1 Key Risks
The most critical security risks an operator inherits when deploying this agent in its documented default configuration. Sigma AI's warehouse-native design inherits the operator's data warehouse security perimeter but leaves prompt injection mitigation, output filtering, and real-time monitoring as operator-managed gaps.
2 AIRQ Scores
The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Sigma AI lands in the lower half of the composite scale, reflecting constrained blast radius offset by moderate attack surface and limited vendor-implemented defense controls.
With an attack surface of 4.80 and a blast radius of 3.88, Sigma AI places in the Humble Providers quadrant. The attack surface score sits 0.20 below the 5.0 quadrant boundary, making this a borderline placement where a single confirmed prompt-injection exploit on the text-to-SQL pipeline could push the agent into Humble Providers. The warehouse-native model caps blast radius by design: all SQL runs on the customer's compute, not on Sigma infrastructure, so a compromised session cannot escalate beyond the credential scope the operator grants.
Attack surface is scored on a 10-point scale, blast radius on 10, defense controls on 15, and the AIRQ composite weighs all three into a single readiness indicator. The defense multiplier rewards vendor-implemented controls that reduce operator burden; Sigma AI's 6 of 15 defense score provides a modest uplift, leaving the composite anchored to the moderate attack and blast positions rather than lifted by strong defaults.
| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 3.61 | A composite of 2.77 places Sigma AI in the moderate-risk band where the warehouse-native architecture provides a structural ceiling on blast radius but the absence of vendor-implemented input filtering and output-layer controls limits the defense multiplier. Operators can improve this score primarily by adding prompt-injection scanning and real-time audit alerting, both of which are operator-managed on the default configuration. |
| Blast Radius | 3.88 / 10 | Blast radius of 3.88 reflects warehouse-scoped SQL execution and credential access moderated by the absence of host-level filesystem, deployment pipeline, or container escape surface. The operator's warehouse credential is the blast boundary: a compromised session reaches whatever that credential can query or write back, but cannot pivot to Sigma's infrastructure or the operator's broader cloud environment. |
| Attack Surface | 4.8 / 10 | The 4.80 attack surface reflects a text-to-SQL pipeline that accepts natural-language prompts as first-class input and converts them to executable warehouse queries without a documented prompt-injection filter. The MCP client channel, Autonomous mode scheduling, and External Actions REST surface each add input vectors. All three trifecta conditions are satisfied, applying the 4.80 floor. |
| Defense Controls | 6 / 15 | Six of fifteen defense points come from documented warehouse isolation via OAuth passthrough, granular data access controls across four permission levels, and audit logging with 30-day retention. Prompt-injection filtering, output-layer DLP, and real-time anomaly detection are not vendor-implemented on the default configuration, leaving the operator responsible for the gaps that most directly address the text-to-SQL attack surface. |
3 Attack Surface
Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Sigma AI's reasoning loop ingests user prompts, warehouse table contents, and MCP tool definitions as first-class input, converting them into SQL that executes on production data.
Higher scores on this agent reflect surfaces where user-supplied natural language translates directly into executable SQL or outbound API calls without an intermediate validation layer. The dominant risk channel is the text-to-SQL pipeline, which converts freeform prompts into warehouse queries. The MCP client interface and External Actions REST channel add secondary input vectors. No surface reaches the confirmed-exploitable band because no agent-specific red-team assessment or disclosed vulnerability was found during research, but class-level evidence on text-to-SQL backdoor injection is extensive.
Each row below names a surface through which adversarial input can enter Sigma AI's reasoning loop, scored from 0 (absent or not applicable) to 4 (confirmed exploitable with agent-specific evidence). All scores reflect the documented default configuration. The text-to-SQL conversion boundary is the most consequential surface: prompts flow in as natural language and execute as SQL on the operator's warehouse, so any injection that survives the translation step lands directly on production data. The MCP client channel and External Actions mode create additional entry points that an attacker can reach without physical access to the Sigma workbook.
| Surface | Score | Comments |
|---|---|---|
| User Input | 2 / 4 | Natural-language prompts are the primary input channel and are converted to SQL without a documented prompt-injection scanner at the agent layer [6]. The three agent modes all accept user-authored text as the entry point for query generation. |
| External Data | 2 / 4 | The agent queries warehouse tables containing customer-managed datasets where all SQL runs on the operator's own compute, inheriting whatever access controls the warehouse enforces [8]. Data content is operator-governed, not vendor-filtered. |
| Memory | 1 / 4 | Session context persists within a workbook interaction but no long-term vector store or cross-session memory poisoning surface is documented [7]. Memory risk is limited to single-session prompt context. |
| Reasoning | 2 / 4 | The text-to-SQL translation step is the core reasoning boundary where natural language becomes executable code; backdoor payloads embedded in training data can hijack query generation with high attack success rates [2]. |
| Planning | 2 / 4 | Autonomous mode allows the agent to chain multi-step queries and schedule monitors, extending the planning horizon beyond a single prompt turn [7]. Scheduled workflows persist until the operator revokes them. |
| Tool Execution | 2 / 4 | Generated SQL executes directly on the warehouse with the operator's credentials; class-level attacks on text-to-SQL systems achieve high success rates [3] and a documented full-chain prompt injection on a comparable Snowflake agent led to database exfiltration [5]. |
| Orchestration | 2 / 4 | Sigma AI exposes MCP client capabilities for external tool discovery, creating an orchestration boundary where upstream agents can discover and invoke Sigma's query tools [6]. |
| Inter-Agent | 1 / 4 | The vendor publishes a documentation MCP server that AI coding assistants can query for API endpoint discovery [16]. The agent-to-agent surface is limited to this read-only documentation channel. |
| Output Processing | 1 / 4 | Generated SQL results and visualizations flow to downstream consumers; prompt injection on text-to-SQL outputs enables data exfiltration through crafted query results [4]. |
| Configuration | 1 / 4 | The data access model uses four granular permission levels with additive visibility across connections, schemas, and tables; misconfigured connections can expose data beyond the intended scope [10]. |
The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. Sigma AI satisfies all three conditions: user prompts feed the text-to-SQL pipeline, warehouse tables hold sensitive operational data, and External Actions mode routes output to third-party APIs.
