail of what the LLM actually queried, against which tables, with what filters. For a CISO, approving a Text-to-SQL deployment means approving a black box with database access and no governance layer.
This is why Text-to-SQL has failed in enterprise. Not because the SQL is wrong. Because CISOs, compliance officers, and internal auditors say no.
The paper’s contribution is proving that the tension is false. Governed API orchestration delivers better analytics outcomes (92 percent vs 18 percent) while simultaneously solving every security concern that kills Text-to-SQL deployments.
Permission validation happens before data access, not after. The paper’s architecture validates user permissions at Stage 2 — before the system makes any API call. If the user does not have permission to see data for the target team or department, the system stops. It does not query. It does not return partial data. It does not silently return empty results. It denies the request explicitly and returns an explanation to the user.
Every query produces an audit trail. Because the system routes all queries through governed APIs, every query is logged at the API layer. Who asked. What they asked. Which endpoint it hit. Whether it succeeded or failed. What data was returned. A compliance officer can audit any query in the system. A Text-to-SQL system with direct database access cannot provide this trail because the query hits the database directly — there is no intermediary that logs what happened.
Retry logic is not just a reliability feature — it is a security feature. The paper’s retry loop (Stage 4 back to Stage 3) handles failed API calls by correcting parameters and re-executing. From a security perspective, the retry loop means the system never needs escalated permissions. If an API call fails because the user lacks access, the system does not escalate privileges — it reports the denial and, in some cases, falls back to a simpler endpoint that the user can access. The system works within existing permissions. It does not request new ones.
The LLM never sees raw data. The paper’s architecture ensures that the LLM never has access to the underlying database. It sees API responses — pre-aggregated, filtered, and shaped by the governed API layer. This is the fundamental security advantage. An LLM with direct database access can hallucinate queries that return unintended data. An LLM that calls governed APIs can only return what the API allows. The surface area for data leakage collapses.
How the Architecture Creates Auditability
The paper does not present itself as a security architecture paper. But its system diagram (Figure 2) maps directly onto a security controls framework:
Stage 2 is an access control gateway. The Target Search Agent does two things: it resolves what the user is asking about, and it checks whether the user is permitted to ask about it. The permission validation step is embedded in the architecture, not bolted on afterward. This is what security teams call “policy enforcement at the request layer” — and it is the correct place for it.
Stage 3 is a purpose-built query interface. The Database Querying Agent selects from a known set of analytics API endpoints — not arbitrary SQL tables. The endpoint set is finite, documented, and permission-scoped. There is no way for the LLM to construct a query against an endpoint that does not exist or that the user should not access. The query construction is constrained by the API surface, not by the model’s imagination.
Stage 4 is a policy enforcement point. The execution and validation step checks the constructed query against business rules before it runs. If the query violates a rule — requesting a metric the user should not see, querying a date range that exceeds policy limits — the system blocks it and retries with corrected parameters. The validation is programmatic and deterministic, not LLM judgment.
Stage 5 has no data access at all. The Visualization Agent generates chart configurations from already-returned data. It never touches the database. It never makes API calls. It sees aggregated results, not raw rows.
For a CISO reviewing this architecture against a standard security control framework, the pattern is clean: authentication at the entry point, authorization at the entity resolution layer, policy enforcement at the execution layer, data minimization at the API layer, and full audit logging throughout.
The Compliance Advantages of Governed API Orchestration
The paper’s architecture also addresses several regulatory requirements that are becoming material for enterprises deploying AI for internal use.
GDPR and CCPA data subject access rights. An employee asks the analytics system “show me my team’s sales data.” Under governed API orchestration, the system checks: does this user have permission to see this data? Does the team consent to having their aggregate data surfaced? Are any of the underlying records subject to data subject deletion requests? The API layer can answer each of these questions before the data is retrieved. A direct SQL system cannot.
SOX and financial reporting controls. A controller asks “what was Q4 revenue by product line?” The governed API endpoint for revenue reporting includes the business rules that ensure the calculation matches the official financial reporting methodology. The LLM cannot construct a different SQL query that produces a different revenue number. The answer is always consistent with the sanctioned definition.
Industry-specific data segregation. In healthcare, insurance, or financial services, data is segregated by business line, by regulation, and by jurisdiction. The governed API layer enforces these boundaries. A query from a US claims analyst about the same company’s UK policyholders hits a UK-specific API endpoint or is blocked entirely. The LLM does not need to understand regulatory boundaries — the API layer enforces them.
The paper demonstrates at two Fortune 500 companies that this architecture works at scale: 90 expert-curated enterprise analytics tasks, 300 person-hours of evaluation, 94.44 percent execution success with the production model, and a retry loop that handles the edge cases that break demos.
