Databricks Tames AI Agents

Databricks enhances Unity Catalog to govern AI agents, focusing on access control, data lineage, cost intelligence, and interoperability.

Diagram illustrating the four pillars of Databricks Unity Catalog AI agent governance.
Databricks introduces a four-pillar framework for governing AI agents at scale.

The explosion of AI agents within enterprises, from coding assistants to sales forecasting tools, has outpaced traditional governance frameworks. Databricks is now extending its Unity Catalog, previously focused on data governance, to manage these increasingly autonomous systems. This move aims to address the escalating risks associated with ungoverned AI agents, balancing innovation speed with necessary oversight.

This expansion of Databricks' AI agent governance capabilities is built around four core pillars designed to provide granular control and visibility. The challenge, according to Databricks, lies not in predicting what agents might do, but in controlling what they can access and meticulously monitoring their actual actions.

Four Pillars of Agent Governance

The first pillar, Delegated Access, ensures agents operate within defined permission boundaries. Instead of relying on static service accounts, agents inherit the invoking user's real-time data permissions. This identity flow extends to external tools registered within Unity Catalog, allowing for governed credential management and audit logging.

Service Policies act as a runtime control layer. These Unity Catalog functions dictate whether a specific tool call is permitted based on factors like the tool's name, arguments, or caller identity. Guardrails, meanwhile, inspect model inputs and outputs in real-time, scanning for personally identifiable information (PII) and potential hallucinations before they reach the user.
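The delegated-access and service-policy checks described above can be sketched as a deny-by-default gate in front of every tool call. This is an added illustration, not Databricks code or a Unity Catalog API: `ToolCall`, `USER_GRANTS`, `service_policy`, and the tool and table names are all hypothetical, and the sample grants are constructed.

```python
# Added illustration: deny-by-default tool-call policy with delegated identity.
# Every name here is hypothetical; none of this is a Databricks API.
from dataclasses import dataclass, field

# Constructed sample data: per-user table grants the agent inherits at call time.
USER_GRANTS = {
    "alice@example.com": {"sales.forecast", "sales.orders"},
    "bob@example.com": {"sales.forecast"},
}
# Constructed registry: tool name -> argument that names the governed resource.
TOOL_RESOURCE_ARG = {"query_table": "table", "export_csv": "table"}
EXPORT_ALLOWED_CALLERS = {"alice@example.com"}

@dataclass
class ToolCall:
    caller: str  # the invoking user's identity, not a static service account
    tool: str
    args: dict = field(default_factory=dict)

AUDIT_LOG = []  # every decision is recorded, whether allowed or denied

def service_policy(call: ToolCall) -> tuple[bool, str]:
    """Decide on tool name, arguments and caller identity; deny by default."""
    arg_name = TOOL_RESOURCE_ARG.get(call.tool)
    if arg_name is None:
        return False, "tool not registered"
    resource = call.args.get(arg_name)
    if not isinstance(resource, str):
        return False, "missing or malformed resource argument"
    # Delegated access: the agent can reach only what the caller can reach.
    if resource not in USER_GRANTS.get(call.caller, set()):
        return False, "caller lacks permission on resource"
    if call.tool == "export_csv" and call.caller not in EXPORT_ALLOWED_CALLERS:
        return False, "caller not allowed to use tool"
    return True, "allowed"

def invoke(call: ToolCall) -> bool:
    """Evaluate the policy, log the full decision, and return the verdict."""
    allowed, reason = service_policy(call)
    AUDIT_LOG.append({"caller": call.caller, "tool": call.tool,
                      "args": call.args, "allowed": allowed, "reason": reason})
    return allowed
```

The same agent code yields different outcomes for different invoking users, and denied calls leave an audit record just as allowed ones do.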

Data-Centric AI Governance, the second pillar, posits that an agent's behavior is largely dictated by its data access. Unity AI Gateway logs the full payload of every model call, including prompts and responses, into queryable tables within the lakehouse. This provides a complete audit trail, crucial for regulatory compliance and detailed analysis.

This approach moves beyond traditional logging tools by integrating observability data directly into the lakehouse. Agent traces become easily queryable tables, enabling investigations into which agents accessed specific services, associated costs, or handled sensitive data. Lakewatch, Databricks' SIEM built on the security lakehouse, further transforms this audit trail into active threat detection.

Data quality monitoring and classification are also integrated. By joining agent traces with data quality metrics, organizations can connect agent errors to underlying data issues. Automated data classification ensures that sensitive columns remain masked, regardless of the agent accessing them, making existing data governance practices automatically applicable to AI systems.

Cost Intelligence, the third pillar, tackles the often-opaque spending associated with AI agents. Unity Catalog and the Unity AI Gateway track usage, including token counts and latency, for both Databricks-hosted and external model providers. This data lands as a table, allowing costs to be directly linked to business outcomes and ROI.

Budgets within Unity AI Gateway enable administrators to set spend thresholds per user or group, providing alerts as consumption nears limits. This proactive cost management aims to prevent unexpected invoice shocks.

The final pillar, Open and Interoperable, emphasizes a governance strategy that is not tied to specific frameworks or models. Governance is designed to reside with the data and services, not solely within the code that accesses them.

This means agents built on different frameworks can interact with the same governed resources through Unity Catalog and the Unity AI Gateway. Open standards like MCPs (Model, Computation, and Prediction servers) provide a universal tool connectivity protocol, allowing registration once in Unity Catalog and invocation from any framework.

© 2026 StartupHub.ai. All rights reserved. Do not enter, scrape, copy, reproduce, or republish this article in whole or in part. Use as input to AI training, fine-tuning, retrieval-augmented generation, or any machine-learning system is prohibited without written license. Substantially-similar derivative works will be pursued to the fullest extent of applicable copyright, database, and computer-misuse laws. See our terms.