Is it safe to let Claude or ChatGPT write SQL against my production database?
Not without guardrails — and not with a connection string that has more than the minimum privileges. The realistic risk model has three tiers:
- Catastrophic (low probability, high impact): schema mutation (DROP TABLE, TRUNCATE, ALTER) or mass deletion. Prevented by a statement-type allowlist in front of the database (a single SELECT is accepted; anything else, including a query the validator cannot parse, is rejected) plus a DB role with no DDL and no write privileges, so the database enforces the same rule even if the validator is bypassed.
- Exfiltration (medium probability, high impact): UNION-based or subquery-based reads outside the agent's intended scope. Example: an agent asked "what's my Q4 revenue?" returns a query that also pulls users.password_hash. Prevented by a column-level policy evaluated on the parsed AST rather than the raw text, so every column reference, including those inside UNION branches, subqueries and CTEs, is checked against an allowlist. The curated view layer is the backstop: a column that appears in no view the role can read is unreachable however the query is phrased.
- Scope creep (high probability, medium impact): the agent runs a valid query that touches data the user shouldn't see: another tenant's rows, another employee's salary. Prevented by a row-level policy bound to request context. The tenant or user identity must come from the authenticated request (a session setting, or a filter the policy engine injects), never from the WHERE clause the LLM wrote, which it can omit or get wrong.
Production-safe pattern: (1) a dedicated DB role with SELECT only on a curated view layer (no DDL, no writes, no access to the base tables), (2) an AST validator + policy engine between the LLM and the DB (QueryShield or equivalent) that fails closed on anything it cannot parse, (3) an evidence log (prompt, generated SQL, policy decision, executing principal) shipped to your SIEM. With those three in place, letting an LLM author SQL is comparable in risk to letting a junior analyst with read access to a sanctioned view query the warehouse: the remaining exposure is bounded by what the view layer exposes, not by what the model writes.
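The database side of step (1) and of the row-level policy, written out for PostgreSQL as an added example (this is not code from the original page and not QueryShield's own; every name in it, the schemas app and llm_views, the roles app_owner, llm_view_owner and llm_agent, the setting app.tenant_id and the two tables, is a hypothetical stand-in for your own schema). It assumes the provisioning script runs as a superuser and that the application sets app.tenant_id per request from the authenticated session, never from LLM output.

```sql
-- Base tables live in a schema the agent role never gets USAGE on, owned by
-- the application role (hypothetical names throughout).
CREATE ROLE app_owner NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;
SET ROLE app_owner;
CREATE TABLE app.users (
    id            bigint PRIMARY KEY,
    tenant_id     bigint NOT NULL,
    email         text   NOT NULL,
    password_hash text   NOT NULL           -- must never be reachable by the agent
);
CREATE TABLE app.orders (
    id           bigint PRIMARY KEY,
    tenant_id    bigint NOT NULL,
    user_id      bigint NOT NULL REFERENCES app.users(id),
    amount_cents bigint NOT NULL,
    ordered_at   date   NOT NULL
);

-- Row-level policy bound to request context. The application sets
-- app.tenant_id with SET LOCAL inside each request's transaction. If it is
-- unset, current_setting(..., true) returns NULL (NULLIF covers the
-- empty-string case after a reset), the comparison yields NULL and no rows
-- match: a missing context fails closed, not open.
ALTER TABLE app.users  ENABLE ROW LEVEL SECURITY;
ALTER TABLE app.orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON app.users FOR SELECT
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::bigint);
CREATE POLICY tenant_isolation ON app.orders FOR SELECT
    USING (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::bigint);
RESET ROLE;

-- Curated view layer. The views are owned by a role that is NOT the table
-- owner, so the RLS policies above apply when the views are read (a table
-- owner bypasses RLS unless FORCE ROW LEVEL SECURITY is set).
CREATE ROLE llm_view_owner NOLOGIN;
GRANT USAGE ON SCHEMA app TO llm_view_owner;
GRANT SELECT ON app.users, app.orders TO llm_view_owner;
CREATE SCHEMA llm_views AUTHORIZATION llm_view_owner;
SET ROLE llm_view_owner;
CREATE VIEW llm_views.users AS
    SELECT id, email FROM app.users;                    -- password_hash omitted
CREATE VIEW llm_views.orders AS
    SELECT id, user_id, amount_cents, ordered_at         -- tenant_id is enforced by
    FROM app.orders;                                     -- RLS, not exposed
RESET ROLE;

-- The role in the LLM's connection string: SELECT on the views and nothing
-- else. Password is set out of band, not in a script.
CREATE ROLE llm_agent LOGIN;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;  -- no scratch tables (default grant on PG < 15)
GRANT USAGE ON SCHEMA llm_views TO llm_agent;
GRANT SELECT ON ALL TABLES IN SCHEMA llm_views TO llm_agent;   -- views count as tables here
ALTER ROLE llm_agent SET default_transaction_read_only = on;    -- belt and braces
ALTER ROLE llm_agent SET statement_timeout = '5s';              -- bound runaway joins

-- Per request, the application (not the agent) wraps the generated query:
--   BEGIN; SET LOCAL app.tenant_id = '42'; <agent's SELECT>; COMMIT;

-- Checks to run as llm_agent after provisioning:
--   SELECT password_hash FROM llm_views.users;   -- ERROR: column does not exist
--   SELECT * FROM app.users;                     -- ERROR: permission denied for schema app
--   DROP TABLE llm_views.orders;                 -- ERROR: must be owner of view orders
--   SELECT count(*) FROM llm_views.orders;       -- 0 rows unless app.tenant_id was set
```

The point of the separate view-owner role is that Postgres evaluates a view with its owner's privileges: if the views were owned by app_owner, RLS would not apply and every tenant's rows would be visible through them. The AST validator still belongs in front of this; the database layer is what holds when the validator is wrong about a dialect quirk.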