The model can understand the question.
It should not be trusted to assemble the final executable SQL string.
That distinction matters when AI agents query production databases.
The risky pattern is simple:
- user asks a question
- model writes SQL
- system runs the SQL
Even when the model is usually correct, the failure mode is ugly: wrong table, wrong tenant, broad scan, unsafe filter, or a query that is syntactically valid but semantically wrong.
A safer workflow separates the layers:
- model identifies intent
- router selects an approved query template or view
- model proposes typed parameters
- execution layer validates tables, columns, tenant scope, and budgets
- database receives bound values, not string-concatenated SQL
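The layered workflow above as a runnable sketch. This is an added example, not code from the original post; the `orders` table, the `orders_by_status` template, `MAX_ROWS`, and `run_proposal` are hypothetical names, and an in-memory SQLite database stands in for production.

```python
import re
import sqlite3

# Approved templates (hypothetical). The SQL text is fixed; only bound values vary.
TEMPLATES = {
    "orders_by_status": {
        "sql": ("SELECT id, status, total FROM orders "
                "WHERE tenant_id = :tenant_id AND status = :status "
                "AND created_on >= :since ORDER BY id LIMIT :limit"),
        "params": {
            "status": lambda v: isinstance(v, str) and v in {"open", "paid", "refunded"},
            "since": lambda v: isinstance(v, str) and re.fullmatch(r"\d{4}-\d{2}-\d{2}", v),
        },
    },
}
MAX_ROWS = 100  # row budget enforced by the execution layer, not by the model

class Rejected(Exception):
    """Raised when a model proposal fails validation; nothing reaches the database."""

def run_proposal(conn, session_tenant_id, proposal):
    """Validate a model proposal {intent, params, limit}, then execute with bound values."""
    intent = proposal.get("intent")
    template = TEMPLATES.get(intent) if isinstance(intent, str) else None
    if template is None:
        raise Rejected("intent is not an approved template")
    params = proposal.get("params")
    if not isinstance(params, dict) or set(params) != set(template["params"]):
        raise Rejected("unexpected or missing parameters")
    for name, check in template["params"].items():
        if not check(params[name]):
            raise Rejected(f"parameter {name!r} failed validation")
    limit = proposal.get("limit", MAX_ROWS)
    if type(limit) is not int or not 1 <= limit <= MAX_ROWS:
        raise Rejected("limit outside row budget")
    # Tenant scope comes from the authenticated session, never from the model.
    bound = {**params, "tenant_id": session_tenant_id, "limit": limit}
    return conn.execute(template["sql"], bound).fetchall()

def demo_db():
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, tenant_id INTEGER, status TEXT, "
                 "total REAL, created_on TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, 10, "open", 25.0, "2024-03-01"), (2, 10, "paid", 40.0, "2024-03-05"),
        (3, 20, "open", 99.0, "2024-03-02")])
    return conn
```

A proposal that tries to supply its own `tenant_id`, an unlisted status value, or a limit above the budget is rejected before any SQL runs.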
Longer version: Parameterized queries for AI database agents
The practical rule:
The model can help choose what to ask. The infrastructure decides how it may be executed.