QueryShield

What is scope creep in LLM SQL agents?

Scope creep is when an LLM-generated query is syntactically valid, semantically reasonable, and yet accesses data the *requesting user* shouldn't see — typically because the agent omits a tenant or user filter that the surrounding application would normally enforce.

Example: a customer-support agent for a SaaS company is asked "show me recent orders." The agent emits `SELECT * FROM orders ORDER BY created_at DESC LIMIT 10` — and returns the most recent orders *across all tenants*, because no `tenant_id = ?` predicate was included.

This is not a malicious attack — it's a default failure mode of LLMs. The model doesn't know about your tenancy model unless told, and even then forgets it 5% of the time.

Defense: required predicates per table, enforced on the AST. The policy states that any query reading `orders` must contain `tenant_id = :ctx.tenant_id` in its WHERE clause (and in every branch of every UNION/JOIN, not just the first). If the LLM omits it, the validator either rejects the query with a recoverable error ("missing required predicate tenant_id") that can be fed back to the model, or rewrites the AST to inject the predicate. QueryShield supports both modes.
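The following is an added illustration of the two modes described above, not QueryShield's own code: a token-level stand-in for the AST walk that checks every UNION branch touching a governed table for its required predicate, and either rejects or injects it. The `REQUIRED` policy table, the mode names `reject` and `rewrite`, and the sample queries are assumptions constructed for this example.

```python
import re

# Assumed policy: required predicate per governed table (mirrors the page's orders example).
REQUIRED = {"orders": "tenant_id = :ctx.tenant_id"}

# Clauses that may follow WHERE; they mark where an injected predicate must stop.
_TAIL = re.compile(r"\b(GROUP\s+BY|HAVING|ORDER\s+BY|LIMIT)\b", re.I)
# Top-level set operators; the capture group keeps them so the query can be reassembled.
_UNION = re.compile(r"(\bUNION(?:\s+ALL)?\b)", re.I)


def _references(branch, table):
    """True if this SELECT branch reads `table` via FROM or JOIN."""
    return re.search(rf"\b(FROM|JOIN)\s+{table}\b", branch, re.I) is not None


def _inject(branch, pred):
    """Add `pred` to one branch, AND-ing it with any existing WHERE body."""
    where = re.search(r"\bWHERE\b", branch, re.I)
    start = where.end() if where else 0
    tail = _TAIL.search(branch, start)
    stop = tail.start() if tail else len(branch)
    if where:
        body = branch[start:stop].strip()          # existing predicate, kept intact
        return f"{branch[:start]} {pred} AND ({body}) {branch[stop:]}"
    return f"{branch[:stop]} WHERE {pred} {branch[stop:]}"


def validate(sql, mode="reject"):
    """Return (True, sql) when every governed branch carries its predicate.

    In 'reject' mode a violation yields (False, error_message); in 'rewrite'
    mode the predicate is injected and (True, rewritten_sql) is returned.
    Simplification: subqueries and CTEs are not walked; a real implementation
    applies the same rule to every SELECT node of the parsed AST.
    """
    parts = _UNION.split(sql)                      # [branch, UNION op, branch, ...]
    for i in range(0, len(parts), 2):              # even indices are SELECT branches
        for table, pred in REQUIRED.items():
            if not _references(parts[i], table):
                continue
            if re.search(re.escape(pred), parts[i], re.I):
                continue                           # predicate already present
            column = pred.split("=")[0].strip()
            if mode == "reject":
                return False, f"missing required predicate {column} on {table}"
            parts[i] = _inject(parts[i], pred)
    return True, " ".join("".join(parts).split())  # normalise whitespace
```

In rewrite mode the existing WHERE body is parenthesised before the tenant predicate is AND-ed in, so an `OR` written by the model cannot widen the scope past the injected filter.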