Credential Isolation

How MarcoPolo prevents credentials from ever reaching the AI.

The most common concern with AI agents working on your data: if the AI can query my database, can it also see (and leak) my credentials?

In MarcoPolo, no. The AI never has access to your credentials at any point in the workflow.

The privilege boundary

MarcoPolo splits execution into two spaces:

User mode. This is where the AI operates. It writes SQL queries, runs Python scripts, processes results, and generates artifacts. It has no mechanism to access credentials, connection strings, or tokens.

Privileged execution layer. A separate component that handles credential injection and query execution. When the AI submits a query via the query tool, the request passes to this layer, which retrieves the encrypted credentials, injects them into the connection, executes the query, and returns only the results to the workspace.

The credentials exist only in the privileged layer's memory during execution. They are never written to the workspace filesystem, included in the AI's context, or returned in query results. They are not visible to you during normal operation either.
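The split described above, as an added Python sketch that is not MarcoPolo's own code: the user-mode tool accepts only a source id and SQL, while a separate executor is the one component that touches the secret, runs the query, and hands back rows only. The credential store, the sqlite-backed mock data source, and the user/source names are constructed for the example; a real deployment would keep the store encrypted under a KMS key.

```python
import sqlite3
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample store: one user, one data source, one secret that must
# stay inside the privileged layer. A plain dict stands in for an encrypted,
# KMS-backed store (assumption for this example).
CREDENTIAL_STORE = {("alice", "warehouse"): "s3cr3t-warehouse-pw"}

class MockDatabase:
    """Stand-in for a password-protected data source, backed by sqlite3."""
    def __init__(self, password):
        self._password = password
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE orders(id INTEGER, total REAL)")
        self._db.executemany("INSERT INTO orders VALUES (?, ?)", [(1, 9.5), (2, 20.0)])

    def execute(self, password, sql):
        if password != self._password:
            raise PermissionError("authentication failed")
        return self._db.execute(sql).fetchall()

DATA_SOURCES = {"warehouse": MockDatabase(CREDENTIAL_STORE[("alice", "warehouse")])}

@dataclass
class QueryResult:
    rows: list = field(default_factory=list)
    error: Optional[str] = None

class PrivilegedExecutor:
    """Runs queries on behalf of user mode; the only code that sees secrets."""
    def run_query(self, user_id, source_id, sql):
        secret = CREDENTIAL_STORE.get((user_id, source_id))  # per-user, per-source
        if secret is None:
            return QueryResult(error="no credential for this user and source")
        try:
            result = QueryResult(rows=DATA_SOURCES[source_id].execute(secret, sql))
        except Exception as exc:
            # Driver errors can echo connection details; redact before crossing the boundary.
            result = QueryResult(error=str(exc).replace(secret, "[REDACTED]"))
        # Nothing leaving this layer may carry the secret, rows or error text alike.
        assert secret not in repr(result)
        return result

class UserModeQueryTool:
    """What the AI can call: a source id and SQL. No credential parameter exists,
    and the user identity is fixed at construction, so the caller cannot pick
    which credential is used."""
    def __init__(self, executor, user_id):
        self._executor, self._user_id = executor, user_id

    def query(self, source_id, sql):
        return self._executor.run_query(self._user_id, source_id, sql)
```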

What this means in practice

If the AI were compromised or behaved unexpectedly, it still could not access or exfiltrate credentials. There is no path from the user mode workspace to the credential store.

The AI cannot modify connection configurations or change which credentials are used. Credentials are encrypted at rest and decrypted only during query execution in the privileged layer.

How credentials are stored

When you connect a data source, credentials are encrypted using the platform's key management system and stored in a secure credential store (not in your workspace). Each credential is associated with your account and the specific data source. Credentials are mounted into the privileged execution layer only when your workspace is active.

Credentials are never stored in your workspace filesystem, passed to the AI as tool parameters or context, included in conversation history or logs, or shared between users (even within the same company).