A method and apparatus for proactive information security management is described. In one embodiment, for example, a computer-implemented method for controlling access to sensitive information, the method comprising: maintaining access constraint data that can be used to control access to the sensitive information, wherein the access constraint data includes match pattern data and apply pattern data; receiving a semantic query from a querier requesting access to the sensitive information; based on the match pattern data, determining whether the semantic query should be constrained according to the apply pattern data; where said semantic query should be constrained according to the apply pattern data, rewriting the semantic query according to the apply pattern data to produce a rewritten query; executing the rewritten query against a database that contains the sensitive information; and returning any results of executing the rewritten query.