Executive Summary
The Databricks AI Security Framework (DASF) is a comprehensive, open security framework designed to help organizations identify, assess, and mitigate risks across the entire AI lifecycle. Now in its third major release (v3.0, March 2026), DASF catalogs 97 security risks and prescribes 73 actionable controls spanning 13 canonical AI system components — making it one of the most thorough AI-specific security frameworks available today.
DASF's core value proposition is threefold: it demystifies AI systems into understandable components, provides defense-in-depth security guidance applicable to any data and AI platform, and bridges the organizational silos between business, IT, data engineering, AI/ML, and security teams. The framework aligns with 12+ industry standards including MITRE ATLAS, OWASP LLM Top 10, NIST AI RMF, and the EU AI Act — ensuring that adopters can map DASF controls directly to their compliance obligations.
The most significant recent evolution is the v3.0 extension for Agentic AI, which introduces 35 new risks and 6 new controls addressing the unique security challenges of autonomous AI agents operating with tools, memory, and multi-agent coordination.
History and Evolution
The DASF has evolved rapidly across three major versions, each expanding scope in response to the accelerating AI threat landscape.
DASF v1.0 — Foundation (March 21, 2024)
The inaugural release established the framework's architecture. It decomposed AI systems into 12 canonical components, identified 55 security risks, and recommended 53 controls. The primary goal was to give security teams a shared vocabulary and mental model for AI system security — a critical gap at the time, as most organizations lacked structured approaches to AI risk beyond general cybersecurity hygiene.
DASF v2.0 — Maturation (February 12, 2025)
The second release expanded coverage to 62 technical security risks mapped to 64 recommended controls. Key additions included broader alignment with international standards (ISO 42001, EU AI Act, HITRUST) and deeper treatment of LLM-specific threats such as prompt injection variants and RAG poisoning. This version also introduced the DASF Compendium — a structured spreadsheet tool for operationalizing the framework.
DASF v3.0 — Agentic AI (March 20, 2026)
The latest release responds to the explosion of autonomous AI agents. It adds Agentic AI as the 13th system component (with three sub-components), introduces 35 new agentic-specific risks, and defines 6 new controls. Totals now stand at 97 risks and 73 controls. The release also introduces the "Lethal Trifecta" concept — a risk model for identifying when agent deployments reach critical danger thresholds.
Core Principles and Design Philosophy
DASF is built on four foundational principles that distinguish it from generic cybersecurity frameworks:
1. Demystify AI and ML. Rather than treating AI as a monolithic black box, DASF decomposes every AI system into 13 discrete components — from raw data ingestion through model serving to agentic orchestration. This decomposition allows security teams to reason about attack surfaces component by component.
2. Provide defense-in-depth. No single control is sufficient. DASF layers cybersecurity best practices, data/AI governance controls, and AI-specific controls to create overlapping protection boundaries. A failure in one layer is caught by another.
3. Deliver actionable recommendations. Every risk maps to specific, implementable controls. The framework is designed to be operationalized — not merely read — with companion tools (the Compendium, workshops, training) that guide teams from risk identification to control deployment.
4. Bridge organizational silos. AI security spans multiple teams: data engineers own pipelines, ML engineers own models, platform teams own infrastructure, and security teams own policy. DASF provides a common language and shared responsibility model that all stakeholders can navigate.
The 13 Canonical AI System Components
DASF's component model is organized across five stages, representing the lifecycle of data and models from ingestion through autonomous operation.
Stage 1: Data Operations (Components 1–4)
Component | Description | Key Concern |
|---|---|---|
1. Raw Data | Unprocessed source data entering the system | Unauthorized access, data exfiltration |
2. Data Preparation | ETL, cleaning, feature engineering | Data poisoning during transformation |
3. Datasets | Curated, versioned training/evaluation data | Insufficient lineage, quality drift |
4. Catalog and Governance | Metadata, access controls, classification | Missing classification, poor ACLs |
This stage carries 20 specific risks including insufficient access controls, missing data classification, poor data quality, lack of data access logs, and data poisoning attacks.
Stage 2: Model Operations (Components 5–8)
Component | Description | Key Concern |
|---|---|---|
5. ML Algorithm | Training logic and hyperparameters | Hyperparameter stealing, algorithm bias |
6. Evaluation | Testing and validation pipelines | Evaluation data poisoning |
7. Model Build | Compilation, packaging, artifact creation | Malicious libraries, supply chain attacks |
8. Model Management | Registry, versioning, lifecycle tracking | Lack of reproducibility, model drift |
This stage carries 15 specific risks including lack of tracking/reproducibility, model drift, hyperparameter stealing, malicious library injection, and evaluation data poisoning.
