In this round-up, we’ve targeted the key announcements for CoWork from Snowflake Summit. The aim is to discuss what each announcement means in practice, where we've already seen these features work, where the gotchas are, and what data leaders should prioritize in H2 2026.
This round-up has been created by Mike Droog, one of our three Data Superheroes.
Snowflake AI Security: The Full Governance Stack for Agentic AI
If you're deploying AI agents into production (or watching your team do it), you already know the governance problem. Agents inherit user permissions. Agents access sensitive data. Agents can move data outside your trust boundary. And until now, your governance framework couldn't tell the difference between a human doing something and an agent doing it on their behalf.
At Summit, Snowflake didn't announce one AI security feature. They announced five. And together they form a proper security stack for the agentic era. Not piecemeal fixes, but a layered approach where each piece solves a different part of the problem.
1. HORIZON AI GUARDRAILS: Stopping Prompt Injection and Jailbreaks
The top threat for any team deploying AI agents: prompt injection. Someone tricks your agent into ignoring its instructions and doing something it shouldn't.
Snowflake's approach is two-tiered:
Built-in protection (no config, no cost): A baseline layer that blocks known prompt injection patterns. As Snowflake's red team identifies new attacks and researchers report vulnerabilities, they're added to the known-pattern database. Every Cortex Agent gets this automatically.
Advanced protection - Prompt Injection Protection Phase 2 (GA): LLM-driven, near real-time detection of zero-day injection and jailbreak attempts. This is generally available now - not preview. It uses a model trained on prior attacks to catch novel patterns that haven't been documented yet.
Both can be scoped at the account level or at the individual agent level. So your customer-facing agent can have stricter guardrails than your internal analytics agent.
For data leaders: this means you can deploy agents without the "but what about prompt injection?" conversation blocking your rollout. The protection is there by default, and you can tighten it per-agent where sensitivity is higher.
2. AGENT IDENTITY (Public Preview): "If It's Agentic, Treat It Differently"
This is the foundational piece. Snowflake now gives every agent a cryptographically verified identity before it accesses data in production. The system can distinguish between actions taken by a user and actions taken by an agent operating on that user's behalf.
What this unlocks:
- Masking policies that differentiate: John can see SSN in a dashboard. John's agent cannot surface it in a generated summary.
- Agent-aware row policies: Restrict which rows an agent can access, independent of what the user themselves can see. Sensitive data stays human-eyes-only.
- Audit trail separation: Account usage views show agent vs. user actions. Your compliance team can answer "who - or what - accessed this data?"
- Agent Policy: Scope the permissions an agent has on behalf of a user. Right-size agents based on their job to be done, rather than inheriting everything the user can do.
The agent policy is expanding post-Summit to also let you restrict which tools (MCP servers, web fetch, etc.) an agent can use. So you control not just what data it accesses, but what actions it can take.
3. DATA EXFILTRATION PROTECTION: "This Data Can't Leave"
Regulated customers' top concern: data leaving the Snowflake trust boundary. Someone exports a table to an external stage. An agent downloads query results. A user moves PII to an unmonitored location.
Data Movement Policy is the enforcement mechanism. You define policies that control:
- Movement to internal stages
- Movement to external stages
- Agentic access (data queried through CoCo or CoWork)
- Snowflake UI exports
The policy says: "this data cannot leave through these channels." Period. And because agent identity is now available, you can have different movement policies for agents vs. humans - e.g., a human can export to an internal stage, but an agent cannot.
Trust Center integration: In addition to prevention, Snowflake adds detection. Trust Center scanners flag when data movement patterns are observed in your environment - a signal for your SOC team during investigations.
4. RANSOMWARE PROTECTION: Retention Lock + Multi-Party Approvals (Public Preview)
The nightmare scenario: a rogue admin (or compromised credentials) drops tables, deletes data, or overrides Time Travel settings to make recovery impossible.
Snowflake's answer has two parts:
Retention Lock: Data cannot be deleted or have its retention reduced below a set threshold. Even an ACCOUNTADMIN cannot override it without going through an approval flow.
Multi-Party Approvals (Private Preview): Sensitive actions - dropping databases, altering retention, changing security settings - now require a second person to confirm. One admin proposes, another approves. A single compromised credential can no longer destroy your data estate.
This is ransomware protection at the platform level. You're not bolting on a third-party tool - you're using Snowflake's own approval mechanism to prevent destructive actions regardless of who initiates them.
5. AI SECURITY POSTURE MANAGEMENT IN TRUST CENTER (Public Preview)
All of the above rolls up into Trust Center - Snowflake's centralized security posture management. The new AI Security Posture Management capability delivers continuous monitoring of agentic security posture with proactive anomaly detection across agent behavior. You get:
- Visibility into AI-specific security risks
- Scanners that detect anomalous data movement
- A single pane of glass for your security team to monitor agent behavior, exfiltration attempts, and policy violations
- Available through UI, CoCo CLI, and programmatically
Why these five together matter
Each feature is useful independently. Together, they form a coherent answer to "how do we govern AI agents at enterprise scale?"
