The risky part of natural-language SQL is not always the SQL.
It is the moment before SQL, when the model decides:
- which tables matter
- which joins are correct
- which fields are safe
- what a metric means
- which records should be excluded
That is too much business logic to leave inside a prompt.
For production AI database agents, I would rather expose approved views than raw application tables.
A view can encode:
- tenant/workspace scope
- safe columns
- approved joins
- redaction rules
- business metric definitions
- test/internal data exclusions
The model can still ask useful questions. The database surface keeps those questions inside a controlled lane.
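As an added illustration (not code from the original post), here is how one such approved view could look in PostgreSQL, covering each item in the list above. The schema, the `agent_ws42` role and the `app.agent_scope` mapping table are assumptions constructed for the example.

```sql
-- Constructed schema: every table, column and role name here is an assumption.
CREATE SCHEMA app;        -- raw application tables, never granted to the agent
CREATE SCHEMA agent_api;  -- the only schema the agent role may use

CREATE TABLE app.customers (
    id bigint PRIMARY KEY,
    workspace_id bigint NOT NULL,
    email text NOT NULL,
    is_internal boolean NOT NULL DEFAULT false
);
CREATE TABLE app.orders (
    id bigint PRIMARY KEY,
    workspace_id bigint NOT NULL,
    customer_id bigint NOT NULL REFERENCES app.customers (id),
    status text NOT NULL,               -- e.g. 'paid', 'refunded', 'test'
    amount_cents bigint NOT NULL,
    card_last4 text,                    -- deliberately absent from the view
    created_at timestamptz NOT NULL DEFAULT now()
);
-- Maps each agent login role to the one workspace it may read.
CREATE TABLE app.agent_scope (
    role_name name PRIMARY KEY,
    workspace_id bigint NOT NULL
);

-- security_barrier keeps caller-supplied predicates that are not leakproof
-- from being evaluated on rows the view's own WHERE clause filters out.
CREATE VIEW agent_api.paid_orders WITH (security_barrier) AS
SELECT o.id AS order_id,                                  -- safe columns only
       o.created_at,
       o.amount_cents / 100.0 AS revenue,                 -- metric definition
       split_part(c.email, '@', 2) AS customer_domain     -- redaction: domain only
FROM app.orders o
JOIN app.customers c                                      -- approved join
  ON c.id = o.customer_id AND c.workspace_id = o.workspace_id
WHERE o.workspace_id = (SELECT s.workspace_id FROM app.agent_scope s
                        WHERE s.role_name = current_user) -- tenant scope
  AND o.status = 'paid'
  AND NOT c.is_internal;                                  -- test/internal exclusion

CREATE ROLE agent_ws42 LOGIN;
INSERT INTO app.agent_scope VALUES ('agent_ws42', 42);
GRANT USAGE ON SCHEMA agent_api TO agent_ws42;
GRANT SELECT ON agent_api.paid_orders TO agent_ws42;

-- Check the surface as the agent role.
SET ROLE agent_ws42;
SELECT customer_domain, sum(revenue) FROM agent_api.paid_orders GROUP BY 1;
SELECT * FROM app.orders;  -- rejected: the role has no privileges on schema app
```

Because the view runs with its owner's privileges, the agent role needs no grant on the `app` schema at all. The tenant scope is tied to the login role rather than to a session setting, so nothing in the model's query text can change it.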
Longer version: Approved views for AI database agents
The practical rule: do not expose the schema first and hope the model remembers policy later. Encode the safe path before the agent starts querying.