Agentic AI Security: Snowflake's Data-Model-Agent Framework

Snowflake introduced a Data-Model-Agent security framework to govern agentic AI, addressing risks from autonomous actions on enterprise data. The framework enforces least privilege, data masking, and prompt injection defenses across data, model, and agent layers.

AI agents are changing the enterprise security equation. An agent goes beyond responding to questions to actually take actions and execute tasks on your behalf. As part of that process, it may query sensitive data, call tools, trigger workflows, write code, change configurations and move information across systems at high scale and speed. That is what makes agentic AI so powerful — and difficult for traditional security models to handle. Enterprise security teams are no longer asking, "Can we provide people access to AI?" Now they're asking, "How do we make sure AI agents are executing tasks safely and on behalf of the business?" At Snowflake, we believe the answer starts with a simple principle: agentic AI must be governed where enterprise data, context and controls already live. Security cannot be bolted on after an agent is deployed. It has to be built into the model, the agent runtime and the data layer from the start. That is the foundation of Snowflake’s Data-Model-Agent security framework. Why agentic AI needs a new security model Agents introduce a new class of risk because they combine reasoning, data access and action. An agent may read a document, interpret a request, query data, call a third-party tool, generate code or recommend an operational change all in one workflow. Each step creates a potential control point and each tool call expands the potential blast radius from a misstep. Agents’ actions need to be attributable, governed and recoverable. This is why security leaders must ask the tough yet necessary questions: - Can we distinguish agent actions from human actions? - Can agents be limited to only the tools and data they need? - Can we stop sensitive information from leaving approved boundaries? - Can we defend against prompt injection? - Can high-risk actions require approval? - Can we audit what happened after the fact? These are not edge cases. They are the requirements for putting AI agents into production. The Data-Model-Agent framework Snowflake’s approach organizes agentic security into three layers: The data layer, first and foremost, enforces least privilege, masking, data movement controls, sovereignty, resilience and compliance measures where the data lives. The model layer protects the intelligence engine from manipulation and keeps execution inside the customer’s security boundary. The agent layer governs agent behavior, tools, identity, approvals and auditability as agents take action. This three-layer framework matters because agentic AI is not secured by any one feature; it requires defense in depth across the full workflow. Protect the data: Governance still starts at the foundation AI doesn't change the rules of data security: If the data foundations have weaknesses, AI will expose them. The same foundational controls that matter for analytics — role-based access control, masking, encryption, network policies and auditability — become even more important when agents can act autonomously. Snowflake’s data governance model is built around least privilege, meaning agents should only access the data required for their task. Sensitive information should be masked or restricted before it ever reaches a model response, and data movement should be controlled so sensitive information is restricted from leaving approved boundaries. This is also where Snowflake’s zero-copy architecture matters. Zero-copy is not about pretending that latency, geography or system boundaries do not exist. It is about reducing unnecessary copies, limiting data sprawl, preserving regional sovereignty and keeping governance attached to the data. The more copies an organization creates for AI, the more policies it has to duplicate, monitor and reconcile. Fewer copies mean fewer places for sensitive data to leak, which makes for a stronger security posture. Secure the model: Protect against manipulation Prompt injection is one of the defining threats of agentic AI. Direct prompt injection happens when a user tries to manipulate the model into ignoring instructions. Indirect prompt injection is more dangerous: an agent reads an external source such as a webpage, PDF, ticket or document that contains hidden malicious instructions. The agent may treat those instructions as legitimate and act on them downstream. That is why model protection has to be a top-level control. The goal is straightforward: Protect the model from manipulation, and protect enterprise data from unnecessary movement. Snowflake Horizon AI Guardrails https://docs.snowflake.com/en/user-guide/snowflake-cortex/cortex-ai-guardrails are designed to help defend against both known and emerging prompt injection attacks by adding a governance layer between user intent, model reasoning and execution. Account administrators can enable advanced prompt injection guardrails in minutes using a simple account-level configuration, no infrastructure changes or custom middleware required. Just as important, Snowflake’s architecture keeps AI close to governed enterprise data, helping customers avoid unnecessary exposure to external model providers when privacy and control are paramount. Govern the agent: Identity, tools and action Once a model can use tools, it becomes an actor in the enterprise. Without distinct agent identity, machine actions can disappear into human logs, making it difficult to understand what happened, who or what initiated an action, and how to remediate it. Snowflake’s approach gives AI agents distinct, auditable identities so operations can be attributed to the agent that performed them. Queries, API calls and tool invocations should be visible, reviewable and governed. Tool governance is equally critical. The moment an agent connects to SaaS applications, APIs or MCP tools, the security perimeter expands. Administrators need to know which agents can call which tools, under what conditions and with what permissions. With Snowflake’s integration of Natoma https://www.snowflake.com/en/blog/snowflake-acquire-natoma-governed-agentic-access/ , enterprises can govern MCP tool usage through a centralized gateway giving the teams control and visibility into who requested the action, what permissions they have and whether the action is allowed. The platform provides a way to implement least privilege, observe tool activity and apply consistent controls across the broader agentic stack, not just inside Snowflake. It also comes built in with more than 100 MCP servers and 10,000 tools. It removes the need for employees to deploy shadow AI open source servers. For code-generating agents, isolation also matters. Agents should be powerful enough to do the job but not operate without guardrails. Snowflake supports sandboxed environments for locally running agents, helping restrict access to the file system and network and reducing blast radius by design. Day 2 security: From deployment to continuous control Getting an agent into production is only the beginning. Enterprises also need to monitor, detect, remediate and recover. Snowflake Trust Center https://trust.snowflake.com/ brings security posture management closer to the workloads it protects. AI Security Posture Management helps teams identify vulnerabilities in AI workloads while keeping analysis within the customer’s trusted boundary. Data movement policies help prevent sensitive data from leaving approved environments. High-confidence signals can alert teams to suspicious data movement patterns. Snowflake also helps operationalize security through AI-assisted remediation and compliance workflows. Instead of manually stitching together evidence for audits or security reviews, teams can generate richer reports and take action faster. For highly sensitive operations, Snowflake supports multi-party approval and business justification , helping protect against rogue admin scenarios or compromised credentials. And for resilience, capabilities such as WORM write once, read many backups, point-in-time recovery and cross-region replication help support recovery if something goes wrong. Security is the path to agentic AI at scale Trust is foundational to the agentic enterprise. It must be woven into every aspect of data infrastructure from the ground up so that agents can reason and act across systems while sensitive data remains protected and governance policies remain in force. That is why Snowflake’s approach to agentic security starts with the full workflow: protect the data, secure the model and govern the agent. When those controls live close to enterprise data and context, organizations can balance innovation and security. They can move from prototype to production with confidence and put AI agents to work where they belong: inside the governed enterprise. Accelerate your agentic transformation safely Learn how Snowflake helps enterprises secure and govern AI agents with Horizon Catalog, Trust Center and the Data-Model-Agent security framework. Start your AI transformation journey by trying Snowflake for yourself https://signup.snowflake.com/ , and check out our latest announcements https://www.snowflake.com/en/blog/enterprise-ai-security/ .