Stage 3: Model Deployment and Serving (Components 9–10)
Component | Description | Key Concern |
|---|---|---|
9. Model Serving — Inference Requests | Input handling, request routing | Prompt injection, adversarial inputs |
10. Model Serving — Inference Responses | Output generation and delivery | Hallucinations, data leakage, inversion |
This stage carries 19 specific risks including prompt injection, model inversion, denial of service, LLM hallucinations, and black-box adversarial attacks.
Stage 4: Operations and Platform (Components 11–12)
Component | Description | Key Concern |
|---|---|---|
11. ML Operations | CI/CD, monitoring, retraining pipelines | Poor SDLC, lack of vulnerability management |
12. ML Platform | Infrastructure, compute, networking | Unauthorized privileged access, compliance gaps |
This stage carries 8 specific risks including lack of vulnerability management, missing penetration testing, unauthorized privileged access, and compliance failures.
Stage 5: Agentic AI (Component 13 — New in v3.0)
Sub-Component | Description | Key Concern |
|---|---|---|
13A. Agent Core | Brain (LLM reasoning) and memory | Memory poisoning, goal manipulation |
13B. MCP Server | Tool interface and execution | Tool poisoning, prompt injection in descriptions |
13C. MCP Client | Connection layer to external services | Malicious server connection, data leakage |
This stage introduces 35 new risks addressing autonomous agent behavior, multi-agent coordination, and tool-use security.
Security Risks Taxonomy
DASF's 97 risks span the full AI attack surface. They are categorized by the component they affect and the type of threat they represent. The risks range from traditional cybersecurity concerns (network access, encryption) to AI-specific threats (adversarial examples, prompt injection) to novel agentic concerns (goal manipulation, cascading hallucinations).
Risk Distribution Across Stages
- Data Operations: 20 risks (21%) — reflecting the foundational importance of data integrity
- Model Operations: 15 risks (15%) — covering the training and validation lifecycle
- Model Serving: 19 risks (20%) — addressing inference-time attacks
- Operations & Platform: 8 risks (8%) — infrastructure and process controls
- Agentic AI: 35 risks (36%) — the largest single category, reflecting the expanded attack surface of autonomous agents
The heavy weighting toward Agentic AI in v3.0 signals the framework's recognition that agent architectures introduce qualitatively different risks — not merely more of the same.
Controls Framework
DASF's 73 controls are organized into three tiers, reflecting increasing AI-specificity:
Tier 1: Cybersecurity Best Practices
These are foundational controls that any well-secured system should implement:
- Single sign-on (SSO) and identity federation
- Encryption at rest and in transit
- Library and source code controls (dependency scanning, artifact signing)
- Network access controls (private endpoints, firewalls)
- Defense-in-depth architecture
- Vulnerability management and patching
Tier 2: Data and AI Governance Controls
These extend general security practices to the specifics of data and model lifecycles:
- Data classification and labeling
- Data lineage tracking
- Data and model versioning
- Asset-level permission management
- Model governance (approval workflows, stage gates)
- Experiment and training run tracking
Tier 3: AI-Specific Controls
These address threats unique to AI/ML systems:
- Model serving isolation and sandboxing
- Prompt guardrails and safety filters
- Auditing and monitoring of model behavior
- MLOps/LLMOps pipeline security
- Centralized LLM management and gateway enforcement
- Fine-tuning and pre-training security protocols
New Controls in v3.0 for Agentic AI
The six new agentic controls deserve special attention:
# | Control | DASF Reference | Purpose |
|---|---|---|---|
1 | Least privilege for tools | DASF 5, 57, 64 | Restrict agent tool access to minimum necessary |
2 | Human-in-the-loop oversight | DASF 66 | Require human approval for high-impact actions |
3 | Sandboxing and isolation | DASF 34, 62 | Contain agent execution environments |
4 | AI Gateway and Guardrails | DASF 54 | Enforce policy at the inference boundary |
5 | Observability of thought | DASF 65 | Capture planning steps, tool-selection reasoning, chain of thought |
6 | MCP monitoring and security | New | Monitor and secure Model Context Protocol connections |
Deployment Models and Shared Responsibility
DASF recognizes that AI systems are deployed in diverse configurations, each with different risk profiles and responsibility boundaries. The framework defines seven primary deployment models:
- Predictive ML Models — Traditional supervised/unsupervised models
- Foundation Model APIs — Consuming third-party LLM APIs (e.g., OpenAI, Anthropic)
- Fine-tuned LLMs — Adapting foundation models on proprietary data
- Pre-trained LLMs — Training language models from scratch
- RAG (Retrieval Augmented Generation) — Grounding LLMs with retrieved context
- AI Agents with LLMs — Autonomous agents orchestrating tools and reasoning
- External Models — Models hosted outside the organization's infrastructure
Each deployment model has a distinct shared responsibility split across the 13 AI system components, divided among three parties: the organization, the data/AI platform provider, and any external partners. For example, when using Foundation Model APIs, the model provider bears responsibility for model training security (components 5–8), while the organization retains responsibility for data preparation and governance (components 1–4) and the platform provider handles serving infrastructure (components 9–12).
