{"slug": "from-optimization-to-protection-adding-a-security-and-governance-agent-to-your-3", "title": "From Optimization to Protection: Adding a Security and Governance Agent to Your Snowflake Multi-Agent Team (Part 3)", "summary": "A developer built a Security and Governance Agent as the third specialist in a multi-agent team for Snowflake administration, adding the ability to answer security-related questions. The agent uses specialized views over Snowflake's account usage data and Cortex Analyst tools to detect login anomalies, excessive privileges, unauthorized access attempts, and user-role audits. The orchestrator routes security questions to this agent, enabling a unified response for operations, cost optimization, and security governance.", "body_md": "In [Part 1](https://dev.to/swaroop_krishna_e2f4b83b2/ask-your-snowflake-account-anything-build-an-ai-admin-agent-with-cortex-github-copilot-1mk6), we built an Admin Agent for usage and cost visibility.\n\nIn [Part 2](https://dev.to/swaroop_krishna_e2f4b83b2/from-one-agent-to-many-building-a-multi-agent-team-for-snowflake-administration-part-2-379d), we added a Cost Optimizer Agent and an Orchestrator that routes questions to specialists.\n\nNow we close the loop with the third specialist: a **Security and Governance Agent**.\n\nThis turns your assistant from \"what happened\" and \"what to optimize\" into a full team that also answers \"what is risky right now\".\n\nBy the end of this post, you will have:\n\nThe first two agents are strong for operations and spend, but security requires a different lens:\n\nCould one large agent do everything? Sometimes. But specialized agents are easier to maintain, safer to evolve, and easier to test.\n\n```\nUser Question (natural language)\n        |\n  Orchestrator Agent\n   /      |        \\\nAdmin   Cost     Security\nAgent  Optimizer Governance\n                 Agent\n        \\    |    /\n      Unified Response\n```\n\nCreate security-focused views over `SNOWFLAKE.ACCOUNT_USAGE`\n\n, including:\n\nImplementation file:\n\n`sql/08_create_security_governance_views.sql`\n\nMap these views into natural language dimensions, facts, and metrics so Cortex Analyst can reason over them.\n\nExamples:\n\n`SV_LOGIN_ANOMALIES`\n\n`SV_EXCESSIVE_PRIVILEGES`\n\n`SV_UNAUTHORIZED_ACCESS_ATTEMPTS`\n\n`SV_USER_ROLE_AUDIT`\n\nImplementation file:\n\n`sql/09_create_security_governance_semantic_views.sql`\n\nDefine a dedicated agent with explicit analyst tools for each security domain:\n\n```\nCREATE OR REPLACE AGENT <APP_DB>.<APP_SCHEMA>.<SECURITY_AGENT_NAME>\n  COMMENT = 'Security and Governance agent for access control and compliance'\n  FROM SPECIFICATION\n  $$\n  instructions:\n    response: \"You are a Security and Governance assistant...\"\n    orchestration: \"Route role hierarchy questions to RoleHierarchyAnalyst; \\\n                   privilege grants to PrivilegeGrantAnalyst; \\\n                   failed logins to FailedLoginAnalyst; \\\n                   login anomalies to LoginAnomalyDetector...\"\n\n  tools:\n    - tool_spec: { type: \"cortex_analyst_text_to_sql\", name: \"RoleHierarchyAnalyst\" }\n    - tool_spec: { type: \"cortex_analyst_text_to_sql\", name: \"PrivilegeGrantAnalyst\" }\n    - tool_spec: { type: \"cortex_analyst_text_to_sql\", name: \"FailedLoginAnalyst\" }\n    - tool_spec: { type: \"cortex_analyst_text_to_sql\", name: \"LoginAnomalyDetector\" }\n    - tool_spec: { type: \"cortex_analyst_text_to_sql\", name: \"ExcessivePrivilegeAnalyst\" }\n    - tool_spec: { type: \"cortex_analyst_text_to_sql\", name: \"UnauthorizedAccessAnalyst\" }\n    - tool_spec: { type: \"cortex_analyst_text_to_sql\", name: \"UserAuditAnalyst\" }\n  $$;\n```\n\nImplementation file:\n\n`sql/11_create_security_governance_agent.sql`\n\nYour orchestrator now includes `SecurityAgent`\n\nas a first-class route target.\n\n```\n-- in sql/12_create_orchestrator_agent.sql\n-- Questions about security, roles, privileges, failed logins, unauthorized access -> SecurityAgent\n```\n\nIt can also fan out to multiple agents for blended questions.\n\nQuestion:\n\n\"Are there suspicious login failures in the last 7 days?\"\n\nWhat happens:\n\n`SV_LOGIN_ANOMALIES`\n\nExample response:\n\n```\nLogin Anomaly Summary (Last 7 Days)\n\nCritical: 2 users with >= 10 failed attempts/hour\nHigh: 5 users with 5-9 failed attempts/hour\nPattern: Multiple failed attempts from distinct IPs for USER_X\n\nRecommendation:\n- Lock and verify impacted accounts\n- Enforce MFA re-registration for affected users\n- Review network policy and source IP ranges\n```\n\nQuestion:\n\n\"Which users have ACCOUNTADMIN or SECURITYADMIN but low recent usage?