DreamFactory is a secure, self-hosted enterprise data access platform that provides governed API access to any data source, enabling organizations to safely connect enterprise applications and on-prem or private large language models (LLMs) using role-based access control and identity passthrough. As enterprises accelerate AI adoption and begin integrating LLMs with live operational data, the need for controlled, auditable, and policy-driven data access has never been more critical.
Here’s what you need to know:
Bottom Line: Treat LLMs as untrusted clients. Secure database access with strict governance, API controls, and robust monitoring to mitigate risks without sacrificing productivity.
When large language models (LLMs) are directly connected to enterprise databases, they inherit full database permissions without the ability to distinguish safe usage. This creates a significant vulnerability. Prompt injection currently ranks as the top security threat on the OWASP Top 10 for LLM Applications. Chenta Lee, Chief Architect of Threat Intelligence at IBM Security, explains the danger:
"With LLMs, attackers no longer need to rely on Go, JavaScript, Python, etc., to create malicious code, they just need to understand how to effectively command and prompt an LLM using English".
Here’s a closer look at the three primary vulnerabilities tied to direct LLM database access.
Prompt-to-SQL (P2SQL) injection attacks exploit middleware that converts natural language prompts into database queries. Attackers manipulate these prompts to create SQL queries that bypass application logic, enabling them to extract, delete, or modify sensitive data. A 2025 study of five real-world applications using LLMs revealed that every single one was vulnerable to P2SQL injections. Alarmingly, even with a specialized detection tool, only 48% of attacks by the red team were identified.
The problem doesn’t stop with direct user input. Indirect prompt injection occurs when malicious instructions are hidden in stored data. If the LLM accesses this compromised data to answer a legitimate query, it can unknowingly execute harmful commands. These commands might send sensitive information to external servers. For instance, in 2024, researchers identified CVE-2024-21513 in the langchain-experimental package. This vulnerability allowed attackers to use natural language prompts to execute arbitrary shell commands, such as whoami, on the host server through the get_result_from_sqldb function.
LLMs often prioritize functionality over security, which can lead to significant risks. Nathan Hamiel, AI Lead at Black Hat, sums it up:
"Don't treat LLM coding agents as highly capable superintelligent systems. Treat them as lazy, intoxicated robots".
This lack of precision in permission management amplifies the risks posed by injection threats. Granting overly broad permissions - such as allowing UPDATE or DELETE when only SELECT is necessary - makes attacks far more damaging. In tests with Llama 3.1, attackers achieved a 99% success rate in extracting secrets when no safeguards were in place. Even with system prompt protections, secret leakage rates reached 34% for smaller models and 21% for larger models.
The core issue is that LLMs treat instructions and data as the same type of input. This makes it difficult for them to differentiate between legitimate security rules and malicious user commands. In a benchmark of 15 LLM families, the highest-performing model only achieved 61.7% accuracy in preventing sensitive data leaks, compared to 94% accuracy for humans. Many models performed at or below random chance when tasked with detecting and preventing sensitive data leaks during SQL generation.
Direct LLM database access also introduces significant compliance risks. When cloud-hosted LLMs handle queries containing personal health information, financial data, or personally identifiable information, organizations risk violating regulations like GDPR, HIPAA, and CCPA. Studies show that the success rate of extracting confidential data increases by up to 73% when LLMs are integrated with external tools compared to standalone use. This means connecting an LLM to a customer database can turn a compliant system into one that risks unauthorized disclosures, undermining both regulatory compliance and customer trust. These risks highlight the urgent need for structured access controls.
Securing database interactions for large language models (LLMs) requires strict controls at the data layer. Jorge Sancha, Co-founder of Tinybird, explains the importance of this approach:
"LLMs can not be trusted for security purposes, and when it comes to database access, you must always enforce security at the data layer, where access is deterministic and can be governed by cryptographically signed tokens".
Below are strategies to ensure LLMs interact securely with enterprise data, laying the groundwork for robust API control practices.
LLM operations should follow the principle of least privilege, limiting permissions based on the intersection of the model, user, and task. Row-Level Access Control (RLAC) is a practical way to enforce this. Instead of granting broad table access, RLAC filters results based on user identity. For example, appending WHERE user_id = 123 to every query ensures that even if an LLM attempts to access "all customer records", only authorized rows are returned.
