Read-only is the right default for AI database access.

Most teams do not need an agent to change production data. They need it to answer questions from live systems without waiting for a SQL handoff.

But eventually, useful workflows drift toward actions:

- update a ticket
- tag an account
- refresh a derived table
- draft a config change
- trigger a downstream workflow

That is where “the prompt says ask first” stops being a real control. The approval gate has to live in the tool layer.

Do not jump from read-only to full write access

The dangerous pattern is treating write access as one switch. Read-only feels safe. Write access feels useful. So a team adds a broader credential, exposes a generic SQL tool, and relies on the model to be careful.

That is not production architecture.

Better intermediate states are:

- draft-only tools
- preview tools
- approval-required tools
- allowlisted stored procedures
- rollback-aware workflows

The agent can help prepare the work without automatically crossing the final boundary.…
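
One way to place the approval gate in the tool layer rather than the prompt, shown as an added example that is not code from the original article. The `accounts` table, the `tag_account` action, and the HMAC-bound approval token are assumptions chosen for illustration.

```python
import hashlib, hmac, json, secrets, sqlite3

# Assumption: in production this key lives in a separate approval service, not the agent process.
APPROVER_KEY = secrets.token_bytes(32)
# Allowlist of named actions with fixed, parameterized SQL; no generic SQL tool exists.
ALLOWED = {"tag_account": "UPDATE accounts SET tag = :tag WHERE id = :account_id"}

class ApprovalRequired(Exception):
    """Raised when a write is attempted without approval for these exact parameters."""

def draft(action, params):
    """Agent-callable. Checks the allowlist and returns a preview; writes nothing."""
    if action not in ALLOWED:
        raise PermissionError(f"action not allowlisted: {action}")
    body = json.dumps({"action": action, "params": params}, sort_keys=True)
    return {"action": action, "params": params, "sql": ALLOWED[action],
            "digest": hashlib.sha256(body.encode()).hexdigest()}

def approve(digest):
    """Reviewer-side only. Signs the digest of one reviewed draft."""
    return hmac.new(APPROVER_KEY, digest.encode(), hashlib.sha256).hexdigest()

def execute(conn, action, params, approval=None):
    """Agent-callable. Recomputes the digest so an approval cannot be reused for other params."""
    proposal = draft(action, params)
    expected = approve(proposal["digest"])
    if approval is None or not hmac.compare_digest(approval, expected):
        raise ApprovalRequired(proposal["digest"])
    with conn:  # commit on success, roll back on error
        return conn.execute(proposal["sql"], params).rowcount

def demo():
    conn = sqlite3.connect(":memory:")  # constructed sample data
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, tag TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, 'trial'), (2, 'trial')")
    reviewed = {"account_id": 1, "tag": "churn-risk"}
    token = approve(draft("tag_account", reviewed)["digest"])
    results = {}
    attempts = {"no_approval": (reviewed, None),
                "params_changed": ({"account_id": 2, "tag": "churn-risk"}, token),
                "approved": (reviewed, token)}
    for name, (params, approval) in attempts.items():
        try:
            results[name] = execute(conn, "tag_account", params, approval)
        except ApprovalRequired:
            results[name] = "blocked"
    results["tags"] = [r[0] for r in conn.execute("SELECT tag FROM accounts ORDER BY id")]
    return results

if __name__ == "__main__":
    print(demo())
```

Because the approval is computed over the action and its parameters, a token issued for one reviewed draft does not authorize the same action against a different row.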