How do I sandbox an AI agent's database access?

Question

Accepted Answer

Five layers of sandboxing, applied together: 1. **Dedicated DB user per agent.** Never reuse application creds. 2. **Read-only by default.** Grant `SELECT` only; promote to write only with justification. 3. **Views, not tables.** Grant access to curated views (`v_orders_for_agent`) that pre-filter PII columns and apply joins the agent shouldn't compose itself. 4. **Connection-level limits.** `statement_timeout`, `idle_in_transaction_session_timeout`, `max_connections` per role. 5. **AST guardrail in the application layer.** QueryShield or equivalent — statement-type allowlist, policy DSL, evidence log. Optional advanced layer: **read replica with a delayed sync** for agents handling exploratory analytics. A 5-minute-delayed replica is functionally identical for most analytics but eliminates the (already-low) risk of an agent affecting transactional performance and makes destructive mutations physically impossible.