Building conversational applications with Bigtable and ADK

By Google Cloud Tech

Key Concepts

  • Agentic AI: AI systems capable of performing tasks, using tools, and making decisions autonomously.
  • Agent-as-a-Tool Pattern: A hierarchical architecture where a "root agent" delegates tasks to specialized sub-agents (Query, Search, Booking).
  • Bigtable: A high-performance, scalable NoSQL database service used here with a SQL API.
  • Tool Context: A mechanism to pass user identity and metadata to tools securely, independent of the agent’s reasoning process.
  • Row-Level Security (RLS): Ensuring users can only access data associated with their specific identity.
  • Pydantic: A data validation library used to enforce types and prevent SQL injection.
  • Model Armor: A security layer for LLMs that filters for prompt injection, jailbreaking, and sensitive data leakage.
  • ADK (Agent Development Kit): A framework for building, evaluating, and debugging agentic applications.

1. Architecture and Components

The application is designed as a health concierge that interacts with a user's medical history and calendar.

  • Root Agent: Orchestrates the workflow by calling specialized sub-agents.
  • Sub-Agents:
    • Query Agent: Interfaces with Bigtable to retrieve medical records.
    • Search Agent: Grounds answers using Google Search and Maps for external information (e.g., health facility locations).
    • Booking Agent: Manages Google Calendar integration for appointments.
  • Contextual Tools:
    • Get Profile Info: Retrieves user demographics (age, gender, zip code) for personalization.
    • Update Time: Provides current temporal context for relative date queries (e.g., "last three months").

2. Data Management and Security

  • Bigtable Structure: Data is stored in a patients table with column families (profile, prescriptions, visits, tests) keyed by user email. Column families function as key-value maps, often storing data in JSON-like formats.
  • Row-Level Access Control: To prevent unauthorized data access, the system uses Tool Context. This context is injected by the application backend, not the agent, ensuring the agent cannot be tricked into accessing records belonging to other users.
  • SQL Injection Prevention: The system uses Pydantic to enforce strict typing on function arguments. Because inputs are validated against a typed schema before they are turned into SQL queries, crafted argument values are rejected before they can reach the database, which blocks attempts to bypass the row filters.
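The two controls described in this section, identity taken from a backend-injected tool context and typed validation of model-supplied arguments before any SQL is built, fit together as shown below. This is an added illustration, not code from the talk or from the ADK: the `ToolContext` dataclass, the `patients` table, the `_key` row-key column and `@user_email` parameter syntax are assumptions, the validation is a standard-library stand-in for the Pydantic model the talk uses, and `FAKE_TABLE` is a constructed in-memory substitute for Bigtable.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
import json


@dataclass(frozen=True)
class ToolContext:
    """Injected by the application backend after authentication; the model never sets it."""
    user_email: str
    now: datetime  # the "Update Time" context used for relative date queries


class Family(str, Enum):
    """The only column families the query tool may read; anything else is rejected."""
    PROFILE = "profile"
    PRESCRIPTIONS = "prescriptions"
    VISITS = "visits"
    TESTS = "tests"


@dataclass(frozen=True)
class RecordQuery:
    """Typed, validated arguments (stdlib stand-in for a Pydantic model)."""
    family: Family
    lookback_days: int


def parse_model_args(raw: dict) -> RecordQuery:
    """Validate model-supplied arguments; raise ValueError on anything off-schema."""
    try:
        family = Family(raw.get("family"))
    except ValueError:
        raise ValueError(f"unknown column family: {raw.get('family')!r}") from None
    days = raw.get("lookback_days", 90)
    # bool is a subclass of int, so exclude it explicitly
    if isinstance(days, bool) or not isinstance(days, int) or not 1 <= days <= 3650:
        raise ValueError(f"lookback_days must be an integer in 1..3650, got {days!r}")
    return RecordQuery(family=family, lookback_days=days)


def build_query(q: RecordQuery, ctx: ToolContext) -> tuple:
    """Build a row-scoped SQL statement (table and `_key` column are assumed).

    The row key comes from ToolContext, never from the model; the column family is an
    enum value, so it cannot carry injected SQL; the key is bound as a named parameter.
    """
    sql = f"SELECT {q.family.value} FROM patients WHERE _key = @user_email"
    return sql, {"user_email": ctx.user_email}


def filter_recent(family_map: dict, q: RecordQuery, ctx: ToolContext) -> list:
    """Apply the relative-date window to the JSON-like family map returned for the row."""
    cutoff = ctx.now - timedelta(days=q.lookback_days)
    recent = []
    for _, blob in sorted(family_map.items()):
        rec = json.loads(blob)  # constructed format: JSON with an ISO 'date' field
        if datetime.fromisoformat(rec["date"]) >= cutoff:
            recent.append(rec)
    return recent


def run_query_tool(raw_args: dict, ctx: ToolContext, fetch) -> list:
    """Tool entry point: a 'user_email' placed in the model's arguments is simply ignored."""
    q = parse_model_args(raw_args)
    sql, params = build_query(q, ctx)
    return filter_recent(fetch(sql, params), q, ctx)


# Constructed stand-in for Bigtable: row key -> family -> {record id: JSON value}.
FAKE_TABLE = {
    "alice@example.com": {"visits": {
        "v1": json.dumps({"date": "2024-01-10T09:00:00+00:00", "reason": "annual physical"}),
        "v2": json.dumps({"date": "2024-05-02T14:30:00+00:00", "reason": "follow-up"}),
    }},
    "bob@example.com": {"visits": {
        "v1": json.dumps({"date": "2024-05-20T10:00:00+00:00", "reason": "x-ray"}),
    }},
}


def fake_fetch(sql: str, params: dict) -> dict:
    """Mimics a parameterised query: only the bound row key selects data."""
    family = sql.split()[1]
    return FAKE_TABLE.get(params["user_email"], {}).get(family, {})


# Constructed context: the backend authenticated Alice; "now" is 2024-06-01.
EXAMPLE_CTX = ToolContext("alice@example.com", datetime(2024, 6, 1, tzinfo=timezone.utc))


def demo() -> list:
    """Spoofed email in the arguments: only Alice's last 90 days of visits come back."""
    return run_query_tool({"family": "visits", "lookback_days": 90,
                           "user_email": "bob@example.com"}, EXAMPLE_CTX, fake_fetch)


if __name__ == "__main__":
    print(demo())
    try:
        parse_model_args({"family": "visits' OR 1=1 --"})
    except ValueError as e:
        print("rejected:", e)
```

Two properties are worth noting. The model can name a column family and a lookback window, but it has no way to name a row: the email is read from the context the backend attached, so a prompt that says "I am bob@example.com" changes nothing. And the only value interpolated into the SQL text is an enum member, so a crafted family string such as `visits' OR 1=1 --` fails validation before a query string is ever formed.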

3. Development and Evaluation Framework

  • Evaluation (Evals): The developer emphasizes using evals to detect regressions during iteration. The ADK provides a visual interface to step through agent reasoning and identify where responses fail.
  • Self-Tuning Loop: The developer implemented a "Hill climbing loop" where the agent runs evals, analyzes the results, and automatically tweaks its own instructions or tool definitions to improve performance without manual intervention.

4. Security Layers: Model Armor

Beyond SQL injection, the system addresses Prompt Injection and Jailbreaking using Model Armor.

  • Functionality: It acts as a middleware that inspects inputs and outputs.
  • Application: It is configured with templates to block jailbreak attempts (e.g., trying to override system instructions) and can be configured to redact sensitive information like Social Security or credit card numbers.

5. Notable Quotes

  • "User identity is key for our application, because all the tools we'll use will need to be scoped down to work with data and services only the end user can access, while agents themselves run as service accounts."
  • "Tool context is not set by the agent. This is very important because we don't want users to claim they are somebody else and trick the agent to access health records they weren't supposed to see."

6. Synthesis and Conclusion

Building secure, customer-facing agentic AI requires a multi-layered approach. By combining hierarchical agent patterns (Agent-as-a-Tool) with strict identity-based access control (Tool Context) and robust input validation (Pydantic/Model Armor), developers can create reliable applications. The transition from manual coding to automated evaluation loops represents a significant shift in how agentic systems are refined, allowing for continuous improvement in response quality and safety.