For CDOs and CISOs: this is your "we've thought about AI risk" slide. You're not blocking AI adoption - you're enabling it with proper guardrails at every level.
What to do about it
If you're deploying agents today: → Enable AI Guardrails immediately (the built-in layer is free and automatic). → Audit which agents have access to sensitive data. Define your Agent Policy: what can each agent do, and what's off-limits? → Implement Data Movement Policies for your most sensitive tables - especially restricting agentic access channels.
If you're a security team: → Get ahead of the multi-party approval Private Preview. Identify the destructive actions in your environment that should require two-person confirmation. → Set up Trust Center scanners for data exfiltration detection - this is your early warning system.
If you're a CDO reporting to the board: → Frame it as: "AI governance isn't optional, and it's no longer a gap in our platform. Snowflake now provides prevention, detection, and approval controls specifically for the agentic era."
Snowflake CoWork: Every Business User Gets a Personal Agent
There's a question I keep hearing from data leaders:
"We built all these dashboards. We invested in a semantic layer. We trained people on SQL. And still, 80% of the org just Slacks a data analyst when they need a number."
The problem was never access to data. It was access to understanding. Dashboards show you what happened. They don't tell you why, and they definitely don't tell you what to do next.
Snowflake CoWork (formerly Snowflake Intelligence) is Snowflake's answer to this challenge. A personal business agent that sits on top of your governed data and so that any user, whether they are sales reps, finance analysts, ops managers, or anything else, can ask complex questions and get real answers. No SQL. No dashboard navigation. Just a conversation, with responses underlined by real data points.
What was announced
Snowflake CoWork is now fully GA. Skills, MCP Connectors, Deep Research, the mobile app, and reusable Artifacts are all generally available. Not preview. Not beta. The full platform, production-ready.
Deep Research enables multi-agent, multi-step reasoning that combines your company data with external context, fully cited and traceable back to every source, and built for the strategic questions a dashboard can't answer. Skills are now shareable across teams as reusable workflows that codify domain expertise, where one prompt triggers complex orchestration. With a simple prompt such as "prep forecast analysis for this month", the agent pulls data, summarizes it, and drafts a brief. Artifacts are live dashboards that auto-refresh from real data, and with next-gen artifacts, you can now publish certified dashboards for organiszation-wide use. There's also the iOS app with Face ID, and CoWork-Only Users for provisioning business user access securely at scale.
Additionally announced for Snowflake CoWork:
- Cloud Agents GA
- Async API for long-running tasks
- Scheduled tasks
- A CoWork Slackbot
- A new certified artifacts system for publishing trusted dashboards across the entire org.
Why this matters for your team
You've invested in data infrastructure. Snowflake CoWork is the interface that makes that investment accessible to the 90% of your org that will never write SQL. That's not a small thing. Most data infrastructure investments fail the last mile, not the technical layer.
The distinction between a chatbot and what this actually is matters. Chatbots answer questions. Snowflake CoWork does research, creates visualizations, executes workflows, and connects to external systems via MCP. It takes action rather than just answering questions.
Governance is inherited, not bolted on. Same RBAC. Same row-level policies. Same masking. The agent can only see what the user is authorized to see. No separate data copy. No shadow IT risk.
And the proof at scale is worth citing: Some figures for Snowflake's own internal deployment ("Raven"):
- Serves 6,000+ GTM employees across 15+ personas
- $16M overhead savings
- 5x ROI
- 70% weekly retention.
- 92% NPS
That's not a concept, that's production at enterprise scale.
The honest caveats
The quality of answers depends entirely on the quality of your semantic views. If your semantic layer is thin or inconsistent, your agent will confidently surface bad answers. Good context in, useful answers out. There's no way around this prerequisite.
CoWork-only users are powerful but require thoughtful role design. You're giving business users direct access to a data-querying agent, so your RBAC needs to be tight before you provision at scale.
Certified artifacts (publishing dashboards for org-wide use) are a next-gen feature announced alongside GA. Expect this to mature, but it signals where CoWork is headed: not just a Q&A tool, but a replacement for the BI layer itself.
What to do about it
If you're a CDO thinking about AI adoption across your org, this is your "AI for everyone" strategy. Most of your organisation doesn't need Cortex Code or Agent Studio. They need a conversation with their data.
If you already have semantic views, you're most of the way there. Snowflake CoWork queries through Cortex Analyst, which uses semantic views. Your existing investment is the foundation — don't rebuild it.
If you're worried about cost, budget controls are GA. You can set spend limits per user, per team, per SI instance. We've even released a separate article on this: Proactively Monitoring AI Costs in Snowflake Using Custom Budgets
If you have non-technical teams asking data questions daily, pilot with one team — sales is the obvious choice. Give them an SI instance with a scoped semantic view and measure time-to-answer before and after.
CoWork Personal Work Engine: Your Agent Now Has Memory, and That Changes Everything
CoWork going GA was the expected news. What I didn't expect was what came next.
