The problem with direct access

Most multi-agent systems let agents query data sources directly. The agent gets a connection string or an API key, writes a query, and gets results. Access control, if it exists, is implemented inside the agent’s own code or delegated to whatever the data source provides natively.

This fails in three ways that get worse as the system scales. There is no central view of who accessed what — each agent maintains its own logs, if it logs at all. There is no cumulative tracking across agents working on the same task, so the system cannot detect when individually harmless queries compose into something regulated. And there is no way to prove compliance after the fact, because the access decisions were scattered across agent codebases instead of recorded at a single enforcement point.

Three personas, one broker

Nautilus handles data access through three personas that operate on every request. The Librarian determines which data sources are relevant based on the agent’s declared intent and the data types it is requesting — not which tables the agent asks for, but what kind of information it needs. The Curator maintains an evolving model of data relationships across sources and proposes routing rules over time, so the system gets smarter about where data lives without requiring manual catalog maintenance.

The Gatekeeper runs CLIPS rules to enforce policy. It is deterministic, fail-closed, and auditable. Every access decision produces a fact record: the agent, the intent, the data types requested, the rules evaluated, and the outcome. If the Gatekeeper denies a request, the denial includes the specific rule that fired. If it approves, the approval is logged with the same specificity. There is no silent pass-through.

Why policy-first matters

Policy-first means the broker evaluates access rules before routing, not after. The Gatekeeper checks clearance, purpose, and cumulative exposure before any adapter touches a data source. A denied request never reaches the database. The data source never knows the request existed.

This is structurally different from policy-bolted-on, where enforcement happens after the data has already been accessed and the question becomes whether to let the agent keep the results. By that point you are in damage-control territory — the data has crossed the boundary, it may already be in the agent’s context window, and “revoking” it is a fiction. Policy-first means the boundary holds before the data moves.

Sessions as the unit of governance

A session in Nautilus spans multiple agents working on the same logical task. When three agents collaborate on a customer support case, their data requests are tracked under a single session, not as three independent streams. The broker tracks cumulative data type exposure across the session, not per-agent.

This is how you catch the mosaic effect. Agent A reads medical records for a patient lookup. Agent B reads financial records for a billing question. Individually, both requests are authorized. But the session now contains both medical and financial data for the same individual, and without session-scoped tracking, nobody notices that the composite is a regulated dossier under HIPAA. Nautilus notices, because the Gatekeeper’s rules pattern-match across all facts accumulated in the session — not just the current request.
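The policy-first check and session-scoped exposure tracking described above, as an added sketch in plain Python rather than CLIPS; it is not Nautilus code. The names `CLEARANCE`, `RESTRICTED_COMBOS`, `Session`, `decide` and `broker_fetch` are hypothetical, the policy data is constructed, and the sketch assumes the policy denies a request that would complete a restricted combination.

```python
from dataclasses import dataclass, field

# Constructed policy for illustration (hypothetical, not Nautilus's rule set).
CLEARANCE = {"agent-a": {"medical"}, "agent-b": {"financial"}, "agent-c": {"contact"}}
RESTRICTED_COMBOS = {"mosaic-medical-financial": {"medical", "financial"}}

@dataclass
class Session:
    """One logical task shared by several agents."""
    exposure: dict = field(default_factory=dict)  # subject -> data types already released
    audit: list = field(default_factory=list)     # one fact record per decision

def decide(session, agent, intent, subject, data_types):
    """Evaluate policy before routing. Starts at deny, so any error fails closed."""
    requested, evaluated = set(), []
    outcome, fired = "deny", "default-deny"
    try:
        requested = set(data_types)
        evaluated.append("clearance")
        if not requested or not requested <= CLEARANCE.get(agent, set()):
            fired = "clearance"
        else:
            evaluated.append("cumulative-exposure")
            # Match against everything the session has released for this subject,
            # not only what this agent asked for.
            combined = session.exposure.get(subject, set()) | requested
            hit = [name for name, combo in RESTRICTED_COMBOS.items() if combo <= combined]
            if hit:
                fired = hit[0]
            else:
                outcome, fired = "allow", "all-passed"
    except Exception:
        fired = "evaluation-error"
    record = {"agent": agent, "intent": intent, "subject": subject,
              "data_types": sorted(requested), "rules_evaluated": evaluated,
              "outcome": outcome, "rule": fired}
    session.audit.append(record)  # allows and denials are both recorded
    if outcome == "allow":
        session.exposure.setdefault(subject, set()).update(requested)
    return record

def broker_fetch(session, adapter, agent, intent, subject, data_types):
    """Call the adapter only after an allow; a denied request never reaches it."""
    record = decide(session, agent, intent, subject, data_types)
    rows = adapter(subject, data_types) if record["outcome"] == "allow" else None
    return record, rows
```

Tracking exposure per agent instead of per session would allow both requests in the medical-then-financial sequence, which is the gap the session model closes.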