The most dangerous AI database bug is rarely a syntax error.
It is the query that works, returns a polished answer, and quietly includes the wrong tenant.
For MCP database servers, tenant scope should not live in the prompt:
"Only answer for the current customer."
That is a preference, not a boundary.
The safer design is boring:
- derive tenant scope from auth, not user text
- expose approved views, not raw tables
- require scope before the tool runs
- fail closed when identity/scope is missing
- use read-only scoped DB roles
- log tenant, role, view, query ID, and audit event with the result
- require a separate privileged workflow for cross-tenant reporting
A model can forget a filter.
A database policy should not.
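As an added example (not code from the original post), a minimal Python sketch of the design above against an in-memory SQLite database: the tenant comes from a verified auth context rather than the prompt, the tool accepts only allowlisted views, it fails closed when the tenant is missing, a SQLite authorizer stands in for a read-only scoped DB role by denying every non-read statement, and each call returns an audit record with the result. The view name `orders_v`, the tenants `t-acme` and `t-globex`, and the role name `mcp_readonly` are constructed for the demo.

```python
import sqlite3
import uuid
from dataclasses import dataclass
from typing import Optional

# Allowlist of approved views and the one query shape allowed per view. Raw tables
# are never exposed; the tenant filter is a bound parameter the model cannot rewrite.
APPROVED_VIEWS = {
    "orders_v": "SELECT order_id, amount FROM orders_v WHERE tenant_id = ? ORDER BY order_id",
}
DB_ROLE = "mcp_readonly"  # constructed name for the scoped read-only role

@dataclass
class AuthContext:
    principal: str
    tenant_id: Optional[str]  # derived from the verified token, never from user text

class ScopeError(Exception):
    pass  # raised when the tool refuses to run: missing scope or unapproved view

def _readonly_authorizer(action, arg1, arg2, dbname, source):
    # Stand-in for a read-only DB role: permit reads, deny every other statement.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def build_demo_db() -> sqlite3.Connection:
    # Constructed sample data: two tenants sharing one table behind one approved view.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders (order_id INTEGER, tenant_id TEXT, amount REAL);
        INSERT INTO orders VALUES (1, 't-acme', 10.0), (2, 't-acme', 25.5),
                                  (3, 't-globex', 99.0);
        CREATE VIEW orders_v AS SELECT order_id, tenant_id, amount FROM orders;
    """)
    conn.set_authorizer(_readonly_authorizer)  # from here on, the connection is read-only
    return conn

def run_scoped_query(conn, auth: AuthContext, view: str):
    # Fail closed: no tenant in the auth context means no query at all.
    if not auth.tenant_id:
        raise ScopeError("no tenant scope in auth context; refusing to run")
    if view not in APPROVED_VIEWS:
        raise ScopeError(f"{view!r} is not an approved view")
    query_id = uuid.uuid4().hex
    rows = conn.execute(APPROVED_VIEWS[view], (auth.tenant_id,)).fetchall()
    audit = {"event": "mcp.db.query", "query_id": query_id, "tenant": auth.tenant_id,
             "principal": auth.principal, "role": DB_ROLE, "view": view, "rows": len(rows)}
    return rows, audit  # the audit record travels with the result
```

In a real deployment the role and the view allowlist live in the database and the MCP server's config, and the audit dict goes to your log pipeline; the point is that none of those controls depend on the prompt.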
Longer version: Tenant-scoped MCP database tools
AI database access gets much safer when the tool cannot return the wrong tenant in the first place.