Snowflake announced the Personal Work Engine and honestly, this feels like the announcement that changes the trajectory of the whole product. Everything before this was "ask a question, get an answer." The Personal Work Engine makes CoWork something different: an agent that knows you, learns your patterns, and orchestrates work on your behalf without being asked.
That's not an incremental improvement. That's a category shift.
What's the Personal Work Engine?
It's the next layer of CoWork. Instead of a shared agent that gives everyone the same generic experience, the Personal Work Engine introduces:
- Multi-agent orchestration — CoWork automatically directs every question to the best data, skills and tools. No manual routing. You describe the outcome, the engine figures out which agents to call.
- Personal memory — the agent remembers your preferences, your context, the questions you've asked before. It grows to your tastes over time. Ask it about revenue once and explain what you mean, and it remembers for next time.
- Personal Skills — record any multi-step routine into a reusable skill. "Pull pipeline changes by region, flag deals that slipped stage, draft a summary email for leadership." Describe it once in natural language. Run it forever.
- Personal MCP Connectors — your agent connects to your tools. Your Salesforce. Your Jira. Your specific integrations, configured per user.
- Scheduled tasks / Automations — the agent does things when you're not there. "Every Monday morning, compare each account's consumption to the prior week. If any drops more than 20%, brief me with root cause and recommended action." Set it once. Walk away.
- Code Execution Tool — Skills can invoke Python to execute business logic and generate outputs like PDFs and PowerPoint presentations directly from CoWork. Polished deliverables, not just text answers.
Why memory is the real story here
Every AI tool today is stateless. You open a new chat, the context resets. You explain the same thing again. You re-state your role, your definitions, your preferences. It's like having an assistant with amnesia.
Personal memory means CoWork accumulates understanding. It learns that when you say "revenue," you mean ARR excluding services. It learns that you prefer tables over charts. It learns that your Monday morning workflow always starts with the same three questions.
Over time, the agent gets better at its job, specifically for you. That compounding effect is what separates a tool from an assistant.
Cortex Sense: Better Accuracy Through More Context
Announced alongside the Personal Work Engine: Cortex Sense — available for both CoCo and CoWork.
The pitch is straightforward: use more context from more resources to increase accuracy. Instead of just querying your semantic views, Sense automatically learns how your business defines its data, such as revenue definitions, fiscal calendars, relationships between sources, and standard analytical processes, by using signals from your query history, metadata, dashboards in tools like Power BI and Tableau, and enterprise data outside Snowflake.
The numbers back it up. Based on Snowflake's internal testing on complex enterprise queries, CoCo and CoWork achieved an 83% accuracy rate with Cortex Sense, compared to 47% without it, and 23% for frontier coding agents using Snowflake MCP alone. That's not a marginal improvement, it nearly doubles accuracy.
Cortex Sense will also ship with ready-to-use domain plugins (finance, sales) that combine skills, business logic and MCP connectors to get you from zero to a context-aware agent in minutes, not months. Private preview soon.
MCP Gateway (via Natoma acquisition)
Snowflake acquired Natoma and is using it to build the MCP Gateway — a centralized, governed layer for managing all MCP connections across your organisation.
Instead of each agent configuring its own MCP servers independently, the Gateway provides:
- Central management of all external tool connections
- Governance and access control at the gateway level
- Simplified provisioning of new connections across agents
If you're running 50 agents with 10 different MCP integrations each, managing that at the individual agent level is operational chaos. The Gateway centralizes it, giving you one place to manage connectivity, enforce policy, and audit external tool usage.
What this all means together
Snowflake is building something that doesn't quite exist yet in the market. Not just "AI on your data." An intelligent, personal, persistent agent that:
- Remembers your context (memory)
- Orchestrates complex work (multi-agent)
- Connects to your tools (personal MCP)
- Runs without you (scheduled tasks)
- Gets more accurate over time (Cortex Sense)
- Is centrally governed (MCP Gateway)
That's not a feature. That's a platform vision for how knowledge workers interact with data going forward.
The honest take
This is the most ambitious thing Snowflake announced at Summit. And ambition means execution risk. Personal memory, multi-agent orchestration, and per-user customization at enterprise scale are hard problems. I'd expect this to be unevenly available, with some pieces GA, some in preview, and some staying on the roadmap over the next 6-12 months.
But the direction is clear. And if you're a data leader deciding where to invest in AI for your business users, this is the bet Snowflake is making. Your people don't need better dashboards, they need a personal agent that knows their job and does the tedious parts of it.
What we recommend
If you're already rolling out CoWork, start thinking about what "personal" means for your top 3 user personas:
- What would a sales rep's personal agent look like?
- What about a finance analyst's?
- And an ops manager's?
The Personal Work Engine makes those different experiences possible on one platform.
If you're evaluating AI assistants for your org, compare this vision against what Microsoft Copilot and Google Duet are offering. The differentiator is governed data context; CoWork knows your business data because it IS your data platform. Others have to connect to it.
Mike Droog is a Data Superhero and Solution Architect at Aimpoint Digital, a Snowflake partner helping organizations design and deploy AI-powered business intelligence. If your team is planning an enterprise CoWork rollout, we can help.
