Row limits for AI database agents: stop small questions from becoming big scans
A small question can become a big database scan when an AI agent writes the query.
“Show me customers at risk” sounds harmless. Depending on schema context, the agent might join accounts, subscriptions, events, invoices, support tickets, usage records, and notes before deciding what “risk” means.
Row limits are not just a performance setting. They are a production safety boundary for natural-language SQL.
Agents explore before they answer
Human analysts usually know which table to start from. Agents often inspect, sample, retry, and broaden scope as they work through ambiguity.
That behavior can be useful, but it needs hard limits. Otherwise one vague question can create large reads, slow joins, high memory use, or unexpected exposure of rows the user did not need.
Related: AI database query budgets.
Default to preview, not full export
The first result for an open-ended question should often be a preview: top rows, aggregate summary, sampled examples, or a count with a suggested narrowing step.
If the user asks “Which invoices are overdue?” the tool can return a count by age bucket and the first 25 examples, then ask whether to page, filter, or export through an approved workflow.
Related: Tool result contracts for AI database agents.
Make limits visible in the answer
A row-limited answer should say it was limited.
Useful metadata includes requested limit, enforced limit, rows scanned, rows returned, whether more rows exist, sort order, page cursor, and whether the result is a sample or complete set.
Without that context, the model may summarize the first 50 rows as if they represent the entire dataset.
Related: Query provenance for AI database agents.
Use different limits for different intents
Not every question deserves the same boundary.
- schema inspection can have tiny limits,
- diagnostic samples can return a small preview,
- aggregate reporting may return grouped results,
- exports should require a separate approved path,
- incident response may need higher limits with stronger audit logging.
The execution layer should enforce those policies before SQL runs.
Related: Query routing for AI database agents.
Fail closed on unbounded requests
If a generated query has no limit, no safe aggregate, no selective filter, and no approved export route, the MCP tool should refuse or rewrite into a preview mode.
That refusal is not friction. It is the difference between an assistant and an accidental data extraction tool.
Related: Fail-closed MCP database tools.
Where Conexor fits
Conexor helps teams connect AI clients to databases through MCP infrastructure. Safe production access means row limits, query budgets, scoped credentials, provenance, and explicit result contracts.