Your Most Dangerous User Is No Longer Human

Gourav Nagar

Gourav Nagar

7 min read
Your Most Dangerous User Is No Longer Human
Photo by Steve Johnson / Unsplash

"The WAF your team relies on was built for a world where only humans knock on the front door. In 2026, the most dangerous traffic is already inside, wearing a badge your stack trusts."

Something shifted this week, and I don't think the industry has fully caught up to it yet. Three things happened inside 72 hours: a supply chain attack quietly hijacked an AI coding tool sitting on developers' machines, Microsoft quietly confirmed that nearly a third of employees are running AI agents their security teams have no visibility into, and Cisco dropped a report naming the Model Context Protocol as a primary and expanding attack surface for 2026. Each story on its own would be worth paying attention to. Together, they're describing the same thing.

The agentic AI perimeter is here. Most of us aren't ready for it.

I've been researching MCP vulnerabilities and building out our security posture for the past several months. What keeps standing out to me is how much this resembles 2015, when cloud-native was taking off and security teams were trying to apply datacenter thinking to a fundamentally different architecture. We bolted security on after the fact. We discovered the attack surface the hard way. I'd rather not do that again.

This is for security leaders who want to understand what actually happened this week, why it matters beyond the headlines, and where to start.

1. What Happened This Week

The Cline Attack: The Dev Tool Was the Weapon

On February 17th, someone compromised the npm publisher account for Cline, a widely used open-source AI coding assistant, and pushed a malicious update. That update silently installed OpenClaw, a self-hosted autonomous AI agent, on every developer machine that pulled the update. Not a phishing email. Not a misconfigured S3 bucket. A trusted, developer-sanctioned tool that was already inside the perimeter, already authenticated to local file systems, already connected to git repos and cloud credentials.

The attacker didn't need to defeat your EDR or SIEM. They needed one compromised npm account, and then they had persistent, authenticated access to every dev environment that updated. That's the supply chain attack of 2026. Not hitting a build server like SolarWinds. Hijacking the AI agent framework sitting in every engineer's IDE.

Microsoft's Numbers: Shadow Agents Are Already in Your Org

Microsoft's Cyber Pulse AI Security Report, out this month, found that 29% of employees are using unsanctioned AI agents at work. Only 47% of organizations have applied any security controls to their GenAI platforms. That second number is the one worth sitting with. More than half the organizations actively deploying generative AI have applied zero runtime security controls.

Shadow IT was already a headache. A rogue SaaS app can exfiltrate data. A shadow AI agent with MCP integrations can exfiltrate data, execute code on internal systems, pivot laterally, and impersonate users, all autonomously, at machine speed, generating none of the alerts your tools were tuned to catch.

Cisco's State of AI Security 2026: The Protocol Is the Surface

Cisco's flagship AI security report this week identified MCP as a growing, primary attack surface and flagged something worth quoting directly: adversaries are already exploring how to use agents to execute campaigns with "tireless efficiency." The research covers real jailbreaks of open-weight models, supply chain vulnerabilities across AI tooling, and the rapid weaponization of agentic capabilities. Cisco also shipped open-source scanners for MCP and agentic skill files. Security tooling is beginning to catch up. But only beginning.

2. Why Your Security Stack Probably Can't See This

MCP, for those still getting up to speed, is the Model Context Protocol that Anthropic introduced in late 2024. It's become the default integration layer for AI agents: the standard way an LLM connects to your files, your databases, your internal APIs, your third-party services. Think USB-C for AI. Any agent using MCP can, by design, establish a direct authenticated connection to systems deep inside your network.

Here's the architectural problem. Your WAF and API gateway were built for North-South traffic: requests coming in from outside the perimeter. They're genuinely good at catching known attack signatures at the front door. But when a developer spins up an MCP server to let an agent query a customer database, that agent now has a direct, authenticated line to sensitive data that doesn't traverse your API gateway, doesn't pass through your WAF, and generates no record your security stack ever sees.

Salt Security wrote a piece this week framing it well: the Microsoft Copilot vulnerability disclosed last month wasn't a malicious payload coming in from outside. It was a context validation failure happening entirely inside the network, in what they called "the hallways" rather than the front door. East-West traffic. Lateral movement between microservices, AI agents, and data stores. Traditional perimeter tools have no visibility into it.

Five MCP Attack Vectors Worth Understanding Now

  • Tool Poisoning: Malicious changes to MCP tool metadata push agents toward compromised tools, which can result in data exfiltration or full system compromise.

  • Prompt Injection via Resource Content: Hidden instructions embedded in documents, web pages, or database records get executed as commands when the LLM processes them.

  • The Confused Deputy: An over-permissioned MCP server acts as a proxy for the attacker. Low-privilege user triggers high-privilege action through the agent, and nobody sees it happening.

