The other alternative is a limited account with the user visibility, who doesn't have an idea there is another data outside of it's view and confidently answers with incomplete data presented as complete.
No SQL injections, no errors, just confident but terribly wrong answer build from wrong data.
Prompts don't fix this - they are requests rather than control layer. So this is a deterministic, LLM-free guard built over sqlglot. It parses the generated SQL, resolves the columns to their DB tables, check tables/columns access based on user's role (deny-by-default), injects filters, and rewrites or refuses before query runs. The agent still sees the whole catalog, so it can say "cost data exists, but it's outside your access" instead of mislabeling revenue as profit. But only executes what's permitted.
The part that makes this solid are the tests.
Honest caveats: this solution makes SQL access safe. Analytical correctness is another topic, not touched here.
Would love to read your feedback.