Agents Are Probabilistic. Your Business Can’t Be

D

Dan Lynch

Mar 4

Agents Are Probabilistic. Your Business Can’t Be

AI agents are getting good enough to do real work: generating code, wiring systems together, and executing tasks across production tools. And as Aaron Levie has been pointing out, that creates a fundamental tension: agents are inherently probabilistic, but businesses run on deterministic systems—systems of record, permissions, audit trails, and compliance constraints.

In other words: the future is not “AI replaces software.” The future is AI runs through software. Which means the systems underneath—especially databases—have to become the guardrails.

That’s the world Constructive is built for.

The coming reality: more agents than people

For most of software history, “users” meant humans. Seats. Logins. Roles. Review processes. Security models that assumed someone would eventually notice if something looked wrong.

That assumption is breaking.

Agentic workflows don’t scale linearly. Once you can spin up one agent, you can spin up ten. Or a hundred. Or thousands, each operating continuously: querying data, updating records, generating new functionality, and triggering actions that used to require human intervention.

This is why per-seat thinking starts to collapse. It’s not just that agents are faster. It’s that they’re multipliers. The volume of activity flowing through your systems—especially your backend—explodes.

And when volume explodes, the cost of “we’ll secure it later” becomes catastrophic.

Orchestration is exploding… and that’s the signal

You can see the market reacting in real time. We’re watching an entire layer of “agent orchestration” products emerge: workflow canvases, automation studios, prompt-to-workflow builders, MCP tool routers—tools designed to let agents call tools and systems reliably.

Companies like Sim are a great example of the trend: visual workflows for agents that connect models to real systems—databases, APIs, SaaS tools—and run them in production.

This is important: it’s not just “more startups.” It’s a sign that orchestration is becoming accessible.

And once orchestration becomes accessible, it becomes abundant. And once it becomes abundant, it commoditizes.

That’s not a knock on orchestration. Orchestration is necessary. It’s just not where the durable moat is.

Because when orchestration is everywhere, the question shifts from:

“How do we connect agents to systems?”

to:

“How do we prevent agents from doing the wrong thing?”

The trust boundary moves down-stack

Here’s the uncomfortable truth: orchestration layers are not your security boundary.

They can suggest what an agent should do.
They can expose tools and schemas.
They can even restrict which actions are available.

But they can’t be the final enforcement point—because orchestrators sit upstream from the thing you’re actually trying to protect.

And what you’re protecting is your data.

Your database is where the consequences live:

  • customer records
  • financial data
  • billing details
  • auth tables
  • internal operations data
  • private content and metadata

If agents are going to generate and operate backend systems, the database becomes the last system standing between your data and the outside world.

Which leads to a very simple principle:

Probabilistic systems can exist only if they run on deterministic rails.

Constructive is building those rails at the database boundary.

The old model: configure security later

The classic Postgres workflow looks like this:

  1. Create tables
  2. Ship features
  3. Add policies later
  4. Maybe remember to enable Row-Level Security
  5. Hope nothing slipped through

This worked (barely) because development moved at human speed. Humans wrote code. Humans reviewed code. Security teams had time to inspect changes. DBAs locked down the scary parts.

That world is gone.

AI tools can generate complete backends in minutes. Agents can operate them autonomously. Humans don’t have time to deeply review every table definition and access path—especially when the surface area keeps changing.

So the “gap” between data exists and data is protected becomes the most dangerous part of your system.

That gap is where breaches live.

What “secure-by-default” has to mean in the agentic era

“Secure-by-default” is an overloaded phrase. Lots of vendors use it to mean:

  • “better default passwords”
  • “encryption by default”
  • “we turned on a setting for you”

Those are good improvements. They’re also not enough.

In the agentic era, secure-by-default has to mean something stronger:

The secure state is the starting state.

Not “we enabled RLS.”
Not “there’s a checkbox.”
Not “we made it easier to configure later.”

