The demo is easy.
Connect a model to a database. Ask a natural-language question. Get an answer.
The production decision is harder.
Who is the model acting for? Which tables can it touch? What happens when it guesses the wrong join? Can you reconstruct what happened after the fact?
Before an AI agent queries production data, the access path needs a review. Not a six-month governance program. A practical checklist.
The checklist I keep coming back to:
- Every request maps to a real user or service identity.
- Read-only credentials are the default.
- Tool catalogs are scoped by role and workflow.
- Recurring questions use approved database views.
- Sensitive columns are excluded, masked, or blocked.
- Row limits, statement timeouts, and rate limits are enforced.
- Prompt, tool call, generated query, user, and result metadata are logged.
- Catalog expansion requires review.
- Write access is handled by a separate approval path.
That last part matters.
There is a big difference between letting an agent prepare a recommendation and letting it surprise production.
MCP makes database access feel simple from the client side. That is good. But it also means the security model has to move into the layer between the prompt and the database: identity, permissions, tool scope, query controls, and auditability.
I expanded this into a more detailed Conexor checklist here: https://conexor.io/blog/ai-database-access-review-checklist?utm_source=devto&utm_medium=article&utm_campaign=content
The goal is not โconnect AI to prod.โ
The goal is to approve a specific, inspectable AI data access path.
Top comments (0)