How to give your team AI access to your database without compromising security
Read-only connections are the baseline, not the solution. Here's what you actually need: table-level access controls, centralized credentials, query logging, and shared context.
Your team wants to use Claude or ChatGPT to query company data. Your job is to make sure that happens without exposing sensitive tables, leaking credentials, or letting someone accidentally run a query that takes down production.
I've set this up for multiple teams now. The connection part is easy. The safety part is where most setups fall apart. Here's what you actually need to think about.
Read-only is the baseline, not the ceiling
Every guide starts with “use a read-only database user.” That's correct but insufficient. Read-only prevents writes. It doesn't prevent:
- Expensive queries. A SELECT with no LIMIT against a billion-row table will lock your read replica and spike your cloud bill.
- Sensitive data exposure. Read-only on the entire database means the AI can query your payroll table, your PII columns, your internal pricing data. Everyone on the team sees everything.
- Credential sprawl. If each person configures their own connection, the database password lives in plaintext JSON files on 10 laptops. One stolen laptop and you're rotating credentials for everyone.
Read-only is step one. Not the whole solution.
The six things you need
1. Read-only connection to a replica. Never point AI queries at your production primary. Use a read replica. Even read-only queries can cause lock contention and affect your app.
2. Table-level access controls. Not everyone should see every table. Your marketing team queries campaign tables. Your finance team queries revenue tables. Nobody should accidentally stumble into employee compensation or customer PII. This needs to be configurable per user or per group, not per database role.
3. Centralized credentials. One connection, managed by the admin. Individual users authenticate through the platform, not by pasting a connection string into a config file. When someone leaves the company, you revoke their platform access. The database credentials never change.
4. Query logging. Every question asked, every SQL query generated, every result returned. If someone asks something they shouldn't have access to, you know. If a query returns wrong results, you can trace what happened.
5. Shared business context. This isn't a security feature but it prevents a different kind of damage. Without shared metric definitions, two people ask “what's revenue” and get different numbers. One of those numbers ends up in a board deck. That's a trust problem that's hard to recover from.
6. No raw database access for end users. Users should interact through the AI tool (Claude, ChatGPT) with the context layer in between. They should never see a connection string, never configure a local MCP server, never touch database credentials.
What most teams do instead
Most teams skip the safety layer entirely. They share a connection string in Slack, everyone configures their own MCP server, and the data engineer hopes nothing goes wrong.
It works for a while. Then someone queries a table they shouldn't see. Or the connection string gets committed to a repo. Or the AI runs a cartesian join that costs $400 in BigQuery compute. And the data engineer either shuts down access entirely or spends a week building a custom wrapper.
Neither outcome is good. Shutting it down kills the productivity gain. Building a custom wrapper is weeks of work that has to be maintained forever.
How Contextflo handles this
Contextflo is the layer between your database and the AI tools your team uses. You connect your database once with read-only credentials. Your team authenticates through Contextflo, not through database credentials.
Here's what you get:
| Concern | Raw MCP | Contextflo |
|---|---|---|
| Credentials | On every laptop | Centralized, never exposed to users |
| Table access | Everyone sees everything | Per-user, per-group table scoping |
| Query logging | None | Every question and query logged |
| Offboarding | Rotate DB password for everyone | Revoke one user's access |
| Metric consistency | Each person's prompt notes | Shared definitions for everyone |
Works with Postgres, Snowflake, BigQuery, Redshift, MySQL, ClickHouse, and Databricks. Setup takes about 15 minutes.
Related reading
- Access control for AI analytics: how table-level ACL works in practice
- How to use Claude with Postgres: the full setup guide for teams
- ACL in agentic analytics: why hiding tables from the AI improves accuracy