By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. See our Cookie Policy for more information.
CustomizeReject allAccept all
Back to Blog

An AI agent has no direct access to your database - and that's exactly why it works

Robert Keunen
4 min
May 1, 2026

"Doesthe AI agent just go straight into your database?" It's a fair question —and the answer determines whether you trust it. Because if an agent can browseyour ERP data without any controls, that's a problem. And rightly so.

The goodnews: that's not how it works. An AI agent has no direct access to yourdatabase. Instead, it calls a tool — a dataflow, an API, a query service —which then retrieves or writes the data. That sounds like a technical detail,but it's a fundamental architectural principle. And it's exactly why you cantrust it.

How it works technically

An agent withtool calling operates in five steps, and every step is transparent:

Step 1:Understands the intent. The user gives an instruction: "Retrieve the open invoices forcustomer De Vries." The agent understands what's being asked — notliterally, but by meaning.

Step 2:Selects a tool. Theagent picks the right action from the available toolset. Not a free-formdatabase query — a defined tool: Get_OpenInvoices.

Step 3:Passes parameters.It fills in the tool: { customerId: 123, status: "open" }. Theparameters follow from the intent — not from a self-generated query.

Step 4:The tool executes.The dataflow, API, or query service does the real work: connecting to thedatabase, retrieving the records, writing back changes. The agent waits for theresult.

Step 5:The agent processes the result. It summarises, displays a table, suggests a next action, or flagssomething that looks off.

The agentruns no SQL queries and makes no direct database connection. Unless you'veexplicitly set it up that way — which is rarely desirable.

Three levels at which AIcan work with data

Not all AIimplementations are equal. There are three levels, and the level determines howmuch control you retain:

Level 1:Context (read-only, indirect). Data sits in the prompt, in a vector store, or in files. The agent"sees" the data but can't act on it. Safe, but limited.

Level 2:Tool calling (the standard). The agent triggers a controlled action — a dataflow, an API endpoint.You decide which queries are possible, which fields are visible, and whichactions are available. This is the level at which serious ERP integrationsoperate.

Level 3:Direct database access (rare and risky). The agent generates its own queries andexecutes them directly against the database. The risks are significant:security vulnerabilities, unintended modifications, performance issues. In ERPenvironments, this is almost never the right choice.

The right architecture forERP environments

The divisionof responsibility is clear:

Agent = orchestration and intelligence.It understands the instruction, selects the right tool, and decides on nextsteps.

Dataflowor API = controlledexecution. It knows the data model and ensures the right data ends up in theright place.

Dataclips = lookup and reference. Fixed listsand master data the agent can consult without triggering any action.

The practicalconclusion: the agent doesn't go "into" your ERP or your database. Itinstructs a flow with the right parameters, and that flow does the real work.

Why this is powerful — notlimiting

Securityis enforced. Nodirect database access means no risk of the agent operating outside itspermissions. What the agent can do is exactly what you've defined.

Logic isreusable. Adataflow built for an agent can also be used by your application or youremployees. Build once, deploy many times.

Behaviouris predictable. Theagent operates within the boundaries you've set. That makes it easier to test,audit, and trust.

Complexprocesses are possible. Multiple tools in sequence — retrieve, compare, create, flag — arecoordinated by the agent as a structured chain.

The real insight: theagent decides, the flow acts

The value ofan agent is not in retrieving data. The value is in deciding which action aprocess requires.

A searchfunction gives you data.

An agentdecides what to do with that data.

Not:"give me the open invoices." But: "process this purchaseconfirmation, match it to the outstanding order, and prepare a payment proposalfor review." Behind that are three tools the agent calls in sequence —controlled, traceable, repeatable.

An AI agenthas no direct access to your database. And that's exactly why it works.

Curious whatthat architecture looks like for your ERP and your processes? We're happy tothink it through with you.

You might also like

Posts
4 min

From one agent to a network: what happens when AI runs your processes?

Most organisations now have one AI assistant in their ERP, handling questions and summaries. But that's the preliminary step. The real shift is a network of specialised agents — purchasing, sales, logistics, finance — orchestrated together to run entire processes, while humans keep decision authority at the points that matter.

Robert Keunen
Apr 18, 2026
Posts
4 min

How employees without technical knowledge can use AI in your ERP

The fear in every boardroom: "we don't have the people who can build this." Justified, if you think in developers and Python scripts. But that's not how it works anymore. Anyone who can type a mail can operate an AI agent. The people who know the process steer the agent — not the other way around. How finance, service, sales and HR employees use this in practice.

Robert Keunen
Apr 18, 2026
Posts
4 min

Speak and done: What Voice to ERP requests look like

For twenty years, process digitisation has almost-but-not-quite worked for employees who work outside. The technician, the driver, the inspector. What happens: the registration gets added in the evening, or not at all. Voice-driven AI agents remove that friction: speak, the agent transcribes, matches, creates the work order line, schedules follow-ups. The paradox: to get smarter with AI, you need better data — and you get that by lowering the barrier to recording it.

Robert Keunen
Apr 18, 2026

Get started right now

Schedule a demo to learn more about the product

Try for FreeBook a Demo