The first successful AI database query is not the milestone. It's the trap. Because the demo question is always harmless: What was revenue last month? Then the connector spreads. More people use it. More clients get wired in. More tables become reachable. Suddenly, the thing you treated as a convenience layer is sitting between natural language and production data. That is not a shortcut anymore. It is a control plane. The five boundaries that matter Before connecting Claude, ChatGPT, Cursor, or an internal agent to live data, teams should define five things clearly: Identity — who is asking, through which client, and under which workspace? Scope — which schemas, views, columns, and tools are in bounds? Schema context — what does the data actually mean in business terms? Execution limits — how much can be queried, returned, or attempted? Auditability — what can be reviewed later when an answer matters? If those boundaries are vague, the connector becomes a thin wrapper around credentials.…