Sigma AI exhibits all three of these conditions in its documented default configuration:
- Untrusted input — User prompts and MCP tool definitions enter the reasoning loop as first-class input without a documented prompt-injection filter at the default configuration [6].
- Sensitive data — The agent queries production warehouse tables governed by the operator's permission model, reaching any dataset the connected credential can access [10].
- External egress — External Actions mode sends agent-initiated HTTP requests to admin-configured REST API endpoints, creating a direct egress channel from the reasoning loop [15].
4 Blast Radius
The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. A compromised Sigma AI session reaches whatever the connected warehouse credential can query, write back, or trigger via External Actions, bounded by the operator's permission model.
Higher blast scores on this agent reflect surfaces where a compromised session can read, modify, or exfiltrate production data through warehouse queries or outbound API calls. The warehouse-native architecture keeps all SQL execution on the customer's compute, which constrains lateral movement: there is no Sigma-side shell, container, or filesystem the agent can pivot to. The blast ceiling is set by the operator's warehouse credential scope and the External Actions connector configuration.
Each row maps a blast factor to the scope of damage a compromised agent session can inflict through its documented capabilities. Sigma AI's blast radius is structurally bounded by the warehouse-native model: the agent has no host filesystem, no shell access beyond SQL, and no deployment pipeline integration. The dominant blast channels are warehouse query scope (governed by the operator's credential) and outbound REST calls via External Actions (governed by admin-configured connectors).
| Factor | Score | Comments |
|---|---|---|
| Code execution | 2 / 4 | Generated SQL executes on the customer's warehouse compute with no code sandbox or shell access beyond SQL documented in the default agent configuration [8]. The operator's warehouse credential scope is the execution boundary. |
| File system access | 1 / 4 | Sigma operates as a SaaS platform with no host-level filesystem access; warehouse-side data reads are governed by connection-level permission grants [8]. |
| Network access | 2 / 4 | External Actions mode routes agent-initiated REST calls through admin-configured connectors, enabling outbound HTTP to operator-specified endpoints [15]. No unrestricted internet access is documented. |
| Credential access | 2 / 4 | Warehouse credentials are encrypted with customer-managed KMS keys and accessed via OAuth passthrough; revoking the KMS root key severs Sigma's credential access immediately [12]. |
| Autonomous action | 2 / 4 | Autonomous mode runs scheduled multi-step workflows without per-action approval; the immutable audit trail logs each action after execution rather than gating it beforehand [7]. |
| Deployment access | 0 / 4 | No deployment pipeline, IaC integration, or production infrastructure access is documented; the agent's blast radius stays within the warehouse and API action boundary [8]. |
5 Defense Controls
Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Sigma publishes warehouse isolation, access controls, and audit logging confirmed by third-party security assessments [17], but prompt-injection filtering and output-layer DLP remain undocumented on the default configuration.
Higher defense scores reflect vendor-implemented controls that reduce risk without operator intervention; lower scores flag gaps the operator must close independently. Sigma AI's controls cluster around infrastructure isolation and access governance, both inherited from the warehouse-native architecture. The gaps are at the agent layer itself: no prompt-injection filtering on input, no DLP or redaction on output, and no real-time anomaly detection on agent-generated SQL.
