COMMENTARY: Security leaders spent years building zero-trust architectures that verify every user, every device, every packet. Then they connected an AI agent to their systems via the Model Context Protocol and implicitly trusted everything the agent was told. That contradiction is now a production vulnerability.The Model Context Protocol, introduced by Anthropic in late 2024, became the connective tissue of the agentic AI movement at remarkable speed. Within months, Microsoft embedded it across Copilot Studio and Azure AI Foundry. Thousands of independent servers proliferated. By early 2026, security researchers had catalogued nearly 7,000 internet-exposed MCP servers, roughly half of all known deployments, many operating with no authorization controls whatsoever. The protocol's designers optimized for interoperability. Security was demonstrably an afterthought.
The attack surface nobody named
The cybersecurity community has a conceptual blind spot here, and it is costing organizations dearly. We understand network-layer attacks. We understand compromised credentials. We have not yet internalized what researchers now call the context-layer attack surface: the capacity for malicious or manipulated content flowing into an LLM agent's reasoning process to induce it to perform unauthorized operations without any underlying model compromise.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.Read more Perspectives here.]Consider the incidents that materialized in 2025. Invariant Labs demonstrated that a malicious MCP server could silently exfiltrate an entire user's WhatsApp history by poisoning a tool the agent legitimately trusted. A malicious public GitHub issue hijacked an AI assistant into leaking private repository contents, including salary data, into a public pull request. Supabase's Cursor agent, holding privileged database access, was manipulated through attacker-controlled support tickets into executing SQL exfiltration commands. JFrog disclosed CVE-2025-6514, a CVSS 9.6 OS command-injection flaw enabling full remote code execution when clients connected to untrusted MCP servers.None of these attacks required compromising the model. None required stealing credentials. They exploited something far more fundamental: the agent trusted its context.
Zero-trust stops at the agent's front door
Here is the uncomfortable reality for CISOs who have invested heavily in zero-trust programs: your architecture verifies the agent's identity but not what the agent is being told. Every tool description, every API response, every user prompt that enters the agent's context window is, in most current deployments, implicitly trusted once it passes perimeter controls. That is not zero-trust. That is a perimeter model with an AI-shaped hole in it.
The protocol itself offers no remediation. As one identity security expert summarized in SC Media's 2026 identity security analysis, MCP has no built-in identity, no least-privilege enforcement, no audit trail. Once an agent connects, it operates with the access of the user who configured it. At enterprise scale, that is a liability, not an architecture.
What organizations must do now
Closing this gap requires extending zero-trust principles explicitly to the context layer. Three immediate actions matter most.Sanitize everything that enters the agent's context. Tool descriptions, API responses, and user inputs must all be scanned for injected directives before reaching the model. Red Hat's MCP security analysis identifies unsanitized tool metadata as a critical and pervasive exposure. This is a solvable engineering problem that most organizations have simply not prioritized yet.Gate actions against context provenance. An agent should not be permitted to take a sensitive action, transmitting data, modifying records, invoking external services, based solely on context from an unverified source. Every proposed action needs a contextual authorization check: does the provenance of the context that drove this decision meet the trust threshold required for this action?Treat MCP connectivity as a privileged access pathway. Every MCP server connection should be inventoried, classified by the sensitivity of accessible data and actions, and governed with the same rigor as production API keys. This means lifecycle management, least-privilege scoping of OAuth tokens, and immutable action logging.The agentic AI transition is not reversible. Gartner projects agentic AI embedded in one-third of enterprise applications by 2028. What is still reversible is the security posture we build around it. The organizations that treat context trust as a first-class security domain today will be significantly better positioned when the first major MCP-mediated breach makes headlines. That breach, given the current state of deployments, is a question of timing, not probability.
Sunil Gentyala is a Security Consultant at HCLTech (HCL America). He holds IEEE Senior Member status, serves as HCLTech’s expert representative to the Cloud Security Alliance, and has published cybersecurity research across Dark Reading, Computerworld, CSO Online, CIO.com, and Cyber Defense Magazine, with a specialization in AI security and adversarial machine learning.
The National Testing Agency announced the restrictions on Tuesday, aiming to disrupt cheating networks that allegedly use Telegram to sell fake exam papers and spread misinformation before the NEET re-test scheduled for June 21.
