Snowflake's Summit Bet: The Data Platform as Agent Control Plane

Snowflake spent Summit 26 making a single architectural argument: that the governed data environment is the right place to control both AI agents and the knowledge workers who use them. The question for every CTO in the room is whether that argument holds when agents start acting outside Snowflake.
  • 26+ New capabilities announced at Summit 26
  • 86% CoWork accuracy on structured questions with full business context
  • 13,900+ Customers on the Snowflake platform
  • ~65% Orgs citing security as top barrier to scaling AI (McKinsey, 2026)

Key Takeaway

Agent Identity is generally available. CoWork is going after knowledge workers on Microsoft's home court. Both moves share a premise: trust the data platform. Whether that premise survives contact with multi-system agentic deployments is the real evaluation question.

Somewhere between the data warehouse era and the agentic one, Snowflake made a decision about what kind of company it wants to be. Summit 26, held June 1 through 4 at Moscone Center in San Francisco, made that decision visible. The argument, distributed across 26-plus announcements, is that the governed data environment should be the control plane for both AI agents and the knowledge workers who direct them. That is a bigger architectural claim than most Summit coverage has named.

Two announcements carry the weight of it. Agent Identity is now generally available, giving AI agents a verified identity and auditable permissions enforced within Snowflake before they touch enterprise data. CoWork, formerly called Snowflake Intelligence, pushes into knowledge worker productivity with a mobile app, a Slack integration, an Excel extension, and Model Context Protocol (MCP) connectors to Salesforce, Google Drive, and Slack. Both bets only work if organizations accept the same premise: that where your data is governed is where your agents should be governed too. Whether that premise holds when agents act across systems Snowflake does not own is the evaluation question every CTO should bring into the next platform review.

The claim is bigger than it looks

The assumption in most enterprise security conversations is that agent governance belongs in the identity provider. Microsoft Entra, Okta, and similar platforms have spent years building the control layer for human identity. The natural extension, in that view, is to register AI agents in the same directory, enforce the same role-based access policies, and audit actions through the same tooling.

Snowflake is arguing something different. Agent Identity gives agents a verified identity before they can access enterprise data or take action, with role-based permissions and a complete audit trail of agent activity, all enforced within the Snowflake environment. Agents making decisions from enterprise data should be governed where that data lives, not at a separate identity layer that has no understanding of what the data means or how the agent is using it.

Horizon Context, announced alongside Agent Identity, makes the semantic dimension explicit. It brings together business definitions, SQL logic, and operational knowledge from across an organization's data estate so that every agent draws from the same governed understanding of the data, including how revenue is calculated, how a customer is defined, and where risk thresholds sit. BlackRock is already using it to ensure AI operates on what the press release calls a shared definition of enterprise truth.

A financial firm operating AI agents across global markets cannot afford agents that calculate revenue differently in different systems. The semantic layer is not optional when agents are driving decisions at that scale. Snowflake's argument is that the semantic layer should live in the data platform, not in a separate catalog that has to stay synchronized with it.

CoWork is the commercial proof point

CoWork is where the architectural argument meets commercial reality. Knowledge worker AI is where Microsoft Copilot has the incumbency advantage, embedded in the productivity suite most enterprise users open every morning. Snowflake's counter is not a feature set. It is a data argument: an agent that answers questions about revenue, pipeline, or operational performance is more useful when it runs inside the environment where that data is governed, versioned, and defined.

The accuracy figure is the sharpest counter-argument Snowflake has. CoWork reportedly hits 86% on structured questions with full business context, compared to 24% for generic frontier models without it. That gap comes from running inside the environment where the business data is already defined, not from the model itself.

Synopsys has built more than 20 purpose-built agents for revenue operations, legal, finance, product management, and IT, all connected back to Snowflake. WHOOP reports that routing routine queries through CoWork has reduced the load on its data team while giving non-technical employees direct access to trusted answers. Both are telling the same story: the value is not in the agent, it is in what the agent already knows about the business.

"What used to require specialized analysts and manual requests is now accessible to hundreds of employees in real time." — WHOOP

The open question is what happens when the answer requires data that does not live in Snowflake. CoWork's MCP connectors to Salesforce, Google Drive, and Slack are how Snowflake is extending its reach. The Natoma acquisition, covered here in May, is the architecture behind those connectors: identity-aware authorization and auditability for agent actions taken in external systems. For organizations evaluating CoWork, the useful question is how completely the MCP governance layer extends outside Snowflake, and at what maturity level.

