The fastest way to leak sensitive data through an AI database agent is to expose columns the model never needed. Table access is too broad. A customer table can contain useful business fields and risky fields at the same time: The agent may need the first four. It probably does not need the rest. For production MCP database access, I would rather expose approved projections than raw tables: Longer version: Column-level permissions for AI database agents The model should not be the thing deciding whether a sensitive field is safe to see.
Multi-BU D365 environment: single tenant, multiple LEs