QueryShield

Is database RLS enough to secure an LLM SQL agent?

No. RLS is necessary, not sufficient. RLS has four blind spots when used as the sole control:

1. It doesn't block schema mutations. A misconfigured agent role with DROP privilege will happily drop tables; RLS only governs row visibility on SELECT/UPDATE/DELETE.
2. It doesn't enforce column-level redaction by default. SELECT * FROM users returns every column the role can see, including PII you'd rather not surface to the LLM context.
3. It produces poor error messages for the LLM. A row-filtered empty result looks like "no data" to the model, which may retry with a broader query.
4. It's per-table. Missing a policy on one table creates a silent gap.

The right architecture is AST validator + policy engine *and* RLS. The AST layer catches 99% of bad queries with explainable errors the LLM can recover from. RLS is the last-line guarantee in case the AST layer is bypassed or misconfigured. Defense in depth.
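Blind spots 1 and 4 can be checked from the database catalog before the agent is ever connected. The audit below is an added example, not QueryShield's own code; it assumes PostgreSQL, and the role name llm_agent and schema public are placeholders for your own.

```sql
-- Added example. Assumes PostgreSQL; 'llm_agent' and 'public' are placeholder
-- names for the agent's login role and the schema it queries.

-- 1. Role-level switches that make every RLS policy irrelevant.
SELECT rolname,
       rolsuper,                -- superusers bypass RLS entirely
       rolbypassrls,            -- BYPASSRLS attribute does the same
       has_schema_privilege(rolname, 'public', 'CREATE') AS can_create_in_schema
FROM pg_roles
WHERE rolname = 'llm_agent';

-- 2. Per-table gaps, limited to tables the agent can touch at all.
--    A row returned here is a table where RLS is not protecting you.
SELECT c.relname             AS table_name,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced,
       (SELECT count(*) FROM pg_policy p WHERE p.polrelid = c.oid) AS policy_count,
       -- Owners can DROP/ALTER the table and skip RLS unless it is forced.
       pg_has_role('llm_agent', c.relowner, 'USAGE')       AS agent_is_owner,
       -- TRUNCATE is a whole-table operation and is not subject to RLS.
       has_table_privilege('llm_agent', c.oid, 'TRUNCATE') AS can_truncate
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')   -- ordinary and partitioned tables
  AND has_table_privilege('llm_agent', c.oid,
                          'SELECT, INSERT, UPDATE, DELETE, TRUNCATE')
  AND (NOT c.relrowsecurity
       OR pg_has_role('llm_agent', c.relowner, 'USAGE')
       OR has_table_privilege('llm_agent', c.oid, 'TRUNCATE'))
ORDER BY c.relname;
```

A table with rls_enabled true and policy_count 0 is default-deny for non-owners in PostgreSQL, so the second query does not report it. Running both queries in CI after each migration catches a new table that shipped without a policy.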