The fastest way to make an AI database agent dangerous is to connect it with the same credential a senior engineer uses in production. The model does not need your admin key. It needs a narrow, explicit operating lane. A safer MCP database setup starts with the job: Each job deserves its own credential scope. Read-only should be the default. Usually against approved views, not raw application tables. Writes need a different lane entirely: Longer version: Scoped credentials for MCP database servers The practical rule: Do not expose a database connection first and decide policy later. Define the job, then issue the smallest credential that can do that job.
Multi-BU D365 environment: single tenant, multiple LEs