What happened in data and AI?
If February was about AI growing up, March is about AI actually doing things.
Actually running pipelines, detecting threats, writing and executing code, holding a real-time conversation in over 200 countries simultaneously. The stuff that came out this month are on the theme of autonomy. And the question of how much of that autonomy you hand over, and under what conditions, that’s becoming a lot harder to avoid.
Here’s what stood out.
Gemini 3.1 Flash Live
Google dropped 3.1 Flash Live this month, and it’s their most capable audio model yet.
And here’s the thing: most voice AI is trained on clean, structured dialogue. Someone asks a question, and the model answers. But that’s not how real conversations work, right? People interrupt themselves. They trail off. They include a “um, actually, wait, no…” and then completely change direction.
That’s exactly what 3.1 Flash Live is designed to handle. It picks up on acoustic cues and adjusts. In practice, if a customer sounds frustrated, it notices and responds differently than it would to someone who’s perfectly calm.
It’s available now through the Gemini Live API, Gemini Enterprise, and for regular users via Search Live and Gemini Live. Note that all audio output is watermarked with SynthID, Google’s imperceptible AI-content marker.
Claude Code: Auto Mode
Anthropic introduced auto mode for Claude Code this month, currently in research preview for Team plan users, with Enterprise and API access rolling out shortly.
It works with both Claude Sonnet 4.6 and Opus 4.6. The default behaviour in Claude Code has always been cautious: every file write and bash command triggers an approval prompt.
That’s safe, but it means you can’t hand off a substantial task and come back to finished work. The alternative, skipping permissions entirely with a flag called –dangerously-skip-permissions, does what it says on the tin and carries real risk.
Auto mode sits between those two options. Before each action runs, a classifier reviews it for potentially destructive behaviour: mass file deletion, sensitive data exfiltration, and malicious code execution. Safe actions proceed automatically. Risky ones are blocked, and Claude is redirected to find another approach. If it keeps hitting blocks, it eventually surfaces a prompt to the user.
Worth noting: Anthropic is transparent that this doesn’t eliminate risk. The classifier can misjudge in either direction, occasionally allowing something it shouldn’t, occasionally blocking something benign.
Databricks: Lakewatch
Attackers can now deploy AI agents that scan systems, probe vulnerabilities, and coordinate attacks continuously, at machine speed. And the tools defenders have been using weren’t designed for that world. Traditional SIEM platforms ( Security Information and Event Management tools), the things companies use to monitor and respond to threats, were built around human-speed workflows.
Manual triage, siloed data, and, according to Databricks, security teams currently have to throw away up to 75% of their data because the cost of storing and processing all of it is too high.
Lakewatch is their answer to that. It’s an open, agentic SIEM that pulls security, IT, and business data into one place, including multi-modal stuff like video and audio, for detecting things like social engineering or insider threats. Then it deploys AI agents to automate detection, triage, and threat hunting. The idea is to meet machine-speed attacks with machine-speed defence.
Claude models are powering the reasoning layer inside Lakewatch, correlating signals across data sources to surface threats faster. And Anthropic itself uses Databricks’ security lakehouse internally. It’s one of the more genuinely integrated partnerships we’ve seen recently, rather than just a co-marketing exercise.
Lakewatch is in private preview right now, with Adobe and Dropbox among the first customers.
Databricks: DASF Agentic AI Extension
Alongside Lakewatch, Databricks also published a significant update to their AI Security Framework.
Most AI security thinking has focused on what happens when a model gives a bad answer. But that’s kind of an old problem now. The new problem is what happens when the AI is acting. Querying databases, calling APIs, executing code, sending emails, and modifying records. And then deciding what to do next based on what it gets back. Each one of those steps is a potential vulnerability, and the existing security frameworks weren’t really built with that in mind.
Therefore, Databricks added 35 new risks and 6 new controls, organised around three areas. First, the agent’s reasoning loop itself. Second, the tool interface. And third, the connection layer.
The concept that really stood out is what they’re calling the “Lethal Trifecta.” The risk spikes when three things are true at once: the agent has access to sensitive data, it’s processing inputs from outside a trusted boundary, and it can take external actions. When all three are in play, a well-placed prompt injection can hijack the whole thing.
The fix? Scope the permissions down, add a human checkpoint, and validate intent before any tool gets called. The full framework now covers 97 risks and 73 controls.
Databricks: Genie Code
And then there’s Genie Code, which is probably the update with the biggest day-to-day implications for data teams, so let’s spend a bit of time on it.
Coding agents are good at code. But for data work, code is just the vehicle. The context lives in lineage, usage patterns, business semantics, and governance policies. And that’s why general coding agents tend to struggle when you point them at a data problem. They don’t know what the data means, who’s allowed to touch it, or what “correct” looks like in your specific environment.
