Stop rogue AI: How Unity Catalog secures your agent actions
TL;DR · AI Summary
Unity Catalog prevents unauthorized AI agent operations through fine-grained access control, audit logging, and AI-specific governance frameworks, ensuring secure and controllable enterprise AI applications.
Key Takeaways
- Unity Catalog provides unified metadata management and fine-grained access contr
- Real-time audit logs record all AI agent operations for anomaly detection and co
- AI governance framework includes predefined security policies to automatically b
Outline
Jump quickly between sections.
AI agent systems face security threats including unauthorized operations, data leakage, and malicious instructions, requiring dedicated governance mechanisms.
Unity Catalog provides a unified data governance platform supporting fine-grained permissions and AI asset catalog capabilities.
Attribute-based access control (ABAC) enables precise data access permissions for AI agents.
Complete audit trails capture all AI agent actions for compliance review and threat detection.
Pre-built security policy templates automatically assess and block high-risk AI operations.
Adopt least privilege principles combined with real-time monitoring and regular policy audits.
Mindmap
See how the topics connect at a glance.
查看大纲文本(无障碍 / 无 JS 友好)
- Unity Catalog AI Agent Security
- Security Risks
- Unauthorized operations
- Data leakage
- Malicious instructions
- Core Mechanisms
- ABAC permissions
- Audit logging
- Automated policy enforcement
- Governance Framework
- Pre-built security policies
- Risk assessment
- Compliance monitoring
Highlights
Key sentences worth saving and sharing.
Unity Catalog centralizes governance for data, analytics and AI assets, providing a single pane of glass for security teams.
Attribute-based access control enables organizations to define granular permissions for AI agents based on data sensitivity and use case.
The system automatically blocks high-risk operations such as unauthorized data exports or schema modifications.
Complete audit trails capture every AI agent action, enabling compliance reporting and anomaly detection.
Stop rogue AI: How Unity Catalog secures your agent actions | Databricks Blog
[](https://www.databricks.com/)
[](https://www.databricks.com/)
- Why Databricks
- * Discover
- Customers
- Partners
- Product
- * Databricks Platform
- Integrations and Data
- Pricing
- Open Source
- Solutions
- * Databricks for Industries
- Cross Industry Solutions
- Migration & Deployment
- Solution Accelerators
- Resources
- * Learning
- Events
- Blog and Podcasts
- Get Help
- Dive Deep
- About
- * Company
- Careers
- Press
- Security and Trust
- DATA + AI SUMMIT 
Table of contents
Table of contents
Table of contents
ProductMay 19, 2026
Stop rogue AI: How Unity Catalog secures your agent actions
Prevent unauthorized agent behavior with service policies and end-to-end payload logging for MCP tools
by Ahmed Bilal
The risks of agentic AI are no longer theoretical. Agents connected to external tools are taking destructive, irreversible actions in production:wiping entire databases in seconds,deleting millions of rows of critical data, anddropping production databases mid-task. In each incident, the agent was acting within the scope of their delegated authority. What it lacked was any restriction on which tools it could invoke, and any record of the actions it took.
Today, we are launching the ability to govern every MCP tool the same way you govern data, with fine-grained access control, policy enforcement, and a full audit trail. Unity Catalog lets you now set who can call which MCP servers, and admins can layer service policies to restrict access to specific tools (e.g. delete_database) or define conditions on when a tool can be called (e.g. only admins can call delete_database). Unity AI Gateway enforces these policies in real time on every call, with full payload logging of every request.
The problem: access is all-or-nothing, and tool calls leave no trace
An MCP server exposes a set of tools to any connected agent — a GitHub MCP might expose push_files, delete_file, and merge_pull_request; a database MCP might expose execute_query and drop_table. By default, if an agent is authorized to connect, all of those tools are available at any time. There is no way to say "this agent can read but not write," or "only senior engineers can perform this action," or "nobody should be calling admin tools in production."
And when something does go wrong, there is nothing to investigate. Tool calls do not appear in model logs or application logs. The exact action the agent took, with what arguments, on behalf of whom, simply does not exist as a record anywhere.
That means one misconfigured agent, one unexpected action, and you have no way to prevent it before it happens and no way to explain it after.
The solution: MCP governance in Unity Catalog
Unity Catalog now governs the entire GenAI estate, including LLMs and MCPs. Once MCPs are registered, you get exactly what was missing: control over what agents are allowed to do, and a full record of what they actually did. Both are enforced in real time on every MCP call by Unity AI Gateway.
Service policies let you write rules that evaluate every tool call before and after it reaches the upstream MCP server. You decide which calls are allowed, denied, or require user consent. Service policies are defined in SQL and let admins check arguments, including caller properties and other context properties. If a call doesn't pass the policy, it is blocked
Payload logging captures every tool call as an entry in a tracing table managed in Unity Catalog. Tool name, arguments, result, user identity, and whether the call was allowed or denied. Query it with SQL like any other table.
Expand
How it works
Define your policy function in Unity Catalog
Unity Catalog allows you to register and govern any external MCP (seeour blog on how this works!). A service policy is a Unity Catalog SQL function. It receives two arguments,actor (who is calling) and context (what they're calling), and returns allow or deny with a reason.
Here's a simple policy on a GitHub MCP. It blocks file deletion entirely, and blocks merging PRs unless the caller is an approved engineer:
sql
CREATE OR REPLACE FUNCTION main.default.github_mcp_policy(actor VARIANT, context VARIANT)
RETURNS STRUCT<result STRING, reason STRING>
RETURN CASE
-- Nobody can delete files.
