Agentic AI Security: New Risks and Controls in the Databricks AI Security Framework (DASF v3.0)

2026-03-20 · Source: Databricks · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, quick

Summary

Databricks has released an extension to its AI Security Framework (DASF) to address the unique risks posed by autonomous AI agents that can "do" things, such as querying databases and executing code, rather than just "say" things. This update introduces 35 new agentic AI security risks and 6 mitigation controls, including least privilege and sandboxing, expanding the framework to 97 risks and 73 controls. The extension provides guidance for securing agent reasoning, memory, tool usage, Model Context Protocol (MCP) interactions, and multi-agent system communication threats. It highlights critical risks such as "Discovery and Traversal" and the "Lethal Trifecta," where agents with access to sensitive systems and untrustworthy inputs can be exploited as "confused deputies." These additions aim to help organizations deploy AI agents safely while maintaining governance, observability, and defense-in-depth security.

Key takeaway

Databricks has released an Agentic AI Extension to its DASF, providing critical security guidance for autonomous AI agents that take actions. It introduces 35 new risks and 6 controls, addressing agent reasoning, memory, tool usage via Model Context Protocol (MCP), and multi-agent systems, including the "Lethal Trifecta" conditions. This enables AI/ML professionals to safely deploy and govern agents by mitigating threats like memory poisoning and client-side code execution, ensuring defense-in-depth security.

Topics

• AI Agent Security
• Databricks DASF
• Model Context Protocol
• Multi-Agent Systems
• Prompt Injection

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Security Engineer, MLOps Engineer, AI Engineer

Related on AIssential

• The AI Agent Security Surface: What Gets Exposed When You Add Tools and Memory — AI agents introduce four distinct attack surfaces requiring a new security paradigm beyond traditional LLM prompt defenses.
• MCPs: The USB Ports of AI — MCPs standardize AI-tool integration, enabling complex workflows but introducing significant security vulnerabilities.
• Cursor's Third Era: Cloud Agents — Cursor has launched "cloud agents" for "Computer Use", marking a significant shift in AI coding from "tab autocomplete" to more "agentic workflows" where AI operates within full virtual machines.
• FastMCP with Adam Azzam and Jeremiah Lowin — FastMCP 3.1's "code mode" enables LLMs to execute programs against MCP tools in a secure server-side sandbox, boosting efficiency.
• Apr 9, 2026PolicyTrustworthy agents in practice — AI agents offer enhanced autonomy and productivity but necessitate robust governance frameworks to mitigate inherent risks.
• AI Agents, Tools, MCP, and Skills: The Core, The Embellishment, and The Gimmick — AI agent development requires distinguishing core components like Agents and Tools from less practical elements like MCP.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Databricks.