SecureMCP: A Policy-Enforced LLM Data Access Framework for AIoT Systems via Model Context Protocol

📅 2026-05-06
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses the vulnerability of LLM-generated SQL queries in AIoT systems to prompt injection attacks, which can lead to unauthorized data access or destructive operations, exacerbated by the absence of fine-grained access control in existing approaches. To mitigate this, the paper proposes the first multi-layer defense framework that deeply integrates Role-Based Access Control (RBAC) into the MCP architecture, establishing a sequential fail-closed defense pipeline tailored against six categories of prompt injection attacks. The framework enforces table- and column-level granular policies through five coordinated modules: check_policy, explain_gate, SQL Interceptor, Risk Level Filter, and DB Isolation, with attack scenarios mapped according to OWASP Top 10 for LLM. Experimental results on the IoT-SQL dataset demonstrate that the system maintains query accuracy between 65.1% and 76.4%, achieves an 82.3% policy compliance rate, and exhibits a low real-world defense failure rate of only 3.4%, with the check_policy module accounting for 78.7% of all interceptions.
📝 Abstract
The deployment of Large Language Model (LLM)-generated SQL queries in Artificial Intelligence of Things (AIoT) systems introduces critical security risks, as prompt injection attacks can manipulate LLMs into producing unauthorized queries that expose sensitive data or execute destructive operations. Existing NL2SQL research focuses on query accuracy, while MCP server implementations provide only SQL-level protections without fine-grained role-based access control. This paper proposes SecureMCP, a policy-enforced LLM data access framework integrating Role-Based Access Control (RBAC) with an MCP server to establish multi-layer defense for LLM-generated SQL execution. The framework incorporates five defense modules -- check_policy for table-and-column-level RBAC, explain_gate for cost-explosive query blocking, SQL Interceptor for dangerous pattern detection, Risk Level Filter for SQL risk classification, and DB Isolation for cross-database restriction -- operating in a sequential fail-closed pipeline mapped to six prompt injection types grounded in the OWASP Top 10 for LLM Applications. We evaluate SecureMCP on the IoT-SQL dataset (11 tables, 173 columns, 239,398 records) using Qwen3-8B. Experiment A demonstrates that defense modules preserve execution accuracy, with EX-in-ALLOW remaining within 65.1%-76.4% across four RBAC roles, matching the unprotected baseline of 63.8%. Experiment B shows that SecureMCP achieves 82.3% Policy Compliance on 2,400 adversarial queries, with genuine defense failures limited to 3.4%. The defense-in-depth analysis reveals check_policy accounts for 78.7% of blocks, while secondary modules contribute an additional 17.5 percentage-point improvement. The Injection Incorporation Rate of 72.5% confirms high LLM susceptibility, establishing the necessity of external policy enforcement.
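To make the fail-closed pipeline concrete, here is an added illustration (not the paper's code) of three of the described stages in Python: a SQL Interceptor for dangerous patterns, DB Isolation for cross-database references, and check_policy for table- and column-level RBAC. The role policy, table names, stage order and the tiny SELECT parser are all assumptions; explain_gate and the Risk Level Filter are omitted because they need a live database and a risk taxonomy the abstract does not give.

```python
import re

# Constructed role policy (assumption, not the paper's policy format):
# role -> table -> allowed columns; "*" means every column. Anything absent is denied.
POLICY = {
    "analyst": {"sensor_readings": {"device_id", "temperature", "ts"}},
    "admin":   {"sensor_readings": {"*"}, "devices": {"*"}},
}
ALLOWED_DB = "iot"  # the only database any role may reference (constructed name)
# Interceptor patterns: write/DDL verbs, stacked statements and comment markers.
DANGEROUS = re.compile(r"\b(DROP|DELETE|UPDATE|INSERT|ALTER|TRUNCATE|GRANT|EXEC)\b|;.|--|/\*", re.I)
SQL_KEYWORDS = {"AND", "OR", "NOT", "NULL", "IS", "IN", "LIKE", "BETWEEN", "TRUE", "FALSE"}
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+([\w.]+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$", re.I | re.S)

def parse_select(sql):
    """Minimal parser for 'SELECT cols FROM [db.]table [WHERE ...]'.
    Returns (db, table, referenced identifiers) or None if the shape is not recognised."""
    m = SELECT_RE.match(sql)
    if not m:
        return None
    cols, target, where = m.groups()
    db, _, table = target.rpartition(".")
    idents = {c.strip() for c in cols.split(",")}
    if where:
        # identifiers in the predicate count as column access; drop string literals and keywords
        stripped = re.sub(r"'[^']*'", "", where)
        idents |= {t for t in re.findall(r"\b[A-Za-z_]\w*\b", stripped) if t.upper() not in SQL_KEYWORDS}
    return db or ALLOWED_DB, table, idents

def check_policy(role, table, columns):
    """Table- and column-level RBAC. Unknown role, table or column (including '*') is denied."""
    allowed = POLICY.get(role, {}).get(table)
    if allowed is None:
        return f"table '{table}' not permitted for role '{role}'"
    if "*" in allowed:
        return None
    extra = columns - allowed
    return f"columns {sorted(extra)} not permitted for role '{role}'" if extra else None

def guard(role, sql):
    """Sequential fail-closed pipeline: the first stage that objects blocks the query."""
    if DANGEROUS.search(sql):
        return ("blocked", "sql_interceptor", "dangerous pattern")
    parsed = parse_select(sql)
    if parsed is None:
        return ("blocked", "sql_interceptor", "only a single plain SELECT is accepted")
    db, table, columns = parsed
    if db != ALLOWED_DB:
        return ("blocked", "db_isolation", f"cross-database reference '{db}'")
    reason = check_policy(role, table, columns)
    if reason:
        return ("blocked", "check_policy", reason)
    return ("allowed", None, None)
```

Because every stage denies on anything it cannot positively recognise, an LLM-generated query that is merely unusual is blocked rather than passed through, which is the trade-off behind the accuracy-versus-compliance figures quoted above.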
Problem

Research questions and friction points this paper is trying to address.

prompt injection
LLM security
RBAC
NL2SQL
AIoT
Innovation

Methods, ideas, or system contributions that make the work stand out.

Role-Based Access Control
Prompt Injection Defense
Model Context Protocol
NL2SQL Security
Defense-in-Depth