A safe query can still return unsafe context.
The SQL might be read-only.
The role might be scoped.
The table might be approved.
But if the result includes raw emails, tokens, free-text support notes, internal identifiers, or more rows than the answer needs, the model now has sensitive material it did not need.
AI database agents need result redaction before summarization, not after.
Read-only does not mean safe-to-summarize
Read-only access prevents writes.
It does not decide which returned fields belong in model context.
A safer MCP database layer should apply:
- approved columns per tool, role, and tenant
- masked emails and identifiers by default
- blocked free-text fields unless explicitly approved
- summary-first results instead of raw exports
- row and byte budgets for returned context
- audit logs showing what was removed or masked
Prompting the model to ignore sensitive fields is weaker than not sending those fields in the first place.
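One way to implement the policy layer listed above, as an added example rather than code from the original post: the policy, column names and sample rows are constructed for illustration, and the redaction runs on the raw rows before anything is handed to the model, returning an audit record of what was masked or removed.

```python
import json
import re
from dataclasses import dataclass
@dataclass
class RedactionPolicy:  # one policy per tool, role and tenant (constructed values)
    approved: set           # columns passed through unchanged
    masked: set             # columns passed through only in masked form
    blocked_free_text: set  # free-text columns dropped and logged
    max_rows: int = 20      # row budget for model context
    max_bytes: int = 4000   # byte budget for the serialized context
EMAIL_RE = re.compile(r"^([^@])[^@]*@(.+)$")
def mask(value):
    """Email -> first char + domain; any other identifier -> last 4 chars."""
    s = str(value)
    m = EMAIL_RE.match(s)
    if m:
        return f"{m.group(1)}***@{m.group(2)}"
    return "***" + s[-4:] if len(s) > 4 else "***"
def redact_results(rows, policy):
    """Apply the policy to raw rows before summarization; returns (context, audit)."""
    audit = {"masked": set(), "blocked_free_text": set(), "unapproved": set(),
             "rows_truncated": 0, "bytes_truncated": False}
    out = []
    for row in rows[:policy.max_rows]:
        kept = {}
        for col, val in row.items():
            if col in policy.masked:
                kept[col] = mask(val)
                audit["masked"].add(col)
            elif col in policy.approved:
                kept[col] = val
            elif col in policy.blocked_free_text:
                audit["blocked_free_text"].add(col)
            else:
                audit["unapproved"].add(col)  # default deny: column on no list
        out.append(kept)
    audit["rows_truncated"] = max(0, len(rows) - policy.max_rows)
    while out and len(json.dumps(out)) > policy.max_bytes:  # enforce byte budget
        out.pop()
        audit["bytes_truncated"] = True
    return out, audit
SAMPLE_ROWS = [  # constructed sample query result, not real data
    {"ticket_id": 48213, "email": "alice@example.com", "status": "open",
     "notes": "Card ending 4242 charged twice", "api_token": "tok_live_9f8e7d6c"},
    {"ticket_id": 48214, "email": "bob@example.org", "status": "closed",
     "notes": "Resolved by refund", "api_token": "tok_live_1a2b3c4d"},
]
POLICY = RedactionPolicy(approved={"ticket_id", "status"}, masked={"email"},
                         blocked_free_text={"notes"}, max_rows=1)
```

With this policy the model receives only a masked email, the ticket id and the status for a single row, while the audit record shows that the notes column was blocked, the token column was never approved, and one row was cut by the row budget.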
Longer version: Result redaction for AI database agents
The practical rule:
If the answer does not need a field, the model should never receive it.