For nineteen articles this series set out to do one thing and refuse another. It described, as precisely as the evidence allowed, what enterprise architecture had quietly been depending on – properties that systems of record relied upon without anyone having designed them in. And it refused to prescribe, because a solution proposed before the diagnosis is finished is only a guess.
The diagnosis is now complete. The previous article named what the sequence had been circling: that enterprise architecture depended on humans in far more places than we realised, and that agentic AI is removing those dependencies across every architectural domain at once. The discipline that held for nineteen articles – describing the problem and withholding the answer – has run out of road. This article has to do different and harder work.
The Question That Cannot Be Deferred Any Longer
If the human presence was supplying properties nobody had specified, then removing it does not make those properties unnecessary. It leaves them unmet. The systems of record still need an actor they can see, whose intent can be recovered, whose rate of action stays inside survivable bounds, whose behaviour can be reasoned about before it reaches production and whose consequences trace back to someone accountable. None of those needs came from the human, who merely satisfied them, invisibly, for as long as nothing else acted on the data.
So the question this series kept deferring is now unavoidable. If the human met requirements nobody wrote down, what meets them now? The answer cannot be nothing, because the requirements were load-bearing. It cannot be that existing infrastructure will adapt, because that infrastructure assumed the actor was human and carries the assumption in every default it ships. The answer has to be something new: a layer between the agents and the databases that supplies on purpose the properties the human supplied by accident.
The Shape of What Has to Be Built
What follows is not a specification but the set of requirements the diagnosis implies, seen from the position of the system of record looking out at an actor it was never built to recognise. A requirement named precisely is worth more than a solution proposed vaguely.
Identity
An agent reaches a database today the way an application does: through a connection string, a service account, a pool of credentials provisioned for a system rather than an actor. To the database, the agent is whatever principal it borrowed, and access control and audit both depend on telling one principal from another. An agent arriving under a human’s or an application’s identity is indistinguishable from the identity it inherits.
What the diagnosis implies is a first-class identity the database can actually see. Not credentials inherited from the human who configured it, but an identity that answers what the database has every right to ask: what this actor is, who authorised it and what it is permitted to do. An agent is a distinct class of actor and needs to be modelled as one, not admitted through a door built for somebody else.
Intent
An audit trail records what was done. It has never recorded why, because the why lived in the head of the person doing it and could, if it mattered, be retrieved by asking them. That retrieval mechanism is exactly what agentic AI removes. An agent’s reasoning exists for the duration of the action and is then gone, unless something captured it at the moment of commit.
So the record needs a second half: alongside the trail of what happened, a record of the intent behind it, captured before the action lands and attached to it permanently. Not a compliance checkbox bolted on afterwards, but the half of the record every accountability framework already assumed was present. We built audit on the comfortable belief that intent could be reconstructed later. It cannot be, once the actor doing the reasoning no longer persists.
Rate Governance
The human was a rate limiter, and nobody thought of them that way. A person issues queries at human speed, tires, hesitates, asks a colleague before doing something irreversible… The brake was human, and now it is gone. Connection pools and query limits exist, but they were sized for human-scale concurrency and treat all load as the same kind. Agents do not.
They produce at least three kinds, each needing governing differently. There is compression: work a human spread over hours arriving in seconds. There is expansion: an agent generating far more work than a person would, exploring options, retrying, fanning out across paths nobody had time to try. And there is recursion: agents triggering agents, outputs becoming inputs, load that amplifies itself. A connection limit tuned for a room of analysts has no concept of any of this. What is needed is load governance that treats these as separate classes with separate failure modes, not a single ceiling an agent will either sit far beneath or go straight through.
Determinism Boundaries
Change management assumes determinism. You test a change, it passes and the thing you tested is the thing that runs. Every change advisory board and release gate rests on that assumption. Probabilistic systems break it. The same prompt can produce a different action, and a process designed to certify fixed behaviour has no category for an actor whose behaviour is a distribution rather than a value.
The answer is not a tick-box that pretends the certainty is still there. It has to be a real engineering control and not a disclaimer: a governance model built for the absence of determinism, one that certifies acceptable behaviour across the range of outputs a system can produce, inside bounds defined explicitly and agreed deliberately. The change apparatus has to learn to sign off on a range.
Accountability Routing
The last requirement is not a database property at all, which is why it is the easiest to miss. The people deploying agents and the people who own the systems of record are usually not the same, and increasingly not even the same part of the organisation. An agent is deployed by a line of business or an application team, while its consequences – cost, a data integrity problem, a compliance exposure – land on whoever owns the system it acted on. The people driving the agents rarely own the systems those agents overwhelm, and they almost never feel the bill.
This is structural, and structural gaps do not close through process. A recommendation to improve collaboration does nothing about an incentive structure that puts the action on one side of an organisational line and the consequence on the other. What is needed is an architectural connection between an agent’s action and its organisational consequence: something that surfaces the link while it can still be acted on, rather than after it has become a cost anomaly on someone else’s budget or a finding in someone else’s audit.
Where the Industry Actually Is
None of this has been solved, though parts of it are beginning to take shape. Agent identity frameworks are emerging, observability tooling is being extended towards autonomous systems and FinOps is starting to reckon with workloads that bill like nothing before them. The direction is real; the destination has not arrived, and pretending otherwise would be its own kind of failure. What the industry is missing is not effort but a shared model of what it is building – identity here, observability there, cost governance elsewhere, with no agreed picture of the single layer they are all pieces of. This series has tried to supply that picture: not the solution, but a description of the problem precise enough that the people building solutions know what they are aiming at.
The Layer That Has Not Been Built
The enterprise technology industry has been through transitions of this weight before. Disk to flash was not a faster disk; it demanded storage architectures built around a different medium. On-premises to cloud was not a rented data centre; it demanded new operating models. Each took an assumption left implicit in the old world and made it explicit in the new one. That is the work now – not for the AI layer, which is moving fast and in no danger of being under-built, but for the data infrastructure beneath it. The systems of record that hold what an enterprise knows about itself were built for a human actor, and the layer that governs how a non-human actor reaches them has not been built at all. The organisations best placed to build it are not the ones with the most AI, but the ones that understand in precise detail what the human presence was quietly providing and what its removal costs.
I have spent a career at the point where databases meet the infrastructure underneath them, and the instinct after enough of these transitions is to assume that the next one is merely the previous one expressed in a new vocabulary. This one is not. The previous shifts changed how data was stored and where it ran; this one changes who, or what, acts on the system of record. That is a difference in kind and not in degree, and it is the difference the whole series has been built around.
The series began by arguing that inferencing was a database problem disguised as an AI problem. What comes next is a database problem too: the one this series has spent four months describing and has not yet begun to build. Something new has to sit between the agents and the databases. The only thing worth insisting on now is that when it is built, it is built by people who understand exactly what it has to replace.
This article concludes the Databases in the Age of AI series.
flashdba 