The riskiest AI database workflow is not a bad SELECT . It is a write that looks reasonable. Update the customer status. Fix the subscription record. Mark these invoices as reviewed. Some writes are legitimate. That does not mean the model should approve them. The model should propose, not decide An AI agent can help prepare a change: inspect context draft the SQL or API call explain the expected side effect identify related records produce a dry-run summary But approval should live outside the model loop. If the same system that generated the change also decides it is safe, the approval gate is mostly theater. Show the diff before approval A useful approval request should include: exact operation affected entity IDs before and after values estimated row count policy rule that requires approval rollback or compensation path audit identifier Approval is not a substitute for scope. Writes still need tenant scope, role separation, type validation, and deterministic execution.…