The fastest way to make an AI database agent dangerous is to connect it with the same credential a senior engineer uses in production.
The model does not need your admin key.
It needs a narrow, explicit operating lane.
A safer MCP database setup starts with the job:
- answer product analytics questions
- inspect support tickets
- summarize operational metrics
- prepare a write action for human approval
Each job deserves its own credential scope.
Read-only should be the default, usually against approved views rather than raw application tables.
Writes need a different lane entirely:
- separate role
- separate tool
- dry-run preview
- rows/objects affected
- approval requirement
- audit receipt after execution
Longer version: Scoped credentials for MCP database servers
The practical rule:
Do not expose a database connection first and decide policy later. Define the job, then issue the smallest credential that can do that job.