Databricks just published the most comprehensive open security framework for agentic AI to date. DASF v3.0 adds 35 new risks and 6 new controls specifically for autonomous AI agents — covering agent reasoning, memory manipulation, MCP server/client threats, and multi-agent system attacks.

The total framework now catalogs 97 risks and 73 controls, mapped to MITRE ATLAS, OWASP, NIST, and Cloud Security Alliance standards. It’s freely available as a whitepaper and spreadsheet.

Why This Matters Now

Databricks customers are already deploying agents that query databases, call external APIs, execute code, and coordinate with other agents. The teams responsible for those deployments keep asking the same question: what happens when the AI can do things, not just say things?

Traditional AI security assumes read-only patterns — a RAG pipeline retrieves data and generates text. Agents break that assumption by taking actions with real-world consequences. DASF v3.0 addresses this shift directly.

The Lethal Trifecta

Databricks references Meta’s “Agents Rule of Two” and Simon Willison’s “Lethal Trifecta” to define when agent risk spikes, namely when three conditions are present at the same time:

  1. Access to sensitive systems or private data
  2. Processing untrustworthy inputs (user prompts, external websites, incoming emails)
  3. Ability to change state or communicate externally (sending emails, executing SQL, modifying code)

With all three present, an indirect prompt injection embedded in untrusted data can hijack the agent’s full capability set — creating a “confused deputy” that performs authorized actions with malicious intent. Remove any single leg and you break the attack chain.

The 35 New Risks

Organized around how agents actually work:

Agent Core (Brain and Memory) — Component 13A

  • Memory Poisoning (Risk 13.1): False context injected into agent memory alters current or future decisions
  • Intent Breaking & Goal Manipulation (Risk 13.6): Coercing agents into deviating from objectives
  • Cascading Hallucination Attacks (Risk 13.5): Minor errors compound across multi-turn loops into destructive actions

MCP Server Risks (Tool Interface) — Component 13B

  • Tool Poisoning (Risk 13.18): Injecting malicious behavior into tool definitions
  • Prompt Injection in Tool Descriptions (Risk 13.16): Bypassing security controls via tool metadata
  • These risks directly complement the OWASP findings and the MCP SSRF research

MCP Client Risks (Connection Layer) — Component 13C

  • Malicious Server Connection (Risk 13.26): Agent connects to attacker-controlled MCP server
  • Client-Side Code Execution (Risk 13.32): Exploitation through unvalidated server responses
  • Data Leakage (Risk 13.30): Sensitive data exfiltrated through MCP client connections

Multi-Agent Dynamics

  • Agent Communication Poisoning (Risk 13.12): Corrupted inter-agent messages
  • Rogue Agents (Risk 13.13): Agents operating outside monitoring boundaries in multi-agent systems

The 6 New Controls

Least Privilege for Tools (DASF 5, 57, 64): Granular permissions scoped to the immediate task. Just because an agent can call the HR Metrics Tool doesn’t mean it should when answering a sales query.
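To make the trifecta condition above and task-scoped tool grants concrete, here is an added Python example; it is not part of DASF or of this post, and the tool catalogue, task categories and capability flags are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed tool catalogue, an assumption for this example (not from DASF).
# The three boolean legs mirror the "lethal trifecta" conditions above.
@dataclass(frozen=True)
class Tool:
    name: str
    private_data: bool = False       # leg 1: reaches sensitive systems or private data
    untrusted_input: bool = False    # leg 2: ingests content from outside the trust boundary
    external_effect: bool = False    # leg 3: changes state or communicates externally
    scopes: frozenset = frozenset()  # task categories this tool is approved for

CATALOGUE = [
    Tool("hr_metrics", private_data=True, scopes=frozenset({"hr"})),
    Tool("crm_lookup", private_data=True, scopes=frozenset({"sales"})),
    Tool("ticket_db", private_data=True, scopes=frozenset({"support"})),
    Tool("web_fetch", untrusted_input=True, scopes=frozenset({"sales", "support"})),
    Tool("send_email", external_effect=True, scopes=frozenset({"hr"})),
    Tool("post_reply", external_effect=True, scopes=frozenset({"support"})),
]

LEGS = ("private_data", "untrusted_input", "external_effect")

def legs_present(tools):
    """Set of trifecta legs covered by at least one granted tool."""
    return {leg for leg in LEGS if any(getattr(t, leg) for t in tools)}

def is_lethal(tools):
    """True when all three legs are reachable from a single grant."""
    return legs_present(tools) == set(LEGS)

def scope_tools(catalogue, task):
    """Least-privilege grant: only tools approved for this task category."""
    return [t for t in catalogue if task in t.scopes]

def assess(catalogue, task):
    """Compare a blanket grant of the whole catalogue with a task-scoped grant."""
    scoped = scope_tools(catalogue, task)
    return {
        "task": task,
        "broad_grant_lethal": is_lethal(catalogue),
        "scoped_tools": sorted(t.name for t in scoped),
        "scoped_grant_lethal": is_lethal(scoped),
        "legs_removed": sorted(legs_present(catalogue) - legs_present(scoped)),
    }

if __name__ == "__main__":
    for task in ("sales", "hr", "support"):
        print(assess(CATALOGUE, task))
```

The support task shows the caveat: when one task legitimately needs all three legs, scoping alone does not break the chain, and the human-in-the-loop and sandboxing controls below have to carry the weight.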

Human-in-the-Loop Oversight (DASF 66): Required human verification for high-stakes actions — with a critical design note: if you overwhelm the reviewer with approvals, you’ve created a new vulnerability, not solved one.

Sandboxing and Isolation (DASF 34, 62): Agent-generated code runs in ephemeral, isolated environments with no access to the broader system or outbound connections.

AI Gateway and Guardrails (DASF 54): Monitoring, safety filtering, and PII detection applied to agent inputs and outputs.

Observability of Thought (DASF 65): Standard logging tells you what happened. Agentic tracing captures why — the planning steps, tool-selection reasoning, and chain of thought that led to an action.

How It Fits the Landscape

DASF v3.0 is a reference framework, not a product. But it matters because:

  • Databricks is the first major data platform vendor to publish comprehensive agentic security guidance
  • It maps directly to platform capabilities (Unity Catalog, Agent Bricks Framework, AI Gateway)
  • Contributors include teams at Atlassian, Experian, and ComplyLeft alongside Databricks security
  • The spreadsheet format means teams can operationalize it immediately against their own architectures

Compared to the OWASP Top 10 for Agentic Applications (which identifies risk categories) and NIST’s agent standards initiative (which defines policy), DASF v3.0 provides implementation-level risk/control mappings — the practical bridge between “here’s the risk” and “here’s what to do about it.”

The full whitepaper and compendium are available at databricks.com/resources/whitepaper/databricks-ai-security-framework-dasf.


Sources: Databricks Blog · DASF Compendium (Google Sheet)