BigQuery, Spanner, AlloyDB Agent Guardrails: Gating Google's Agentic Data Cloud MCP Calls
Google Cloud Next 2026 shipped the Agentic Data Cloud: BigQuery, Spanner, AlloyDB, Cloud SQL, and Looker are all exposed as MCP tool calls, and the Data Agent Kit drops those tools into Claude Code, Codex, Gemini CLI, and VS Code on day one. Existing IAM policies gate who can call what. They do not gate what your agent already learned not to do.
What changed on April 22, 2026
Google announced the Agentic Data Cloud at Cloud Next. Three pieces matter for anyone running an AI coding agent:
- Knowledge Catalog remote MCP — semantic metadata for every table, column, and warehouse surface, exposed through an MCP server.
- Core-engine MCP — BigQuery, Spanner, AlloyDB, and Cloud SQL each speak MCP directly. Your agent can query, mutate, and describe tables through a standard tool-call wire.
- Data Agent Kit — a portable set of MCP tools and IDE extensions that drop into VS Code, Claude Code, Gemini CLI, and Codex.
Net effect: every schema is now a surface your agent can call. The blast radius of a single bad tool call just grew by the width of your cloud warehouse.
Why IAM is not the answer
IAM and VPC Service Controls gate who can call an operation. They do not gate what you already taught your agent not to do. An agent running under a service account with bigquery.tables.delete has permission to drop the table. IAM will not stop it. Your "don't drop prod tables" thumbs-down from last Tuesday lives in a lesson, not a role.
The role-based layer and the feedback-based layer are orthogonal. IAM protects the tenant. ThumbGate protects the session.
What ThumbGate gates at the MCP boundary
ThumbGate runs as an MCP server next to your agent and maintains a local SQLite lesson database at .thumbgate/memory.sqlite. Every thumbs-down becomes a row. On every subsequent tool call, ThumbGate's gate_check intercepts the proposed call and blocks known-bad patterns before execution. For Google's Agentic Data Cloud surfaces, the high-value patterns are:
- BigQuery destructive DDL — DROP TABLE, DROP DATASET, TRUNCATE TABLE, ALTER TABLE ... DROP COLUMN on any dataset matching prod_*.
- BigQuery unscoped DML — DELETE FROM <table> WHERE 1=1, UPDATE without a WHERE, any mutation whose predicate did not match the previous SELECT COUNT(*).
- Spanner schema mutations — DROP TABLE, DROP INDEX, schema change DDL on labeled-prod instances.
- AlloyDB / Cloud SQL — TRUNCATE, unscoped DELETE, extension drops, gcloud sql instances delete, gcloud sql instances patch ... --no-backup.
- IAM escalation — gcloud projects add-iam-policy-binding granting roles/owner or roles/iam.serviceAccountTokenCreator from an agent session.
Install alongside your Google Cloud agent
The Data Agent Kit ships into Claude Code, Codex, Gemini CLI, and VS Code — every one of those is a first-class ThumbGate-supported agent. One install per agent:
# Claude Code (most common path for BigQuery work)
npx thumbgate init --agent claude-code
# Codex
npx thumbgate init --agent codex
# Gemini CLI
npx thumbgate init --agent gemini
The installer writes the MCP server config, wires the PreToolUse hook, creates .thumbgate/memory.sqlite, and prints every file it touched so you can roll back.
Teach it a BigQuery lesson
The first time your agent proposes DROP TABLE prod_events, capture the thumbs-down:
npx thumbgate capture \
--feedback=down \
--context="agent proposed DROP TABLE prod_events during migration rewrite" \
--what-went-wrong="destructive DDL on a prod BigQuery table" \
--what-to-change="require explicit confirmation before any DROP on prod_* datasets" \
--tags="bigquery,ddl,prod"
Every future agent session — Claude Code, Codex, Gemini CLI, tomorrow morning's autopilot run — now checks this lesson against proposed tool calls before firing them.
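The gate_check behaviour described in the pattern list above and the capture-then-check flow in this section, as an added example that is not ThumbGate's own code: a constructed in-memory SQLite lesson table and a gate function that blocks destructive DDL on prod_* objects and unscoped DML while letting scoped statements through. The table layout, the regexes and the segment-glob matching rule are assumptions for this example.

```python
import fnmatch
import re
import sqlite3

# Constructed lessons standing in for rows of .thumbgate/memory.sqlite.
# Columns: regex over the proposed SQL, glob applied to each dot-separated
# segment of the target object, and the what-went-wrong text. The table
# layout and rules are assumptions for this example, not ThumbGate's own.
LESSONS = [
    (r"^\s*(DROP\s+(TABLE|DATASET)|TRUNCATE\s+TABLE|ALTER\s+TABLE\s+\S+\s+DROP\s+COLUMN)\b",
     "prod_*", "destructive DDL on a prod BigQuery table"),
    (r"^\s*(DELETE\s+FROM|UPDATE)\b(?![\s\S]*\bWHERE\b)",
     "*", "unscoped DML: mutation without a WHERE clause"),
    (r"^\s*DELETE\s+FROM[\s\S]*\bWHERE\s+1\s*=\s*1\b",
     "*", "unscoped DML: WHERE 1=1 predicate"),
]

def make_lesson_db():
    """Create the in-memory lesson DB and load the constructed lessons."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE lessons (pattern TEXT, object_glob TEXT, what_went_wrong TEXT)")
    db.executemany("INSERT INTO lessons VALUES (?, ?, ?)", LESSONS)
    return db

# The object a statement acts on: the identifier after TABLE, DATASET, FROM or UPDATE.
_TARGET = re.compile(r"\b(?:TABLE|DATASET|FROM|UPDATE)\s+`?([\w.-]+)`?", re.I)

def target_object(sql):
    m = _TARGET.search(sql)
    return m.group(1) if m else ""

def gate_check(db, sql):
    """Return (allowed, reason). A call is blocked when a lesson's pattern matches
    the SQL and its glob matches any segment of the target (e.g. the dataset)."""
    target = target_object(sql)
    segments = target.split(".") if target else [""]
    for pattern, glob, lesson in db.execute("SELECT * FROM lessons"):
        if not re.search(pattern, sql, re.I):
            continue
        if any(fnmatch.fnmatchcase(seg, glob) for seg in segments):
            return False, f"{lesson} (target: {target or 'unknown'})"
    return True, None

if __name__ == "__main__":
    db = make_lesson_db()
    for sql in ("DROP TABLE prod_events", "DROP TABLE scratch_tmp",
                "DELETE FROM analytics.prod_events WHERE 1=1",
                "DELETE FROM prod_events WHERE id = 42"):
        print(gate_check(db, sql), "<-", sql)
```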
Knowledge Catalog vs. ThumbGate memory
Google's Knowledge Catalog and the Agent Platform Memory Bank are different memory classes from ThumbGate's lesson DB:
- Knowledge Catalog — semantic metadata about your data. "This column is PII, this table holds transactions."
- Memory Bank — conversational recall for the agent. "The user prefers Python over SQL."
- ThumbGate lesson DB — tool-call behavior memory. "Never DROP TABLE on prod after last Tuesday's thumbs-down."
All three coexist. None replaces the others.
FAQ
Does ThumbGate need a separate "Google" adapter?
No. The Data Agent Kit drops into Claude Code, Codex, Gemini CLI, and VS Code, all of which are first-class ThumbGate-supported agents. Install ThumbGate against your CLI of choice and the gate runs against every MCP call — including the ones Google just added.
Does the gate add latency on BigQuery queries?
The gate reads a local SQLite row and runs a pattern match. Typical overhead is under 5 ms per proposed tool call, measured against an empty warm cache. Your BigQuery query itself is still bounded by Google's SLA, not ours.
What happens on an autopilot / scheduled run?
The gate runs on every tool call regardless of origin. Whether Claude Code fired it from your terminal, an autopilot job triggered it at 9am, or Gemini CLI ran it from a CI hook — the PreToolUse hook still checks the lesson DB first.
Does ThumbGate send my query text to any external service?
No. The lesson DB is local SQLite. The gate check is local. No outbound network call is required for enforcement.
Can I use ThumbGate with Google's Agent Platform (managed agents)?
ThumbGate gates tool calls at the agent process that speaks MCP. For managed Agent Platform agents that run inside Google, the equivalent enforcement lives in IAM and VPC Service Controls. ThumbGate is the local-development and self-hosted companion — run it wherever your agent's process is under your control.