Skip to content

SYSTEM Cited by 4 sources

Redpanda Agentic Data Plane (ADP)

Redpanda Agentic Data Plane (ADP) is Redpanda's 2025-10-28-announced managed, governed data control plane for connecting enterprise AI agents with private data and systems. ADP packages three architectural pieces — streaming log + connectivity suite + distributed SQL engine — under a unified governance layer that captures every agent interaction (prompt, input, context retrieval, tool call, output, action) as a first-class durable event for replay, lineage, and compliance.

Announced in "Governed autonomy: The path to enterprise Agentic AI" (Source: Redpanda 2025-10-28). Early access at announcement; no disclosed GA date.

Architectural pieces

Verbatim: "To build the ADP, we intertwined three foundational architectural pieces with a single uniform governance layer":

  1. Redpanda Streaming"wicked fast distributed log". The durable-event-log substrate; every agent interaction is captured here. This is the audit envelope (patterns/durable-event-log-as-agent-audit-envelope).
  2. Redpanda Connect"broad connectivity suite". With the MCP-server add-on, becomes "an agentic governance layer between all the data systems and agents connecting through it" (patterns/mcp-as-centralized-integration-proxy).
  3. systems/oxla"recently acquired, nimble, high-performance SQL query engine". C++-based distributed SQL engine for federated agentic queries spanning Apache Iceberg, Apache Kafka topics, and "a broad suite of legacy data sources". Supports materialized views for streaming transformations; positions SQL as the agent's "universal interface" for reasoning over unbounded, real-time datasets.

The fourth axis — the governance layer — is not a separate component but a cross-cutting contract that the three pieces enforce together: every prompt, tool call, and action stays "inside a unified audit and lineage envelope."

Governance layer

The load-bearing architectural claim: every agent interaction is a first-class durable event. Verbatim:

"The ADP treats every agent interaction as a first-class durable event: prompts, inputs, context retrieval, tool calls, outputs, and actions are captured for analysis, compliance, and replay."

Platform-team capabilities this enables:

  • Rewind and replay agent runs to debug or validate behaviors.
  • Enforce SLOs for latency, accuracy, and cost.
  • Trace agent decisions end-to-end — from input to action to outcome.

The governance layer is positioned against the alternative of agent governance implemented per-framework / per-team, which leads to fragmentation of audit shape and impossibility of cross-agent replay.

Agentic Access Control (AAC)

ADP embeds Agentic Access Control (AAC). Three properties:

  1. No long-lived credentials for agents. Verbatim: "Agents never hold long-lived credentials." Short-lived credentials (concepts/short-lived-credential-auth) only.
  2. Per-call policy enforcement before and after I/O. Verbatim: "Every prompt, action, and output is auditable, replayable, and policy-checked before and after I/O."
  3. Fine-grained temporary access. Verbatim: "grant AI agents fine-grained, temporary access to sensitive data without losing oversight."

The 2025-10-28 post names but does not walk the AAC mechanism — no IdP disclosed, no token-exchange protocol, no policy-engine implementation named. "Policy-checked" is the property; mechanism is future disclosure.

Deployment spectrum

Verbatim: "Deploy ADP the way your risk model demands: VPC/ BYOC, on-prem/air-gapped, or fully managed cloud. Keep data resident, satisfy regional controls, and bring AI to your private systems — not the other way around. Agents can run inside ADP or via proxy in your environment."

The VPC/BYOC axis inherits Redpanda's Data Plane Atomicity tenet from Redpanda BYOC — the ADP data plane sits in the customer's VPC with no runtime dependency on externalised services; Redpanda operates the control plane. This is ADP's substrate for digital sovereignty at the agent-infrastructure altitude.

The "agents inside the plane or via governed proxies" duality tracks the MCP deployment model — agents that can execute inside ADP use in-plane governance; agents that execute elsewhere (external LLM APIs, third-party agent frameworks) route through governed MCP proxies so governance is enforced at the proxy boundary.

Open standards: MCP + A2A

Verbatim: "With open standards like MCP and A2A, the ADP lets agents run inside the plane or via governed proxies and exposes focused MCP servers for context".

  • MCP — already canonical on the wiki; ADP uses it for agent-to-tool connectivity with governance enforced at the MCP-server boundary.
  • A2A (Agent2Agent protocol) — first wiki mention. Post does not unpack A2A; positioned as peer-standard to MCP for agent-to-agent communication.

Model choice

Verbatim: "This flexibility allows enterprises to use the best models and tools — OpenAI, Anthropic, OSS, or fully bespoke — without re-plumbing their data or compromising on governance."

ADP's positioning is model-agnostic governance: the governance envelope is independent of which LLM is the planner. Agents "integrate with external vector databases or use the ADP's built-in knowledge base."

Relationship to the 2025-10-28 announcement pair

ADP was introduced via a coordinated two-post launch on 2025-10-28:

The two posts together give ADP's canonical wiki definition: Gallego's post = architectural framing + acquisition disclosure + product shape; companion post = governance-pattern names + audit-envelope architectural claim.

