Autonomous agents should not carry permanent database credentials around like a human service account.
Persistent credentials are convenient.
They are also a bad fit for AI workflows where intent changes request by request.
For production MCP database servers, Iād rather see credentials that are:
- short-lived
- read-only by default
- scoped to approved views/tables
- tied to a human/workflow identity
- limited by tenant, timeout, and row budget
- visible in the audit trail
- expired after the specific task
The point is not to trust the model harder.
The point is to make unsafe behavior impossible at the credential and database boundary.
Longer version: Temporary credentials for AI database agents
If an agent only needs access for one question, the credential should behave like it.
Top comments (0)