AWS: Multi-Tenant AI Agent With Row-Level Security and Split-Plane SQL Cryptographic Data Boundaries
AWS described a production architecture for secure AI agents for multi-tenant SaaS platforms, developed with PAR Technology for analytics across 300+ restaurant chains. The architecture combines SigV4 cryptographic signing, semantic validation in Amazon Bedrock, and Split-Plane SQL that enforces row-level security at the database level — not at the prompt instruction level.
This article was generated using artificial intelligence from primary sources.
PAR Technology — a SaaS company for restaurant chain management — built an AI analytics agent for 300+ restaurant brands on a shared system. The requirement is deterministic: a franchise owner sees only their own sales data (e.g., $84K for two locations), while a brand manager sees total national data ($9.2M) — the same query, the same database, completely different results. The AWS ML Blog describes this system’s architecture as a production solution, not a proof of concept.
Three Layers of Protection: From Signatures to Cryptographic Boundaries
A multi-tenant environment means multiple clients share the same database infrastructure. Row-level security, the mechanism that restricts which database rows each user may read, is classically enforced in LLM agents through prompt instructions, an approach the model can ignore or that a prompt injection attack can bypass.
The AWS architecture introduces three deterministic layers. Layer 1 uses AWS Signature Version 4 (SigV4): cryptographic signing that binds Tenant ID, Business ID, and Admin ID to every API call; any payload modification immediately invalidates the signature. Layer 2 uses Amazon Bedrock as a semantic validator — the model verifies that the user’s question is unambiguous and supported before the query reaches the SQL generator; non-specific requests like “Show me everything” are rejected. Layer 3 is Split-Plane SQL.
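To make Layer 1 concrete, here is an added example, not code from AWS or PAR, that re-implements the SigV4 key-derivation and signing scheme in plain Python and carries the three identities in signed headers. The secret, host, path, header names (x-tenant-id, x-business-id, x-admin-id) and timestamp are constructed placeholders; a real deployment would let the SDK and API Gateway do the signing and would also enforce a timestamp window against replay.

```python
import hashlib
import hmac

# Constructed values for the example: a placeholder secret and a fixed request
# timestamp so the signature is reproducible. Not real credentials.
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
REGION = "us-east-1"
SERVICE = "execute-api"
AMZ_DATE = "20240601T120000Z"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation chain: 'AWS4'+secret -> date -> region -> service -> 'aws4_request'."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method: str, path: str, headers: dict, body: str) -> str:
    """Canonical form of the request; every signed header value and the body hash are part of it."""
    lowered = {k.lower(): v for k, v in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{h}:{lowered[h].strip()}\n" for h in names)
    signed_headers = ";".join(names)
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    # The query string is empty in this example (the blank element below).
    return "\n".join([method, path, "", canonical_headers, signed_headers, payload_hash])


def compute_signature(secret: str, method: str, path: str, headers: dict, body: str, amz_date: str) -> str:
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{REGION}/{SERVICE}/aws4_request"
    cr_hash = hashlib.sha256(canonical_request(method, path, headers, body).encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, cr_hash])
    key = derive_signing_key(secret, date_stamp, REGION, SERVICE)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def build_signed_request(tenant_id: str, business_id: str, admin_id: str, question: str):
    """Client side: the identities travel in headers that the signature covers."""
    headers = {
        "host": "agent.example.internal",  # placeholder host
        "x-amz-date": AMZ_DATE,
        "x-tenant-id": tenant_id,
        "x-business-id": business_id,
        "x-admin-id": admin_id,
    }
    signature = compute_signature(SECRET_KEY, "POST", "/query", headers, question, AMZ_DATE)
    return headers, question, signature


def verify_signed_request(headers: dict, body: str, signature: str) -> bool:
    """Server side: recompute and compare in constant time. Changing any signed
    header (e.g. the business id) or the body produces a different signature."""
    expected = compute_signature(SECRET_KEY, "POST", "/query", headers, body, headers["x-amz-date"])
    return hmac.compare_digest(expected, signature)


def authorized_identity(headers: dict, body: str, signature: str):
    """Hand the identity tuple downstream only after the signature checks out; the
    security plane must read tenant/business/admin from here, never from the prompt."""
    if not verify_signed_request(headers, body, signature):
        raise PermissionError("signature mismatch: request rejected")
    return headers["x-tenant-id"], headers["x-business-id"], headers["x-admin-id"]


if __name__ == "__main__":
    h, b, s = build_signed_request("tenant-7", "biz-42", "admin-3", "total sales last week")
    print("valid:", verify_signed_request(h, b, s))
    print("tampered business id valid:", verify_signed_request(dict(h, **{"x-business-id": "biz-99"}), b, s))
```

The point the example isolates is that the tenant and business identifiers are inputs to the signature rather than fields the agent trusts from the request body, so the downstream SQL security plane can derive its filters from `authorized_identity()` alone.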
What Is Split-Plane SQL and Why Prompt Protection Isn’t Enough?
Split-Plane SQL divides query generation into two independent streams. The security stream generates SQL Common Table Expressions (CTEs) that pre-filter database tables to only authorized rows. Only then does Amazon Bedrock receive the schema of those temporary, filtered views — not the schema of the underlying tables. The LLM physically cannot reference data outside the sandbox, regardless of the content of the generated SQL. The difference from the classical approach is structural: a prompt instruction tells the model what it may do; Split-Plane SQL cryptographically enforces that boundary at the architecture level.
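The following added example, not the AWS or PAR implementation, sketches the two streams on an in-memory SQLite table. The security stream builds a parameterised CTE (here named `authorized_sales`) from the identity established by the signed request, the application stream is whatever SQL the model returns, and a small guard checks that the model's SQL names only sandbox relations before the two are composed. The table, the principals and the amounts are constructed sample data; the regex guard is an illustration rather than a SQL parser, and in a real deployment the base tables would additionally be hidden behind database grants. Layer 2 (semantic validation in Bedrock) is not modelled. This is also the point the FAQ below makes: the same query returns different results per principal.

```python
import re
import sqlite3

# Constructed sample data, not PAR's schema or figures: one brand with three
# locations plus a second brand sharing the same table.
SALES_ROWS = [
    ("brand-1", "loc-101", 42000),
    ("brand-1", "loc-102", 42000),
    ("brand-1", "loc-103", 300000),
    ("brand-2", "loc-201", 55000),
]

# Identity as established by the signed request (Layer 1), never taken from the prompt.
PRINCIPALS = {
    "franchise-owner": {"tenant_id": "brand-1", "business_ids": ["loc-101", "loc-102"]},
    "brand-manager": {"tenant_id": "brand-1", "business_ids": None},  # None: whole tenant
}

# The only relation the model is ever told about, and the only schema it is shown.
SANDBOX_RELATIONS = {"authorized_sales"}
SANDBOX_SCHEMA_FOR_LLM = "authorized_sales(business_id TEXT, amount INTEGER)"


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (tenant_id TEXT, business_id TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", SALES_ROWS)
    return conn


def security_plane_cte(principal: str):
    """Security stream: a CTE that pre-filters sales to the rows this principal may see.
    Identity values are bound as parameters; the model never sees or edits this text."""
    ident = PRINCIPALS[principal]
    where = "tenant_id = ?"
    params = [ident["tenant_id"]]
    if ident["business_ids"] is not None:
        where += " AND business_id IN (%s)" % ",".join("?" * len(ident["business_ids"]))
        params.extend(ident["business_ids"])
    cte = f"WITH authorized_sales AS (SELECT business_id, amount FROM sales WHERE {where})"
    return cte, params


def guard_application_sql(sql: str) -> str:
    """Belt-and-braces check on the application stream: the generated SQL may only
    name sandbox relations and must be a single statement."""
    if ";" in sql:
        raise PermissionError("multiple statements are not allowed")
    referenced = set(re.findall(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_]*)", sql, re.IGNORECASE))
    outside = referenced - SANDBOX_RELATIONS
    if outside:
        raise PermissionError(f"query references relations outside the sandbox: {sorted(outside)}")
    return sql


def run_split_plane_query(principal: str, application_sql: str):
    """Compose the two planes: security CTE first, then the guarded model SQL."""
    cte, params = security_plane_cte(principal)
    guarded = guard_application_sql(application_sql)
    conn = open_db()
    try:
        row = conn.execute(f"{cte} {guarded}", params).fetchone()
    finally:
        conn.close()
    return row[0]


if __name__ == "__main__":
    q = "SELECT SUM(amount) FROM authorized_sales"
    print("franchise owner:", run_split_plane_query("franchise-owner", q))
    print("brand manager:", run_split_plane_query("brand-manager", q))
```

Because the filter lives in the CTE and its parameters, nothing in the model's output can widen it: a query for a location outside the franchise owner's scope simply matches no rows, and a query that names the base table is refused before it reaches the database.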
PAR Technology: 50,000 Queries Without a Cross-Tenant Exposure Incident
The production implementation processed more than 50,000 queries without a single data leakage incident between clients. The infrastructure includes a Databricks cluster with network isolation, TLS 1.3, AWS KMS encryption with automatic key rotation, and CloudTrail audit logs with anomaly detection. AWS summarizes the fundamental architectural principle: “The LLM sits inside the architecture, not above it.”
Frequently Asked Questions
- What is Split-Plane SQL and why is it better than prompt instructions?
- Split-Plane SQL generates SQL Common Table Expressions that pre-filter the database before the LLM sees the schema — the model physically cannot reference data outside the authorized sandbox, unlike prompt instructions that the model can ignore or bypass.
- Is this architecture production-proven or a proof of concept?
- It is a production architecture — PAR Technology processed more than 50,000 queries without a single cross-tenant data exposure incident since deployment.