Genie Code is built directly on top of Unity Catalog, which gives it access to all of that natively. It monitors Lakeflow pipelines and AI models in the background proactively. So if a pipeline breaks because a column type changed from integer to string, it spots it, figures out the cause, validates a fix in a sandbox, and applies it before anyone on the team has even noticed something’s wrong. It also connects to external tools like Jira, GitHub, and Confluence via MCP, so it can pick up a ticket, do the work, and update the ticket when it’s done. And through persistent memory, it learns your team’s preferences over time.
On the governance side, It only surfaces data the user is authorised to see, tracks every edit through Databricks’ versioning system, and asks for confirmation before touching underlying tables.
Snowflake: Data Governance Skills for Cortex Code
If you’ve ever sat in a room where someone says “governance is critical” and then also “governance is a bottleneck”, Snowflake heard you. And this month they’re trying to fix both problems at once.
What Snowflake launched is Data Governance Skills for Cortex Code, basically a set of AI capabilities built directly into the platform that let you govern your data through natural language. No SQL required. You describe what you need, and Cortex Code figures out the right query, runs it, and takes the action. Things like “where is the sensitive data in warehouse X?”, “what downstream objects will break if I change this table?”, or “set up an alert if data quality drops below 90%.”
Governance in Snowflake lives in the same platform as the data itself, so when you classify a column, that classification immediately shows up in lineage. When a quality metric fails, you can trace it upstream through the same graph. And the Skills themselves are built on over 100 verified query patterns purpose-built for Snowflake’s governance views.
Power BI
The big one is Translytical task flows hitting general availability. Up until now, reports were read-only; you looked at the data, you made a decision, and then you went somewhere else to act on it. Translytical task flows change that. Users can now update records, add data, and trigger workflows in external systems, all without leaving the report. So instead of “here’s what the data says, now go open a different tool”, it’s just “here’s what the data says, fix it.” Common use cases include editing records in place, adding annotations, and calling external APIs. It supports Fabric SQL databases, warehouses, and lakehouses. If your team has been stitching together reports and separate data entry workflows, this is worth a proper look.
Second thing worth flagging is Direct Lake in OneLake, also now generally available. Your semantic models can query directly against OneLake without you having to manage data refreshes. It works from Power BI Desktop, plays nicely with OneLake security, and gives you faster query performance without the usual refresh overhead.
On the cosmetic side, modern visual defaults are now in preview. Reports get a Fluent 2 design refresh out of the box. Cleaner lines, better padding, and dropdown slicers by default. Nothing groundbreaking, but it means new reports look good without anyone having to manually format everything from scratch.
And one smaller one that’ll make a lot of analysts quietly happy: custom totals. You can now control what the total row actually shows in a table or matrix: sum, min, max, count , instead of just getting whatever the measure evaluates to across the full filter context.
Looker
Looker had a pretty packed month, a lot of things moving from preview to generally available, plus some genuinely useful AI additions. Let’s run through.
First up, Conversational Analytics got two new modes. Fast mode with quicker answers for straightforward questions. Thinking mode is for the more complex stuff, where you want the agent to actually reason through the problem before responding. And on top of that, it’ll now ask you clarifying questions when your original query is ambiguous.
The Visualization Assistant is now generally available. This one lets you customise chart formatting using natural language through Gemini, you just describe what you want. Small change, but the kind of thing that saves a surprising amount of time across a week.
Self-Service Explores also hit GA this month, including support for uploading data directly from Google Sheets. If you’ve got non-technical teammates who’ve been waiting on analysts to pull data for them, this is the update that starts to close that gap.
Content Certification has been expanded and is now generally available too. It now covers LookML Explores alongside dashboards, admins can auto-certify content, and when Enhanced Search is enabled, you can filter search results by certification status.
Tabbed dashboards are now GA as well. You can organise dashboard content across multiple tabs within a single dashboard, and only the active tab loads at any given time, which means better performance and less clutter.
And finally, Enhanced Search is now in preview. It uses Gemini to move beyond keyword matching, so instead of needing to remember the exact name of a dashboard or dataset, you can search using business terms or analytical questions. “Total customer acquisition cost” finds the right thing, even if nobody named it that. Worth enabling and testing if your instance has a lot of content to navigate.
A question for you
Every tool we covered is moving faster, acting more autonomously, and requiring less human input to get things done. But all of that autonomy is only as good as the foundations underneath it. The data quality. The access controls. The classification policies. The ownership.
If those are solid, agentic AI is a multiplier. If they’re not and honestly, for most companies they’re not fully there yet, then handing more autonomy to the tools just means moving faster in the wrong direction.
So grab your rubber duck and have that conversation. Or take a colleague for a coffee and talk it through:
Before you give the tools more autonomy, are your governance foundations actually ready for what that means?
