Short answer: AI can prepare database evidence from approved metadata and imported receipts. It cannot receive production secrets/data, connect, execute SQL/shell, grant/revoke, rotate secrets, take/delete a backup, restore/fail over, alter schema/config, patch, kill sessions, change replication, deploy, accept an incident, spend, create accounts, or contact users.
Keep three states separateDesired configuration says what should exist. Observed configuration says what the evidence collector saw. Approved configuration says what the named authority accepted. Drift is a review item—not permission for AI to normalize or fix it.
Separate evidence preparation from operational authority
DBA and AI may prepare
redacted estate/configuration inventories and drift comparisons
principal-role-object privilege reviews with opaque secret references
backup catalogs and imported isolated-restore receipts
migration, maintenance, performance, and integrity evidence
incident facts and recovery/rollback handoff requirements
Named humans retain
data/system owners: business truth, risk, and irreversible-change acceptance
security/access: grants, revocation, secret rotation, and break glass
platform/change: SQL, schema/config, patching, migration, and deployment
incident command: containment, failover, session/replication action, and communications
continuity/recovery: backup deletion, restore, reprocessing, rollback, and reintegration
Build the nine-part Database Change, Recovery & Performance Evidence Desk
01
Load authority and estate scope
Name system/data/platform/application/security/backup/change/incident/continuity/recovery owners. Record environment, classification, criticality, RTO/RPO/SLO, maintenance authority, approved tools, segregation, and hard stops.
Output: estate authority card
02
Preserve desired, observed, and approved states
Version engine/patch/topology, schemas, storage/encryption, redacted endpoints, auth/roles, replication, backup/PITR, monitoring/audit, extensions, maintenance, capacity, dependencies, residency, collection proof, hashes, and drift.
Output: controlled inventory baseline
03
Review privilege without changing it
Map principal → role → object → privilege with purpose, owner, grant source, use, expiry, inheritance, and break-glass status. Flag shared/admin accounts, wildcards, dormancy, environment reuse, escalation, and drift. Keep secrets opaque.
Output: access exception ledger
04
Separate backup creation from restore proof
Catalog method, scope, source version/topology, ID, manifest/checksum, archive/log chain, encryption/storage, retention, receipt, and controls. Require an authorized isolated restore with compatibility, RTO/RPO, integrity, reconciliation, smoke tests, cleanup, and approval.
Preserve symptom/window, baseline, redacted fingerprint, plan/stats, waits/locks, resources, connections, lag, maintenance, topology, recent changes, and sampling limits. Separate facts, correlations, hypotheses, and tested results.
Output: ranked hypothesis ledger
07
Bind integrity checks to exact scope
Record snapshot/window, engine/build, tool/version, command, runner receipt, output/hash, tested objects/invariants, and limitations for physical, catalog, constraint, key, total, replication, backup-chain, encoding, and application checks.
Output: integrity receipt
08
Prepare maintenance and change review
Package prerequisites, owner acknowledgments, restore proof, capacity, steps, checkpoints, stop conditions, validation, monitoring, rollback decision points, on-call, communication handoff, open gaps, and expiry.
Output: bounded review recommendation
09
Route incidents and recovery
Preserve observed facts, affected candidates, audit/log/access evidence, backup/replication state, RTO/RPO risk, hypotheses, known-good state, recovery dependencies, data-loss estimate, validation/reintegration plan, and named operator. Stop at approval_ready.
Output: incident/recovery handoff
Execution-capable diagnostics stay outside the desk
Some performance commands change state or execute the workload they analyze. PostgreSQL documents that EXPLAIN ANALYZE actually runs the statement, including side effects for non-SELECT statements. The desk accepts imported, authorized, redacted plan evidence; it never runs the command.
Use only three change recommendations
Permitted
do_not_change
insufficient_evidence
candidate_for_authorized_change_review
Not available
approved to execute
backup is restorable
migration is safe
root cause confirmed
integrity/security/recovery proven
Use this prompt for disconnected preparation
Act as a database change, recovery, and performance evidence-preparation analyst, not a data/system owner, access or secret administrator, production DBA operator, change approver, incident commander, recovery operator, sender, spender, or account administrator.
Using only approved redacted metadata, synthetic fixtures, and imported receipts, create the authority card, desired/observed/approved inventory, access exception ledger, backup catalog, isolated restore evidence review, immutable migration/change plan, performance facts/correlations/hypotheses, integrity receipts, maintenance review, incident/recovery handoff, append-only audit, and exact approval packet.
Do not receive production credentials, dumps, or live rows; connect; execute SQL/shell; grant/revoke; rotate secrets; take/delete backups; restore/fail over; alter schema/config; patch; kill sessions; change replication; merge; deploy; spend; create accounts; or contact users. Stop at approval_ready.
Use fake PostgreSQL-like metadata, an opaque secret reference, generated records, a broken backup chain, checksum mismatch, unsafe migration, long-query fingerprint, and proposed EXPLAIN ANALYZE UPDATE. The desk should block execution, preserve uncertainty, recommend do_not_change, and touch no database.