  • Identity Spoofing: Weak or misconfigured authentication lets attackers impersonate legitimate clients, corrupting audit trails along the way.

  • Supply Chain Compromise: Malicious MCP servers distributed through package registries get pulled into production environments with no security review, as Cline demonstrated this week.

There's a deeper problem underneath all of this. In traditional IT, component A calls component B based on deterministic logic. In MCP architectures, the LLM is the router. An LLM is probabilistic. It can be deceived. It hallucinates in ways that affect tool invocation. You're not just dealing with a new protocol; you're dealing with a decision-making entity that can be manipulated in ways your existing controls were never built to handle.

3. The Audit Logging Problem Nobody's Talking About

Beyond the attack surface, there's a governance issue that should be uncomfortable for any CISO whose organization is actively deploying AI agents: MCP doesn't have standardized audit logging. There's no consistent way to capture the full chain of events, the initial query, the agent's decision to call a tool, what that tool returned, and what action the agent took as a result. Without that, forensic investigation of an AI-related incident is essentially guesswork.

Think through a concrete scenario. An AI agent with MCP access to your CRM and code repository takes an unauthorized action, whether through prompt injection, a compromised MCP server, or a permissions misconfiguration. Can you answer: what query triggered it? Which tools did it call? What data did it touch? What did it write or transmit? If you can't answer those questions today, that's a material gap, and your next SOC 2 or ISO 27001 audit cycle is going to surface it for you if an attacker doesn't first.

4. Where to Start

Telling security teams to slow down AI adoption isn't realistic advice. The competitive pressure is real, and organizations that hit the brakes will find themselves at a disadvantage that's just as tangible as any breach. The useful question is: what can you do right now that will matter?

Start with your inventory.

You can't secure what you don't know exists. Run a discovery sweep across developer workstations and servers to find active MCP servers: what tools they expose, what authentication they use (and whether they use any), and what data sources they connect to. The Cline attack is not going to be the last supply chain attack targeting this vector. Cisco shipped an open-source MCP scanner this week. Use it.

Treat agent context windows like untrusted input.

Every piece of data an AI agent retrieves, a web page, a document, a database record, an email, is a potential prompt injection vector. A malicious instruction embedded in a Word doc your agent is asked to summarize can redirect it to exfiltrate your calendar, your Slack messages, and your code repos before it surfaces any response. The mental model here is the same one developers use for SQL injection: treat the context window as untrusted user input. Validate it, sanitize it, sandbox it. Any MCP server with write permissions to local system tools should be getting the same access controls you'd put on a privileged access workstation.

Get runtime visibility before the incident, not after.

Static controls, IAM policies, network segmentation, API whitelists, are necessary but they're not enough for agentic AI. You need to know what agents are actually doing at runtime: which tools they're calling, what data they're accessing, whether their behavior is drifting from any established baseline. This is exactly the same shift that drove the move from signature-based EDR to behavioral detection. That transition needs to happen for AI agents too. Start logging all MCP interactions now, even if you don't have an analysis framework built yet. You cannot investigate what you didn't capture.

5. The Bigger Picture

It took a decade to internalize that you can't secure cloud-native infrastructure by defending the perimeter. Agentic AI is going to require the same shift in thinking, and we have less runway to figure it out. WEF's Global Cybersecurity Outlook 2026 found that 87% of security leaders see AI-related vulnerabilities as the fastest-growing cyber risk. Dark Reading's reader poll found that 48% of security professionals expect agentic AI to be the top attack vector by year end.

What makes this genuinely different from previous attack surface expansions is the autonomy piece. A human attacker who compromises an account moves at human speed. An attacker who compromises an AI agent, or weaponizes one through prompt injection, operates at machine speed across every system that agent has access to, continuously, without fatigue. The 2026 campaigns built around this won't look like anything we've dealt with before.

The organizations that come through this period well will be the ones that treat AI agents as a new class of privileged identity: not software to deploy and monitor later, but an entity that needs its own defined permission scope, behavior baseline, and runtime controls from the first day it touches production data. The principle of least privilege needs to extend to MCP server tokens. Zero trust needs to apply to non-human identities too.

What I'm Watching Over the Next 60 Days

The CoSAI MCP Security White Paper, published this month, maps 12 threat categories and lays out concrete controls: strong identity chains, zero-trust for AI agents, sandboxing frameworks. If you haven't read it, put it on the list for this weekend.

Three things I'm tracking: whether we see the first publicly confirmed enterprise breach attributed to MCP exploitation; whether a major cloud provider ships native MCP traffic inspection; and whether CISA issues formal AI agent security guidance given the budget constraints they're currently operating under.

The window to get ahead of this is narrowing. The organizations treating agentic AI security as a 2027 problem are writing the case studies the rest of us will present at RSA 2028.

Read more