Short-lived credentials are not optional for AI database agents

DEV Community·Mads Hansen·25 days ago
#mcp #database #ai #security #credential #access

The risky part of AI database access is not the first query. It is the credential that keeps working after the demo.

Static service keys are convenient. They are also exactly how a harmless prototype turns into standing access to live business data.

AI agents are different from normal backend services. They can choose tools dynamically, retry tasks, carry context across steps, and chain actions in ways the original developer may not have listed one by one.

That does not mean agents are unusable. It means credential lifetime is part of the architecture.

The better default

For database-facing agents, I would rather see:

- per-session credentials for interactive users
- per-task credentials for automation
- separate roles for read/reporting tools vs write/admin tools
- short TTLs for higher-privilege access
- no credentials stored in prompts, traces, or long-term memory

Short-lived access reduces exposure time. But TTL is only half the story. A short-lived admin credential is still an admin credential.…
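A sketch of a broker that applies the defaults listed above, added here as an example and not taken from the original post. It assumes a PostgreSQL backend; the parent role names, TTL caps, and the `issue_lease` / `provisioning_sql` helpers are hypothetical.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy: one parent role and one TTL ceiling per tool class.
# Scope comes from the parent role, lifetime from the cap; both are enforced.
POLICY = {
    "read":  {"parent": "agent_readonly", "max_ttl": timedelta(minutes=30)},
    "write": {"parent": "agent_writer",   "max_ttl": timedelta(minutes=5)},
}

@dataclass(frozen=True)
class Lease:
    role: str
    password: str = field(repr=False)  # never rendered into logs, traces or memory
    parent: str = ""
    expires_at: datetime = None

    def is_valid(self, now):
        return now < self.expires_at

def issue_lease(task_id, tool_class, requested_ttl, now):
    """Mint one credential per task, scoped to a tool class, with a capped TTL."""
    policy = POLICY.get(tool_class)
    if policy is None:
        raise PermissionError(f"no credentials for tool class {tool_class!r}")
    if not (task_id.isascii() and task_id.isalnum()):
        raise ValueError("task_id must be ASCII alphanumeric")  # it becomes an identifier
    if requested_ttl <= timedelta(0):
        raise ValueError("requested_ttl must be positive")
    ttl = min(requested_ttl, policy["max_ttl"])  # the caller cannot extend the cap
    return Lease(
        role=f"agent_{tool_class}_{task_id}",
        password=secrets.token_urlsafe(32),
        parent=policy["parent"],
        expires_at=now + ttl,
    )

def provisioning_sql(lease):
    """Statement the broker, not the agent, runs to create the temporary role."""
    # The role name is validated above; token_urlsafe output contains no quotes.
    return (
        f"CREATE ROLE {lease.role} LOGIN PASSWORD '{lease.password}' "
        f"VALID UNTIL '{lease.expires_at.isoformat()}' IN ROLE {lease.parent};"
    )
```

In PostgreSQL, `VALID UNTIL` only stops new password logins after the timestamp; sessions that are already open keep running, so the broker still has to terminate them and drop the role when the lease ends.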
