- As you guide enterprises from systems of intelligence to systems of action, what do you believe is the single greatest technical hurdle to achieving autonomous, reliable agentic workflows?
- If a human-in-the-loop is one way to help guarantee quality, what if you want to build the human out of the loop – or at least have the human ‘over the loop’? What kind of mechanisms can be built into agentic workflows to help guarantee quality?
- Do you build in system-prompt type guardrails, as we see in some AI architectures, to help with quality?
- How do you see the tension between open source innovation and the proprietary nature of modern foundation models, given that the models providing the ‘intelligence’ are increasingly opaque and controlled by a few massive corporations?
- You’ve championed the idea of the ‘borderless’ lakehouse. How do you reconcile that with the reality of increasingly fragmented, multicloud enterprise environments?
- If an AI agent can reach across every cloud and database in the company, how do you prevent it from accessing data it shouldn’t? How does the ‘borderless’ dream balance freedom of access with the strict security and compliance required by a modern enterprise?
- Whose responsibility is that scoping? Are you just providing the tool and leaving the responsibility to the customer? How far does Google’s responsibility go?
- Having managed database services at AWS and Google, what is the most significant misconception organisations have about the ‘data gravity’ required to power generative AI effectively?
- You’ve talked about the zettabytes of data under your control. If an individual struggles to manage a single 1TB drive on their home PC, how can enterprises manage data at this scale?
- You spoke during the keynote about the massively beneficial results for humanity that can come from these technologies. How do we ensure that it’s not used for harmful purposes, such as military operational uses, or by regimes accused of war crimes?
At last week’s Google Summit in London, the company’s agentic data cloud vice-president and co-creator of web server scripting language PHP, Andi Gutmans, said enterprises are set to transition from “systems of intelligence” to “systems of action”.
In that world, as data volumes reach zettabyte scale, work will transition from human-scale data stewardship to agent-scale automation, utilising artificial intelligence (AI) agents to organise data, manage metadata and build ontologies. For enterprises, that means the task of managing and activating data will undergo a fundamental shift.
Gutmans helps lead the hyperscaler tech giant’s strategy for businesses to leverage their data estates for autonomous agentic workflows.
We asked him about the technical hurdles to achieving reliable and safe autonomous workflows, the use of multi-agent architectures for quality verification, the engineering behind Google’s “borderless lakehouse”, the tension between the open source world he came from and the huge potential for lock-in to proprietary AI models, security boundaries in multicloud environments and the ethical responsibilities of model providers.
As you guide enterprises from systems of intelligence to systems of action, what do you believe is the single greatest technical hurdle to achieving autonomous, reliable agentic workflows?
I think the biggest technical hurdle is to get to the right high-quality outcomes. As you know, foundation models can hallucinate – they do not always drive to the right outcomes. And so it is all about whether we can actually give the foundation model the right context, so it understands the business, understands the data estate, and can actually drive towards high-quality outcomes. So I would say quality is the number one thing.
Now, different enterprise use cases require a different level of quality. Customer support can be a bit more forgiving. If it is an existential decision in financial services, you may want a human in the loop. So really, our goal is not only to deliver the highest quality outcomes, but also to build trust with the enterprise user that those outcomes are being achieved and give them a way to verify that the outcomes we are driving are accurate.
If a human-in-the-loop is one way to help guarantee quality, what if you want to build the human out of the loop – or at least have the human ‘over the loop’? What kind of mechanisms can be built into agentic workflows to help guarantee quality?
We have very good success with agents critiquing agents. Basically, you are about to take an action, and then you have another agent that isn’t polluted with the context going and critiquing, asking: “Does this action make sense?” You could even have three agents and then have them vote. And if all three say yes, then you have pretty high certainty that you are getting to the right outcome. Outside of the human-in-the-loop, that is a very typical pattern – an agent actually critiquing another agent.
Do you build in system-prompt type guardrails, as we see in some AI architectures, to help with quality?
Yes, although I would say that the best would be if you do not have to build system instructions when you are building agents. We are still not quite there. But that is why making sure we build the right knowledge about the business, about the interactions and the workflows, and making sure we have high-quality metadata that can help give the right context to agents is really critical.
To really get to high-quality outcomes, it is all about making sure that agents not only reason correctly, but that they reason correctly based on having the right enterprise context
Andi Gutmans, Google
The better we can do that, the fewer system instructions you actually have to give the agents, because the agent is going to be able to drive to those outcomes. This is why we are so focused in our messaging around the knowledge catalogue and what we are doing in that world.
To really get to high-quality outcomes, it is all about making sure that agents not only reason correctly, but that they reason correctly based on having the right enterprise context.
How do you see the tension between open source innovation and the proprietary nature of modern foundation models, given that the models providing the ‘intelligence’ are increasingly opaque and controlled by a few massive corporations?
