A production AI database agent should not always try harder. Sometimes the safest answer is no. Or more precisely: I cannot run that query with the current scope, permissions, and context.

That is fail-closed behavior. It is less exciting than a perfect demo, but it is the difference between useful automation and a system that quietly crosses boundaries.

What fail-open looks like

Fail-open tools keep going when something is unclear.

- the tenant is missing, so the tool runs a broad query
- schema context is stale, so the model guesses
- a result is truncated, so the model summarizes it as complete
- a user asks for a write, so the agent hides it inside a general SQL tool

These failures often look like helpfulness. They are not helpful in production.

Fail closed on missing scope

If the workflow requires tenant, account, workspace, or user scope, missing scope should stop execution. A database tool should not infer scope from a vague prompt.…
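
A fail-closed read tool that refuses each of the four fail-open cases listed above, as an added example that is not code from the original post. `ToolRequest`, `Refused`, `run_read_query`, the schema version and the row cap are hypothetical names and constructed values; SQLite stands in for the production database.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

CURRENT_SCHEMA_VERSION = 3   # constructed value for this example
MAX_ROWS = 2                 # constructed; kept small so the sample data truncates

class Refused(Exception):
    """The tool stopped instead of guessing."""

@dataclass(frozen=True)
class ToolRequest:           # hypothetical request shape, not a real agent framework's
    tenant_id: Optional[str] # set from the authenticated session, never from prompt text
    schema_version: int      # version of the schema context the model was given
    sql: str                 # must filter on the :tenant_id bind parameter

def make_sample_db():
    """In-memory database with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (tenant_id TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [("t1", "a"), ("t1", "b"), ("t1", "c"), ("t2", "x")])
    conn.commit()
    return conn

def run_read_query(conn, req):
    if not req.tenant_id:
        raise Refused("missing tenant scope")
    if req.schema_version != CURRENT_SCHEMA_VERSION:
        raise Refused("stale schema context")
    if ":tenant_id" not in req.sql:  # minimal check; it does not prove the filter is correct
        raise Refused("query is not bound to tenant scope")
    conn.execute("PRAGMA query_only = ON")  # writes now fail in SQLite itself
    try:
        cur = conn.execute(req.sql, {"tenant_id": req.tenant_id})
        rows = cur.fetchmany(MAX_ROWS + 1)  # one extra row reveals truncation
    except sqlite3.Error as exc:
        raise Refused(f"database rejected the query: {exc}") from exc
    return {"rows": rows[:MAX_ROWS], "truncated": len(rows) > MAX_ROWS}

def outcome(conn, req):
    """Return the result, or the refusal reason as a string."""
    try:
        return run_read_query(conn, req)
    except Refused as exc:
        return f"refused: {exc}"
```

The `truncated` flag travels with the rows so the model cannot present a capped result as complete, and the write is blocked by the connection rather than by parsing the SQL text.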