1.2 Why Choose Oracle Deep Data Security

Oracle Deep Data Security (Deep Sec), integrated with Oracle AI Database, provides a database-native, declarative access control framework. By securing data at its source, it helps you adopt AI while prioritizing data security, privacy, and compliance.

Most high-value enterprise data resides within the database. As organizations integrate agentic AI (autonomous systems that observe environments, reason through complex problems, and execute actions) to interact directly with this private and regulated data, they face a new set of privacy risks. While these agents boost productivity and decision-making, their autonomy introduces vulnerabilities that traditional security models cannot address. Historically, organizations have enforced complex privacy rules within application code. However, this approach is no longer sufficient; AI-generated applications can inadvertently omit or misapply these rules, and autonomous agents can bypass them entirely through direct SQL access.

Deep Sec addresses these vulnerabilities by enforcing privacy rules and access controls directly at the database layer, rather than relying on application code, prompts, or other fragile guardrails. By applying fine-grained, least-privilege policies, Deep Sec restricts users and AI agents to only the data they are explicitly authorized to access. This helps you adopt agentic AI, analytics, and enterprise applications with confidence, making it easier to address regulatory compliance and data privacy without constraining innovation.

Topics:

• The Security Challenge in Agentic AI

• Limitations of Existing Access Control Methods

• The Deep Data Security Solution

1.2.1 The Security Challenge in Agentic AI

Agentic AI systems frequently use protocols such as the Model Context Protocol (MCP) to inspect database structures, identify relevant data, construct queries, and execute database operations autonomously.

This dynamic access to the database introduces a new class of threats:

• Prompt injection: Malicious inputs that manipulate an AI agent into performing unintended actions, such as bypassing system instructions or retrieving unauthorized data.
• Excessive agency: Shared, highly privileged database connections that grant AI agents broad access, enabling them to disclose sensitive information or execute unapproved transactions. In this scenario, an AI agent can generate and execute arbitrary SQL using the application's inherited privileges.
• Unintended disclosure: Accidental or malicious disclosure of confidential data, including business, health, or personal information.

Traditional security controls, designed for conventional applications with predictable patterns, often fail to handle the dynamic and autonomous nature of agentic AI. Deep Sec addresses this gap by enforcing access control directly at the data source, rather than relying on application code, prompts, or other potentially vulnerable AI guardrails—allowing you to harness agentic AI capabilities without compromising oversight.

1.2.2 Limitations of Existing Access Control Methods

Existing access control techniques work well for predefined reporting and transactional workflows, but they are often inadequate for the dynamic SQL patterns that agentic AI introduces. Common approaches include traditional database security, application-level controls, and external authorization systems. Each carries limitations that can weaken privacy enforcement, increase bypass risk, or impede innovation.

Traditional database security

Standard database controls, such as row-level security and column-level security, lack the necessary precision and efficiency required for dynamic AI workflows.

• Performance overhead and obscurity: Traditional row-level security often relies on policies implemented through conditional logic in stored procedures. This code-based approach can impose performance costs and bury security rules within scripts, which can hinder oversight and complicate governance.
• Coarse granularity: ANSI SQL column security operates on an all-or-nothing basis; users either have full access to a column’s values or no access at all. This lacks the precision needed for granular, cell-level access control, such as allowing a manager to update a team member's job title (write access) while having read-only access to their own job title. Furthermore, queries that succeed for authorized users can trigger SQL errors for those lacking column-level access, causing application instability.
• Masking limitations: Data masking solutions are often limited to basic rules or suffer performance degradation with complex logic. They also remain susceptible to inference attacks, where users manipulate query filters to deduce masked values.
• Administrative strain: Mirroring external identities (such as those in Microsoft Entra ID) in the database creates significant provisioning burdens and synchronization challenges. Despite using external OAuth 2.0 authentication, databases typically require local user accounts and fail to propagate key IAM attributes, such as organization or location, required for real-time access decisions.

Application-level controls

Developers often embed hard-coded logic within applications to restrict data access and user actions. This approach creates liabilities that are amplified by modern AI workflows and by application security variability.

• Static rules and maintenance burden: Fixed rules are difficult to update, and adapting to new requirements demands code changes and deployment cycles that often delay critical security updates.
• Role explosion: Advanced applications implementing role-based access control (RBAC) often require thousands of roles. This complexity overwhelms administrators and increases the risk of policy misconfiguration.
• Bypass risk: In organizations with numerous applications and analytics tools, fragmented application policies are easily circumvented when data is accessed through alternative paths. Additionally, applications and analytics tools frequently use shared database user accounts with unrestricted database access, which can be exploited through SQL injection.
• Agentic evasion: Agents using the Model Context Protocol (MCP) can inspect schemas and execute SQL directly, bypassing application protections entirely. Workarounds to prevent this are impractical; embedding SQL parsers is prohibitively complex, while exposing REST APIs as MCP tools, with access rules enforced in the API logic, leads to a proliferation of interfaces and degraded performance compared to direct SQL execution.
• RAG vulnerabilities: Retrieval-Augmented Generation (RAG) application workflows chunk documents into vector embeddings for semantic search, creating unique security challenges. To authorize prompts for these searches, application code often relies on a secondary language model to validate and categorize prompts, then determines access based on the results. However, using another language model for authorization checks is prone to tampering and errors, while the alternative approach of post-processing search results to filter unauthorized content severely degrades performance.

