The FAIR Institute’s AI Workgroup recently hosted an interactive open forum diving deep into two of the fastest-moving frontiers in cybersecurity: Third-Party AI and Agentic AI risk.
We were thrilled to host an incredible panel of experts who are actively building the frameworks to manage these emerging threats:
When Arun and Jackie founded the AI Workgroup a few years ago, the mission was simple: make AI risk understandable. Today, that mission has evolved. We are focused on helping cybersecurity practitioners move at the speed of business by translating highly unpredictable, predictive AI systems into defensible, quantified risk metrics.
If you couldn't make the live session, here is a breakdown of the core strategies, architectural frameworks, and real-world takeaways discussed.
Dan Holland kicked off the conversation by pulling back the curtain on how a major healthcare system like Tampa General safely steers heavy corporate investments in AI.
Dan dropped a truth bomb that every security leader needs to hear: the era of the static, 200-question vendor questionnaire is dead. It burns out analysts, frustrates vendors, and creates massive internal bottlenecks. Even worse, asking questions you don’t actually need data on introduces severe legal liability; if a vendor discloses a risk condition in a spreadsheet that your team never thoroughly reviews or acts upon, you lose plausible deniability.
Instead, Tampa General shifted to an evidence-based architecture review—demanding data flow diagrams, network architecture charts, model cards, and AI Software Bills of Materials (AI SBOMs) to see precisely how data transits a system.
To streamline governance, Dan’s team breaks incoming AI systems into four distinct classes:
By classifying systems up front, they route workflows through a tiered governance funnel—ranging from Exempt (trusted vendors with no clinical impact or patient data), to Expedited Review (moderate risk voted on via consent agendas), to a Full Monthly Cross-Functional Review looking at utility, ethics, compliance, patient safety, and educational impact.
As the conversation shifted toward the technical controls necessary to secure these classes, Arun Pamulapati introduced the freshly released Databricks AI Security Framework (DAS) 3.0.
While traditional AI models function primarily as predictive or retrieval mechanisms where a human explicitly handles the data input, Agentic AI represents a paradigm shift. Agents are inherently autonomous; they evaluate a goal, decompose it into micro-tasks, and independently fetch the data or call the APIs necessary to complete the job.
To threat-model an agent effectively, Arun noted that you have to look past the core model and analyze its entire anatomy:
When you threat-model those structural components, the interaction of simple risks can quickly aggregate into an enterprise nightmare. Arun and Abhi highlighted what they call the Lethal Trifecta.
An architectural design flaw occurs when a single AI agent is simultaneously granted access to three specific conditions:
The Lethal Trifecta Rule: If an agent possesses all three of these capabilities at once, you are entirely leaving enterprise security to chance.
Abhi shared a classic example of this design-failure pattern in the wild: Meta’s recent support bot vulnerability, where attackers took over roughly 20,000 Instagram accounts. The bot took untrusted inputs (hackers claiming account ownership), had access to private data (user profiles), and had the ability to change state (rewriting the associated profile email address without human verification).
To mitigate this, organizations must enforce a strict Rule of Two—never allow an agent to possess more than two components of the trifecta simultaneously.
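As an added illustration (not code from the panel, the FAIR Institute, or Databricks), here is a Python check that applies the Rule of Two to an agent's tool manifest: capabilities are aggregated across every tool the agent can call, and a state-changing tool placed behind a deterministic human-approval gate no longer counts toward the trifecta. The tool names and capability tags are constructed assumptions modelled on the support-bot pattern above.

```python
from dataclasses import dataclass

UNTRUSTED_INPUT = "untrusted_input"  # reads content an outsider can author
PRIVATE_DATA = "private_data"        # reads sensitive internal or user data
CHANGE_STATE = "change_state"        # writes, sends, or alters records
TRIFECTA = frozenset({UNTRUSTED_INPUT, PRIVATE_DATA, CHANGE_STATE})

@dataclass(frozen=True)
class Tool:
    name: str
    capabilities: frozenset
    human_approval: bool = False  # deterministic human gate on this tool

def effective_capabilities(tool):
    """Drop CHANGE_STATE when a human must approve every invocation:
    the agent can still propose a change, but no longer makes it alone."""
    caps = set(tool.capabilities)
    if tool.human_approval:
        caps.discard(CHANGE_STATE)
    return caps

def check_rule_of_two(tools):
    """Aggregate capabilities across all tools the agent can call and report
    which tools grant each one; a violation is all three present at once."""
    granted = {cap: [] for cap in TRIFECTA}
    for tool in tools:
        for cap in effective_capabilities(tool):
            granted[cap].append(tool.name)
    granted = {cap: names for cap, names in granted.items() if names}
    return {"violates": set(granted) == TRIFECTA, "granted_by": granted}

# Constructed manifest (hypothetical tool names) modelled on the support-bot
# pattern: untrusted claim + profile read + unreviewed email rewrite.
SUPPORT_BOT = [
    Tool("read_support_request", frozenset({UNTRUSTED_INPUT})),
    Tool("lookup_profile", frozenset({PRIVATE_DATA})),
    Tool("update_contact_email", frozenset({CHANGE_STATE})),
]
# Same agent with the write path gated by a human reviewer.
SUPPORT_BOT_GATED = SUPPORT_BOT[:2] + [
    Tool("update_contact_email", frozenset({CHANGE_STATE}), human_approval=True)]

if __name__ == "__main__":
    for label, tools in (("ungated", SUPPORT_BOT), ("gated", SUPPORT_BOT_GATED)):
        result = check_rule_of_two(tools)
        print(label, "VIOLATES Rule of Two" if result["violates"] else "ok",
              sorted(result["granted_by"]))
```

The same check can be run against any manifest where one tool carries several tags (a web tool that both reads untrusted pages and sends data), since the verdict is computed on the union, not per tool.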
The consensus among our panelists was clear: you cannot secure a highly fluid, predictive system by using other predictive boundaries alone. You must encircle them with rigid, deterministic security controls.
We barely scratched the surface during this forum, running right up against the clock before we could dive into the shifting global regulatory landscape, including the friction points between NIS2, DORA, and the latest high-risk classifications of the EU AI Act.
Because this landscape is shifting beneath our feet daily, the FAIR Institute AI Workgroup will be hosting a follow-up session completely dedicated to AI compliance, cross-border vendor requirements, and regulatory strategy. Stay tuned for details!
In the meantime, we highly recommend downloading the Databricks AI Security Framework 3.0 to review the 35 newly identified technical risks and bidirectional control mappings for your own program. We also recommend reviewing our AI Third-Party whitepaper and the AI Workgroup's recent post on Agentic AI Risk.
Let's continue building security natively into our cultures, enabling our businesses to innovate safely at scale.
Have thoughts on the Rule of Two or how your team tiers AI vendors? Reach out to Dan Holland, Arun Pamulapati, Abhi Arikapudi, or Jaqueline Lebo directly on LinkedIn!