'There Is No Boss': How Postgres Decides Its Future In Public

Everyone Is Handing AI Agents The Keys To Production Postgres. POSETTE’s Sharpest Talks Were About The Brakes.

The Best Lesson From POSETTE’s Vendor Day: When Your Postgres Feels Slow, It's Rarely Postgres

What A Morning With Postgres’ Maintainers Reveals About How The Database Really Gets Made

POSETTE '26: Postgres Has Stopped Trying To Prove It Belongs And Started Absorbing The Stack Around It

How Postgres' Rise To Enterprise Default Is Outpacing The Operational Model Behind It

What Happens To Agent Memory When You Swap The Model? Two Practitioners Are Building The Answer In The Database Layer.

The Line Between The Database And AI Memory Layer Is Getting Blurry. The Trick Is Making Sure Your Schemas Are Not Paying For It.

To Stop AI Amplifying Security Issues, Some Experts Are Grounding Security In Hardware

How a Laid-Off Atlassian Engineer's Sovereign Breakdown Started a Timer On Every Vibe-Coded Codebase

Authorization Has Always Been Hard, and a New Generation of Builders Is Discovering Why

What Does a Compiler Look Like When Its Audience Isn't Human? Vercel's Zero Just Soft-Launched the Answer

After pgBackRest's Close Call, Postgres Shops Are Drafting New Runbooks For Continuity

pgBackRest Is Back, But Open Source Has a Stewardship Problem It Can't Keep Ignoring

AI-Generated Pull Requests Are Crashing Postgres Instances Daily, And the Only Way Through Is Architectural

Decoding 'Architecture As An Algorithm' and Production AI Explainability In Regulated Industries

The Case Of 'A Billion APIs': Overcoming AI-Induced Monolithic Tech Debt No One Can Maintain

Tell One AI Model Another Will Review Its Work, and Output Quality Jumps 1.5x

Old-School Speccing Makes a Comeback As Devs Find The Limits of Natural Language LLM Interactions

How Mississippi Built The Nation's First Statewide AI Initiative For Education And Workforce Readiness

From Banking to Blackboard: An Engineer's Case For CI/CD-Level Governance Of AI Code

Why The Success Of AI In Regulated Industries Depends On Compliance-As-Architecture

AI Parallelized Biomedical Research, But The Verification Layer Needs To Match The Throughput

Grainger's MarTech Lead On How Disciplined AI Governance Prevents Expensive Shelfware

You Can't 'Write Off' AI QA Tax at the Read/Write Layer, You Can Only Move When The Bill Comes Due

What Happens When Read-Only Access is the Only AI Guardrail That Actually Holds?

When AI Agents Go 'God Mode,' the Security Perimeter Must Move to the Database

One Layer Away, Always: A Framework for AI in Production Data Systems

You Can't Vibe Code A Payments Platform, But Even Regulated Industries Are Rethinking Writing By Hand

AI Readiness Starts With the Queries Nobody Bothered to Optimize

Agents Collapsed The Wall Between Analytics And Operations, And Postgres Is What's On The Other Side

A Financial Service Engineer's Search For Provability Amid The MCPification Of Everything

You Can't Outrun Governance, but Reducing Hurdles to Production-Readiness Starts With Condensing AI Pipelines

Let The Agents Cook. But First, Secure The Infrastructure.

The Traditional OLTP Playbook Breaks RAG. Here's What Replaces It.

Same IDE, Two Developers: One Shipped A Month Of Front-End In An Afternoon. The Other Wiped The Drive.

Six Agents, One Pull Request, and the Emerging Art of 'Skills-as-Infrastructure'

Latest News

The signal, once a week
Reporting, contributor perspectives and sharp notes from the people building with Supabase in the real world. No noise, no spam.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

All articles

Data at Scale

June 19, 2026

Everyone Is Handing AI Agents The Keys To Production Postgres. POSETTE’s Sharpest Talks Were About The Brakes.

AI agents are getting write access to production databases, and the sharpest talks at POSETTE 2026 argued the only safety that holds is enforced in the data layer. It's the same discipline Supabase CEO Paul Copplestone was teaching the conference back in 2024.