External authorization systems

External authorization systems centralize policy management and often support attribute-based access control (ABAC). While they offer stronger governance than hard-coded rules by evaluating user, environment, and resource attributes, they face significant limitations in database environments.

• Lack of database context: As general-purpose systems, they are not optimized for database-specific constructs, such as schemas, table relationships, and SQL semantics. This can lead to policies with limited depth and precision.
• Integration overhead: Each database operation and privilege check requires custom integration, increasing development and maintenance costs. Authorization decisions must ultimately be enforced by application logic at runtime to adjust queries, perpetuating the reliance on custom code.
• Persistent vulnerabilities: Despite centralized management, many challenges associated with application-level controls remain. AI-generated SQL is difficult to secure, alternative access paths can still bypass controls, and continued reliance on privileged database connections elevates the risk of data breaches.
• Latency and scaling challenges: Runtime queries to external authorization services introduce latency, particularly when per-row or per-cell privilege checks are required to enforce access. SQL-intercepting proxies add comparable overhead and typically depend on nonstandard client drivers that either lag certification for new database releases or introduce risks not present in standard drivers.

1.2.3 The Deep Data Security Solution

Oracle Deep Data Security (Deep Sec) overcomes the limitations of traditional strategies by embedding a declarative access control framework directly into Oracle AI Database.

By enforcing policies at the database layer for every query, whether from an application, an analytics tool, or an AI agent, it reduces bypass risks. It helps align access with organizational security, privacy, and compliance requirements while improving operational efficiency.

Architected for AI with cell-level precision

Deep Sec enforces cell-level access control, enabling policies that target specific intersections of rows and columns. AI agents access only the exact data points they need, overcoming the limitations of broad row or column security. This minimizes the risks of data inference and excessive privilege, and enforces policy-compliant access to sensitive data.

Transparent governance through declarative SQL

Deep Sec replaces complex procedural logic (such as PL/SQL) and API-driven approaches with clear, human-readable declarative SQL for defining access rules.

This design provides the following benefits:

• Clear and auditable controls: Policies are decoupled from application logic, providing transparent, easy-to-audit access rules.
• Rapid adaptation: Centralized policy management integrates with the full continuous integration/continuous deployment (CI/CD) cycle, allowing you to adjust policies quickly in response to evolving security or regulatory requirements.
• Low learning curve: Standard SQL policy definitions make Deep Sec easy to adopt and administer.

Zero trust through native IAM integration

Deep Sec enforces zero trust security by seamlessly integrating with external identity and access management (IAM) systems, and applying identity-aware, context-driven controls at the row, column, and cell levels. Zero trust is a security approach that assumes no implicit trust for any user or application; instead, access is determined dynamically based on verified identity and policy at the time of each request.

This design provides the following key security capabilities:

• Secure identity propagation: Deep Sec supports native identity and context propagation, ensuring that end-user identities flow from the IAM system directly to the database without requiring a separate database user for every individual. The propagation mechanism uses standard OAuth 2.0 tokens to carry end-user and application identities from IAM to the database. Tokens travel with each SQL request through Oracle client drivers, and the database validates these tokens to establish the security context, differentiating between the end user's identity (for policy enforcement) and the application's authorization (for database access). See End-User Security Context.
• Least-privilege enforcement: Deep Sec eliminates the need for highly privileged, shared database connections. At runtime, only the specific privileges associated with the end user and application identity are applied, ensuring least-privilege access. For AI workloads, this mitigates excessive-agency risk by authorizing AI-generated SQL based on the end user who initiated the task, not a broadly privileged shared account.
• Application isolation through protection domains: Deep Sec uses the IAM-issued credentials to identify each application or AI agent and maps it to a database identity that acts as a protection domain—a boundary that defines which data roles the application can use. For each SQL execution, the database creates a lightweight sandbox scoped to those roles. This restricts the application to only the data its roles permit, even if the end user who initiated the task has broader access.

Unified, enterprise-ready security

Deep Sec provides a unified, standards-based security model that applies consistently across agentic AI, analytics, and traditional applications. It also offers the following distinct advantages for enterprises:

• Optimized performance: Unlike external authorization services that introduce latency, Deep Sec's database-native enforcement reduces external network round-trips to evaluate security policies. By filtering data at the source, Deep Sec can reduce database I/O operations and improve query performance.
• Scalability: Designed for deployments of any size or complexity, Deep Sec streamlines development and administration while ensuring consistent, auditable governance.
• Support for modern data types: Deep Sec handles diverse data formats within the Oracle AI Database, including relational data, JSON through Duality Views, and vector embeddings for RAG workflows that ground AI responses in enterprise knowledge.