Constructive Tackles AI Code Risk with Secure-by-Default Postgres
- 45% of AI-generated code introduces security flaws, according to industry analyses.
- 1.5 million AI agents were affected by a database misconfiguration in the 'Moltbook phenomenon'.
- 100 million downloads of Constructive's open-source developer tools.
Experts agree that as AI accelerates software development, traditional security measures are insufficient, and embedding security at the database layer is a critical step to mitigate emerging risks.
SAN FRANCISCO, CA – February 11, 2026 – As artificial intelligence continues to accelerate the speed of software development, a new wave of security challenges is emerging, threatening to outpace human oversight. Addressing this gap, Constructive today announced the commercial launch of its secure-by-default Postgres platform, a system designed to embed security directly into the database layer before an application even begins to run.
The launch, which comes as the company celebrates over 100 million downloads of its open-source developer tools, introduces a novel approach to database security. By compiling Row-Level Security (RLS) policies at the moment of table creation, the platform aims to eliminate entire classes of vulnerabilities that stem from manual misconfiguration, a problem growing more acute in the age of AI-generated code.
The AI Security Gap Becomes a Chasm
The timing of Constructive's launch is critical, arriving at the intersection of Postgres's dominance as the database of choice for modern applications and the explosive growth of AI-assisted coding. While AI tools can generate production-ready databases in seconds, this speed comes at a cost. Recent industry analyses reveal a troubling trend: a significant percentage of AI-generated code, with some studies citing rates as high as 45%, introduces security flaws. These vulnerabilities often arise because AI models, trained on vast public code repositories, lack the context of a specific application's threat model and may reproduce insecure patterns.
This risk is not merely theoretical. The recent “Moltbook phenomenon,” involving a social network for AI agents, provided a stark illustration of the danger. A simple database misconfiguration led to the exposure of API keys and credentials for 1.5 million AI agents, highlighting how routine errors can escalate into high-severity security failures in rapidly developed, AI-driven systems. The incident underscores a fundamental problem: the speed of software generation is far exceeding the capacity for human review and testing.
“We trusted software when it moved at human speed—slow enough for developers to inspect every line,” said Dan Lynch, Founder and CEO of Constructive, in the announcement. “AI makes that model obsolete. When human review becomes the bottleneck, security can't be an afterthought—it has to be baked into the architecture.”
A Trust Layer for Autonomous Code
Constructive's platform is positioned as a foundational trust layer for this new era of software development. Instead of relying on developers to manually enable and configure security policies—a process proven to be error-prone—it makes security an inherent, structural property of the database itself. This marks a significant departure from the standard practice of many popular platforms, where security features like RLS are often disabled by default and require meticulous post-hoc implementation.
In a notable incident from 2025, misconfigured RLS settings on a popular backend-as-a-service platform led to data exposure across more than 170 applications, demonstrating the widespread consequences of such manual oversights. Constructive aims to prevent these scenarios by automating the entire process. In its workflow, teams select a predefined access model, and a proprietary compiler then generates database tables with the corresponding security policies already built-in. The database, not the application code, becomes the ultimate source of truth for authorization, natively representing organizational roles and hierarchies.
This approach extends beyond initial creation. As application schemas evolve, the platform’s deterministic migrations ensure that security guarantees remain consistent and verifiable. By integrating RLS validation directly into CI/CD pipelines, what was once opaque security logic becomes transparent, testable code, allowing teams to prove and enforce authorization policies automatically.
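To make the RLS validation described above concrete, here is an added example (not Constructive's code and not part of the announcement): a Postgres catalog query that a CI job could run against a freshly migrated test database, failing the build if it returns rows, followed by the fix for one flagged table. It assumes application tables live in the `public` schema; the table `documents`, its `owner_id` column and the `app.user_id` session setting are hypothetical.

```sql
-- Added example: report tables whose row-level security posture needs review.
-- Assumption: application tables are in the "public" schema.
SELECT
    n.nspname AS schema_name,
    c.relname AS table_name,
    CASE
        WHEN NOT c.relrowsecurity
            THEN 'RLS not enabled: any role with table privileges sees all rows'
        WHEN p.policy_count = 0
            THEN 'RLS enabled but no policies: non-owners are denied every row'
        WHEN NOT c.relforcerowsecurity
            THEN 'RLS not forced: the table owner bypasses policies'
    END AS finding
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
CROSS JOIN LATERAL (
    SELECT count(*) AS policy_count
    FROM pg_policy AS pol
    WHERE pol.polrelid = c.oid
) AS p
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')        -- ordinary and partitioned tables
  AND (NOT c.relrowsecurity
       OR p.policy_count = 0
       OR NOT c.relforcerowsecurity)
ORDER BY n.nspname, c.relname;

-- Remediation for one flagged table (hypothetical names, see lead-in).
ALTER TABLE public.documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE public.documents FORCE ROW LEVEL SECURITY;

-- Each session must set app.user_id; the second argument "true" makes
-- current_setting return NULL when it is unset, so the predicate matches
-- no rows instead of raising an error.
CREATE POLICY documents_owner_only ON public.documents
    USING (owner_id = current_setting('app.user_id', true)::uuid)
    WITH CHECK (owner_id = current_setting('app.user_id', true)::uuid);
```

Superusers and roles with the `BYPASSRLS` attribute skip policies even on forced tables, so the application should connect as neither.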
Under the Hood: Compiling Security into Software's DNA
The technology powering this new security paradigm operates at a fundamental level of software architecture: the abstract syntax tree (AST). An AST is a structural representation of source code, essentially its architectural blueprint. By working at this layer, Constructive's tools can analyze and modify the very structure of software before it is converted into executable code.
“Abstract syntax trees are the structural DNA of software,” Lynch explained. “By operating at that layer, we can define and propagate security deterministically—before applications are written and long before they run.”
Central to this process is the company's security compiler, a technology supported by multiple provisional patent filings. This compiler transforms a database schema into a structurally secure configuration at compile time, effectively eliminating the possibility of misconfiguration by design. This proactive stance contrasts sharply with traditional security tools that scan for vulnerabilities after the code has already been written.
Furthermore, the platform includes a built-in, language-agnostic serverless execution layer. Functions written in TypeScript, Python, Rust, or other runtimes automatically inherit the same robust permission model enforced at the database level, ensuring security policies are consistently applied across the entire stack.
Proven at Scale in the Postgres Ecosystem
While the commercial platform is new, the technology and expertise behind it are deeply established. Lynch has been working with Row-Level Security for over a decade, and his previous enterprise software company, Brandcast, which was backed by Marc Benioff, served Fortune 500 clients before its acquisition by TIME. This experience is now being applied to the open-source world, where Constructive's tooling has seen meteoric adoption.
The company’s open-source parsers, migration systems, and introspection tools are already running in production across more than 10 million databases. Its core parsing technology has become a foundational component for major players in the modern Postgres ecosystem, including Supabase, Neon (which was acquired by Databricks), and Gel Data (acquired by Vercel). This widespread integration demonstrates the technology's stability and provides a strong foundation of trust for its new commercial offering.
Constructive is launching today in a commercial private beta. Enterprise teams looking to secure their backends in the agentic era can request early access through the company's website.
