For two decades the database has been able to outsource trust to the application layer. The app authenticated users, sanitized inputs, enforced business rules, and the DB just executed whatever came through the connection pool. That worked because the caller was almost always software written by someone, reviewed by someone, and shipped on a release train. Agents don't fit that picture. Once an LLM with tool access holds a live connection to your production database, the assumptions behind the application-as-perimeter model stop being true:

- Connections aren't short-lived anymore. A tool-using agent can keep a session open across a long reasoning loop, with the SQL emerging one token at a time.
- The caller isn't deterministic. Two runs of the same prompt can produce different queries. Sometimes very different ones.
- Writes aren't intentional in the way a human commit is. An agent will issue an UPDATE without a WHERE clause if its plan says so.
- Failures don't surface loudly.…
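One way to contain the unscoped UPDATE mentioned above, as an added example that is not from the original article: the write runs inside a transaction and is rolled back when it changes more rows than a fixed budget. SQLite stands in for the production database, and the `accounts` table, the five-row budget and the function names are all assumptions made for illustration.

```python
import sqlite3

MAX_ROWS_PER_WRITE = 5  # assumed per-statement write budget for the agent's role


class WriteBudgetExceeded(Exception):
    """Raised when one statement changes more rows than the budget allows."""


def make_db():
    # Constructed sample data: 100 accounts, all 'active'.
    conn = sqlite3.connect(":memory:", isolation_level=None)  # manual transactions
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany(
        "INSERT INTO accounts (id, status) VALUES (?, 'active')",
        [(i,) for i in range(1, 101)],
    )
    return conn


def run_agent_write(conn, sql, params=()):
    """Execute one agent-generated write; roll back if it exceeds the budget.

    The check is on the effect (rows changed), not on the SQL text, so it
    holds however the non-deterministic caller phrases the statement.
    """
    conn.execute("BEGIN IMMEDIATE")
    try:
        cur = conn.execute(sql, params)  # sqlite3 accepts a single statement only
        if cur.rowcount > MAX_ROWS_PER_WRITE:
            raise WriteBudgetExceeded(
                f"{cur.rowcount} rows affected, budget is {MAX_ROWS_PER_WRITE}"
            )
        conn.execute("COMMIT")
        return cur.rowcount
    except Exception:
        conn.execute("ROLLBACK")  # nothing from the rejected write persists
        raise


def count_status(conn, status):
    # Helper for inspecting the table after a write attempt.
    return conn.execute(
        "SELECT COUNT(*) FROM accounts WHERE status = ?", (status,)
    ).fetchone()[0]
```

Because the guard measures rows changed, a statement such as `UPDATE accounts SET status = 'closed' WHERE 1=1` is rejected the same way as one with no WHERE clause at all.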