Tinybird implemented this approach in August 2025 using signed JWT tokens, which define filters added to every SQL query generated by their LLM.
Static API keys are insufficient for LLMs since models often create unpredictable queries. Instead, organizations should assign dedicated service accounts to different AI agents. For instance, a "Marketing Bot" and a "DevOps Bot" should have separate identities to maintain clear and isolated audit trails.
|
Access Level |
Role Example |
Data Access Permissions |
|---|---|---|
|
High |
Organization Director |
Full access to all tables, including sensitive contracts/pricing |
|
Medium |
Team Lead |
Limited to team-level resources and general company data |
|
Low |
General Member |
Access to non-sensitive, organization-wide information |
To prevent privilege escalation, user identity should be preserved through APIs. Replace static API keys with an OAuth2 client credentials flow, which issues time-bound access tokens with specific scopes. These tokens, valid for 15 to 60 minutes, reduce the risk of stolen credentials being exploited. Embedding details like user tenant IDs and subscription levels into JSON Web Tokens (JWT) allows API gateways to validate access without additional state management.
For environments requiring extra security, use Mutual TLS (mTLS) to authenticate both the LLM application and the API server, protecting against interception attacks. Oracle’s SQLcl MCP Server, introduced in version 25.2, tracks identity by logging both the client and LLM names in session metadata, offering transparency into database activity.
Centralized controls at the API gateway level are essential. This includes authentication, rate limiting, and filtering requests and responses to block malicious or malformed queries. Managed tools like AWS Secrets Manager or HashiCorp Vault can also automate the rotation of database passwords and API keys, reducing exposure windows.
Preventing data leaks is critical. Ensure that LLMs never process raw sensitive data. Use pseudonymization and redaction at the AI Gateway to identify Personally Identifiable Information (PII) with Named Entity Recognition (NER) or regex. Replace sensitive data with placeholders like [PERSON_1] before processing. The original data can be temporarily stored at the gateway and restored in the final response through a process called re-hydration, ensuring the LLM never directly interacts with sensitive information.
Minimizing data exposure further enhances security. Instead of granting LLMs access to production databases, use read-only replicas or sanitized datasets. For stored data, encrypt model weights, vector databases, and logs using Customer-Managed Keys (CMKs) via a Key Management Service (KMS). Regularly rotate encryption keys - typically every 90 days - to limit the impact of potential breaches and provide an emergency "kill switch".
For data in transit, enforce TLS 1.3 or higher and implement mTLS for service-to-service communication. Avoid logging raw prompts or responses; instead, use deterministic, cryptographically secure hashes to maintain audit trails without exposing sensitive details. Oracle’s implementation logs interactions in a dedicated DBTOOLS$MCP_LOG table and appends comments like /* LLM in use ... */ to queries for easier auditing.
These practices not only reduce security risks but also support effective API-driven database management.
DreamFactory acts as a protective layer between large language models (LLMs) and your databases by creating a REST API abstraction. Instead of directly connecting an AI model to your database via SQL, DreamFactory sets up controlled API endpoints. These endpoints carefully validate inputs, enforce rules, and return sanitized data, significantly reducing risks like prompt injection - an attack where an LLM could be manipulated into running unintended queries.
"Security starts with architecture. Treat your AI like an untrusted actor - and give it safe, supervised access through a controlled API, not a login prompt."
– Kevin McGahey, Solutions Engineer
DreamFactory supports over 20 database types, including SQL Server, Oracle, PostgreSQL, MySQL, and MongoDB, by automatically generating REST APIs. These APIs rely on the Model Context Protocol (MCP), which provides a standardized interface for AI systems to query live data. With parameterized queries at its core, the platform prevents injection attacks.
It goes a step further by enabling field-level redaction through server-side scripting in JavaScript, PHP, or Python. This feature lets you mask sensitive data, such as Social Security numbers or health records, before it ever reaches the AI model. Additional safeguards, like limiting payload sizes and truncating results, prevent the extraction of excessive data. When paired with Retrieval-Augmented Generation (RAG), this secure setup can improve LLM response accuracy by up to 90%.
