A lot of AI database safety discussions start and stop at read-only access. Read-only is necessary. It is not sufficient. A read-only agent with broad table access can still return customer records, private notes, billing details, free-text fields, and operational data that was never needed for the question. The agent did not mutate anything. It still saw too much. That is why data minimization matters for AI database workflows. Most users want an answer, not a dump A useful agent does not need unlimited rows. It needs: the right approved view enough schema context scoped permissions row limits redaction before data reaches the model audit logs showing what was returned The model should not receive every table just because the database role can technically read it. Approved views beat raw tables Approved views let teams encode: safe columns valid joins source-of-truth metrics default filters fields that should never leave the database That improves security and answer quality at the same time.…