The easiest way to make an AI database agent dangerous is to let tenant scope become a suggestion. A human analyst usually knows that a customer support question should only touch one account. A model does not know that unless the system makes the boundary explicit. And if the boundary lives only in a prompt, it is not a boundary. It is a preference. Why this matters Most SaaS databases contain data from many customers in the same logical system. Application code normally adds the current tenant, workspace, account, or organization filter automatically. Natural-language SQL changes the path. The user asks: show me recent failed syncs or: which invoices are overdue? The agent turns that into a query. If the system does not enforce tenant scope outside the model, the agent may generate a valid query that answers the wrong audience. The failure may not look like a crash. It may look like a plausible answer with other customers' data included.…