Snowflake Cortex Agents can plan a request, choose Cortex Analyst for structured data, use Cortex Search for unstructured retrieval, execute custom functions or procedures, call MCP tools, maintain thread context, generate SQL and charts, collect feedback, and log detailed traces. Agent evaluations and resource budgets add important platform controls. They do not decide who owns a semantically valid SQL query that answers the wrong business question, an over-privileged owner-rights procedure, a stale Search service, a default-role mismatch, or a budget action that arrives hours after spend crossed the threshold.
Datrick provides an ongoing operating layer for an agreed Cortex Agents estate. Named engineers correlate thread and request traces, planning, tool selection, SQL, search results, semantic views, functions and procedures, user default roles, object privileges, target-system audits, evaluation results, feedback, releases, AI Credit use, warehouse compute, and business outcomes. Snowflake Support remains the escalation path for platform defects. Datrick owns the client-specific diagnosis, containment, validation, communication, change, and prevention accepted in the service boundary.
Do you have Cortex Agents in production but no team accountable for turning a wrong answer, failed tool, role denial, stale search result, evaluation regression, or cost spike into a verified outcome? Start with one representative portfolio.
Define ownership across agents, data tools, roles, clients, and outcomes
A production path can include Snowflake CoWork, a custom application, REST API, or MCP client; a Cortex Agent object and thread; orchestration model; Cortex Analyst and semantic views; Cortex Search services and source pipelines; code execution, charts, web search, skills, MCP connectors, functions, or procedures; warehouses; the querying user's default role; OAuth, JWT, or programmatic access token; and a downstream system or decision that creates the actual outcome. Name which layers the managed service owns, observes, changes, coordinates, or excludes.
Document accounts and regions, databases and schemas, agents, clients, threads, tools, semantic views, Search services, source tables and pipelines, functions and procedures, warehouses, roles and users, authentication, observability access, data classes, support hours, severity, quality bars, change authority, budgets, fallback, and Snowflake escalation.
Operate the complete Cortex Agents production surface
| Service area | Managed responsibility | Boundary to define |
|---|---|---|
| Requests and threads | Conversation history, thread depth, planning, response generation, latency, errors, completion, feedback, client behavior, and fallback. | Supported agents and clients, users, languages, hours, SLO, expected answer, thread retention, and human handoff. |
| Observability and evaluation | Trace spans, tool selection and execution, SQL and chart generation, token use, error severity, user feedback, GPA metrics, datasets, custom metrics, and regression. | MONITOR access, unredacted privilege, sensitive fields, retention, metrics, thresholds, model availability, evaluator cost, and reviewer. |
| Structured and unstructured data | Semantic views, Cortex Analyst, generated SQL, warehouse execution, Cortex Search, indexed data, source freshness, filters, retrieval quality, lineage, and grounding. | Authoritative sources, business definitions, freshness SLO, warehouse, query policy, data owner, masking, and recovery. |
| Custom tools and MCP | Functions, stored procedures, code execution, skills, MCP connectors, contracts, inputs and outputs, timeout, retry, side effects, approvals, and target reconciliation. | Allowed tools, owner or caller rights, warehouse, action authority, prompt trust, idempotency, rollback, and emergency disable path. |
| Identity and access | CORTEX roles, agent USAGE and MONITOR, querying-user default role, database and schema grants, semantic and Search access, procedure rights, tokens, and audits. | Default-role owner, least privilege, service user, OAuth or JWT scope, PUBLIC grants, access review, and incident route. |
| Release and change | Agent specification, instructions, models, tools, semantic views, Search services, functions, procedures, warehouses, roles, clients, evaluation gate, rollout, and rollback. | Source of truth, environments, change authority, freeze, approval, compatibility, canary, and acceptance evidence. |
| Cost and value | Agent tokens and AI Credits, Analyst and Search calls, generated SQL warehouse compute, custom tools, evaluations, retries, loops, attribution, budget, anomaly, and outcome. | Commercial owner, tags, entry point, budget latency, threshold, business KPI, forecast, unit economics, and optimization authority. |
Trace requests without exposing sensitive data or confusing metadata with outcomes
Cortex Agent monitoring records conversations, planning, tool selection and results, LLM response generation, SQL execution, chart generation, span inputs and outputs, errors, and feedback in SNOWFLAKE.LOCAL.AI_OBSERVABILITY_EVENTS. The event rows cannot be modified. A role needs OWNERSHIP or MONITOR on the agent and the relevant Cortex database role to view logs. Full conversation text and tool inputs and outputs require the separate READ UNREDACTED AI OBSERVABILITY EVENTS TABLE account privilege; without it, operators can still see metadata such as tool names, token usage, latency, evaluation summaries, model, and error severity.
