Use SQL when the task requires repeatable filtering, counting, joining, or aggregation against governed data. Use natural-language-style tools only when flexibility matters more than precision and the blast radius is small. For production investigations, structured queries usually provide the safer operating model.
Why This Matters for Security Teams
The choice between SQL and natural-language-style tools is really a choice between precision and flexibility. For agents, that tradeoff matters because the agent is not just reading data, it is acting on it. SQL is better when teams need predictable filters, joins, counts, and approvals against governed datasets. Natural-language tools can speed exploration, but they also widen the chance of ambiguous intent, overbroad access, and mis-scoped actions when the agent’s output is converted into a real operation.
That distinction is consistent with current guidance from the OWASP Agentic AI Top 10 and NHI governance findings in the Ultimate Guide to NHIs, where excessive privilege and weak control over service accounts remain common failure modes. NHIMG research also shows that only 5.7% of organisations have full visibility into their service accounts, which makes opaque tool usage even harder to govern.
In practice, many security teams discover the difference only after a natural-language workflow has already issued a broader-than-intended query or exposed more records than the review process expected.
How It Works in Practice
SQL should be the default when an agent needs repeatable, auditable access to structured data. It gives teams a constrained query surface, clearer logging, and a cleaner path to policy enforcement. Natural-language-style tools are more suitable when the question is exploratory, the data set is small, and the consequences of a mistaken retrieval are limited. For production use, the safer pattern is to translate intent into a controlled execution layer rather than letting free-form text directly drive data access.
A practical design usually looks like this: the agent expresses intent, a policy engine validates the request, and the system decides whether the task can be satisfied with a bounded SQL query or whether the use case is too fuzzy to approve. That aligns with the NIST AI Risk Management Framework, which emphasizes governance, mapping, and measurement before deployment. It also fits the control logic described in the CSA MAESTRO agentic AI threat modeling framework, where tool access should be treated as a risk-bearing capability, not a convenience feature.
- Use SQL for counting, joining, filtering, summarising, and controlled record retrieval.
- Use natural-language tools only for low-risk investigation, draft analysis, or user-facing search experiences.
- Require query templates, allowlisted tables, and row-level restrictions for production agents.
- Log the intent, the generated query, and the result set for review and replay.
- Block direct execution when the agent cannot express a deterministic target or scope.
When SQL is paired with scoped credentials, policy checks, and tightly defined schemas, teams gain far better control over what the agent can do. These controls tend to break down when the agent is allowed to chain tool calls across loosely governed data sources because query boundaries become hard to predict.
Common Variations and Edge Cases
Tighter query control often increases implementation overhead, requiring organisations to balance usability against auditability and speed. That tradeoff becomes sharper when the agent must support multiple business roles, each with different data views and different tolerance for ambiguity. Best practice is evolving, but there is no universal standard for granting natural-language tools direct production access yet.
One common exception is investigative work, where a natural-language interface may help analysts find the right dataset before switching to SQL for the actual decision-making query. Another is customer-facing search, where the surface is intentionally broad but the backend still converts requests into structured retrieval and access checks. The risk is highest when teams confuse convenience with control and allow a chat-style interface to behave like an application programming layer without governance.
NHIMG’s OWASP NHI Top 10 and the AI LLM hijack breach both underscore the same pattern: once an agent can infer intent loosely and act broadly, the blast radius grows faster than most review processes can track. That is why structured queries remain the safer default for regulated, high-volume, or high-impact workflows.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agent tool misuse risk rises when natural-language output drives actions. |
| CSA MAESTRO | T1 | MAESTRO covers threat modeling for agent tool access and data reach. |
| NIST AI RMF | GOVERN | AI RMF governance is needed to decide when flexibility is acceptable. |
Constrain agent tool use with allowlists, scoped intents, and execution logging.
Related resources from NHI Mgmt Group
- How should security teams reduce risk from AI agents and developer tools that use secrets locally?
- How should security teams govern AI agents that use service accounts and MCP tools?
- How do security teams decide whether to let AI agents automate investigations?
- How do IAM teams decide whether an AI use case needs new controls or better NHI hygiene?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
