how to

Stop destructive agent SQL: hold DROP, TRUNCATE and WHERE-less updates

the short answer

To stop an AI agent from running destructive database queries, put a proxy between the agent and the database that inspects each query's body and holds the dangerous patterns — DROP TABLE, TRUNCATE, DELETE and UPDATE without a WHERE clause, schema changes — for human approval, while forwarding safe reads and scoped writes instantly; agent·shield does this by matching regex over the request body, so a destructive query waits for a person before it ever reaches the database.

Of all the things an agent can be given, database access is the one that turns a bad inference into a disaster fastest. A model that's allowed to write SQL can, on a single wrong call, drop a table, truncate a collection, or run an UPDATE with no WHERE clause that rewrites every row. The query is valid, the credentials are valid — only the intent is catastrophic, and the database has no way to know.

The fix isn't to take the agent's database access away, because querying is usually the job. It's to inspect what's in each query before it runs and stop the destructive ones for a human. This guide is the concrete how-to: which SQL patterns to gate, how to intercept them without rewriting the agent, and how to keep the gate from slowing legitimate work.

in the query bodyagent·shield reads each query's body and matches the destructive patterns before forwarding it to the database
open agent·shieldabout agent·shield

Which queries are worth stopping

Not every write is dangerous, so gate precisely. The clear destructive patterns are the irreversible or wide-blast ones: DROP TABLE and DROP DATABASE, TRUNCATE, DELETE without a WHERE clause, UPDATE without a WHERE clause (the classic that rewrites every row), and schema-altering statements like ALTER and the various DDL commands. These are the queries where a mistake isn't a bad row, it's a lost table.

Scoped writes — an INSERT, an UPDATE or DELETE that targets specific rows by id — are usually routine and shouldn't be held, or your queue fills with noise and reviewers stop reading. The art is gating the shape that signals danger (the missing WHERE, the DROP, the TRUNCATE) rather than the operation type wholesale. That keeps human attention on the queries that can actually wreck the database.

Intercept the query, read the body, decide

agent·shield sits as a transparent proxy in the path between the agent and the database's HTTP-accessible endpoint. Because the SQL lives in the request body, agent·shield can inspect it: its policies are regex over method, path, and body, so a policy can match "DROP TABLE" anywhere in a query body, or an UPDATE/DELETE that lacks a WHERE clause. A match holds the query; no match forwards it instantly.

A held query is parked, not run — the database never receives it until a person approves. The reviewer sees the actual SQL, so the decision is concrete: this DELETE has a WHERE targeting one record, approve; this one would hit the whole table, deny. And because it's a proxy, there's no SDK and no change to the agent or its ORM — you point the agent's database traffic at agent·shield and the inspection happens in the middle.

Keep legitimate queries fast, and keep the record

The whole design depends on safe queries not being slowed down. Reads and scoped writes are forwarded instantly, so the agent queries at full speed for almost everything it does; only the destructive patterns pause. If you find a routine query keeps getting held, that's a signal to tighten the policy so it stops matching the safe case — the goal is a queue that only contains queries genuinely worth a human's look.

Every query decision is written to the append-only audit log: the full query, the policy it matched, who approved or denied a held one, and when. After an incident or a near-miss, you can see exactly which destructive queries the agent attempted and what was caught — which is also how you justify giving an agent database access in the first place. To be precise: the protection covers the database traffic you route through agent·shield, so point the agent's queries at the proxy and that's the surface it guards. It governs query intent; it's not a replacement for the database's own permissions.

how it works

  1. 01

    Define the destructive query patterns

    Gate DROP TABLE / DROP DATABASE, TRUNCATE, DELETE and UPDATE without a WHERE clause, and schema changes (ALTER/DDL). Leave scoped, id-targeted writes to forward.

  2. 02

    Route the agent's database traffic through agent·shield

    Point the agent's database connection at the proxy. No SDK and no ORM changes — the agent issues queries as before, and agent·shield sees the bodies.

  3. 03

    Write body-matching policies

    Use regex over the query body to match the destructive patterns. A match holds the query; no match forwards it instantly to the database.

  4. 04

    Review held queries

    Read the actual SQL in the queue and approve (it's forwarded) or deny (it never reaches the database). The query stays paused until you decide.

  5. 05

    Tune from the audit log

    Every query decision is recorded. Relax policies that keep holding safe queries and keep the gate tight on the genuinely destructive shapes.

frequently asked

Can agent·shield tell a dangerous query from a safe one?
It matches the patterns you define against the query body — DROP TABLE, TRUNCATE, DELETE or UPDATE with no WHERE, schema changes. Those shapes signal danger reliably; scoped, id-targeted writes don't match and are forwarded. You tune the policies to your schema so the gate catches the destructive cases without snagging routine ones.
Won't inspecting every query slow my agent down?
Only the destructive ones are held. Reads and scoped writes are forwarded instantly, so the agent queries at full speed for the vast majority of its work. If a routine query keeps getting held, you tighten the policy so it stops matching the safe case.
Do I have to change my agent's ORM or database code?
No. agent·shield is a transparent proxy — you point the agent's database traffic at it and the agent issues queries exactly as before. There's no SDK and no ORM rewrite; the inspection happens in the middle of the connection.
Is this a replacement for database permissions?
No — it's a complement. Database permissions decide what the agent's role is allowed to do; agent·shield decides, per query, whether a permitted-but-destructive statement should run now or wait for a human. Use both: least-privilege roles, plus a hold on the dangerous queries that remain possible.

Published June 4, 2026 · Last updated June 13, 2026

more on agent·shield

agent·shielda human in the loop for your ai agents

ready to try agent·shield?

open agent·shield