Agents are now provisioning infrastructure
The headline number is striking on its own: Supabase reports that more than 60% of new databases on its platform are now started by an AI coding tool rather than by a person typing into a console — with Claude Code the single largest source. But the number is not the point. The point is what it reveals about where software work is happening.
Agents are no longer confined to generating application code that a human then reviews and commits. They provision infrastructure. They create tables, alter schemas, configure row-level security, and wire up integrations — actions that used to sit firmly on the human side of the boundary, behind a review.
When an agent can launch a database, the governance question is no longer “is this code correct?” It is “was this infrastructure change allowed, and who decided that?”
The platforms are already adapting
Infrastructure vendors are responding to this shift in their product defaults. In a 2026 breaking change, Supabase stopped automatically exposing new tables in the public schema through its Data API, explicitly because the old model assumed a human reviewed each schema change before it went live. Supabase stated plainly that agents, CLI scripts, and AI platforms now create tables, often without a human reviewing the diff, and moved to require an explicit Postgres grant before the API can see a table, enforced at the role layer regardless of how, or by whom, the table was created.
That is a vendor encoding governance into the platform because the human review step it used to rely on has quietly disappeared. It is a direct, external confirmation of the pattern: as agents act on infrastructure, safe defaults have to be enforced by the system, not assumed from a reviewer.
Why repository-level governance is not enough
Most governance for AI-assisted development today is anchored to the repository. Linters, CI checks, branch protections, and review gates all operate on code that flows through Git. That is a real and useful layer — but it has a blind spot the size of everything that happens outside the commit.
An agent operating through a database API, a cloud CLI, a dashboard integration, or an external runtime can change the system without ever producing a diff that the repository sees. The architectural decision — “all schema changes go through a migration,” “this table must have row-level security,” “no service may be granted public access by default” — is exactly the kind of invariant that repository governance was meant to protect, and exactly the kind that an agent can now bypass by acting on a different surface.
| Surface | Repo-level governance sees it? | Who governs it now |
|---|---|---|
| Code committed via Git | Yes | CI, review, branch protection |
| Schema change via API | No | Often nobody |
| Permissions via dashboard | No | Often nobody |
| Infra change via CLI | No | Often nobody |
| Action via external agent runtime | No | The execution-surface layer |
Governance has to follow the agent
The lesson is not that the repository stops mattering. It is that governance can no longer be defined only where code lands. It has to propagate to the surfaces where agents actually act — the API call, the CLI invocation, the tool execution — and apply the same architectural decisions there.
This is the difference between governing a location and governing a decision. A decision like “no table is publicly readable without an explicit, reviewed grant” should hold whether the table was created by a migration in a pull request or by an agent calling an API at 3 a.m. The constraint belongs to the architecture, not to the path the change happened to take.
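A decision like this can be checked against the live Postgres catalog instead of against a diff, so the check holds whichever surface created the table. The query below is an added example, not code from this article or from Supabase; it assumes the API-facing roles are named `anon` and `authenticated`, and `governance.reviewed_grants` is a hypothetical allowlist table maintained through review.

```sql
-- Added example. Assumptions: the API-facing roles are named anon and
-- authenticated; governance.reviewed_grants is a hypothetical allowlist
-- whose rows are only added through a reviewed change.
CREATE SCHEMA IF NOT EXISTS governance;
CREATE TABLE IF NOT EXISTS governance.reviewed_grants (
    table_name  text NOT NULL,   -- table in the public schema
    api_role    text NOT NULL,   -- role the grant was reviewed for
    privilege   text NOT NULL,   -- SELECT, INSERT, UPDATE or DELETE
    reviewed_by text NOT NULL,
    PRIMARY KEY (table_name, api_role, privilege)
);

-- Report every effective privilege an API role holds on a public table
-- where the grant is not on the allowlist or the table has no row-level
-- security. has_table_privilege() resolves grants made directly, through
-- role membership, or to PUBLIC, so the creation path is irrelevant.
SELECT c.relname                   AS table_name,
       r.rolname                   AS api_role,
       p.privilege,
       c.relrowsecurity            AS rls_enabled,
       (rg.table_name IS NOT NULL) AS grant_reviewed
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (SELECT rolname
            FROM pg_roles
            WHERE rolname IN ('anon', 'authenticated')) AS r
CROSS JOIN (VALUES ('SELECT'), ('INSERT'),
                   ('UPDATE'), ('DELETE')) AS p(privilege)
LEFT JOIN governance.reviewed_grants rg
       ON rg.table_name = c.relname
      AND rg.api_role   = r.rolname
      AND rg.privilege  = p.privilege
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')      -- ordinary and partitioned tables
  AND has_table_privilege(r.rolname, c.oid, p.privilege)
  AND (rg.table_name IS NULL OR NOT c.relrowsecurity)
ORDER BY c.relname, r.rolname, p.privilege;
```

An empty result means the invariant holds for the current state of the database; any row is a grant that reached an API role without review or without row-level security on the table.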
What this validates
The shift to agent-provisioned infrastructure is an external proof point for a thesis that predates it: governance has to live below the prompt layer and across execution surfaces, not just in the codebase. Specifically, it validates the need for verification contracts that apply regardless of which tool made the change, deterministic enforcement that does not depend on a human being in the loop, and provenance for changes made outside the normal pull-request flow.
When agents launch the database, the repository is no longer the boundary of the system. Governance that stops at the commit stops short of where the work now happens.