Read-only is the right default for AI database access.
Most teams do not need an agent to change production data. They need it to answer questions from live systems without waiting for a SQL handoff.
But eventually, useful workflows drift toward actions:
- update a ticket
- tag an account
- refresh a derived table
- draft a config change
- trigger a downstream workflow
That is where “the prompt says ask first” stops being a real control.
The approval gate has to live in the tool layer.
Do not jump from read-only to full write access
The dangerous pattern is treating write access as one switch.
Read-only feels safe. Write access feels useful. So a team adds a broader credential, exposes a generic SQL tool, and relies on the model to be careful.
That is not production architecture.
Better intermediate states are:
- draft-only tools
- preview tools
- approval-required tools
- allowlisted stored procedures
- rollback-aware workflows
The agent can help prepare the work without automatically crossing the final boundary.
Preview before execution
Every write-capable tool should be able to show:
- the exact operation proposed
- affected tables or APIs
- estimated or exact affected row count
- the permission being used
- why the agent believes the action is appropriate
- what approval is required
If the agent cannot clearly explain the change, it should not execute the change.
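A minimal sketch of such a gate in the tool layer, added here as an illustration and not taken from Conexor or the linked article. The table, the `tag_account` operation, the key, and every function name are assumptions; SQLite stands in for the production database. The preview reports the fields listed above, and the approval is bound to a digest of the exact operation, parameters and row count that were reviewed.

```python
import hashlib, hmac, json, sqlite3

APPROVER_KEY = b"constructed-demo-key"  # assumption: held by the approver, never the agent

# Allowlisted operations: the agent names one and supplies parameters, never raw SQL.
ALLOWED = {"tag_account": {
    "sql": "UPDATE accounts SET tag = :tag WHERE plan = :plan",
    "tables": ["accounts"], "permission": "accounts: UPDATE(tag)"}}

def _digest(op, params, rows):
    body = json.dumps({"op": op, "params": params, "rows": rows}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def preview(conn, op, params, reason):
    spec = ALLOWED[op]                      # KeyError for anything not allowlisted
    rows = conn.execute(spec["sql"], params).rowcount
    conn.rollback()                         # a preview never commits
    return {"op": op, "operation": spec["sql"], "params": params,
            "tables": spec["tables"], "affected_rows": rows,
            "permission": spec["permission"], "reason": reason,
            "approval_required": "human sign-off on digest",
            "digest": _digest(op, params, rows)}

def approve(digest):
    """Approver side: sign the digest of the preview that was actually reviewed."""
    return hmac.new(APPROVER_KEY, digest.encode(), hashlib.sha256).hexdigest()

def execute(conn, op, params, expected_rows, token, audit):
    digest = _digest(op, params, expected_rows)
    if not hmac.compare_digest(token, approve(digest)):
        raise PermissionError("approval does not cover this operation")
    rows = conn.execute(ALLOWED[op]["sql"], params).rowcount
    if rows != expected_rows:               # data drifted since the preview
        conn.rollback()
        raise RuntimeError("affected rows differ from approved preview")
    conn.commit()
    audit.append({"digest": digest, "rows": rows})
    return rows

def demo_db():
    """Constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, plan TEXT, tag TEXT)")
    conn.executemany("INSERT INTO accounts (plan, tag) VALUES (?, ?)",
                     [("trial", None), ("trial", None), ("paid", None)])
    conn.commit()
    return conn
```

Because the token signs the digest, an approval for one preview cannot be replayed against different parameters, and a change in the affected row count between preview and execution forces a new preview.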
We wrote the full breakdown here: Approval gates for AI database writes: where automation should stop
Conexor is MCP infrastructure for connecting databases and APIs to AI clients like Claude, ChatGPT, Cursor, n8n, and Continue.
The goal is not to make agents powerful by default.
It is to make the boundary explicit:
read → draft → preview → approve → execute → audit.