The fastest way to leak sensitive data through an AI database agent is to expose columns the model never needed.
Granting access at the table level is too coarse a boundary.
A customer table can contain useful business fields and risky fields at the same time:
- account name
- plan
- renewal date
- usage trend
- phone
- private notes
- raw payloads
- billing references
- internal flags
The agent may need the first four. It probably does not need the rest.
For production MCP database access, I would rather expose approved projections than raw tables:
- approved views for common business questions
- masked/pseudonymized fields by default
- aggregate-only modes for trend analysis
- structured refusal for blocked columns
- audit logs showing exactly which columns were returned
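The five pieces above, put together at the tool boundary, as an added example that is not code from the original post: a small Python tool layer over SQLite. The schema, the sample rows, the view names (`customers_for_agent`, `accounts_by_plan`), the allowlist and the `agent_select` function are all constructed for illustration. In a real deployment the agent's database role would additionally be granted SELECT only on the approved views, so the allowlist in the tool layer is a second barrier rather than the only one.

```python
"""Column-level gating for an MCP-style database tool (added example).

Constructed schema, rows and names; not the original post's code.
"""
import sqlite3
from datetime import datetime, timezone

# Constructed sample schema: the four fields the agent needs sit beside
# fields it does not (phone, notes, payloads, billing, flags).
SCHEMA = """
CREATE TABLE customers (
    id             INTEGER PRIMARY KEY,
    account_name   TEXT NOT NULL,
    plan           TEXT NOT NULL,
    renewal_date   TEXT NOT NULL,
    usage_trend    TEXT NOT NULL,
    phone          TEXT,
    private_notes  TEXT,
    raw_payload    TEXT,
    billing_ref    TEXT,
    internal_flags TEXT
);

-- Approved projection: business fields only, phone masked inside the view.
CREATE VIEW customers_for_agent AS
SELECT account_name, plan, renewal_date, usage_trend,
       '***-***-' || substr(phone, -4) AS phone_masked
FROM customers;

-- Aggregate-only projection for trend questions: no per-account rows at all.
CREATE VIEW accounts_by_plan AS
SELECT plan, count(*) AS accounts, sum(usage_trend = 'up') AS growing
FROM customers GROUP BY plan;
"""

# Constructed rows; the sensitive fields hold obviously fake values.
SAMPLE_ROWS = [
    (1, "Acme Corp", "enterprise", "2025-11-30", "up", "+1-555-0100",
     "churn risk, CEO unhappy", '{"card":"4111..."}', "INV-7781", "vip,legal_hold"),
    (2, "Globex", "pro", "2025-08-15", "flat", "+1-555-0199",
     "negotiating discount", '{"card":"5500..."}', "INV-7790", ""),
    (3, "Initech", "enterprise", "2026-01-02", "up", "+1-555-0142",
     "", "{}", "INV-7802", ""),
]

# Allowlist: approved object -> columns the agent may request. Nothing else
# is ever turned into SQL, so the model cannot steer identifier choice.
APPROVED = {
    "customers_for_agent": ("account_name", "plan", "renewal_date",
                            "usage_trend", "phone_masked"),
    "accounts_by_plan": ("plan", "accounts", "growing"),
}
# Named so a refusal can say which requested columns were sensitive.
SENSITIVE = {"phone", "private_notes", "raw_payload", "billing_ref", "internal_flags"}


def open_db():
    """In-memory database with the constructed schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def agent_select(conn, obj, columns, audit_log, limit=100):
    """The tool the model calls. Policy denials return a dict, never raise."""
    requested = tuple(columns)
    if obj not in APPROVED:
        return {"status": "refused", "reason": "object_not_approved", "object": obj}
    not_allowed = [c for c in requested if c not in APPROVED[obj]]
    if not_allowed:
        # Structured refusal: the model learns which columns are blocked and
        # what it may ask for instead; the database is never queried.
        return {
            "status": "refused",
            "reason": "columns_not_approved",
            "object": obj,
            "blocked": not_allowed,
            "sensitive": sorted(c for c in not_allowed if c in SENSITIVE),
            "allowed": list(APPROVED[obj]),
        }
    # Every identifier below came from the allowlist, so quoting them is
    # enough; row limit is a bound parameter.
    cols_sql = ", ".join('"%s"' % c for c in requested)
    sql = 'SELECT %s FROM "%s" LIMIT ?' % (cols_sql, obj)
    rows = conn.execute(sql, (limit,)).fetchall()
    # Audit exactly which columns left the database, not just "a query ran".
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "object": obj,
        "columns_returned": list(requested),
        "row_count": len(rows),
    })
    return {"status": "ok", "columns": list(requested), "rows": rows}


if __name__ == "__main__":
    db, audit = open_db(), []
    print(agent_select(db, "customers_for_agent", ["account_name", "phone"], audit))
    print(agent_select(db, "customers_for_agent", ["account_name", "phone_masked"], audit))
    print(agent_select(db, "accounts_by_plan", ["plan", "accounts", "growing"], audit))
    print(audit)
```

The refusal path is deliberately informative: a bare error tempts the model to retry with a different column name, whereas a refusal that lists the allowed projection steers it to the approved view. The audit entry records the column list rather than the SQL text, which is what a reviewer actually needs when asking "did the agent ever see phone numbers?".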
Longer version: Column-level permissions for AI database agents
The model should not be the thing deciding whether a sensitive field is safe to see.