When your Snowflake AI agent can query everything you can query
Blog post from P0 Security
Cortex and Cortex Code, which became generally available in late 2025 and early 2026 respectively, allow organizations to deploy AI agents capable of querying both structured and unstructured data, executing code, and interfacing with external systems via the Model Context Protocol (MCP). While these capabilities enhance utility, they also pose significant security risks due to the privilege inheritance model, where a Cortex Agent operates with the same access rights as the Snowflake user or role that initiates it. This was demonstrated by a prompt injection attack that exploited these privileges to execute malware, highlighting the vulnerabilities inherent in over-scoped roles and insufficiently controlled access paths. The security challenge is compounded by the fact that agents do not independently assess data sensitivity and can inadvertently expose regulated data to external systems via MCP integrations. Effective governance of Cortex Agent deployments requires dedicated role scoping, lifecycle management of service accounts, and monitoring of query patterns to mitigate the risks of privilege misuse and prompt injection, emphasizing the importance of treating AI agent access with the same rigor as any other privileged identity.
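As an added example that is not from the P0 Security post or from Snowflake's own material, the Snowflake SQL below shows the dedicated role scoping, service-account setup and query monitoring the summary calls for, with the over-scoped pattern shown alongside for contrast; every object name (analytics_db, reporting, agent_wh, cortex_agent_svc, cortex_agent_role) is a placeholder.

```sql
-- Over-scoped pattern: the agent reuses a human analyst's role and inherits
-- every grant that role has accumulated (the privilege-inheritance risk).
-- GRANT ROLE analyst_role TO USER cortex_agent_svc;   -- avoid

-- Dedicated role: grant only what the agent's one task needs.
USE ROLE SECURITYADMIN;
CREATE ROLE IF NOT EXISTS cortex_agent_role
  COMMENT = 'Scoped role for the sales-reporting Cortex Agent only';

GRANT USAGE ON WAREHOUSE agent_wh TO ROLE cortex_agent_role;
GRANT USAGE ON DATABASE analytics_db TO ROLE cortex_agent_role;
GRANT USAGE ON SCHEMA analytics_db.reporting TO ROLE cortex_agent_role;
-- Explicit table list rather than ALL TABLES / FUTURE TABLES, so a new table
-- holding regulated data is not picked up by the agent silently.
GRANT SELECT ON TABLE analytics_db.reporting.sales_summary TO ROLE cortex_agent_role;
GRANT SELECT ON TABLE analytics_db.reporting.region_targets TO ROLE cortex_agent_role;
-- Cortex functions are gated by Snowflake's CORTEX_USER database role.
GRANT DATABASE ROLE SNOWFLAKE.CORTEX_USER TO ROLE cortex_agent_role;

-- Service identity with the scoped role as its default, so a session never
-- starts under a broader role; COMMENT records the owner for lifecycle review.
CREATE USER IF NOT EXISTS cortex_agent_svc
  TYPE = SERVICE
  DEFAULT_ROLE = cortex_agent_role
  DEFAULT_WAREHOUSE = agent_wh
  COMMENT = 'Owner: data-platform team; review quarterly';
GRANT ROLE cortex_agent_role TO USER cortex_agent_svc;

-- Monitoring: what the agent identity ran in the last day, flagging any
-- statement whose session context was outside the schema it was scoped to.
-- database_name/schema_name are session context, not the tables touched;
-- use ACCESS_HISTORY for object-level detail where it is available.
SELECT start_time,
       role_name,
       database_name,
       schema_name,
       LEFT(query_text, 200) AS query_snippet,
       IFF(database_name <> 'ANALYTICS_DB' OR schema_name <> 'REPORTING',
           'OUT_OF_SCOPE', 'ok') AS scope_check
FROM snowflake.account_usage.query_history
WHERE user_name = 'CORTEX_AGENT_SVC'
  AND start_time >= DATEADD('day', -1, CURRENT_TIMESTAMP())
ORDER BY start_time DESC;
```

The ACCOUNT_USAGE views lag live activity by up to about 45 minutes, so this query suits periodic review rather than real-time alerting.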