\"\n\nWhat happens:\n\n`SV_EXCESSIVE_PRIVILEGES`\n\nExample response:\n\n```\nExcessive Privilege Findings\n\nUsers flagged: 4\nCritical: 2 users with no privileged role usage in 60+ days\nHigh: 2 users with < 5 privileged queries in 90 days\n\nRecommendation:\n- Revoke unused privileged grants\n- Replace standing privilege with just-in-time elevation\n- Document business justification for remaining elevated users\n```\n\nQuestion:\n\n\"Why are costs up and is there any security risk around this?\"\n\nWhat happens:\n\nExample response:\n\n```\nIntegrated Account Assessment\n\nOperations (Admin Agent)\n- Compute credits up 18% month-over-month\n- Growth concentrated in two ETL warehouses\n\nOptimization (Cost Optimizer Agent)\n- Idle percentage > 60% on one ETL warehouse\n- Suggested AUTO_SUSPEND change could reduce waste materially\n\nSecurity (Security Agent)\n- One privileged user inactive but still assigned elevated role\n- Increased failed login attempts from multiple IPs for two accounts\n\nPriority Actions\n1) Apply warehouse auto-suspend tuning\n2) Review elevated role assignments and revoke unused grants\n3) Investigate failed-login anomalies and tighten network controls\n```\n\nIf you already deployed Parts 1 and 2:\n\n```\n# 1) Security views\nsql/08_create_security_governance_views.sql\n\n# 2) Security semantic layer\nsql/09_create_security_governance_semantic_views.sql\n\n# 3) Security agent\nsql/11_create_security_governance_agent.sql\n\n# 4) Orchestrator (includes SecurityAgent routing)\nsql/12_create_orchestrator_agent.sql\n```\n\nDirect test:\n\n```\nSELECT SNOWFLAKE.CORTEX.DATA_AGENT_RUN(\n  '<APP_DB>.<APP_SCHEMA>.<SECURITY_AGENT_NAME>',\n  '{\"messages\":[{\"role\":\"user\",\"content\":[{\"type\":\"text\",\"text\":\"Show failed login anomalies by severity\"}]}]}'\n);\n```\n\nOrchestrated test:\n\n```\nSELECT SNOWFLAKE.CORTEX.DATA_AGENT_RUN(\n  '<APP_DB>.<APP_SCHEMA>.<ORCHESTRATOR_AGENT_NAME>',\n  '{\"messages\":[{\"role\":\"user\",\"content\":[{\"type\":\"text\",\"text\":\"Analyze account risk: costs, idle warehouses, and failed logins\"}]}]}'\n);\n```\n\n`SNOWFLAKE.ACCOUNT_USAGE`\n\nviews have latency. For near-real-time incident response, combine this with event-driven telemetry.`<APP_DB>.<APP_SCHEMA>`\n\n`<EXEC_WAREHOUSE>`\n\n`<ADMIN_ROLE>`\n\n, `<DEVELOPER_ROLE>`\n\nAfter Part 3, you have a complete multi-agent Snowflake administration team:\n\nThis is where multi-agent design pays off: each specialist stays focused, and users still ask one simple question.\n\n`sql/08_create_security_governance_views.sql`\n\n`sql/09_create_security_governance_semantic_views.sql`\n\n`sql/11_create_security_governance_agent.sql`\n\n`sql/12_create_orchestrator_agent.sql`\n\n`skills/security-governance/SKILL.md`\n\nComplete implementation:\n\nPart 1 gave us visibility.\n\nPart 2 gave us optimization.\n\nPart 3 gives us governance and risk control.\n\nSame architecture pattern, broader coverage:\n\n**Views -> Semantic Views -> Specialist Agent -> Orchestrator**\n\nNext directions:\n\nQuestions or feedback? Drop a comment below.\n\nPart 1: [Ask Your Snowflake Account Anything - Build an AI Admin Agent](https://dev.to/swaroop_krishna_e2f4b83b2/ask-your-snowflake-account-anything-build-an-ai-admin-agent-with-cortex-github-copilot-1mk6)\n\nPart 2: [From One Agent to Many - Building a Multi-Agent Team](https://dev.to/swaroop_krishna_e2f4b83b2/from-one-agent-to-many-building-a-multi-agent-team-for-snowflake-administration-part-2-379d)\n\nPart 3: Security and Governance Agent (this post)", "url": "https://wpnews.pro/news/from-optimization-to-protection-adding-a-security-and-governance-agent-to-your-3", "canonical_source": "https://dev.to/swaroop_krishna_e2f4b83b2/from-optimization-to-protection-adding-a-security-and-governance-agent-to-your-snowflake-369f", "published_at": "2026-07-09 21:26:01+00:00", "updated_at": "2026-07-09 21:35:40.086568+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-agents", "ai-tools", "ai-infrastructure", "developer-tools"], "entities": ["Snowflake", "Cortex Analyst", "Security and Governance Agent", "Admin Agent", "Cost Optimizer Agent", "Orchestrator Agent"], "alternates": {"html": "https://wpnews.pro/news/from-optimization-to-protection-adding-a-security-and-governance-agent-to-your-3", "markdown": "https://wpnews.pro/news/from-optimization-to-protection-adding-a-security-and-governance-agent-to-your-3.md", "text": "https://wpnews.pro/news/from-optimization-to-protection-adding-a-security-and-governance-agent-to-your-3.txt", "jsonld": "https://wpnews.pro/news/from-optimization-to-protection-adding-a-security-and-governance-agent-to-your-3.jsonld"}}