
MAESTRO, Defense-in-Depth, and Why SQL Server Is Now a Security Boundary for AI

Agentic AI introduces threats traditional STRIDE models weren't designed for. Here's how Microsoft SQL maps to the MAESTRO framework to provide a governed execution boundary.


Traditional threat modeling frameworks like STRIDE were built around predictable applications with fixed execution paths and relatively static trust boundaries. AI agents operate in a fundamentally different way: they combine user input, retrieved data, tools, and external system interactions to make decisions dynamically at runtime.

The attack surface isn’t just different — it’s significantly more dynamic and less deterministic. STRIDE wasn’t designed for this.

Enter MAESTRO

The MAESTRO framework (from the Cloud Security Alliance) provides layered threat modeling designed specifically for AI and agentic systems. It breaks architecture into seven operational layers:

  • Foundation Models
  • Data Operations
  • Agent Frameworks
  • Deployment & Infrastructure
  • Evaluation & Observability
  • Security & Compliance
  • Agent Ecosystem

Each layer has its own attack surface. An attacker can operate at any of them simultaneously — manipulate prompts, poison retrieval data, abuse delegated agent permissions, exploit infrastructure misconfigurations. Defense in depth means applying controls across all these layers, not just one.

Microsoft SQL as a Governed Execution Boundary

This is the interesting architectural claim the article makes: Microsoft SQL is no longer just a database. In an agentic architecture, it becomes a governed execution boundary — the layer where agent actions touch real enterprise data, and where you have the best opportunity to enforce controls.

Here’s how SQL Server 2025’s capabilities map to MAESTRO:

Data Operations layer:

  • Row-level security and column-level permissions — agents can only see what they’re authorized to see
  • Dynamic data masking — sensitive columns are masked by default, unmasked only for privileged roles
  • AI_GENERATE_EMBEDDINGS — embeddings are generated inside the database boundary, so raw rows do not have to leave the database just to reach an external embedding service

Agent Framework layer:

  • Stored procedures as tool boundaries — agents call named procedures, not arbitrary SQL, limiting the blast radius
  • Parameterized queries prevent injection — the model can’t construct arbitrary SQL when it only has access to procedure interfaces

Evaluation & Observability layer:

  • Audit logging at the T-SQL level — every data access is logged, not just application-layer calls
  • Query Store — tracks and analyzes query patterns, can surface anomalous agent behavior
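The Data Operations and Agent Framework controls above, wired together in one T-SQL script. This is an added illustration, not code from the original post or from Microsoft; the schema, the AgentSvc user, the AgentTools role and the usp_LookupCustomer procedure are constructed for the demo, and the tenant id is assumed to be pinned in session context by the application before the agent's tool call.

```sql
-- Constructed demo: a tenant-scoped table that an AI agent is allowed to query.
CREATE SCHEMA Security;
GO
CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY PRIMARY KEY,
    TenantId    INT NOT NULL,
    FullName    NVARCHAR(100) NOT NULL,
    Email       NVARCHAR(256) MASKED WITH (FUNCTION = 'email()') NOT NULL,   -- dynamic data masking
    CreditLimit DECIMAL(12,2) MASKED WITH (FUNCTION = 'default()') NOT NULL  -- shows 0 without UNMASK
);
GO
-- The agent runs as a low-privilege user (hypothetical name) that holds no direct table rights.
CREATE USER AgentSvc WITHOUT LOGIN;
CREATE ROLE AgentTools;
ALTER ROLE AgentTools ADD MEMBER AgentSvc;
GO
-- Row-level security: rows are visible only for the tenant the application pins in session context.
CREATE FUNCTION Security.fn_TenantPredicate(@TenantId INT)
    RETURNS TABLE WITH SCHEMABINDING
AS RETURN
    SELECT 1 AS ok WHERE @TenantId = CAST(SESSION_CONTEXT(N'TenantId') AS INT);
GO
CREATE SECURITY POLICY Security.TenantFilter
    ADD FILTER PREDICATE Security.fn_TenantPredicate(TenantId) ON dbo.Customers,
    ADD BLOCK PREDICATE  Security.fn_TenantPredicate(TenantId) ON dbo.Customers AFTER INSERT
    WITH (STATE = ON);
GO
-- Tool boundary: the only object the agent may execute. The SQL text is fixed; the model supplies
-- a typed parameter, so nothing it emits is ever concatenated into a statement.
CREATE PROCEDURE dbo.usp_LookupCustomer @NamePrefix NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, FullName, Email, CreditLimit
    FROM dbo.Customers
    WHERE FullName LIKE @NamePrefix + N'%';
END;
GO
-- Least privilege: EXECUTE on the procedure only. Ownership chaining (both objects owned by dbo) lets
-- the procedure read the table; the DENY is not evaluated inside that chain but blocks direct queries.
GRANT EXECUTE ON dbo.usp_LookupCustomer TO AgentTools;
DENY SELECT ON dbo.Customers TO AgentTools;
GO
-- Per-request binding done by the application before the agent's tool call; @read_only = 1 means
-- nothing the agent executes afterwards can re-point the tenant.
EXECUTE AS USER = 'AgentSvc';
EXEC sys.sp_set_session_context @key = N'TenantId', @value = 42, @read_only = 1;
EXEC dbo.usp_LookupCustomer @NamePrefix = N'Ali';   -- tenant 42 rows only; Email shows as aXXX@XXXX.com
REVERT;
```

Audit logging and Query Store sit on top of this unchanged: because every agent read goes through usp_LookupCustomer, the audited T-SQL and the Query Store plan history describe one narrow, reviewable interface rather than arbitrary statements.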

The Defense-in-Depth Principle for AI

The article makes an important point worth repeating: there is no single security control that “solves” AI risk. AI systems require:

  • reducing blast radius (least privilege, fine-grained permissions)
  • maintaining observability (you can’t govern what you can’t see)
  • constraining execution pathways (tools over arbitrary queries)
  • preserving accountability (audit logs that cover every layer)

Prompt injection, data poisoning, and over-privileged agents are real. They become manageable when each layer has independent controls, so a failure in one layer doesn’t compromise the entire system.

Wrapping Up

If you’re building agentic AI systems that touch SQL Server data, MAESTRO is a useful mental model for identifying where your gaps are. Microsoft SQL’s 2025 capabilities map well to the framework — the combination gives you a way to reason about and govern agent actions at the data layer.

Original post: Microsoft SQL Security Across the MAESTRO Stack: Building Secure Agentic AI with Defense-in-Depth
