Imagine an AI system that doesn't just answer questions but independently plans tasks, calls external tools, queries databases, and performs actions without human intervention at every step. This is agentic AI – and it's precisely what is at the center of the security conversation today.
Databricks recently released an updated version of its security framework for AI systems – DASF 3.0 (Databricks AI Security Framework), supplementing it with a special section dedicated to agentic systems. This document is an attempt to systematize the risks that arise when AI starts to act, not just respond.
What is Agentic AI and How Does It Differ from Regular Models?
A standard language model operates on a simple principle: you ask a question, and it provides an answer. Everything happens within a single exchange, and the human always controls every step.
Agentic AI is structured differently. Simply put, it's a system that is given a goal – and it independently breaks it down into steps to achieve it. Along the way, it can access external data sources, launch other tools, delegate tasks to subordinate agents, and perform actions in the real world: sending emails, modifying database records, or making service requests. The human, in this process, might not be involved in the intermediate steps at all.
It is this very autonomy that creates new risks. When a system acts on its own, the «input → response» chain transforms into a complex network of decisions and actions, where something can go wrong at any stage.
What Can Go Wrong – and Why It's Not Obvious
Traditional AI security often boils down to one question: «Will the model produce something harmful in its response?» With agentic systems, the question becomes more complex.
First, an agent can retrieve data from external sources – web pages, documents, or search results. This data might contain a hidden instruction that forces the agent to act against the user's interests. This is called a prompt injection – an attack where malicious text in the input data takes control of the agent's behavior. To put it simply: someone can «embed» a command in a document that the agent processes, and it will execute it unknowingly.
Second, agentic systems often consist of multiple components that communicate with each other. Each such transition is a potential vulnerability. One agent might pass data to another, which the latter could interpret as an instruction.
Third, an agent can have access to tools with real-world consequences. If it makes the wrong decision – or is deliberately misled – the consequences can be very tangible: deleted files, sent messages, or altered data.
Finally, agentic systems remember context within a session, and sometimes between sessions. This means that one successful «hack» of an agent's behavior can influence all subsequent actions.
What DASF 3.0 Proposes
The Databricks framework doesn't invent entirely new security concepts – it adapts well-established principles to the specifics of agentic systems.
The central idea is the principle of least privilege. An agent should only have access to what is absolutely necessary for a specific task. If an agent is assisting with data analysis, it doesn't need rights to change the system configuration. This sounds obvious, but in practice, agents are often given excessive permissions «just in case» – and this is precisely what becomes a point of vulnerability.
A second key element is human oversight. This is especially crucial for high-risk actions: before an agent does something irreversible, the system should request confirmation. This doesn't mean a human must approve every single step – but critical points must be under control.
The third principle is observability and logging. If an agent makes decisions on its own, it must be possible to reconstruct its chain of reasoning and actions. Without this, it's impossible to either investigate an incident or improve the system.
Separately, the framework highlights the importance of input validation. An agent should not blindly trust what it receives from external sources – whether it's a search result, the content of a document, or a response from another agent. Mechanisms are needed to distinguish legitimate instructions from potentially malicious ones.
Why Now?
Agentic systems are no longer an experiment – they are being increasingly integrated into real-world workflows. And this creates an interesting paradox: the more useful an agent becomes, the more access it needs – and the higher the stakes in case of an error or attack.
Previously, AI security was mainly concerned with the quality of a model's responses. Now, it's about the system's actions in a real environment. This is a fundamentally different level of responsibility – and the industry is only just beginning to develop common approaches to it.
DASF 3.0 is not a universal recipe or a mandatory standard. It's an attempt to structure what many teams are currently experiencing firsthand: how to make agentic AI useful without turning it into a security hole.
What Remains Unanswered
An honest conversation about the security of agentic systems is impossible without acknowledging that many questions remain unresolved.
How can we reliably defend against data-driven injections if an agent, by its nature, must trust external sources? Where is the line between useful autonomy and dangerous independence? How do you audit the behavior of a system that might be performing dozens of tasks in parallel?
As of now, no one has the final answers. Different companies are experimenting with various approaches – and frameworks like DASF are more about documenting the industry's current thinking than offering a complete solution.
This isn't a cause for alarm – it's a normal stage in the development of any technology. First come the opportunities, then the understanding of the risks, and finally, the tools to manage them. With agentic AI, we are somewhere between the second and third stages. And documents like DASF 3.0 are part of this forward movement.