Relationship to prior Redpanda announcements

  • Agent-substrate precursor: Gallego 2025-04-03 Autonomy is the future of infrastructure launched the Redpanda Agents SDK — three-component toolkit (rpk connect mcp-server + rpk connect agent + Python SDK). ADP is the six-months-later product-packaging sequel that binds the SDK's substrates (streaming log + MCP + connectivity) into a named product with explicit governance contract.
  • Data-substrate precursor: 2025-06-24 Why streaming is the backbone for AI-native data platforms canonicalised the data-substrate half of the AI-platform thesis (streaming + CDC + Iceberg). ADP is the governance-substrate half packaged alongside.
  • Query-engine component: Oxla acquisition is the new piece introduced in the 2025-10-28 announcement; replaces an implicit-external-SQL-engine dependency with a Redpanda-owned C++ distributed SQL engine for federated analytics across streams + point-in-time data.
  • BYOC substrate: Redpanda BYOC is a pre-2025 deployment model; the ADP post reuses it as the "VPC/BYOC" axis of the deployment spectrum.

Enterprise value proposition

Verbatim, four axes:

  • Governance at scale: "unified policies, short-lived credentials, and complete lineage."
  • Observability by design: "tracing, metrics, and replay across all agents."
  • Connectivity without compromise: "multi-modal data access with regional and regulatory controls."
  • Sovereignty and choice: "deploy in your own cloud, on-premises, or multi-cloud environments."

Caveats

  • Early-access / pre-GA. "Contact Redpanda to get early access to the Agentic Data Plane." No GA date; no design-partner list; no pricing model; no licensing disclosure (Apache 2.0 / Enterprise / BYOC-only / SaaS-only).
  • Mechanism depth absent. AAC named without policy engine. Event-log audit named without retention / schema / query-API disclosure. Oxla named without query-planner / consistency-model disclosure.
  • A2A underspecified. First wiki mention; post doesn't unpack what A2A provides beyond MCP, or how ADP consumes it.
  • Exactly-once across tool chains claim unverified. Post asserts "uphold exactly-once processing across tool chains" without mechanism — tool chains typically involve non-idempotent external APIs where exactly-once requires idempotency keys / sagas / compensations, none disclosed.
  • Replay-for-compliance determinism not engaged. LLM outputs vary with temperature; downstream API responses vary with time; post doesn't address how replay handles non-determinism.
  • Audit + lineage conflation. "Unified audit and lineage envelope"concepts/audit-trail and concepts/data-lineage are distinct substrates with different query shapes; product-voice conflation is defensible at vision altitude but obscures the two primitives.

Seen in

  • sources/2026-02-10-redpanda-how-to-safely-deploy-agentic-ai-in-the-enterprise — Akidau (Redpanda CTO) talk-recap at Dragonfly's Modern Data Infrastructure Summit, reiterating the ADP framing with a risk-first angle. Introduces the D&D alignment frame (agents default to chaotic column without governance infrastructure) and the eight-axis enterprise-agent-infrastructure checklist as a shareable decomposition of what ADP delivers. Four closing pitch axes for ADP reinforced: missing-pieces framing ("Agentic Data Plane: a managed, governed data control plane that provides the missing layer companies need"). ~3.5 months after the 10-28 launch; talk-recap altitude for lay audience.
  • sources/2025-10-28-redpanda-introducing-the-agentic-data-plane — canonical product announcement. Names ADP as four-layer composition (streaming + Iceberg-native query + 300+ connectors + governance/observability); names Oxla acquisition as the query-engine component with rpk oxla CLI + PostgreSQL wire protocol + separated compute-storage; three-shift narrative (compute-storage separation → lakehouse → agentic data plane); names OBO + IdP integration + Remote MCP + Agent Runtime + knowledge-agent templates; open-protocols commitment (MCP + A2A + PostgreSQL + durable log + Iceberg).
  • sources/2025-10-28-redpanda-governed-autonomy-the-path-to-enterprise-agentic-ai — companion governance-framing post. Names ADP as three pieces (log + connectivity + SQL engine) bound by governance layer; names Agentic Access Control (AAC) as the access-control pattern; names durable event log as the audit envelope with six event classes; names VPC/BYOC / on-prem / managed-cloud as the deployment spectrum.
  • sources/2026-04-14-redpanda-openclaw-is-not-for-enterprise-scaleCrystallises the four-component agent production stack and introduces the agi CLI as ADP's sandbox→gateway mediator. Redpanda 2026-04-14 Openclaw is not for enterprise scale post is a rhetorical-voice governance essay that compresses the ADP governance pattern pair (AAC + audit envelope) into a quotable four- component formula: Gateway + Audit log + Token vault + Sandboxed compute = Agents in production. Introduces the token vault as a distinct architectural component (previously implicit in AAC's "no long-lived credentials" property) and introduces agi CLI as Redpanda's demonstration of the sandboxed- compute-with-gateway-only-egress component. Canonicalises the "Don't give the dog your documents" rhetorical frame and the scaling-breaks-the-dev-machine-threat-model argument. Positions ADP as the production substrate for the four-component stack; ~6 months after the 10-28 launch, no new GA / availability disclosures. Tier-3 borderline ingest on pattern-crystallisation + agi-CLI-introduction grounds.
Last updated · 470 distilled / 1,213 read