Bedrock expands ArgusAI for AI agent risk oversight
Bedrock Data has expanded its ArgusAI product to cover AI agents, MCP servers and enterprise data, targeting what it calls the enterprise AI risk surface.
The update adds automated discovery of Model Context Protocol servers, governance for Snowflake Cortex Search and Cortex Analyst, and a Bedrock MCP server that feeds data risk context into AI workflows.
Bedrock is targeting security teams struggling to track how AI systems reach internal data through connectors, roles and permissions. It argues that older security and data security posture management tools can identify sensitive data, but do not provide a combined view of agents, access paths and entitlements.
ArgusAI is built on Bedrock's Metadata Lake and uses what it calls a Data Bill of Materials, or DBOM, to create an inventory of data assets linked to an AI system. This includes categorisation, sensitivity classification, entitlement chains, regulatory context and lineage.
One part of the update focuses on the infrastructure linking AI systems to enterprise data.
MCP oversight
The Model Context Protocol (MCP) is emerging as a common way for AI agents to connect to external tools and data sources. Bedrock argues that wider MCP adoption can also create new exposure points if roles are too broad, servers are poorly configured or unapproved services appear in the environment.
The new MCP Server Discovery feature is designed to identify MCP endpoints across cloud environments, map connections between agents, servers, roles and data, and monitor changes over time. It also applies data sensitivity and entitlement analysis so security teams can see whether MCP-connected services can access regulated, proprietary or customer-sensitive information.
"AI risk isn't defined by a single endpoint or service; it's defined by the chain of connectivity between agents, infrastructure, roles and data," said Pranava Adduri, CTO and Co-Founder of Bedrock Data.
"ArgusAI synthesizes those layers into a unified exposure model so security teams can see not just what's deployed, but what it can actually access. That architectural context is what makes governing the AI risk surface possible," Adduri said.
Another part of the release extends ArgusAI to Snowflake's Cortex services, which are used to build semantic search and retrieval systems on top of data stored in Snowflake. Bedrock says this addresses a problem for companies that add new datasets into AI search systems without always reviewing whether sensitive information is entering those pipelines.
Snowflake reach
The product now discovers Snowflake Cortex Search and Cortex Analyst services and identifies which datasets are indexed into those retrieval systems. It then correlates those services with role-based access and underlying data permissions to show which users, agents or applications may be able to reach sensitive data indirectly through AI search.
As an example, Bedrock described a global retailer that expanded an internal AI search assistant by indexing more datasets, including customer analytics tables. A review using its DBOM showed that a Cortex-powered search service had indexed customer loyalty tables containing personally identifiable information that was not meant for AI responses, allowing the team to narrow the indexing scope.
Bedrock linked the product expansion to a broader increase in AI governance work inside security teams. It cited its 2025 Enterprise Data Security Confidence Index, which found that 60% of security teams had taken on AI governance responsibilities while 53% still lacked real-time visibility into sensitive data assets.
The company also pointed to an external forecast on AI-related breaches.
"AI introduces non-deterministic data access patterns that traditional security tools weren't built to govern. Organisations need a clearer view of how AI systems interact with enterprise data to manage emerging risk," said Jason English, Director and Principal Analyst and CMO at Intellyx.
Bedrock's new MCP server is aimed at internal AI workflows such as access reviews, incident response, remediation and data operations. It exposes information from the Metadata Lake through an MCP interface so AI systems can query data classification and exposure details before taking action.
Bedrock argues that AI systems are increasingly making operational decisions, but often do so without direct access to authoritative information on where sensitive data sits and how permissions are structured.
"AI is increasingly making operational decisions within the enterprise, including access reviews, remediation, incident response, and more. MCP is the interface those systems use to access enterprise data. If the workflows on the other side of that interface don't understand where sensitive data lives or how access is structured, they're automating without guardrails. By making data risk intelligence directly consumable through MCP, Bedrock Data ensures governance is embedded in the workflow itself rather than bolted on after the fact," said Harold Byun, Chief Product Officer at Bluerock.
Chief executive and co-founder Bruno Kurtic framed the issue as visibility into the full chain of access around enterprise AI.
"As enterprises operationalize AI, risk is defined by what those systems can access," said Bruno Kurtic, CEO and Co-Founder of Bedrock Data.
"If you don't know what data your agents can access, through which MCP servers, under which identities and with which entitlements, you can't govern them. ArgusAI gives teams a complete map of the AI footprint so they can govern the AI risk surface end to end and scale innovation without increasing exposure," Kurtic said.