But: your tables are created with real, enforceable access rules from the moment your data exists.

That’s the core inversion Constructive is making.

Constructive’s thesis: move trust from authorship to guarantees

When software was written by humans slowly enough to review, “who wrote the code” was a decent proxy for trust.

Now it’s not.

When agents generate code and operate systems, trust has to shift from authorship to guarantees—what the system can prove and enforce regardless of how it was created.

That’s why Constructive is built around a policy-first workflow:

1) You choose an access model first

Before you create your schema, you decide how your system should be authorized: who can read, write, and modify what data.

2) Constructive compiles enforcement into Postgres at creation time

Constructive compiles your access model into PostgreSQL enforcement—Row-Level Security policies, role configuration, and permission grants—and applies them when the table is created.

Not after. At creation.

So there is no insecure phase. No “we’ll come back to it.” No permission vacuum.

3) The guarantees stay deterministic as you evolve

Secure-by-default is meaningless if it only works on day one. As schemas evolve, migrations must preserve guarantees.

That’s why Constructive treats migrations as deterministic: same inputs, same outputs, across environments. What you review is what you run.

4) Authorization becomes testable

Database security has historically been powerful and opaque. You can’t trust what you can’t test.

Constructive makes authorization testable end-to-end—so you can simulate users and roles and validate RLS behavior in CI/CD before anything hits production.

5) Execution inherits the permission model

Backends aren’t just tables. They’re functions, jobs, and services running across languages and runtimes.

Constructive extends database-enforced security into a language-agnostic execution layer so code running in TypeScript, Python, Rust, C, or containerized runtimes inherits the same permission model automatically.

Why this matters specifically for agents

Agents don’t understand your org chart.
They don’t know your compliance framework.
They don’t know which tables are sensitive.
They don’t know that the billing table should not be readable by every authenticated user.

This isn’t a flaw. It’s a characteristic.

Agents optimize for completion. They don’t naturally optimize for governance.

So if agents are going to operate production systems, the system itself must enforce boundaries they can’t accidentally cross.

That’s the difference between:

  • guardrails as guidelines (prompts, suggestions, “please don’t do X”)

and

  • guardrails as constraints (enforcement at the database boundary)

In the agentic era, you want constraints.

The next category: trust infrastructure for agentic backends

This is the bigger positioning point.

As orchestration tools proliferate, the layer that matters most becomes the trust layer:

  • policy enforcement
  • deterministic change control
  • testable authorization
  • auditability
  • multi-tenant isolation you can prove

Orchestration will compete on UX, connectors, and developer delight. That’s great. It will also commoditize.

But trust won’t.

Trust gets more valuable as the number of agents increases, because the blast radius of mistakes gets larger.

This is why the explosion of orchestration products is not a threat to Constructive—it’s a market signal.

It says: Agents will touch real systems everywhere.

And that means the database boundary has to become the enforcement point everywhere.

A simple pass/fail checklist for the agentic era

If you’re building agentic backends, here are five questions that define whether your foundation is “secure-by-default” or “secure-by-assumption”:

  1. When a table is created, does it already have explicit access rules?
  2. Can you prove authorization behavior with automated tests in CI/CD?
  3. Do migrations produce reproducible security guarantees across environments?
  4. Is there a single source of truth for permissions across tables and functions?
  5. Can agents operate within constraints that are enforced at the database layer—not just suggested?

If you can’t answer “yes” across the board, you’re relying on the old model: configure security later.

Later doesn’t exist anymore.

The bottom line

Agents will become abundant. Orchestration will become ubiquitous. And the number of autonomous operations touching your data will explode.

In that world, the winner isn’t the tool that connects agents to systems.

The winner is the infrastructure that makes those connections safe—by construction, not by hope.

Constructive is building secure-by-default Postgres for the agentic era so the secure state is the starting state—no matter who (or what) wrote the code.

If you’re building with agents, we’d love to show you the commercial beta.