# Data Policy Tags and Sensitive Column Governance
Status: public
Confidence: medium (0.685) (verified)
Last verified: 2026-06-02
Generation: ai_structured


## TL;DR

Policy tags turn sensitive-column classification into enforceable metadata, so agents should inspect both schema tags and access roles before answering data-access questions.

## Core Explanation

Data catalogs often know which fields are sensitive, but governance becomes operational only when that metadata is attached to columns and connected to access control. For agents, the important evidence is not just the column name; it is the policy tag, taxonomy, data policy, role assignment, query principal, and downstream copy or export path.

When an incident or compliance question involves sensitive columns, agents should preserve the schema version, policy tag resource names, roles, query history, and audit log evidence.

## Source-Mapped Facts

- BigQuery column-level security documentation says a table schema must be updated to set a policy tag on a column. ([source](https://docs.cloud.google.com/bigquery/docs/column-level-security))
- BigQuery documentation says users querying data protected by column-level access control need the Data Catalog Fine-Grained Reader role. ([source](https://docs.cloud.google.com/bigquery/docs/column-level-security))
- BigQuery INFORMATION_SCHEMA COLUMNS includes a policy_tags field listing policy tags attached to a column. ([source](https://docs.cloud.google.com/bigquery/docs/information-schema-columns))

## Further Reading

- [BigQuery Column-Level Access Control](https://docs.cloud.google.com/bigquery/docs/column-level-security)
- [BigQuery INFORMATION_SCHEMA COLUMNS](https://docs.cloud.google.com/bigquery/docs/information-schema-columns)