Tenant-scoped MCP database tools: every AI query should know who it is allowed to see
The most dangerous AI database bug is rarely a syntax error.
It is the query that works, returns a polished answer, and quietly includes the wrong tenant.
For MCP database servers, tenant scope should not live in a prompt. It should be enforced by the tool boundary before rows ever reach the model.
Prompted tenant rules are too easy to bypass
“Only answer for the current customer” sounds reasonable until a tool exposes a broad SQL interface and relies on the model to remember every filter.
Models can forget context, misread ambiguous requests, or follow injected instructions inside retrieved content. A missing tenant_id predicate should not become a privacy incident.
Related: Least-privilege tool catalogs for MCP database servers.
Make tenant scope a required parameter
Every data tool should know the user, workspace, account, or tenant it is serving. If that scope is missing, the tool should fail closed with a structured refusal.
Good MCP tools make unsafe ambiguity boring:
- tenant scope is derived from authentication, not user text
- approved views include tenant filters by design
- cross-tenant queries require a different privileged workflow
- tool results include scope metadata for audit
Related: Fail-closed MCP database tools.
Use database policy, not just application code
Application-layer filters are useful, but they should not be the only line of defense. Row-level security, scoped database roles, or tenant-specific approved views make the boundary harder to bypass.
The MCP server should be designed so that a request for data outside the allowed scope cannot succeed, even by accident, because the database role cannot return it.
Related: Approved views for AI database agents.
Audit the scope that was used
When an AI answer matters, teams need to know which tenant, role, policy, approved view, and query evidence produced it.
That metadata should travel with the tool result, not be reconstructed later from logs.
Related: Audit-ready MCP database workflows.
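A sketch of the tool boundary described in "Make tenant scope a required parameter" and "Audit the scope that was used", added here as an illustration and not Conexor's code. The names `run_tool`, `APPROVED_VIEWS`, the `auth` session shape, and the sample data are assumptions; SQLite stands in for the database and has no row-level security, so the tenant predicate lives in the approved query.

```python
import sqlite3

def make_db():
    # Constructed sample data: two tenants sharing one table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (tenant_id TEXT, invoice_no TEXT, amount REAL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", [
        ("acme", "A-1", 120.0), ("acme", "A-2", 80.0), ("globex", "G-1", 999.0)])
    return db

# Allow-list of approved queries; each carries its tenant predicate by design.
APPROVED_VIEWS = {
    "invoice_totals": "SELECT invoice_no, amount FROM invoices "
                      "WHERE tenant_id = :tenant_id ORDER BY invoice_no",
}

def refusal(reason, view):
    # Structured refusal: machine-readable reason, no rows.
    return {"ok": False, "refusal": {"reason": reason, "view": view}, "rows": []}

def run_tool(db, auth, view, arguments=None):
    """auth: server-side session built from the verified credential (assumed shape).
    arguments: model-supplied input, never consulted for scope."""
    tenant = (auth or {}).get("tenant_id")
    if not isinstance(tenant, str) or not tenant:
        return refusal("missing_tenant_scope", view)      # fail closed
    if view not in APPROVED_VIEWS:
        return refusal("view_not_approved", view)          # no free-form SQL
    if arguments and "tenant_id" in arguments:
        return refusal("scope_override_rejected", view)    # scope is not user text
    rows = db.execute(APPROVED_VIEWS[view], {"tenant_id": tenant}).fetchall()
    # Scope metadata travels with the result instead of being rebuilt from logs.
    return {"ok": True, "rows": rows,
            "scope": {"tenant_id": tenant, "role": auth.get("role"),
                      "view": view, "row_count": len(rows)}}

if __name__ == "__main__":
    db = make_db()
    session = {"tenant_id": "acme", "role": "analyst"}
    print(run_tool(db, session, "invoice_totals"))
    print(run_tool(db, session, "invoice_totals", {"tenant_id": "globex"}))
    print(run_tool(db, {}, "invoice_totals"))
```

On a database that supports row-level security or scoped roles, the same predicate would also be enforced below this layer, so a bug in the handler still cannot return another tenant's rows.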
Where Conexor fits
Conexor is MCP infrastructure for teams connecting AI clients to databases and APIs. Tenant-scoped tools, approved views, structured refusals, and audit trails are how AI database access becomes usable beyond a demo.