What Security Leaders Should Do Now
Audit any Text-to-SQL pilot in your organization against this paper’s findings. If your data team is running a Text-to-SQL pilot with direct database access, the paper provides the framework for asking the right questions: who validated permissions? What audit trail exists? What stops the LLM from querying restricted tables? The baseline failure rate in the paper suggests the pilot will fail for operational reasons before security becomes the deciding factor — but security should not wait for operational failure.
Include the retry loop in your security review criteria. A system that retries failed API calls by escalating privileges is a security risk. A system that retries by correcting parameters within existing permissions is not. The paper’s two-tier retry design — programmatic recovery for predictable errors, LLM-powered recovery for ambiguous ones — is the pattern to require.
Evaluate governed API orchestration as an alternative to data masking. Some enterprises address the Text-to-SQL security problem by masking or redacting sensitive data in database query results. This creates a false sense of security. The LLM has still queried the data. The masking layer is an additional failure point. Governed API orchestration eliminates the need for masking by ensuring the LLM never touches raw data.
Require a permission-validation layer at the request level, not the database level. The paper’s architecture validates permissions before the query runs. Most enterprise data access controls validate permissions at the database level — after the query has been constructed and submitted. The difference is between “stop the car before the intersection” and “stop the car after it has entered the intersection and let it coast to a halt.” Both stop the car. One is safer.
Key Takeaways for Security, Compliance, and Audit Leaders
The permission validation pattern is the single most important architectural decision an enterprise can make for AI analytics. Validate before the query, not after. Embed it as a dedicated agent stage, not a middleware filter.
The retry loop is a security enclosure, not just an engineering convenience. By keeping retries within the existing permission framework, the system never needs to request escalated access. This is the production security pattern for LLM-based data access.
The architecture eliminates the LLM data leakage debate. An LLM that calls governed APIs cannot leak data it never sees. The data stays behind the API layer. The conversation about “can we trust the model not to leak data?” becomes irrelevant.
Two Fortune 500 deployments prove the pattern is real. The paper is not theoretical. Dialpad deployed this at two large enterprises. The 90-task evaluation is the most practical enterprise analytics evaluation published.
Thanks to All Authors
Gundeep Singh — Dialpad Inc., San Francisco, CA
Parsa Kavehzadeh — Dialpad Inc., San Francisco, CA
Jing Xia — Dialpad Inc., San Francisco, CA
Xue-Yong Fu — Dialpad Inc., San Francisco, CA
Julien Bouvier Tremblay — Dialpad Inc., San Francisco, CA
Md Tahmid Rahman Laskar — Dialpad Inc., San Francisco, CA
Vincent Lum — Dialpad Inc., San Francisco, CA
Shashi Bhushan TN — Dialpad Inc., San Francisco, CA
Want to know how this applies to your company?
At Silicon Valley Certification Hub, we help you align AI + Strategy. Our team works directly with your directors and teams to assess AI readiness, identify gaps, and build a clear path forward — tailored to your business context.
Book a time with our CEO, Alejandro Cuauhtemoc-Mejia:
https://calendar.app.google/2ihQf2JH3D9uJBe68
Silicon Valley Certification Hub
3000 El Camino Real, Building 4, Palo Alto, CA
Frequently Asked Questions
What does this mean for a Chief AI Officer?
You can now deploy AI analytics systems with genuine security controls rather than choosing between capability and compliance. The governed API pattern eliminates the false choice between locking down LLM access entirely or granting unrestricted database permission, delivering 92 percent task success while maintaining auditable, permission-based access to data.
Why do traditional Text-to-SQL systems actually fail 82 percent of the time on real enterprise queries?
The failure isn’t due to SQL generation quality—it’s because these systems cannot navigate organizational permissions, governance rules, and business context that protect sensitive data. Direct database access without permission awareness creates a security blind spot that the model has no way to resolve, making the task unsolvable by design.
How should our organization assess whether we’re ready for this shift from Text-to-SQL to governed APIs?
Begin with an AI Assessment for companies that maps your current data governance model, permission structures, and audit requirements against the governed API orchestration pattern described in this research. Silicon Valley Certification Hub can help your team evaluate whether your organization has the API infrastructure and permission frameworks in place to adopt this more secure approach without major architectural rewrites.
What’s the first decision we need to make to move forward with this architecture?
Determine whether your existing API layer can serve as the governance enforcement point—if not, build that first before deploying agentic LLM systems for analytics. This single decision gates your ability to maintain audit trails, control access, and comply with data regulations while giving your teams the AI-powered insights they need.