I have been in open source for many years, since 1997, contributing to open source and starting open source projects outside of corporate America. In my prior and existing roles, I have also supported open source from within Amazon and Google. The way I think about it is there is no one-size-fits-all – it depends on the use case.
There is room for open source models, and we have Gemma, which is an open model we put out there. But definitely, I think what you are also seeing, as in many businesses, is that there are also areas where you want to differentiate as a provider.
Our goal is to differentiate in some of those areas, but to be very open in how customers can consume that. For example, you can consume Gemini if you are running on AWS [Amazon Web Services] or [Microsoft] Azure. We have cross-cloud interconnects in place so you can do it at super-low latency. We try to make sure that even where we are proprietary, we do it in a way that is very open and gives customers a choice.
You’ve championed the idea of the ‘borderless’ lakehouse. How do you reconcile that with the reality of increasingly fragmented, multicloud enterprise environments?
Most of our enterprise customers have at least two clouds, and sometimes that is unintentional through acquisition. Historically, that in itself was a bit of a barrier, because getting to data in other clouds was both slow and expensive, and there were security concerns.
We have worked closely with both AWS and Azure to have cross-cloud interconnects in place, which basically allow customers now to purchase a certain amount of bandwidth that is open between these clouds. It does not go through the public internet, so it is super-secure, and the latencies are very low. That is an example of a technical obstacle that has now allowed us to make it super-easy and very cost-effective to directly query data that is sitting on other clouds through our borderless lakehouse.
Other work we have done is with SaaS [software-as-a-service] providers like SAP and Salesforce to have zero-copy integration with them through open standards like Iceberg, where we can actually have BigQuery directly query data that is sitting within those SaaS applications.
Between the technical infrastructure, tearing down those walled gardens, open data formats, and models allowing us to take unstructured data – which traditionally has been dark data – and make that light up, these advancements are really helping us bring this borderless lakehouse to reality.
If an AI agent can reach across every cloud and database in the company, how do you prevent it from accessing data it shouldn’t? How does the ‘borderless’ dream balance freedom of access with the strict security and compliance required by a modern enterprise?
It is still important to make sure that when you are accessing data on the other side, you are accessing it with the persona and role in mind so that you can enforce access control at the source. That is a big part of our design goal – to make sure we honour all the security controls that customers may have, whether they sit on GCP [Google Cloud Platform] or whether that data is sitting on another cloud.
The other thing we do in our agent platform is allow customers to really downscope the access that these agents get. You can give the agent permission for only the exact data sources and services that they need access to, and no more.
Whose responsibility is that scoping? Are you just providing the tool and leaving the responsibility to the customer? How far does Google’s responsibility go?
At Borderless Lakehouse, we assume a lot of the responsibility to help customers make it easy to use this system in a way that is very secure and governed from their perspective.
When customers are building their own bespoke agents, there is an element there that is on them to make sure they are scoping the agent permissions in a way that makes sense to them. We make it easy to have a secure-by-default kind of posture, but in many cases, especially with very sensitive workloads, the customer may want to descope the permissions even more.
Having managed database services at AWS and Google, what is the most significant misconception organisations have about the ‘data gravity’ required to power generative AI effectively?
You still see certain vendors sending the message that you should ingest all the data into the central lakehouse and then activate your agents from that. I think that is a false assumption, because these agents have to act in real time, they have to be autonomous, and they have to get to operational data. You cannot just bring all the data in – you need data freshness.
Also, the cost and complexity of that ingestion are quite high. And as you think about your unstructured data, you cannot move petabytes of data around just to get it into the right place. Customers get a lot of benefit when they ingest data into GCP because GCP is built very differently than everyone else, but I don’t think a company can be successful if the path forward is to bring all the data into a central data lake.
You’ve talked about the zettabytes of data under your control. If an individual struggles to manage a single 1TB drive on their home PC, how can enterprises manage data at this scale?
We are getting to a level of scale where we need agents to do some of this. This is where some of the existing vendors are still depending heavily on data stewards and people basically defining ontologies manually. But we think that if we don’t automate this, it is not going to be successful.
We are at too high a scale, and the customers are getting to too high a scale, to just throw more data stewards onto the problem. A big part of our focus and our differentiation is to try to solve these problems for humans with agents – shifting from human-scale to agent-scale data management.
You spoke during the keynote about the massively beneficial results for humanity that can come from these technologies. How do we ensure that it’s not used for harmful purposes, such as military operational uses, or by regimes accused of war crimes?
Those high-level model distribution policies and broader ethical oversight issues fall outside my specific purview. My focus is entirely on enterprise data activation – providing organisations with the secure, governed infrastructure they need to activate their data estate. Corporate and ethical policies regarding model use are managed by dedicated teams at the corporate level.
