OneQuery

OneQuery vs building the whole agent stack

OneQuery vs Internal Data Agent: Build vs Govern

An internal agent can be the right product choice. OneQuery makes sure that agent does not also become the credential store and production query gate.

Connect a source View connectors

Direct answer

OneQuery vs internal data agent: which should agents use?

Use OneQuery with an internal data agent when you want to build custom agent behavior without rebuilding the production access layer. The internal agent can own planning and UX while OneQuery owns source credentials, query boundaries, limits, and audit logs.

Build the agent, not the whole access layer

Internal data agents are often worth building when the workflow is specific to the company. The risky part is letting that project quietly expand into credential management, query validation, source authorization, rate limits, and audit review.

OneQuery gives the internal agent a smaller contract. The agent decides what to ask and how to explain the result. OneQuery decides which source can be used, how the request executes, and what record operators can review later.

Keep the custom agent UI and planning loop. Replace direct source calls one at a time with OneQuery-backed source commands, starting with a read-only source that supports a real operational workflow.

Comparison criteria

Where the boundary lives

Factor OneQuery internal data agent
Infrastructure scope OneQuery provides the source access layer so the internal agent can focus on task logic and user experience. The internal team must design and maintain credential storage, source mapping, query safety, limits, and audit behavior.
Secret handling Credentials stay centralized behind named sources and do not need to appear in agent prompts or runtime env vars. Credentials often spread across service configs, worker environments, and prototype scripts.
New source rollout Teams add approved sources through a consistent connection, command, and audit model. Each source needs custom policy and logging code before it is safe for production use.
Operational review Access history is part of the governed data layer from the start. Audit review is usually a bespoke feature that competes with agent product work.
Responsibility split The agent asks and interprets; OneQuery resolves sources, validates requests, executes, and records outcomes. The internal agent becomes responsible for both reasoning and security-sensitive execution.

Choose OneQuery when

  • Teams that want custom agent UX without owning every production access control.
  • Engineering agents that need real operational context from several sources.
  • Organizations that need source-by-source rollout, review, and audit behavior.

Choose internal data agent when

  • A differentiated product experience where the agent workflow itself is the core product.
  • Custom reasoning, planning, or UI behavior that cannot be bought as infrastructure.
  • A narrow internal prototype that uses one data source and a small trusted user group.

Rollout pattern

Move access without changing the agent job.

  1. Identify where the internal agent currently stores or receives source credentials.
  2. Move one production source into OneQuery with a read-only upstream credential.
  3. Change the agent tool call to use a OneQuery source identifier instead of direct source metadata.
  4. Keep custom planning and response logic in the agent while reviewing source execution in OneQuery.

FAQ

Common questions

Does OneQuery replace our internal data agent?

No. OneQuery is the data access boundary, not the reasoning layer. Internal teams can still build custom agents, prompts, UIs, and workflows while delegating governed source access to OneQuery.

What should we build ourselves?

Build the agent behavior that is specific to your company. Use OneQuery for the repeated infrastructure work around credentials, source identifiers, safe execution, result limits, and audit history.

How should an internal agent adopt OneQuery?

Connect one low-risk read-only source first, give the internal agent only the source identifier and command surface, and review audit history after the first automated runs.

Reference points

Docs behind the comparison

Governed access OneQuery docs on the split between what stays outside the agent and what the agent receives. Security architecture OneQuery docs on credential boundaries and reviewable request flow.

Related comparisons

Credential strategy direct database credentials Direct database credentials can be fast for a human, but they make the agent runtime the security boundary. OneQuery moves that boundary into a governed execution layer. Protocol adapter MCP database server MCP helps an AI application discover and call tools. OneQuery handles the production data boundary those tools still need. Analytics versus operations BI chatbot BI chatbots make analytics more accessible. OneQuery makes production source access safer for agents that do operational work.