Snowflake announced Thursday at the closing keynote of Snowflake Summit that Cortex Agents is now generally available. The product is a model-orchestration layer that runs against data already inside the customer’s Snowflake warehouse. The session API accepts Anthropic Claude Fable 5, Google Gemini 3 Pro, OpenAI GPT-5.5, and Snowflake’s in-house Arctic family as routable backends. The customer’s data does not leave the warehouse. Snowflake’s existing row-level security, dynamic data masking, and tag-based governance apply to every model call. Pricing is per-token markup on top of the underlying vendor rates, plus standard Snowflake compute for the orchestration runtime.
The competitive shape is sharper than the press release lets on. Databricks has spent the last year making AI/BI Genie the centerpiece of its enterprise pitch, with the same general idea (agents that talk to your data without you exporting it) but a stronger lean on Databricks-native models. Snowflake’s answer is to lean the other way. Cortex Agents reads as multi-vendor by default, with Arctic positioned as the cheap fallback rather than the assumed primary. The thesis being sold to the buyer: the model is a commodity, the data is the moat, and the warehouse vendor that lets you pick the model du jour without re-platforming wins the procurement cycle.
The interesting question for the second half of the year is whether the actual data-governance story holds up under a real production agentic workload. The reason enterprise legal teams have been slow-walking model-routing platforms is that the moment an agent starts joining tables and shipping context windows full of customer PII to four different inference providers, the compliance surface area explodes. Snowflake’s pitch is that every call inherits the warehouse’s existing access controls automatically, which means a healthcare customer running HIPAA-governed data does not have to re-implement controls per vendor. If that holds, Snowflake just turned its decade of governance plumbing into a moat against the entire “BYO model” category. If it does not hold, every enterprise CISO is going to have a very long Friday afternoon meeting later this year. Both are still on the table.