WHEN context:tool.name::STRING = 'delete_file'
THEN NAMED_STRUCT('result', 'deny', 'reason', 'Deleting files is not permitted.')
-- Only approved engineers can merge PRs.
WHEN context:tool.name::STRING = 'merge_pull_request'
AND actor:run_as::STRING NOT IN ('alice@acme.com', 'bob@acme.com')
THEN NAMED_STRUCT('result', 'deny', 'reason',
CONCAT(actor:run_as::STRING, ' is not authorized to merge pull requests.'))
ELSE NAMED_STRUCT('result', 'allow', 'reason', '')
ENDAttach and enforce
Once written, attach the policy to any MCP service in Unity AI Gateway. From that point, every tool call routed through that service is evaluated before it executes. No code changes needed in the agent or the MCP server.
Expand
Log and verify
Every tool call is automatically captured in a Delta table in Unity Catalog. Send a prompt that should be blocked and one that should pass. The results appear in your logs immediately, queryable with SQL like any other table.
sql
SELECT *
FROM main.default.ai_gateway_mcp_logs
WHERE policy_result:result::STRING = 'deny'Get started
Service policies and payload logging for MCP are available as a Gated Beta, extending the same governance concepts you already use for data to every MCP call. To get early access, reach out to your Databricks account team.
Get the latest posts in your inbox
Subscribe to our blog and get the latest posts delivered to your inbox.
Sign up
*
Work Email
*
Country Country*
By clicking “Subscribe” I understand that I will receive Databricks communications, and I agree to Databricks processing my personal data in accordance with its Privacy Policy.
Subscribe
Why Databricks
Discover
Customers
Partners
Why Databricks
Discover
Customers
Partners
Product
Databricks Platform
- Platform Overview
- Sharing
- Governance
- Artificial Intelligence
- Business Intelligence
- Database
- Data Management
- Data Warehousing
- Data Engineering
- Business Productivity
- Application Development
- Security
Pricing
Integrations and Data
Product
Databricks Platform
- Platform Overview
- Sharing
- Governance
- Artificial Intelligence
- Business Intelligence
- Database
- Data Management
- Data Warehousing
- Data Engineering
- Business Productivity
- Application Development
- Security
Pricing
Open Source
Integrations and Data
Solutions
Databricks For Industries
- Communications
- Financial Services
- Healthcare and Life Sciences
- Manufacturing
- Media and Entertainment
- Public Sector
- Retail
- View All
Cross Industry Solutions
Solutions
Databricks For Industries
- Communications
- Financial Services
- Healthcare and Life Sciences
- Manufacturing
- Media and Entertainment
- Public Sector
- Retail
- View All
Cross Industry Solutions
Data Migration
Professional Services
Solution Accelerators
Resources
Learning
Events
Blog and Podcasts
Resources
Documentation
Customer Support
Community
Learning
Events
Blog and Podcasts
About
Company
Careers
Press
About
Company
Careers
Press
Security and Trust
Databricks Inc.
160 Spear Street, 15th Floor
San Francisco, CA 94105
1-866-330-0121
- [](https://www.linkedin.com/company/databricks)
- [](https://www.facebook.com/pages/Databricks/560203607379694)
- [](https://twitter.com/databricks)
- [](https://www.databricks.com/feed)
- [](https://www.glassdoor.com/Overview/Working-at-Databricks-EI_IE954734.11,21.htm)
- [](https://www.youtube.com/@Databricks)
- [](https://www.linkedin.com/company/databricks)
- [](https://www.facebook.com/pages/Databricks/560203607379694)
- [](https://twitter.com/databricks)
- [](https://www.databricks.com/feed)
- [](https://www.glassdoor.com/Overview/Working-at-Databricks-EI_IE954734.11,21.htm)
- [](https://www.youtube.com/@Databricks)
© Databricks 2026. All rights reserved. Apache, Apache Spark, Spark, the Spark Logo, Apache Iceberg, Iceberg, and the Apache Iceberg logo are trademarks of the Apache Software Foundation.
We Care About Your Privacy
Databricks uses cookies and similar technologies to enhance site navigation, analyze site usage, personalize content and ads, and as further described in our Cookie Notice. To disable non-essential cookies, click “Reject All”. You can also manage your cookie settings by clicking “Manage Preferences.”
Manage Preferences
Reject All Accept All
Privacy Preference Center
Opt-Out Preference Signal Honored
Privacy Preference Center
- ### Your Privacy
- ### Strictly Necessary Cookies
- ### Performance Cookies
- ### Functional Cookies
- ### Targeting Cookies
- ### TOTHR
#### Your Privacy
When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.
#### Opting out of sales, sharing, and targeted advertising
Depending on your location, you may have the right to opt out of the “sale” or “sharing” of your personal information or the processing of your personal information for purposes of online “targeted advertising.” You can opt out based on cookies and similar identifiers by disabling optional cookies here. To opt out based on other identifiers (such as your email address), submit a request in our Privacy Request Center.
#### Strictly Necessary Cookies
Always Active
These cookies are necessary for the website to function and cannot be switched off in our systems. They assist with essential site functionality such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will no longer work.
#### Performance Cookies
- [x] Performance Cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.
#### Functional Cookies
- [x] Functional Cookies
These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
#### Targeting Cookies
- [x] Targeting Cookies
These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other sites. If you do not allow these cookies, you will experience less targeted advertising.
#### TOTHR
- [x] TOTHR
Cookie List
Consent Leg.Interest
- [x] checkbox label label
- [x] checkbox label label
- [x] checkbox label label
Clear
- - [x] checkbox label label
Apply Cancel
Confirm My Choices
Allow All
