Enforcement write-back
Most access-governance tools are mirrors. They read the warehouse's grants, compare them to the policy you declared, and show you the difference. The mirror is useful right up until you notice that the difference never shrinks: the report says forty-one people have access they shouldn't, someone opens a ticket, and next quarter the report says forty-three. Policy that only observes will drift from the warehouse it describes, because the warehouse is where the real decisions keep being made.
Closing the loop
We made enforcement write back. When the sweep finds drift between declared policy and actual grants, the layer computes a remediation plan (the specific grants to issue and revoke, per principal, per object) and can apply it to the warehouse itself. The interesting engineering is not the applying; warehouses have had GRANT and REVOKE for fifty years. It is everything around the applying that decides whether anyone will let the system do it.
Three properties turned out to be non-negotiable. Dry run first: every plan renders as the exact statements it would execute, against the current observed state, before anything runs; the default posture is to show, not do. Idempotence: a plan applied twice, or applied after someone fixed half of it by hand, converges to the same end state instead of erroring or over-revoking. A full account: every applied change lands in the same audit trail as agent queries do, attributed and timestamped, so the remediation is itself governed.
Knowing when not to act
The hardest part was teaching the system to refuse. Every source of access state has conditions under which its picture is stale or partial: an expired credential, a sync that hasn't completed, an adapter that can see roles but not row policies. Each adapter must declare these degraded reasons, and any degradation on a relevant source blocks enforcement outright. Writing grants against a picture you only half-trust is how governance tools become outage generators; declining loudly, with the reason attached, keeps the write-back honest.
The result changes what a compliance review looks like. Instead of a report and a backlog, there is a loop: declared policy, observed drift, a reviewable plan, an applied fix, and an audit line, with a human approval gate exactly where the risk is.
This work ships in AgentLake, the lab's production system.