This shared responsibility model prevents both security gaps (where no one owns a risk) and redundant effort (where multiple parties duplicate controls).
DASF v3.0 — The Agentic AI Extension
Why Agentic AI Demands Special Treatment
Agentic AI fundamentally changes the security equation. Traditional ML models are passive — they respond to inputs and produce outputs. Agents are active — they plan, remember, use tools, communicate with other agents, and take actions that change the state of external systems. This autonomy creates a qualitatively different threat model.
The "Lethal Trifecta"
DASF v3.0 introduces a powerful risk heuristic: the Lethal Trifecta. Risk spikes to critical levels when three conditions are simultaneously present:
The agent has access to sensitive systems or private data The agent processes untrustworthy inputs (user-generated content, external APIs, web data) The agent can change state or communicate externally (write to databases, send emails, call APIs)
When all three conditions hold, a single successful attack (e.g., prompt injection via an external document) can cascade into data exfiltration, unauthorized actions, or system compromise. Organizations should treat any agent meeting all three criteria as requiring the highest level of security scrutiny.
Key Agentic Risk Categories
13A — Agent Core (Brain and Memory): - Memory Poisoning (Risk 13.1): Attackers inject malicious content into agent long-term memory, causing persistent behavioral corruption - Intent Breaking & Goal Manipulation (Risk 13.6): Adversarial inputs redirect agent objectives - Cascading Hallucination Attacks (Risk 13.5): Fabricated information in one reasoning step propagates through subsequent steps
13B — MCP Server (Tool Interface): - Tool Poisoning (Risk 13.18): Compromised tool definitions cause agents to execute malicious operations - Prompt Injection in Tool Descriptions (Risk 13.16): Malicious instructions embedded in tool metadata
13C — MCP Client (Connection Layer): - Malicious Server Connection (Risk 13.26): Agents connecting to adversary-controlled endpoints - Client-Side Code Execution (Risk 13.32): Exploiting agent execution environments - Data Leakage (Risk 13.30): Sensitive data exfiltrated through tool calls or agent outputs
Inter-Agent Dynamics: - Agent Communication Poisoning (Risk 13.12): Corrupting messages between agents in multi-agent systems - Rogue Agents in Multi-Agent Systems (Risk 13.13): Compromised agents acting as adversaries within trusted networks
Industry Standards Alignment
DASF does not exist in isolation. It explicitly maps its risks and controls to established security and AI governance standards, enabling organizations to satisfy multiple compliance requirements simultaneously.
The framework maps to:
- MITRE ATLAS — AI-specific attack techniques and mitigations
- MITRE ATT&CK — Enterprise adversary tactics and techniques
- OWASP LLM Top 10 (2025) — Large language model vulnerabilities
- OWASP ML Top 10 — Machine learning security risks
- NIST 800-53 — Security and privacy controls for information systems
- NIST CSF — Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)
- NIST AI RMF — AI Risk Management Framework
- HITRUST — Health information trust framework
- ENISA — EU agency securing ML algorithms guidance
- ISO 42001 — AI Management System standard
- ISO 27001:2022 — Information security management systems
- EU AI Act — European Union AI regulation
This multi-standard mapping means that an organization implementing DASF controls can generate evidence for audits across multiple regulatory regimes without duplicating effort.