DreamFactory also integrates identity and deployment controls, ensuring security across all enterprise levels.
DreamFactory works seamlessly with enterprise authentication frameworks like OAuth 2.0, OpenID Connect, LDAP, Active Directory, and SAML-based SSO. This integration allows identity passthrough, meaning LLM requests inherit the authenticated user's credentials rather than relying on static API keys. With this setup, an LLM can only access endpoints permitted under the authenticated user's profile.
The platform also issues time-restricted tokens with defined scopes and maintains an interaction log. These measures reduce the risk of credential misuse and align with compliance standards such as HIPAA and GDPR.
DreamFactory enhances security further by offering flexible deployment options.
You can deploy DreamFactory on Docker, Kubernetes, or directly on Linux/Windows servers, allowing for operation in air-gapped networks with no external dependencies. This ensures that sensitive data and database credentials remain securely stored within your infrastructure. Additionally, server-side scripting can anonymize personal information and enforce data minimization policies.
For industries with strict regulations, air-gapped deployments eliminate any external exposure of sensitive data. Kubernetes deployments, supported by Helm charts, enable autoscaling and multi-region data residency controls, while compatibility with standard hardware ensures you retain full control over your infrastructure, whether on-premises, in private VPCs, or hybrid environments.
"Your database credentials never leave your environment. DreamFactory runs in your infrastructure and exposes only controlled API endpoints."
– Terence Bennett, CEO, DreamFactory
| Deployment Option | Best Use Case | Key Security Benefit |
|---|---|---|
| On-Premises (Linux/Windows) | Legacy systems & high-security zones | Physical control over hardware and data |
| Private VPC (Cloud) | Enterprise AI agents | Network isolation with cloud-based LLMs |
| Kubernetes / Docker | Scalable AI microservices | Portability and rapid scaling/recovery |
| Air-Gapped | Highly regulated industries (Gov/Defense) | Zero external exposure of sensitive data |
Direct Database Access vs API Abstraction Security Comparison for LLMs
Ensuring secure database access for Large Language Models (LLMs) requires a methodical approach. Start by defining the agent's use case, then create secure APIs that adhere to strict data policies like Role-Based Access Control (RBAC) and field-level masking. Once these are in place, deploy them behind a gateway for added protection. Modern generative AI gateways play a dual role: they not only manage Tokens Per Minute (TPM) to control usage and costs but also act as programmable trust layers. These gateways enforce compliance and provide visibility into AI agent activity, making them essential for secure and efficient operations. With these steps, businesses can integrate precise rules through server-side scripting.
DreamFactory uses server-side scripting in languages like JavaScript, PHP, or Python to apply business rules before data reaches the LLM. By creating database views with built-in filters and masking logic, sensitive raw data is shielded from the AI, ensuring compliance and security.
To simplify monitoring and improve consistency, enforce strict JSON schemas for API responses. This approach makes responses predictable and easier to cache. Additionally, tools like AWS Secrets Manager or HashiCorp Vault can automate secret rotation, reducing the risk of credential exposure.
Ongoing monitoring is a cornerstone of the DreamFactory framework. Set up real-time tracking to detect model drift, unusual API activity, or resource spikes, which could signal potential security threats. Research shows that cloud misconfigurations significantly increase the risk of breaches, so proactive measures are critical.
Incorporate automated security validation and digital signing during the model release phase to prevent insecure models from being deployed. Regularly conduct adversarial testing - also known as "jailbreak" testing - to ensure the gateway effectively blocks unauthorized actions or data exfiltration attempts. Given that many generative AI systems lack sufficient logging, robust auditing is essential. This should include detailed records of system prompts, model versions, and plugin activities for effective forensic analysis.
