We do something similar in adaptive [1].

What you can also do is add frontend and backend user to the proxy and then agents won't ever get the actual db user and password. You can make it throwaway too as well as just in time if you want.

Traditionally it was database activity monitoring which kind of fell out of fashion, but i think it is going to be back with advent of agents.

[1] https://adaptive.live