Feb 10, 2026

Duration: 36:52

Elise Gonzales, Staff Product Manager

Ethan Lee, Director of Product

Governing AI Agents: Databricks’ Approach to MCP, Identity, and Control

Elise Gonzales, Staff Product Manager at Databricks and lead for Agent Bricks and the MCP marketplace, shares how Databricks is approaching AI agents as governed infrastructure — not experiments — and what it really takes to make MCP work in enterprise environments.

From agent discovery and marketplaces to user-level identity, permissions, and multi-agent coordination, Elise breaks down the architectural and organizational challenges that emerge once agents move beyond demos and touch real data, real tools, and real users.

Rather than optimizing for speed or novelty, Databricks is building for trust, control, and long-term adoption — treating agents like a new class of system that must coexist safely with enterprise data platforms.

MCP, Marketplaces, and the Discovery Problem

Why MCP Spread So Fast
MCP’s simplicity and familiarity helped it gain rapid adoption across the ecosystem.

Discovery Is the Real Bottleneck
Teams inside the same company were independently building identical MCP servers — marketplaces reduce duplication and chaos.

Why Validation Matters
Enterprises need to know MCP servers are real, trusted, and supported — not community experiments pulled into production.

Governance Is the Hard Part of MCP

MCP Is the Easy Layer
The protocol works. The hard part is deciding who can use which tools, when, and under what permissions.

Enterprise Readiness Means Control
Catalogs, approval flows, and scoped access are required before agents can touch production systems.

Why Marketplaces Aren’t About Convenience
They’re about governance, auditability, and enforcing organizational boundaries.

User-Level Identity and Permissioning

Agents Can’t Be Service Accounts
Letting agents operate with broad, shared credentials creates massive risk.

Passing Through the User Matters
Agents should only act with the same permissions as the human behind the request.

Auditability Is Non-Negotiable
Enterprises need to know who did what, through which agent, and using which tools.

Multi-Agent Systems: Power and Amplification Risk

Why Multi-Agent Architectures Are Emerging
Domain-specific agents mirror microservices: finance, research, ops, and more.

The Amplification Problem
Permission mistakes compound quickly when agents coordinate with other agents.

Inheritance Over Isolation
Sub-agents must respect the same access rules as users — or they shouldn’t load at all.
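
The user pass-through, audit, and sub-agent inheritance rules from the two sections above, as an added Python example that is not Databricks code or anything shown in the episode. The user, agent, and tool names, the function names, and the grants table are all hypothetical, constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample grants: tools each human user may call (hypothetical names).
USER_GRANTS = {
    "alice": {"sales.query", "docs.search"},
    "bob": {"docs.search"},
}

# Constructed registry: tools each sub-agent needs in order to do its job.
SUBAGENT_TOOLS = {
    "finance_agent": {"sales.query"},
    "research_agent": {"docs.search"},
}

AUDIT_LOG = []  # one record per decision: who, through which agents, which target


@dataclass(frozen=True)
class RequestContext:
    user: str                # the human behind the request
    agent_chain: tuple = ()  # every agent the request has passed through

    def via(self, agent):
        # Delegation extends the chain; it never swaps in a different identity.
        return RequestContext(self.user, self.agent_chain + (agent,))


def audit(ctx, action, target, allowed):
    AUDIT_LOG.append({"user": ctx.user, "agents": list(ctx.agent_chain),
                      "action": action, "target": target, "allowed": allowed})
    return allowed


def call_tool(ctx, tool):
    """Authorize against the user's grants; the agent holds no grants of its own."""
    allowed = tool in USER_GRANTS.get(ctx.user, set())
    return audit(ctx, "call_tool", tool, allowed)


def load_subagent(ctx, name):
    """Load a sub-agent only if the user already holds every tool it needs."""
    needed = SUBAGENT_TOOLS.get(name)  # unknown sub-agents are denied by default
    ok = needed is not None and needed <= USER_GRANTS.get(ctx.user, set())
    audit(ctx, "load_subagent", name, ok)
    return ctx.via(name) if ok else None
```

Because the sub-agent's context is derived from the caller's, a permission mistake cannot widen as requests fan out: every hop is checked against the same user, and denied attempts are logged alongside allowed ones.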

Why “Just Wrapping APIs” Won’t Last

Most MCP Servers Are Stopgaps
Wrapping REST APIs exposes too many tools, increases token usage, and slows agents down.

The Shift to Agent-Native Tools
Future MCP servers will expose fewer, higher-level actions aligned to real jobs.

Designing for Context Windows and Latency
Tool design must account for how agents reason — not how humans click.

Who AI Agents Are Bringing Into Data Platforms

Not Just ML Engineers Anymore
Business users, software engineers, and operators are all entering through AI.

Why Experiences Must Be Curated
Governance enables broader access without exposing unnecessary complexity.

AI as the Front Door to Data
Agents are changing who uses data platforms — and how.

Why It Matters

AI agents aren’t just smarter software — they’re autonomous actors with access to real systems. Databricks’ approach to MCP shows that the future of agents depends less on model capability and more on governance, identity, and trust.

The companies that win won’t be the ones with the flashiest demos — they’ll be the ones that make agents safe, controllable, and reliable enough to run in production.

Interested in being a guest on Future Proof? Reach out to forrest.herlick@useparagon.com