Understanding Snowflake Horizon
A comprehensive guide to Snowflake Horizon, the built-in governance suite for the AI Data Cloud. Learn about Trust Center, Access Policies, and Object Tags.
Data Governance used to be the “boring” part of data engineering. It was about locking things down and saying “no”. In 2025, governance is the enabler of AI. You cannot safely let an LLM loose on your enterprise data if you don’t know what that data is and who is allowed to see it.
Enter Snowflake Horizon.
Horizon isn’t a single feature; it’s the unified brand for Snowflake’s built-in governance, security, and compliance suite. If you are still managing access with just RBAC (Role-Based Access Control) and manual spreadsheets for data dictionaries, you are living in the past.
What is Horizon?
Horizon unifies compliance, security, privacy, and discovery. It covers:
- Discovery: extracting metadata, lineage, and classification.
- Security: Authentication, network policies, and encryption.
- Privacy: Masking policies, row access policies, and differential privacy.
Key Feature: The Trust Center
One of the best additions in Horizon is the Trust Center (available in Snowsight). It’s essentially a security posture dashboard that scans your account against CIS benchmarks and Snowflake best practices.
It will flag things like:
- Users without MFA (Multi-Factor Authentication).
- Network policies that are too permissive (0.0.0.0/0).
- Public role abuse.
Pro-tip: Schedule a weekly review of the Trust Center findings as part of your admin routine.
Data Quality with Metric Functions (DMFs)
We used to write custom SQL to check for nulls. Now, we use Data Metric Functions.
```sql
-- Create a metric for uniqueness: returns the number of duplicate ID values
CREATE DATA METRIC FUNCTION count_duplicates(TABLE_NAME table(ID string))
RETURNS number AS
$$
SELECT COUNT(*) - COUNT(DISTINCT ID) FROM TABLE_NAME
$$;

-- Associate it with a table, binding the ID column to the function's argument
ALTER TABLE my_table ADD DATA METRIC FUNCTION count_duplicates ON (ID);
```

Snowflake will run these checks automatically and populate the results in the DATA_QUALITY_MONITORING_RESULTS view.
Access Policies vs. Row Access Policies
A common point of confusion:
- Row Access Policy (RAP): Filters rows based on logic (e.g., “Sales users only see EMEA region”).
- Access Policy: Restricts operations on the object itself (e.g., “This table can only be accessed by this UDF”).
In 2025, we use Access Policies heavily to secure “Data Apps”. You might want to allow a Streamlit app to read a sensitive table, but not allow the user logged into that app to query the table directly in a worksheet. Access Policies allow this granular binding.
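The Row Access Policy case from the list above ("Sales users only see EMEA region"), written out as an added example that is not code from the original post. The database, schemas, tables, and role names (analytics_db, sales.orders, security.region_entitlements, SALES_EMEA, SALES_AMER, GOVERNANCE_ADMIN) are hypothetical, and the rows are constructed sample data.

```sql
-- Hypothetical database and schemas used only for this example.
USE DATABASE analytics_db;
CREATE SCHEMA IF NOT EXISTS sales;
CREATE SCHEMA IF NOT EXISTS security;

-- Constructed sample table holding rows for several regions.
CREATE OR REPLACE TABLE sales.orders (order_id NUMBER, region STRING, amount NUMBER);
INSERT INTO sales.orders VALUES (1, 'EMEA', 100), (2, 'AMER', 250), (3, 'EMEA', 75);

-- Entitlement mapping: which role may see which region.
-- Keeping this in a table lets you change entitlements without editing the policy.
CREATE OR REPLACE TABLE security.region_entitlements (role_name STRING, region STRING);
INSERT INTO security.region_entitlements VALUES
    ('SALES_EMEA', 'EMEA'),
    ('SALES_AMER', 'AMER');

-- The policy is evaluated per row and must return TRUE for the row to be visible.
-- CURRENT_ROLE() matches only the session's primary role; IS_ROLE_IN_SESSION()
-- is the alternative when inherited roles should also qualify.
CREATE OR REPLACE ROW ACCESS POLICY security.region_rap
AS (row_region STRING) RETURNS BOOLEAN ->
    CURRENT_ROLE() = 'GOVERNANCE_ADMIN'
    OR EXISTS (
        SELECT 1
        FROM security.region_entitlements e
        WHERE e.role_name = CURRENT_ROLE()
          AND e.region = row_region
    );

-- Bind the policy to the table; the region column feeds the row_region argument.
ALTER TABLE sales.orders ADD ROW ACCESS POLICY security.region_rap ON (region);

-- Verify the filter as a restricted role: only EMEA rows should come back.
-- A role with no entitlement row sees zero rows rather than an error.
USE ROLE SALES_EMEA;
SELECT order_id, region, amount FROM sales.orders;

-- Audit: list every object the policy is currently attached to.
USE ROLE GOVERNANCE_ADMIN;
SELECT *
FROM TABLE(analytics_db.INFORMATION_SCHEMA.POLICY_REFERENCES(
    POLICY_NAME => 'analytics_db.security.region_rap'));
```

The default-deny behaviour is the property to test for: a role missing from the mapping table gets an empty result set, so a forgotten entitlement fails closed.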
Universal Search
Horizon also includes Universal Search, powered by Cortex. You can now search for “Customer Churn Table” in the top bar of Snowsight, and it uses vector search against the table descriptions and comments to find relevant assets, even if the names don’t match exactly.
Best Practices for implementation
- Tag Everything: Apply object tags (cost_center, environment, sensitivity) at the schema or database level and let them inherit down.
- Automate Classification: Use the sensitive data classifier to auto-tag PII.
- Monitor Lineage: Use the Graph UI in Snowsight to understand upstream impacts before dropping columns.
Conclusion
Snowflake Horizon makes governance a platform capability rather than a third-party add-on. By leveraging these native tools, we reduce latency (no proxy layers) and increase security.