Operationalization and Implementation
DASF provides a structured methodology for moving from framework awareness to operational security posture.
7 Steps to Manage AI Risks
- Build a mental model — Understand the 13 AI system components and how they interact
- Define roles and responsibilities — Identify the people and processes managing each component
- Catalog responsible AI risks — Enumerate risks across all applicable components
- Understand deployment models — Identify which of the 7 deployment models you use
- Map threats to use cases — Connect the framework's risks to your specific AI applications
- Filter for relevance — Prioritize risks based on your deployment model and data sensitivity
- Implement controls — Select and deploy controls matched to your risk profile
4 Steps to Create a Risk Profile
- Identify the AI business use case — What is the agent/model doing and for whom?
- Determine the AI deployment model — Which of the 7 models applies?
- Select pertinent risks — Filter the 97 risks to those relevant to your deployment
- Choose and implement controls — Map selected risks to applicable controls
Available Resources
Resource | Format | Purpose |
|---|---|---|
DASF Whitepaper | PDF (50+ pages) | Complete framework reference |
DASF Compendium | Google Sheets / Excel | Operational risk-control mapping tool |
DASF Companion Video | Video | Instructional walkthrough |
AI Security Fundamentals | Academy (1 hour, 5 modules) | Self-paced training |
AI Risk Workshops | In-person/virtual (3.5 hours) | Hands-on risk profiling |
"AI Without Fear" | Executive ebook | C-suite framing and business case |
Databricks Platform Capabilities Mapping
DASF is platform-agnostic by design, but Databricks provides native capabilities that map directly to many framework controls.
Platform Capability | DASF Controls Addressed | Function |
|---|---|---|
Unity Catalog | Governance, ACLs, lineage | Centralized data and model governance with fine-grained permissions and full lineage tracking |
AI Gateway | Guardrails, monitoring, PII detection | Governance layer for ML and GenAI workloads enforcing safety policies at inference time |
Model Serving | Isolation, rate limiting, monitoring | Secure model deployment with compute isolation and traffic controls |
Vector Search | RAG security settings | Secure retrieval infrastructure for grounded generation |
Agent Bricks Framework | Agent governance | Native agent development with built-in security primitives |
MLflow | Experiment tracking, model registry | Full ML lifecycle management with versioning and reproducibility |
Feature Engineering (Unity Catalog) | Feature governance, lineage | Governed feature store with access controls |
Private Link | Network access controls | Network-level isolation for data and model endpoints |
Lakehouse Monitoring | Model drift detection | Continuous monitoring of model quality and data distributions |
Community and Partners
DASF is supported by an ecosystem of partners that extend its capabilities:
Obsidian Security — SaaS Security Posture Management, providing visibility into AI system configurations and detecting misconfigurations across cloud-hosted AI services.
EQTY Lab — Advanced governance solutions for AI trust, including cryptographic provenance and verifiable AI pipelines.
AppSOC — Real-time visibility, automated guardrails, and AI governance enforcement across heterogeneous AI deployments.
Key Authors and Contributors
The framework is maintained by Databricks' security and product teams, with key contributors including Omar Khawaja (Security), Arun Pamulapati (Security), Kelly Albano (Product Marketing), David Veuve, Nishith Sinha, and Caelin Kaplan.
Summary and Recommendations
DASF represents the most comprehensive publicly available AI security framework, distinguished by its component-level decomposition, actionable control mapping, and multi-standard alignment. Key takeaways for organizations:
For security teams: Use the DASF Compendium to perform a systematic risk assessment of your AI deployments. Prioritize controls based on your deployment model and the Lethal Trifecta heuristic for agentic systems.
For AI/ML teams: Adopt the 13-component mental model to identify gaps in your current security posture. Ensure every component has a clear owner and documented controls.
For executives: DASF provides the vocabulary and structure for productive conversations between security, data, and business teams. The "AI Without Fear" ebook and risk workshops are designed to accelerate this alignment.
For compliance teams: Leverage DASF's multi-standard mappings to streamline evidence generation across NIST, ISO, OWASP, and EU AI Act obligations simultaneously.
The framework's rapid evolution — from 55 risks in v1.0 to 97 in v3.0 within two years — reflects both the accelerating threat landscape and the community's deepening understanding of AI-specific attack surfaces. Organizations that operationalize DASF today will be significantly better positioned to secure the next generation of autonomous AI systems.