# OrmAI > OrmAI is a policy-enforced runtime that lets AI agents query your database safely. Field-level redaction, automatic tenant isolation, query budgets, and audit logs for SQLAlchemy, Prisma, Drizzle, and more. OrmAI is an open-source (MIT) Python and TypeScript library from Neul Labs that gives AI agents safe, policy-enforced database access. It wraps an existing ORM (SQLAlchemy, Prisma, Drizzle, Tortoise, Peewee, Django, TypeORM) and exposes typed tools (db.query, db.get, db.aggregate, db.create, db.update, db.delete) compiled against a declarative policy. Capabilities include field-level redaction, automatic tenant scoping, query budgets, gated writes, and immutable audit logs. Repository: https://github.com/neul-labs/ormai API documentation: https://docs.neullabs.com/ormai Marketing site: https://ormai.neullabs.com Maintainer email: me@dipankar.name ## Core pages - [Why your AI agent shouldn't touch raw SQL](https://ormai.neullabs.com/why) — pillar article on the agent–database problem and what a safe interface looks like. - [Consulting](https://ormai.neullabs.com/consulting) — Neul Labs consulting offering: audits, integration sprints, embedded engineering. - [About](https://ormai.neullabs.com/about) — about Neul Labs and the author. ## Comparisons - [OrmAI vs. hand-rolled tools](https://ormai.neullabs.com/vs/hand-rolled-tools) — Writing one bespoke function per agent capability is safer than raw SQL, and far easier to ship than people admit. Here's where it works, and where it falls apart at scale. - [OrmAI vs. MCP database servers](https://ormai.neullabs.com/vs/mcp-database-servers) — MCP database servers expose your DB to any MCP-aware client. OrmAI is policy-first, in-process, and shipped inside your application. Here's when each is the right choice. - [OrmAI vs. raw SQL](https://ormai.neullabs.com/vs/raw-sql) — Why exposing a raw SQL handle to your AI agent is the wrong default — and what the right default looks like. - [OrmAI vs. text-to-SQL](https://ormai.neullabs.com/vs/text-to-sql) — Text-to-SQL turns natural language into SQL strings. OrmAI turns natural language into typed tool calls. Here's why that distinction matters in production. ## Guides - [Audit logs you'll actually trust](https://ormai.neullabs.com/guides/audit-logs-for-ai-agents) — What to log, where to put it, and how to query it when the security team asks 'what did the agent do?' - [OrmAI as an MCP server for Claude](https://ormai.neullabs.com/guides/claude-mcp-integration) — Expose OrmAI's policy-enforced tools as a Model Context Protocol server. Drop it into Claude Desktop, Cursor, or any MCP client. - [Field-level redaction for PII](https://ormai.neullabs.com/guides/field-level-redaction-pii) — Stop your agent from ever seeing what it shouldn't. Mask, hash, or deny columns at the policy level — without touching application code. - [OrmAI with LangGraph](https://ormai.neullabs.com/guides/langgraph-integration) — Wire OrmAI tools into a LangGraph state machine so each node has scoped, audited database access. - [Multi-tenant isolation for AI agents](https://ormai.neullabs.com/guides/multi-tenant-isolation) — How to enforce tenant scoping for every read and write your AI agent makes — and why doing it any other way leaks data. - [OrmAI with Drizzle](https://ormai.neullabs.com/guides/ormai-with-drizzle) — Drizzle is the ORM of choice for teams who want type safety without code generation. Here's how to wrap it with OrmAI's policy engine. - [OrmAI with Prisma](https://ormai.neullabs.com/guides/ormai-with-prisma) — Wrap your Prisma client with OrmAI's policy engine. Field-level redaction, tenant scoping, and audit logs over Prisma — without changing your schema. - [Production checklist for agent + database systems](https://ormai.neullabs.com/guides/production-checklist) — The 30 things to verify before letting your agent talk to a real database. Compiled from incidents, audits, and three years of shipping. - [Query budgets and runaway agents](https://ormai.neullabs.com/guides/query-budgets-and-runaway-agents) — Bound how much your agent can scan, return, mutate, and spend per minute. The patterns that keep one curious prompt from melting your database. - [Quickstart: OrmAI with FastAPI and SQLAlchemy](https://ormai.neullabs.com/guides/quickstart-fastapi-sqlalchemy) — Stand up a policy-enforced agent database layer in 5 minutes. SQLAlchemy models, FastAPI endpoints, OrmAI policy, and a working tool call you can hand to Claude or GPT. - [Write operations with approval gates](https://ormai.neullabs.com/guides/write-operations-with-approval) — How to let an agent mutate state without losing your nerve. Reason-required writes, two-person approvals, dry runs, and rollback by design. - [OrmAI with the Vercel AI SDK](https://ormai.neullabs.com/guides/vercel-ai-sdk-integration) — Expose OrmAI tools to the Vercel AI SDK so your Next.js / Hono / Sveltekit agent has type-safe, policy-enforced database access. ## Articles - [Agent–database anti-patterns: a field guide](https://ormai.neullabs.com/articles/agent-database-anti-patterns) — Eleven things we see teams do that cause production agent–database incidents, and what to do instead. Compiled from audits and incident reviews. - [Designing audit trails LLMs can't tamper with](https://ormai.neullabs.com/articles/audit-trails-llms-cant-tamper-with) — When the agent has tools, the audit log becomes a target. Here's how to design one that survives a determined LLM (or a determined attacker reaching the LLM). - [Capability-based security for AI agents](https://ormai.neullabs.com/articles/capability-based-security-for-ai-agents) — What it would mean to design agent permissions the way capability-secure operating systems were designed. A blueprint. - [Capability tokens for AI: a primer](https://ormai.neullabs.com/articles/capability-tokens-for-ai-a-primer) — An old idea from operating systems is becoming load-bearing for agent security. Here's what capability tokens are, and why your agent toolkit should think in them. - [Choosing between MCP, function calling, and policy runtimes](https://ormai.neullabs.com/articles/mcp-vs-function-calling-vs-policy-runtimes) — These three terms get conflated. They solve different problems, at different layers, and you usually want at least two of them. A practical disambiguation. - [Spider benchmark: 0 unsafe operations vs. 23 for text-to-SQL](https://ormai.neullabs.com/articles/spider-benchmark-zero-unsafe-ops) — We replayed the entire Spider benchmark — 1,034 natural-language queries across 200 databases — through OrmAI and a strong text-to-SQL baseline. Here's what we found. - [The agent–data security gap nobody is talking about](https://ormai.neullabs.com/articles/the-agent-data-security-gap) — Most AI safety attention is on the model. The next class of incidents will be at the model–database boundary, and the industry is unprepared. - [From RAG to safe writes](https://ormai.neullabs.com/articles/from-rag-to-safe-writes) — Most teams shipped a RAG-only agent in 2024. The next step — letting the agent change state — is a different category of engineering. Here's the path. - [Why text-to-SQL fails in production](https://ormai.neullabs.com/articles/why-text-to-sql-fails-in-production) — It works in demos. It works on a single user's database. It does not work as the safety story for a multi-tenant SaaS agent. Here's the failure-mode catalog. ## Optional - [Full content corpus](https://ormai.neullabs.com/llms-full.txt) — concatenated markdown of every guide, article, and comparison for ingestion. - [RSS feed](https://ormai.neullabs.com/rss.xml) - [Sitemap](https://ormai.neullabs.com/sitemap-index.xml)