Share:
Credit: Read Replica

Make The Read Replica one of your go-to sources on Google

Add The Read Replica on Google

A few thousand engineers just spent their working hours inside a Postgres conference, watching talk after talk about a database that has become the default place the AI industry keeps its data. POSETTE is run by Microsoft, and the 2026 program had the confident sprawl of a project at its peak, with sessions on graph queries, vector search, and a dozen new ways to make the database do more. Underneath the demos of AI agents reading and writing production data, though, a less comfortable question kept surfacing. The talks that drew the room were the ones willing to name it: once you let an autonomous agent into your database, what stops it from doing something catastrophic?

Mohsin Ejaz answered by breaking a database on purpose. Ejaz is a benchmarking engineer at DBtune, which builds software that tunes Postgres automatically. In his POSETTE talk, he showed what an automated system does when it reaches into a live database and changes the wrong thing. On a real astrophysics workload, a single altered planner setting pushed a routine query's runtime to nearly seven seconds. That's the kind of regression that pages an on-call engineer at three in the morning. His argument was that any agent near production needs a rollback path, a record of what it tried, and a hard ceiling on how far it can push. "Don't hand over your keys to your safe," he said, "which is actually your production data."

The danger is sharper because the models themselves can't be trusted to be careful. In a separate session on giving agents a safe interface to Postgres, Pamela Fox, who works on Python developer tooling at Microsoft, asked two leading AI models in plain English to clean up some rows. One paused to ask for confirmation before deleting roughly twenty thousand records. The other just deleted them. "You cannot rely on the safety of models," she told the room. The protocols now wiring those models into databases don't fix it either: a flag that tells an agent a tool is read-only is, as she put it, only a hint, not a contract. Politeness isn't a control. Whatever is going to stop the agent has to live below it, in the database itself.

An old idea, suddenly everyone's problem

That conclusion would have sounded familiar to anyone who sat through POSETTE two years ago. In 2024, Supabase CEO Paul Copplestone spent his slot walking through row-level security, the Postgres feature that decides who can see and change which rows inside the database rather than in the application in front of it. Back then, it was a discipline that lived mostly in the heads of people building multi-tenant software. The agent era has taken that fairly specialized topic and made it everyone's problem at once, because an agent writing its own queries is exactly the case the application layer was never built to police.

Where the brakes have to live

That's the shift underneath all of it. For most of the cloud era, access control was an application concern: the database trusted whatever connected to it, and the rules about who could touch what were enforced in code the application ran. An autonomous agent dissolves that arrangement, because it composes its own queries and there's no application in the middle left to vet them. The response taking shape across the field is to move the rules down into the data, so that an agent connecting as a deliberately narrow role can read what it needs and stay structurally unable to drop a table or read a column it was never granted. The talks that landed at POSETTE were the ones supplying the operational detail that makes that real: read-only roles, rollback paths, rejection logs, enforcement that lives at the data layer rather than the agent layer.

None of this is the story the AI market is selling, which is part of why it's worth telling. The conference had no shortage of demos of agents doing impressive things. The talks people will remember are the ones that assumed the agent is already here and asked how to be certain it can be told 'no.' After thirty years, the most valuable thing Postgres may offer the AI era is the ability to refuse.

The signal, once a week

Reporting, contributor perspectives and sharp notes from the people building with Supabase in the real world. No noise, no spam.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

related

What A Morning With Postgres’ Maintainers Reveals About How The Database Really Gets Made

POSETTE '26: Postgres Has Stopped Trying To Prove It Belongs And Started Absorbing The Stack Around It

'There Is No Boss': How Postgres Decides Its Future In Public

How Postgres' Rise To Enterprise Default Is Outpacing The Operational Model Behind It

What Happens To Agent Memory When You Swap The Model? Two Practitioners Are Building The Answer In The Database Layer.

Powered by Supabase
Deep dives into Postgres, database engineering, and the modern developer stack.

Enterprise Innovators

The Future of Code

Security, Governance, & Deployment

Data at Scale

Voices
Events

The Read Replica

The Read Replica | Powered by Supabase ©