Where the architecture gets complicated

The Natoma-powered MCP integration is still maturing. Governance of data read from Snowflake is not the same as governance of actions taken in Salesforce on behalf of a Snowflake agent. When an agent updates a Salesforce opportunity, sends a Slack message, or modifies a shared Drive file, the audit trail has to cross system boundaries, each with its own identity model and compliance posture.

Snowflake's security posture management additions to the Horizon Catalog address the internal monitoring question. They help security teams continuously monitor AI systems, investigate violations faster, and respond to emerging risks. What they do not address, at least not yet at general availability, is federated governance across external systems where Snowflake is not the authoritative source.

This is not a reason to dismiss the architecture. It is a reason to ask the right question before deployment. Organizations evaluating CoWork for knowledge worker AI need to map which systems their agents will act in, not just which systems they will read from, and confirm that the MCP governance layer extends meaningfully into each of them.

The interoperability story adds a third dimension. Apache Iceberg v3 support at general availability, Snowflake Storage for Apache Iceberg Tables, and bi-directional read and write access through Horizon Catalog powered by Apache Polaris are meaningful for organizations with data sitting outside Snowflake in external lakes. The pitch is a single governed copy of enterprise data, wherever it lives, without duplication. Organizations including Affirm and NTT DOCOMO are already operating on this model at scale. Worth noting: Databricks shipped Apache Iceberg v3 support the same week. The open table format is not contested. Governance on top of it is where the differentiation sits, and both companies are making the same claim. That tension will be worth watching at Databricks Summit next week.

Cortex Training changes the cost calculus

One Summit announcement that has received less coverage is Cortex Training, which lets enterprises customize open-weight foundation models such as the Qwen or Mistral families on their own data, without moving that data to an external training environment. Resolve AI made a multi-million-dollar, two-year commitment to use it for reinforcement learning on proprietary production operations data.

Organizations paying frontier model API rates for use cases where a smaller domain-specific model would outperform them can now build and maintain those models inside their governed data environment. GPU capacity is managed rather than owned. Training happens where the data already lives. That changes the build-versus-buy math for any team running high-volume, domain-specific inference workloads.

Key Takeaway

Cortex Training, Agent Identity, and CoWork are not three separate bets. They are one bet placed three ways: that governance embedded in the data platform is worth more than governance bolted onto it. The part of that bet still unpriced is what happens at the MCP boundary.

CIO/CTO Viability Question

Agent Identity is a strong governance story for data that lives in Snowflake. Before deploying agents into external systems through the Natoma-powered MCP layer, confirm two things: whether Snowflake's permission and audit policies extend to those external systems at the action level, not just the data read level, and what the maturity timeline is for that coverage given that the integration is still maturing toward general availability. The gap between those two timelines is where deployment risk concentrates.

Sources
  • Snowflake. "Snowflake CoWork Powers the Agentic Enterprise as the Personal Agent for Knowledge Workers to Work Smarter." Snowflake Newsroom, 2 Jun. 2026. snowflake.com
  • Snowflake. "Snowflake Advances Trusted AI with Snowflake Horizon Catalog Centralizing Governance, Context, and Security Across the Enterprise." Snowflake Newsroom, 2 Jun. 2026. snowflake.com
  • Snowflake. "Snowflake Pioneers New Open Framework for Interoperable Enterprise Data and AI." Snowflake Newsroom, 2 Jun. 2026. snowflake.com
  • Snowflake. "Snowflake and Anthropic Accelerate Enterprise AI Adoption Driven by Rising Demand for Governed AI." Snowflake Newsroom, 1 Jun. 2026. snowflake.com
  • McKinsey & Company. "State of AI Trust in 2026: Shifting to the Agentic Era." McKinsey, 2026. mckinsey.com
  • Bellamkonda, Shashi. "The Company Storing Your Data Now Wants to Police Your AI." shashi.co, 27 May 2026. shashi.co
  • Bellamkonda, Shashi. "$7.88 Billion RPO: The Silent Signal That Snowflake's AI Strategy Is Already Locked In." shashi.co, Dec. 2025. shashi.co
Disclaimer: This blog reflects my personal views only. Content does not represent the views of my employer, Info-Tech Research Group. AI tools may have been used for brevity, structure, or research support. Please independently verify any information before relying on it.