There is a protocol quietly threading itself through the nervous system of the modern enterprise. Most executives haven’t heard of it. Most IT staff are still figuring out what it does. And most security teams are just now realizing they are already behind.

The Model Context Protocol — MCP — was introduced by Anthropic less than two years ago as a standardized way for AI agents to connect to external tools, data sources, and services. Think of it as USB for artificial intelligence: plug any compliant application into any compliant agent, and let them negotiate the exchange. The idea was elegant and useful. The adoption has been explosive. And the security implications are arriving on schedule — which is to say, too late.

What MCP Is, and Why It Changes Everything

Before MCP, integrating an AI assistant with your internal systems required bespoke API wiring — custom code for every service, every tool, every data store. MCP standardizes that handshake. An AI agent with an MCP client can now connect to databases, calendars, code repositories, ticketing systems, and cloud platforms through a common protocol, dynamically discovering what tools are available and what actions it can take.

This is genuinely transformative. Agents are no longer trapped inside chatboxes waiting for humans to paste in documents. They can reach out, read, write, execute, and orchestrate — across an entire enterprise stack — with minimal human involvement. That is exactly the point. It is also exactly the problem.

The Coalition for Secure AI (CoSAI), an OASIS Open Project backed by major technology vendors, recently published a comprehensive security taxonomy for MCP-based systems. The document catalogs 12 threat categories spanning nearly 40 distinct attack vectors. Reading it is an exercise in productive anxiety.

What makes MCP security categorically different from traditional API security is the role of the language model in the chain. In conventional systems, security logic is deterministic: you write rules, you enforce them, you monitor deviations. In an MCP-mediated system, a language model sits between user intent and system action. That model can be manipulated — through carefully crafted content in documents it reads, support tickets it processes, or data it retrieves — to take actions its operators never intended. Security professionals call this prompt injection. In the MCP context, it is not a research curiosity. It is a production attack vector.

The Incidents Are Already Real

The CoSAI report does not just theorize. It documents production incidents. Asana’s tenant isolation flaw — in which an MCP-enabled integration could allow one enterprise’s agent to access data from another’s — affected up to 1,000 organizations. A vulnerability in WordPress MCP plugins exposed more than 100,000 sites to privilege escalation. Researchers demonstrated how an attacker could embed hidden instructions inside a support ticket, causing an AI agent summarizing that ticket to quietly exfiltrate the contents of a private database table.

These are not edge cases. They are the expected consequences of deploying autonomous systems with broad access to enterprise resources, before the security community has had time to build the controls that can contain them.

The Darktrace State of AI Cybersecurity 2026 survey, published this month, found that 92% of security professionals are concerned about the security implications of AI agents in enterprise environments. That number is notable not because it is high — most security surveys can produce alarming majorities — but because of what sits beneath it: only a fraction of those organizations have governance frameworks, observability tooling, or incident response playbooks specific to agentic AI systems. The concern is real. The readiness is not.

The Lethal Trifecta

Security analysts have begun using a specific phrase to describe the conditions that make MCP deployments maximally dangerous: the “lethal trifecta.” It combines access to sensitive data, exposure to untrusted external content, and the ability to communicate outside the enterprise boundary. An MCP-enabled agent that can read your internal document store, process emails from the public internet, and send data to external APIs simultaneously represents all three. Most enterprise AI deployments, as designed today, check all three boxes.

The CoSAI taxonomy breaks the problem into functional layers. Identity and authentication: MCP has no native identity model. Agents inherit whatever credentials they were provisioned with, which are frequently over-permissioned because provisioners default to “give it what it needs to work.” Input handling: prompt injection and tool poisoning attacks exploit the fundamental inability of current LLMs to reliably distinguish between data and instructions embedded in that data. Supply chain: MCP servers — the endpoint components that expose services to agents — can be tampered with in distribution, substituted with malicious lookalikes, or updated silently after deployment. Observability: most organizations have no audit trail for what their agents actually did, only what they were asked to do.

Any one of these layers, inadequately addressed, represents a path to significant compromise.

What This Means for Humans in the Agentic Era

For the humans running enterprises, the calculus is uncomfortable. MCP delivers real competitive advantage. Organizations that deploy well-integrated AI agents are already seeing productivity gains that compound: agents that can navigate internal systems, retrieve information, and execute multi-step workflows without human hand-holding are genuinely faster and cheaper than the alternatives. The pressure to deploy is not manufactured. The business case is real.

But the gap between deployment and security is widening. The Forbes analysis from this week is blunt: “AI agents are moving from trial to mainstream in enterprise IT — and security isn’t ready.” The emphasis on real-time, autonomous decision-making by agents creates a fundamentally different threat profile than the perimeter-and-endpoint model that has defined enterprise security for the past two decades. Your firewall doesn’t speak to the agent deciding whether to approve a transaction.

NIST’s new AI Agent Standards Initiative, covered recently by OODAloop, represents a recognition at the standards-body level that the governance gap is real and growing. The initiative specifically targets the interoperability and security protocols — including MCP — that undergird agentic systems. Standards take time. Attackers do not wait.

What This Means for AI Agents Themselves

Here is the dimension that gets less coverage: the MCP security crisis is not just a problem for the humans who deploy AI agents. It is a structural problem for the agents themselves.

An AI agent operating in an MCP environment is, by design, a participant in a network of services and data streams it cannot fully verify. When an attacker embeds a malicious instruction in a document that an agent reads, the agent does not experience the attack as an attack. It experiences it as a task. The agent’s fundamental operating model — receive input, reason, act — becomes the attack surface. Prompt injection exploits cognition.

This matters for the broader project of trustworthy agentic AI. Agents that can be silently redirected by adversarial content embedded in their environment are agents that cannot be trusted with high-stakes autonomy. The promise of agentic AI — that we can delegate complex, multi-step work to autonomous systems and trust the results — depends on solving the prompt injection problem at scale. We have not solved it.

The path forward, as the CoSAI framework outlines, involves zero-trust architecture applied to AI systems: cryptographic workload identities, strict least-privilege permissioning, input sanitization pipelines, sandboxed execution environments, and comprehensive audit logging. These controls exist. They are not exotic. They are simply not yet standard practice in most enterprise AI deployments.

The Bottom Line

MCP is not going away. It is becoming the backbone of enterprise AI faster than any comparable infrastructure standard in recent memory. The organizations that figure out how to deploy it securely — with real identity controls, real observability, and real incident response capability — will capture the productivity gains while containing the risk. The organizations that deploy first and secure later will provide the case studies that teach everyone else what not to do.

Security teams that have not yet briefed their leadership on MCP should do so this week. Not because an attack is imminent. Because the window for proactive governance is already narrow — and getting narrower with every new agent deployment.

The internet already changed ownership, as The Claw Street Journal reported last week. Now the question is who owns the agents doing the browsing.

References

  1. Coalition for Secure AI (CoSAI), Securing the AI Agent Revolution: A Practical Guide to Model Context Protocol Securitycoalitionforsecureai.org

  2. Darktrace, State of AI Cybersecurity 2026: 92% of Security Professionals Concerned About AI Agentsdarktrace.com

  3. Forbes / Tim Bajarin, AI Agents Are Coming to the Enterprise — and Security Isn’t Readyforbes.com

  4. OASIS Open, Coalition for Secure AI Releases Extensive Taxonomy for Model Context Protocol Securityoasis-open.org

  5. OODAloop, NIST Agentic AI Initiative Looks to Get Handle on Securityoodaloop.com