When we tell a new client that we use AI agents in our development process, there is usually a pause. Then a version of the same question: “What happens to our data?”

It is the right question. And I want to answer it with more precision than most agencies do, because “we take data security seriously” is not an answer. It is a sentence.

The rule we operate by

AI agents at WizQuest operate on staging environments only. With synthetic data only. Production systems — your live database, your real users, your actual credentials — never appear in an AI prompt. This is not a policy we put in a document and occasionally violate when it is inconvenient. It is structurally enforced. Our staging environments are isolated from production at the infrastructure level. An agent working in staging cannot reach production even if it tried.

This costs us about half a sprint day to set up properly at the start of every engagement. We do it anyway because the alternative is indefensible.

Why this actually matters

Here is the thing that does not get said clearly enough: when you send data to an AI model, that data is no longer only in your environment.

Most major AI providers have reasonable data handling policies. Some offer enterprise contracts with stronger guarantees. But even the best policies say something like “we may use inputs to improve our models” or “inputs may be reviewed for safety purposes.” The specific language varies. The general principle does not: your data has left your system.

For synthetic test data, this is a non-issue. For real user records — names, emails, payment details, health data, whatever your product handles — it is a material compliance and contractual risk. Your users did not consent to their data entering a third-party AI system. In most privacy frameworks, that matters.

What we use in staging instead

Every project starts with a seeding script that generates realistic but completely synthetic test data. Names are pulled from randomisation libraries. Email addresses route to Mailtrap or a test inbox. Payment details use Stripe test cards. The data looks close enough to real that agents can work with it meaningfully, but it is not connected to any actual person.

For testing scenarios that need edge cases — unusual characters in names, addresses in different countries, large dataset volumes — we build those into the seed rather than importing real records. It takes more upfront effort. It removes a category of risk permanently.
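
The seeding approach described above, as an added example (not WizQuest's own script): it builds users deterministically with edge-case names, addresses on a reserved `.test` domain and Stripe's Visa test card number, then checks that no row breaks the synthetic-only rule. The field names, name pools, country list and domain are assumptions made for illustration.

```python
import random

# Assumptions (not from the original post): field names, name pools and the
# reserved .test domain (RFC 2606) are illustrative choices.
TEST_DOMAIN = "staging.example.test"
STRIPE_TEST_CARD = "4242424242424242"  # Stripe's documented Visa test number
# Constructed edge cases: diacritics, apostrophes, hyphens, spaces, non-Latin scripts
FIRST = ["Ana", "Liam", "Zoë", "Nguyễn", "Seán", "李", "Anne-Marie"]
LAST = ["O'Brien", "Müller", "García López", "Đặng", "Smith", "van der Berg", "王"]
COUNTRIES = ["IE", "DE", "ES", "VN", "US", "NL", "CN"]


def make_user(rng, idx):
    """Build one synthetic user; nothing here derives from real records."""
    return {
        "id": idx,
        "name": f"{rng.choice(FIRST)} {rng.choice(LAST)}",
        # Address comes from the index, not the name, so it is unique and ASCII
        "email": f"user{idx:06d}@{TEST_DOMAIN}",
        "country": rng.choice(COUNTRIES),
        "card_number": STRIPE_TEST_CARD,
    }


def seed_users(count, seed=1234):
    """Deterministic seed: the same seed yields the same dataset on every run."""
    rng = random.Random(seed)
    return [make_user(rng, i) for i in range(1, count + 1)]


def violations(rows):
    """Return ids of rows that break the synthetic-only rule (expected: none)."""
    bad = []
    for row in rows:
        email_ok = row["email"].endswith("@" + TEST_DOMAIN)
        card_ok = row["card_number"] == STRIPE_TEST_CARD
        if not (email_ok and card_ok):
            bad.append(row["id"])
    return bad


if __name__ == "__main__":
    users = seed_users(5)
    assert violations(users) == []  # refuse to load a seed that fails the check
    for user in users:
        print(user)
```

Running `violations` over the rows before loading them into staging makes an accidental import of non-synthetic records fail loudly instead of silently reaching an agent's context.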

The question to ask your current agency

If you are working with any development agency that uses AI tools in their process — and in 2025 virtually all of them do, whether they mention it or not — ask them this specific question: “Can you describe your documented SOP for AI agent access to client data?”

If they cannot answer it clearly, that tells you something. If their answer involves anything that could touch production, that is a conversation worth having before your next sprint starts.

I am not saying every agency without a written SOP is being reckless. Many are using AI responsibly without having formalised it. But formalising it is what makes it consistent — and consistency is what prevents the incident where someone was in a hurry and made an exception.