Contextflo Blog

How to give your team AI access to your database without compromising security

Read-only connections are the baseline, not the solution. Here's what you actually need: table-level access controls, centralized credentials, query logging, and shared context.

July 3, 20266 min readVivek Sah

Your team wants to use Claude or ChatGPT to query company data. Your job is to make sure that happens without exposing sensitive tables, leaking credentials, or letting someone accidentally run a query that takes down production.

I've set this up for multiple teams now. The connection part is easy. The safety part is where most setups fall apart. Here's what you actually need to think about.

Read-only is the baseline, not the ceiling

Every guide starts with “use a read-only database user.” That's correct but insufficient. Read-only prevents writes. It doesn't prevent:

  • Expensive queries. A SELECT with no LIMIT against a billion-row table will lock your read replica and spike your cloud bill.
  • Sensitive data exposure. Read-only on the entire database means the AI can query your payroll table, your PII columns, your internal pricing data. Everyone on the team sees everything.
  • Credential sprawl. If each person configures their own connection, the database password lives in plaintext JSON files on 10 laptops. One stolen laptop and you're rotating credentials for everyone.

Read-only is step one. Not the whole solution.

The six things you need

1. Read-only connection to a replica. Never point AI queries at your production primary. Use a read replica. Even read-only queries can cause lock contention and affect your app.

2. Table-level access controls. Not everyone should see every table. Your marketing team queries campaign tables. Your finance team queries revenue tables. Nobody should accidentally stumble into employee compensation or customer PII. This needs to be configurable per user or per group, not per database role.

3. Centralized credentials. One connection, managed by the admin. Individual users authenticate through the platform, not by pasting a connection string into a config file. When someone leaves the company, you revoke their platform access. The database credentials never change.

4. Query logging. Every question asked, every SQL query generated, every result returned. If someone asks something they shouldn't have access to, you know. If a query returns wrong results, you can trace what happened.

5. Shared business context. This isn't a security feature but it prevents a different kind of damage. Without shared metric definitions, two people ask “what's revenue” and get different numbers. One of those numbers ends up in a board deck. That's a trust problem that's hard to recover from.

6. No raw database access for end users. Users should interact through the AI tool (Claude, ChatGPT) with the context layer in between. They should never see a connection string, never configure a local MCP server, never touch database credentials.

What most teams do instead

Most teams skip the safety layer entirely. They share a connection string in Slack, everyone configures their own MCP server, and the data engineer hopes nothing goes wrong.

It works for a while. Then someone queries a table they shouldn't see. Or the connection string gets committed to a repo. Or the AI runs a cartesian join that costs $400 in BigQuery compute. And the data engineer either shuts down access entirely or spends a week building a custom wrapper.

Neither outcome is good. Shutting it down kills the productivity gain. Building a custom wrapper is weeks of work that has to be maintained forever.

How Contextflo handles this

Contextflo is the layer between your database and the AI tools your team uses. You connect your database once with read-only credentials. Your team authenticates through Contextflo, not through database credentials.

Here's what you get:

ConcernRaw MCPContextflo
CredentialsOn every laptopCentralized, never exposed to users
Table accessEveryone sees everythingPer-user, per-group table scoping
Query loggingNoneEvery question and query logged
OffboardingRotate DB password for everyoneRevoke one user's access
Metric consistencyEach person's prompt notesShared definitions for everyone

Works with Postgres, Snowflake, BigQuery, Redshift, MySQL, ClickHouse, and Databricks. Setup takes about 15 minutes.

Related reading