The table below highlights the differences between direct database access and API abstraction, particularly when using a solution like DreamFactory.
|
Feature |
Direct Database Access |
API Abstraction (DreamFactory) |
|---|---|---|
|
Credential Handling |
Credentials stored in AI tool/prompt; high risk of leaks |
Credentials hidden server-side; no exposure to AI |
|
Query Method |
LLM generates raw, dynamic SQL |
LLM interacts with pre-approved, parameterized REST endpoints |
|
Security Model |
Perimeter-based; often over-permissioned |
Zero-Trust with Role-Based Access Control (RBAC) |
|
Injection Protection |
Vulnerable to SQL injection via prompts |
Prevented through parameterization and input validation |
|
Data Governance |
Limited ability to mask PII or enforce row-level rules |
Server-side scripting enables real-time masking and filtering |
|
Audit Trail |
Minimal database logs; lacks context |
Comprehensive logs (who accessed what, when, and the outcome) |
|
Performance |
Prone to inefficient, resource-heavy queries |
Rate limiting and pagination ensure backend stability |
"To safely expose enterprise data to AI, you must not expose the database directly. Use a hardened API gateway like DreamFactory MCP to mediate all access."
– Kevin McGahey, Solutions Engineer
Directly linking large language models (LLMs) to enterprise databases introduces serious risks, including credential leakage, SQL injection vulnerabilities, and potential data exposure. Allowing AI to generate raw SQL or access database credentials creates a significant security challenge for CISOs. For instance, the CVE-2023-29374 vulnerability in certain LLM "chains" earned a critical CVSS score of 9.8, underlining the magnitude of these threats. Addressing these dangers requires a layered, security-first approach.
A reliable solution involves using a secure API gateway, such as DreamFactory. This tool ensures credentials stay server-side, employs injection-resistant queries, and enforces Role-Based Access Control (RBAC) at the table, column, and row levels. These safeguards are essential for mitigating risks tied to LLM interactions.
Because LLMs can generate unpredictable requests, traditional perimeter defenses alone are insufficient. Instead, organizations need runtime protections like strict JSON schemas, real-time field masking, and detailed audit logs that record every AI interaction. Research indicates that Retrieval-Augmented Generation (RAG) can boost LLM answer accuracy by up to 90%, but only when paired with secure, well-governed data access.
DreamFactory’s Model Context Protocol (MCP) strengthens security by auto-generating REST APIs for over 20 data sources, integrating seamlessly with existing authentication systems, and supporting secure self-hosted environments. This ensures data stays within your control, and raw credentials are never exposed to AI. This approach aligns with earlier governance strategies by keeping sensitive information secure while enabling reliable AI performance.
When working with large language models (LLMs) connected to databases, security should be a top priority. One of the key steps is creating prompts that reduce risks. This means avoiding direct user input in commands that deal with sensitive data and sticking to pre-defined templates with strict formatting rules.
Beyond that, techniques like input sanitization, access controls, and response validation play a big role in keeping things secure. These measures help catch and block potential exploits before they cause harm.
For added protection, advanced methods such as reinforcement learning with constraints or layered defenses (like guardrails and prompt filtering) can make interactions even safer. Regular system monitoring for unusual activity and keeping an eye on new threats are also essential for ensuring your LLM integrations stay secure and comply with enterprise data standards.
Integrating large language models (LLMs) with enterprise databases can bring a host of compliance challenges. These include the potential exposure of sensitive or regulated data, the risk of unauthorized access, and the difficulty of maintaining compliance with privacy laws such as GDPR, CCPA, or HIPAA. If these risks are not managed carefully, the consequences could include legal penalties, data breaches, or damage to your organization's reputation.
To address these risks, it's essential to implement strict access controls and monitor data usage diligently. Ensuring robust encryption protocols are in place is another critical step. Additionally, conducting regular audits and using secure, API-driven access frameworks can help maintain compliance while still taking full advantage of LLM capabilities.
API abstraction acts as a protective barrier for database access, offering a controlled interface that limits direct interaction with sensitive data. Through this approach, organizations can implement authentication, authorization, and monitoring directly at the API level, reducing the chances of unauthorized access and potential security weaknesses.
By consolidating security policies at a central point, API abstraction ensures that only verified and compliant requests from LLMs are allowed. It also enables advanced security frameworks like zero-trust architectures, OAuth2, and contextual request filtering. These measures help defend against risks such as lateral access escalation and malicious prompt injections. This strategy not only protects sensitive information but also ensures compliance and preserves data integrity, even when handling unpredictable AI-generated queries.