Each component is scored from 0 (absent) to 3 (vendor-implemented and externally verified), with confidence flags reflecting the strength of the supporting documentation. Sigma AI's defense profile is shaped by its warehouse-native architecture: the controls the vendor can claim strongest are the ones the warehouse already provides (tenant isolation, credential governance, audit trail). The controls that require agent-layer implementation (input scanning, output filtering, anomaly detection) are the ones scored lowest.
| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 1 / 3 | The vendor holds ISO 27017, 27018, and 27701 certifications [13] but documents no prompt-injection scanner or input-shape validator at the agent layer; the Trust Center addresses third-party incidents only [1]. |
| Execution Isolation | 2 / 3 | All SQL runs on the customer's warehouse compute rather than on Sigma infrastructure, providing tenant isolation by construction via OAuth passthrough and optional PrivateLink support [8]. |
| Action Controls | 2 / 3 | Autonomous mode requires operator-configured triggers and External Actions mode requires admin-granted connector credentials, but no per-action approval gate is documented as a default control [7]. |
| Output Guardrails | 0 / 3 | No output DLP, redaction, or URL-sanitization controls are documented at the agent layer; data processing practices are governed by the vendor's privacy and data processing policies [14]. |
| Monitoring | 1 / 3 | Audit logs capture agent actions in a vendor-managed Snowflake connection with 30-day retention and up to one-hour event lag; SIEM forwarding and real-time alerting are operator-managed [9]. |
6 Hardening Tips
Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Operators should prioritize adding prompt-injection filtering at the input layer and real-time anomaly detection for agent-generated SQL to break the trifecta exfiltration path.
Input Guardrails
Input guardrails intercept adversarial content before it reaches the reasoning loop.
- Policy Require all natural-language queries to pass through a review gate before SQL generation when operating in Autonomous mode.
- Configuration Restrict the MCP client channel to a pre-approved allowlist of external tool providers in the Sigma admin console.
- Engineering Deploy a prompt-injection classifier upstream of the text-to-SQL pipeline that flags suspicious input patterns before query generation.
Execution Isolation
Execution isolation contains what a compromised agent can do on the host.
- Policy Limit warehouse connection credentials to read-only access for all Interactive mode queries and require elevated approval for write operations.
- Configuration Enable PrivateLink for all warehouse connections to eliminate public network exposure of the SQL execution channel [8].
- Engineering Instrument the text-to-SQL output with a query-shape validator that rejects unexpected DDL, multi-statement, or administrative SQL commands.
Action Controls
Action controls govern which tools and actions the agent can invoke autonomously.
- Policy Require per-action operator approval for all External Actions mode API calls before they execute on third-party endpoints.
- Configuration Disable Autonomous mode by default and enable it only for workbooks with explicit operator approval and scoped data connections.
- Engineering Wire a webhook pre-flight check into the External Actions connector pipeline that validates each outbound request against a policy engine.
Output Guardrails
Output guardrails inspect what the agent sends to other systems and users.
- Policy Establish a data classification policy that prohibits agent-generated outputs from including PII or financial records without explicit redaction.
- Configuration Configure warehouse-side column masking policies to redact sensitive fields before query results reach the agent layer.
- Engineering Implement a post-query output scanner that detects and redacts PII patterns before results render in the workbook interface.
Monitoring
Monitoring captures what the agent did and surfaces anomalies for review.
- Policy Establish a process to report agent-related security issues through the vendor's responsible disclosure program for coordinated triage [11].
- Configuration Forward Sigma audit logs to an enterprise SIEM with real-time alerting rules for anomalous query volumes or unexpected external actions.
- Engineering Build a query-pattern anomaly detector that flags SQL deviating from the workbook's historical baseline and triggers an automated hold.
7 References
The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.
Selected Vulnerabilities
- Sigma Computing Trust Center Vendor Trust Center documents MOVEit non-impact and a third-party credential incident isolated to a sub-processor
Selected Research
- TrojanSQL Backdoor SQL injection on text-to-SQL parsers with up to 99 percent success on fine-tuned models
- ToxicSQL 0.44 percent poisoned training data achieves 79 percent attack success generating malicious SQL queries
- SecureSQL Prompt injection and inference attacks causing data leakage in text-to-SQL systems
- Prompt Injection via GitHub README on Snowflake Agent Full-chain prompt injection leading to sandbox escape and database exfiltration via a Snowflake AI agent
Vendor Documentation
- Sigma AI Product Overview Sigma Assistant and Sigma Agents capabilities including MCP client mode and warehouse-native AI
- Sigma Agents Product Page Three agent modes with warehouse security inheritance, OAuth passthrough, and immutable audit trail
- Sigma Architecture Warehouse-native execution with all SQL on customer compute plus PrivateLink and SOC 2 compliance
- Sigma Audit Logging Sigma-managed Snowflake audit connection with 30-day retention and cloud storage export
- Sigma Data Access Overview Four granular permission levels and additive access model for warehouse data visibility
- Sigma Vulnerability Disclosure Policy Bug bounty program with dedicated staging environment for responsible disclosure
- Sigma Customer-Managed Keys Envelope encryption where customers own KMS root keys and can revoke Sigma credential access
- Sigma ISO Certifications ISO 27017, 27018, 27701 certifications alongside ISO 27001, SOC 2, and HIPAA attestations
Other Sources
- Sigma Computing Privacy Policy Data processing practices and DPF self-certification for international data transfers
- Sigma API Actions Workbook actions call external REST API endpoints through configured connectors with admin permissions
- Sigma Documentation MCP Server Exposes search and fetch tools for AI coding assistants via the Model Context Protocol
- Nudge Security Profile for Sigma Computing Third-party profile listing SOC 2, PCI, HIPAA, ISO 27001, GDPR, FedRAMP, and CSA STAR Level 1