Policy-Conditioned Constrained Decoding for Column-Level Access Control in Text-to-SQL

📅 2026-07-14
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the challenge of deploying Text-to-SQL systems across trust boundaries, where existing approaches struggle to simultaneously ensure policy compliance, answer coverage, and computational efficiency while precisely controlling the semantic roles of column usage. We propose a syntax-aware constrained decoding mechanism that aligns column usage policies—such as for output, filtering, or aggregation—with SQL grammar productions, dynamically applying token-level logits masking during decoding to deterministically prevent unauthorized column usage within a single generation pass. Our method elevates column-level access control from mere existence checks to fine-grained semantic role enforcement, achieving zero leakage without sacrificing coverage. Evaluated on Spider-CU and two other benchmarks, it attains 0% leakage, up to 88.7% coverage, and incurs less than a 10% token overhead over the baseline, with execution accuracy confirming effective semantic alignment.
📝 Abstract
Text-to-SQL is increasingly deployed across trust boundaries between data providers and users. Such deployment must balance three competing requirements: policy compliance, answer coverage, and bounded cost. Existing approaches typically decide refusal based on which columns a query mentions and enforce it stochastically. Whether a query is compliant, however, depends not only on which columns appear but on how they are used, and stochastic enforcement cannot deterministically rule out violations. We formalize this requirement as a column-use policy over semantic use: output, filter condition, and aggregation argument. We integrate the policy by aligning each role with grammar productions tracked by the decoder. The resulting system, PCC-SQL, applies a per-token logits mask that deterministically eliminates single-query column-use violations on the supported SQL fragment in a single decoding pass. Across three benchmarks and three open-source models, PCC-SQL achieves 0% Leakage Rate and Coverage up to 88.7% on Spider-CU, while staying within +10% tokens of direct prompting. We additionally assess semantic alignment with execution accuracy.
Problem

Research questions and friction points this paper is trying to address.

column-level access control
policy compliance
Text-to-SQL
semantic use
constrained decoding
Innovation

Methods, ideas, or system contributions that make the work stand out.

Policy-Conditioned Decoding
Column-Level Access Control
Text-to-SQL
Constrained Decoding
Semantic Use Policy
🔎 Similar Papers
2024-06-20North American Chapter of the Association for Computational LinguisticsCitations: 1