Treat unredacted observability as production data. Define who can see prompts, SQL, retrieved text, tool arguments, outputs, and feedback; how long events remain; when deletion is allowed; and which fields can leave Snowflake. Do not grant broad unredacted access merely to make incident response convenient.
Cortex Agent evaluations trace the Goal-Plan-Action path, including tool selection, tool execution, logical consistency, answer correctness, and custom metrics. Evaluation datasets and judge results must represent current business questions and source states. Agent response times and detailed traces can constrain evaluation throughput, and some metrics or models have availability limits. A passing evaluation is a release input, not proof that production data, roles, tools, or downstream outcomes remain correct.
Distinguish planning, semantic, search, tool, role, release, and cost failures
| Symptom | Evidence to reconcile | Safe containment | Permanent control |
|---|---|---|---|
| Wrong answer or inefficient plan | Thread and request ID, planning spans, selected tools, agent specification, model, SQL, retrieved context, evaluation scores, feedback, expected answer, and recent change. | Narrow the affected use case, route to human review, restore accepted agent or tool configuration, preserve traces, and correct impacted decisions. | Representative GPA evaluation, business-grounded datasets, custom metrics, cohort monitoring, feedback review, and release threshold. |
| Cortex Analyst returns wrong SQL or meaning | Semantic view, business definitions, generated SQL, role and row access, source schema and freshness, warehouse result, query history, and expected metric. | Disable affected analytical path, use an approved query or dashboard, label uncertainty, preserve SQL evidence, and reconcile decisions. | Semantic-model ownership, verified queries, definition tests, schema contracts, row-access tests, and metric acceptance. |
| Cortex Search misses or returns stale context | Search service, source pipeline, target lag, indexed rows, filters, searchable attributes, retrieved chunks, role grants, freshness, and expected source. | Pause affected source or answer path, use an accepted snapshot or manual lookup, rebuild or resume safely, and communicate staleness. | Freshness SLO, pipeline and service alerts, retrieval evaluation, source ownership, filter tests, and recovery exercise. |
| Custom tool fails or changes the wrong state | Function or procedure signature, owner or caller rights, default role, warehouse, inputs and outputs, timeout, retries, external audit, idempotency, and target state. | Disable tool, block replay, revoke or narrow access if needed, isolate records, use manual fallback, and reconcile side effects. | Contract and negative tests, restricted rights, least privilege, approval, idempotency, target verification, and emergency disable path. |
| Works for one user but fails for another | Querying user's default role and warehouse, CORTEX database role, agent USAGE, database and schema grants, semantic and Search privileges, procedure rights, and client auth. | Stop privilege escalation, restore only approved grants, use a controlled service path, preserve access evidence, and communicate affected users. | Default-role matrix, access-as-code, per-persona tests, PUBLIC grant review, least privilege, entitlement review, and drift alert. |
| Unexpected AI Credit or warehouse spend | CORTEX_AGENT_USAGE_HISTORY, request and agent IDs, entry point, Analyst and Search calls, generated SQL, warehouse use, model, tokens, retries, loops, evaluations, tags, and outcomes. | Stop loops, restrict agent access, lower traffic, suspend noncritical Search or warehouse use where safe, and notify the commercial owner. | Per-agent and per-team attribution, early alerts, resource budgets, quota design, iteration limits, forecast, and unit economics. |
Safe replay is a business decision, not merely repeating agent:run. Before retrying, determine whether a stored procedure, UDF, MCP tool, generated SQL process, or external system already created, changed, approved, sent, paid, assigned, or closed a record. Use idempotency, target-state reconciliation, and explicit approval for consequential actions.
Test the effective default role and every privilege hop
Cortex Agents determine session permissions from the querying user's default role. That role needs USAGE on the database, schema, and agent and the privileges required by each tool. Cortex Search requires service access; Cortex Analyst depends on semantic-view and underlying data access; functions and procedures require USAGE; and a procedure preserves its owner-rights or caller-rights definition. The effective authority can therefore change at the tool boundary even when the agent call succeeds.
Inventory default roles, default warehouses, CORTEX_USER or CORTEX_AGENT_USER grants, PUBLIC exposure, agent USAGE and MONITOR, semantic and Search objects, functions and procedures, OAuth or JWT scopes, PAT restrictions, and MCP trust. Test representative user personas in the actual client. A creator preview under an administrative role is not production authorization evidence.
