MODULE 04

Deterministic Queries &
Stored Procedures for AI

Learn why letting AI generate raw SQL is dangerous and how stored procedures create security contracts that make AI data access predictable, auditable, and compliant.

~8 min read
Foundational
Security Focus
Full Step-by-Step Documentation ~20 min

🎯 The Core Problem

When AI systems generate SQL queries dynamically, organizations lose control over data access. The same question asked twice may generate different queries with different performance characteristics, and potentially different security implications.

This isn't just a performance issue. Regulatory frameworks like GDPR, HIPAA, and FedRAMP require documented, approved data access patterns. Ad-hoc SQL generation makes compliance nearly impossible to prove.

⚖️ Raw SQL vs. Stored Procedures

❌ AI-Generated SQL

  • Non-deterministic: same question, different queries
  • Can inadvertently expose sensitive data
  • Impossible to audit effectively
  • Vulnerable to prompt injection attacks
  • No predefined security boundaries

✓ Stored Procedures

  • Deterministic: identical query plans every time
  • Encapsulate data masking & row-level security
  • Complete audit trails with parameters
  • Immune to SQL injection
  • EXECUTE permissions, not SELECT

🔐 The Security Contract

Think of a stored procedure as a security contract between your database and AI systems. The contract says:

  • These are the exact fields you can access
  • These are the only parameters you can pass
  • This is the maximum data you can retrieve
  • Every call will be logged with full parameter visibility

The AI can call the procedure, but it can never see or modify the underlying query. It's like giving someone a vending machine instead of the keys to the warehouse.

🧩 Four AI-Safe Access Patterns

Pattern 1

Direct Procedure Invocation

AI calls pre-defined stored procedures through an API layer. Simplest and most secure.

Pattern 2

Procedure-to-AI Pipeline

Data flows from procedures to AI models for analysis. AI never queries directly.

Pattern 3

AI-Selected Procedures

AI chooses from an approved list of procedures based on user queries. Limited choice = limited risk.

Pattern 4

Parameterized Calls

AI extracts parameters from natural language and passes them to procedures. No query construction.

💻 Example: Secure Data Retrieval Procedure

Here's a stored procedure that acts as a security gatekeeper for sensitive business data:

SQL Server 
CREATE PROCEDURE GetRecordSummaryData
    @RecordId INT
AS
BEGIN
    -- Only return approved/completed records
    -- Exclude sensitive fields (SSN, payment info, etc.)
    SELECT
        r.DisplayName,
        r.Category,
        r.Department,
        r.CreatedDate,
        r.StatusDescription,
        r.PublicNotes,
        r.SummaryMetrics
    FROM Records r
    WHERE r.Id = @RecordId
      AND r.Status = 'Approved'
    ORDER BY r.CreatedDate DESC
END

Notice what this procedure doesn't expose: sensitive PII, financial data, or draft records. The AI can generate summaries from this data, but it physically cannot access what the procedure doesn't return. This pattern applies to any domain: HR, finance, healthcare, customer data, and more.

📋 Compliance Benefits

GDPR / HIPAA / FedRAMP Ready

With stored procedures, you can demonstrate that: (1) exact queries are reviewed and approved before deployment, (2) complete audit trails exist for every data access, (3) AI systems cannot access unauthorized data, and (4) data minimization principles are enforced by design.

💡

Real-World Use Case

A federal consulting organization used this pattern to let on-premises LLMs analyze HR data while maintaining FedRAMP compliance. The stored procedure returned only the fields needed for AI summarization, nothing more.

🔀 Parameter Isolation: A Lesson from the Field

⚠️

Keep Business Logic Separate from AI Payloads

When one enterprise team switched from a local Ollama model to OpenAI's cloud API, their requests suddenly failed with a 400 Bad Request error. The culprit? A username parameter in the AI payload that OpenAI rejected as an unknown parameter.

The fix was simple but illustrates an important principle: use DreamFactory's script to handle business parameters (like user identity) separately from what gets sent to the AI model.

  • Your stored procedure handles the "who": user identity, permissions, data scoping
  • The AI model only receives the "what": the actual data to process
  • DreamFactory's script orchestrates both without mixing concerns

This separation makes your integration portable across AI providers. Switch from Ollama to GPT to Claude to Gemma; the stored procedure and business logic stay exactly the same.

🚀 Next Steps

  • Read the full blog post for deeper technical details
  • Explore Module 05 to learn about identity passthrough for AI agents
  • Review your existing stored procedures. Are they AI-ready?
📖

See Also

Enterprise Guide: Securing LLM Access to Your Databases. A 5-layer security framework for AI database access: governed REST APIs, identity passthrough, deterministic queries, rate limiting, and MCP for local LLMs.

Ready to implement? Get the complete step-by-step guide with code examples, screenshots, and troubleshooting tips.

Full Step-by-Step Documentation ~20 min