Your MCP database server should not use an admin key

The fastest way to make an AI database agent dangerous is to connect it with the same credential a senior engineer uses in production. The model does not need your admin key. It needs a narrow, explicit operating lane. A safer MCP database setup starts with the job: answer product analytics questions inspect tickets summarize operational metrics prepare a write action for human approval Each job deserves its own credential scope. Read-only should be the default. Usually against approved views, not raw application tables.