TL;DR: Datadog's MCP demo showed that agents complete observability investigations faster with SQL than with freeform tool chains, because structured queries reduce context-window bloat and keep aggregation at the data layer, according to WorkOS. The broader lesson is that AI agent interfaces need precision and scoping, not just more tool access.
At a glance
What this is: A WorkOS recap of Datadog's MCP Night session showing that SQL is a better interface for AI agents than freeform commands when they investigate observability data at scale.
Why it matters: IAM and security teams are increasingly governing non-human access patterns that depend on query shape, tool scope, and execution boundaries across NHI and agentic workflows.
Context
AI agent tooling breaks down when the interface asks the model to improvise too much. In observability and other high-volume systems, freeform commands force agents to guess syntax, manage intermediate state, and stitch together outputs across multiple calls, which quickly becomes brittle at scale. The focus here is MCP: the article is really about how Model Context Protocol tools shape agent behaviour and access patterns.
SQL changes the governance problem as much as the technical one. A structured query interface constrains what an agent can ask for, where aggregation happens, and how much context the model must carry between calls. For identity teams, that shifts the discussion from generic tool access to scoped, auditable, task-specific non-human identity behaviour.
This is an architecture argument, not a vendor feature tour. The article frames Datadog's experience as a practical example of why agent interfaces need more precision than natural-language-style tool chaining, especially when the workload is investigative and the data volume is large.
Key questions
Q: How should security teams govern AI agents that query observability data through MCP?
A: They should treat the query interface as an access control boundary, not just an application feature. Constrain the agent to structured, task-specific queries, restrict the datasets it can reach, and log the exact statements it runs. That makes investigations auditable and keeps the agent from improvising beyond its intended scope.
Q: Why do structured queries reduce risk for non-human identities and AI agents?
A: Structured queries reduce risk because they replace multi-step tool improvisation with a single, reviewable request. That lowers context bloat, reduces inconsistent intermediate state, and makes it easier to prove what the identity was authorised to do. The result is tighter scope and better accountability.
Q: What breaks when AI agents rely on freeform tools for investigation tasks?
A: What breaks is the chain of custody around intent, state, and result. The agent has to guess syntax, preserve intermediate outputs, and reconcile multiple calls, which creates more room for errors and overreach. In security and observability workflows, that usually means slower investigations and weaker auditability.
Q: How can teams decide whether to use SQL or natural-language-style tools for agents?
A: Use SQL when the task requires repeatable filtering, counting, joining, or aggregation against governed data. Use natural-language-style tools only when flexibility matters more than precision and the blast radius is small. For production investigations, structured queries usually provide the safer operating model.
Technical breakdown
Why SQL works better than freeform MCP tool calls
Freeform tool usage makes an AI agent behave like a shell script writer, repeatedly querying, filtering, and reshaping results in separate steps. That burns context and creates more opportunities for syntax drift and inconsistent results. SQL moves intent into one declarative request, so the execution layer can optimise the query and return a result that the agent can use immediately. For observability workflows, that means less intermediate state and fewer calls to reach the same answer.
Practical implication: prefer structured, declarative interfaces for agent workflows that need repeatable, auditable data retrieval.
Context window pressure and agent tool chaining
When an agent chains freeform commands, it has to remember prior outputs, decide what to keep, and preserve state across iterations. That is a governance and reliability problem, not just a usability problem. Each extra step expands the attack surface for confusion, bad assumptions, and accidental overreach. SQL reduces that by collapsing filtering, counting, and aggregation into a single statement, which keeps more of the reasoning in the system of record rather than in the model's transient context.
Practical implication: limit multi-step agent tool chains where a single scoped query can answer the same question.
Aggregation at the data layer in MCP environments
Aggregation is where the architecture choice becomes obvious. If an agent pulls raw logs and computes counts itself, the model is doing data processing that the database is designed to do better, faster, and more consistently. SQL GROUP BY, indexed filtering, and server-side execution keep the heavy lifting near the data. In MCP terms, this is about choosing tool semantics that match the task instead of exposing every operation as a generic action primitive.
Practical implication: route aggregation and summarisation through backend-native query logic rather than agent-side post-processing.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
NHI Mgmt Group analysis
SQL for MCP is really a control boundary, not just a query preference. The article shows that structured queries reduce improvisation, which matters because every unconstrained tool call expands the amount of behaviour identity teams must account for. In practice, SQL narrows the space of permissible actions and creates a cleaner audit trail for non-human access. Practitioners should treat interface design as part of identity governance, not just application ergonomics.
Freeform agent tooling creates context debt. When an AI agent has to chain filters, parse outputs, and preserve intermediate state, the programme inherits a growing governance burden with every additional call. That is a familiar NHI pattern in a new form: more steps mean more ways to lose control of scope, traceability, and task fidelity. Teams should read this as a warning that tool sprawl can become identity sprawl when agents are the operator.
Scoped query interfaces are where NHI governance and agentic AI governance start to converge. The same discipline that limits service account reach applies when agents are executing investigations against sensitive telemetry. SQL makes the boundary more explicit, but it does not remove the need to define what the agent may query, how much it may retrieve, and which datasets remain off-limits. Practitioners should align tool design, access scoping, and logging before broadening agent access.
Structured interfaces expose the real failure mode: overbroad runtime capability. The article's central lesson is that agents perform better when they are given less freedom and more structure. That suggests the category is moving away from conversational tool access and toward governed execution surfaces where the query language itself is part of the control model. Practitioners should expect tighter coupling between interface design and identity policy.
From our research:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- For the interface-design lens behind this post, read Analysis of Claude Code Security for the governance shift from open-ended prompting to constrained execution.
What this signals
Structured access will matter more than broad tool exposure as MCP usage grows. The article shows that agent performance improves when the system constrains query shape and pushes computation to the backend. That pattern is likely to show up across observability, data, and internal operations platforms as security teams demand clearer boundaries for non-human identities.
Query semantics are becoming an identity control surface. Once agents can reach production telemetry, the difference between a freeform tool and a declarative query is the difference between vague capability and governed access. Teams should expect future policy models to care as much about what an agent can ask as about what it can authenticate to.
With only 52% of companies able to track and audit the data their AI agents access, the governance gap is already visible in programmes that still treat tool access as a low-level engineering concern. The shift to structured interfaces will not remove the need for access reviews, but it will make those reviews more meaningful.
For practitioners
- Prioritise structured query surfaces for agent workflows: Use SQL or similarly declarative interfaces for investigations, aggregation, and reporting tasks so agents are not forced to improvise across multiple tool calls. That reduces context consumption and makes access patterns easier to review.
- Scope agent permissions to task-specific datasets: Limit what an agent can query by environment, tenant, and data class before exposing observability or log platforms through MCP. The right control is not just tool access, but which records the agent can reach and combine.
- Log the full query and result path: Capture the exact structured statement, the returned dataset, and the follow-up calls so investigations are auditable after the fact. This is especially important when agents are handling incident triage across large telemetry volumes.
- Review agent tool chains for unnecessary state transfer: Remove steps where an agent only re-formats or re-sorts data that the backend could handle natively. Every extra hop increases the chance of scope creep and makes approval boundaries harder to define.
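An added example (not code from WorkOS, Datadog or this post) of the query interface acting as the access boundary described above: SQLite's statement authorizer enforces a table allowlist and read-only access inside the engine, aggregation stays in the database, and every statement is logged verbatim. The table names, `agent_id`, the row cap and the in-memory audit list are assumptions, and the sample rows are constructed.

```python
import sqlite3

ALLOWED_TABLES = {"logs"}  # assumption: the only dataset this agent may read
MAX_ROWS = 100             # assumption: cap on rows handed back to the model
SQLITE_FUNCTION = getattr(sqlite3, "SQLITE_FUNCTION", 31)  # SQLite action code


def authorizer(action, arg1, arg2, db_name, source):
    """Deny by default; SQLite calls this while compiling each statement."""
    if action in (sqlite3.SQLITE_SELECT, SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # writes, DDL, ATTACH, PRAGMA, other tables


def build_sample_db():
    """Constructed sample telemetry plus a table the agent must not reach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (service TEXT, status INTEGER)")
    conn.execute("CREATE TABLE api_keys (owner TEXT, secret TEXT)")
    conn.executemany("INSERT INTO logs VALUES (?, ?)",
                     [("checkout", 500)] * 3 + [("checkout", 200)] * 5
                     + [("search", 500)] * 1 + [("search", 200)] * 8)
    conn.execute("INSERT INTO api_keys VALUES ('svc-a', 'constructed-value')")
    conn.commit()
    conn.set_authorizer(authorizer)  # boundary applies to everything after this
    return conn


def run_agent_query(conn, agent_id, sql, audit):
    """Run one statement for an agent, recording the exact SQL and outcome."""
    entry = {"agent": agent_id, "sql": sql}
    try:
        cur = conn.execute(sql)
        rows = cur.fetchmany(MAX_ROWS + 1)  # one extra row detects truncation
    except (sqlite3.Error, sqlite3.Warning) as exc:
        entry.update(outcome="rejected", detail=str(exc))
        audit.append(entry)
        return None
    entry.update(outcome="ok", rows=min(len(rows), MAX_ROWS),
                 truncated=len(rows) > MAX_ROWS)
    audit.append(entry)
    return rows[:MAX_ROWS]
```

Because the authorizer runs at statement compile time, the allowlist applies to the tables a query actually touches, including subqueries and joins, rather than to a pattern match on the SQL text.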
Key takeaways
- Agentic workflows break down when interfaces ask the model to improvise too much, especially at observability scale.
- Structured queries such as SQL reduce context bloat and make non-human access more auditable than freeform tool chains.
- Identity teams should govern query scope, data reach, and logging together instead of treating MCP access as a simple integration choice.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agent tool use and query boundaries are central to structured MCP workflows. |
| OWASP Non-Human Identity Top 10 | NHI-01 | MCP agents are non-human identities with scoped access requirements. |
| NIST Zero Trust (SP 800-207) | AC-4 | Structured queries support least-privilege data access and segmentation. |
Constrain agent tools to governed, task-specific actions and log every runtime query.
Key terms
- Model Context Protocol: An open protocol for connecting AI agents to tools and data sources in a standard way. In practice, MCP turns tool access into an integration layer that must still be governed, logged, and scoped like any other non-human identity path.
- Structured query interface: A controlled way for an agent to express intent using a formal query language such as SQL. It reduces improvisation, limits intermediate state, and pushes filtering or aggregation to the system that owns the data, which improves both performance and governance.
- Context window bloat: The accumulation of intermediate data, prompts, and outputs that an AI model must carry while completing a task. As bloat grows, reliability falls and the agent becomes harder to govern because more of the work happens in transient model memory rather than in the source system.
- Non-human identity: A machine or software identity that authenticates and performs actions without being a person. That includes service accounts, API keys, tokens, certificates, bots, and AI agents, all of which need explicit scoping, lifecycle management, and auditability.
This post draws on content published by WorkOS: Datadog: SQL Is the New Bash for AI Agents. Read the original.
Published by the NHIMG editorial team on 2025-12-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org