Control releases and cost with evidence, not object existence
Snowflake provides CREATE, ALTER, DESCRIBE, SHOW, and DROP commands for Cortex Agent objects, but an agent specification is only one part of the release. Preserve instructions, orchestration model, tool descriptions and identifiers, semantic views, Search services, source pipelines, function and procedure code and rights, warehouses, default-role expectations, authentication, monitoring access, evaluation dataset and results, budget tags, approvals, rollout, and rollback in a release manifest.
Cortex Agents are billed in AI Credits by tokens, and costs are additive across invoked services such as Cortex Analyst and Cortex Search. Generated SQL incurs warehouse compute. CORTEX_AGENT_USAGE_HISTORY reports agent calls, tokens, credits, user, request, and underlying-service detail, but Snowflake CoWork-originated usage is attributed separately. Resource budget actions are periodic and can lag by up to eight hours under standard configuration, so use early thresholds and operational alerts rather than treating a monthly hard limit as immediate protection.
Onboard through inventory, baselines, controlled failures, and shadow operations
- Inventory: accounts, regions, agents, clients, threads, tools, semantic views, Search services, sources, functions, procedures, warehouses, roles, authentication, and outcomes.
- Responsibility: define supported layers, SLOs, severity, access, data handling, quality, change authority, budget, dependencies, fallback, Snowflake escalation, and exclusions.
- Baseline: measure request success, latency, trace coverage, GPA evaluation, Analyst and Search quality, tool and target-state success, access denials, cost, and incidents.
- Controls: validate redacted and unredacted monitoring, default roles, object grants, procedure rights, evaluation datasets, safe replay, release evidence, rollback, attribution, and alerts.
- Exercise: rehearse a wrong plan, invalid SQL, stale search result, duplicate side effect, role denial, missing trace, regression, loop, cost spike, and platform incident.
- Transition: operate in shadow, close or accept material gaps, publish runbooks and escalation routes, and accept the steady-state support scope.
Start with the Cortex Agents that already influence customer, financial, operational, compliance, or workforce decisions. Datrick can define the operating boundary, close material control gaps, and transition one portfolio into managed support.
Request a Snowflake AgentOps reviewOfficial references and adjacent operating guides
- Snowflake Cortex Agents overview
- Monitor Cortex Agent requests
- Cortex Agent evaluations
- Cortex Agents access control and authentication
- Create and manage Cortex Agents
- Snowflake AI pricing and Cortex Agents cost
- Resource budgets for Cortex Agents
- White-label AI agent managed support for MSPs
- Managed human evaluation for AI agents
Frequently asked questions
What is included in Snowflake Cortex Agents managed services?
A defined service can include request and thread monitoring, trace investigation, Cortex Agent evaluations, Cortex Analyst semantic views, Cortex Search services, custom tools, user default roles and object privileges, incidents, release control, AI Credit usage and budgets, runbooks, and reporting. Scope depends on the agents, tools, data, channels, access, support hours, and accepted responsibility boundary.
How do you monitor Snowflake Cortex Agents in production?
Cortex Agent monitoring records conversation history, planning, tool selection and execution, SQL and chart generation, final responses, and user feedback in AI observability events. Operators need MONITOR or OWNERSHIP on the agent plus the required Snowflake database role. Full conversation and tool payloads require separate unredacted-observability privilege, so monitoring access and sensitive-data handling must be designed deliberately.
Which Snowflake role does a Cortex Agent use?
Cortex Agents determine session permissions from the querying user's default role. That role needs access to the agent and to the objects used by its tools, including Cortex Search services, semantic-view data, functions, and stored procedures. A procedure can then run with owner or caller rights according to its definition, so the effective identity must be tested end to end.
How do you control Cortex Agents cost and budgets?
Track per-agent usage in CORTEX_AGENT_USAGE_HISTORY and account for additive costs from Cortex Analyst, Cortex Search, generated SQL warehouse compute, and other invoked services. Resource budgets can use tags and threshold actions, but standard enforcement can lag by up to eight hours and some Snowflake CoWork-originated use is attributed separately. Operational alerts should therefore trigger before the hard limit.
How long does Snowflake Cortex Agents support onboarding take?
A focused onboarding commonly takes two to four weeks for a representative production portfolio. It covers agent and tool inventory, observability and evaluation baselines, semantic views and search services, default-role permissions, incidents, releases, cost attribution, runbooks, controlled failure exercises, and acceptance of the steady-state operating scope.
Need the same support model across several data and agent platforms?
Compare the Databricks AgentOps boundary