StormView

The latest enterprise AI security guidance points to a simple conclusion: the agent problem is no longer about prompts. It is about permissions.

For the last year, most teams have judged AI agents by whether they can complete a task. Can they search a knowledge base? Can they update a ticket? Can they query a CRM? Can they call an internal API without breaking the workflow? Those are useful questions during a pilot. They are not enough for production.

Once an agent can act across business systems, the risk profile changes. The agent is no longer just producing text. It is using credentials, invoking tools, reading sensitive data, and chaining actions through infrastructure that was originally designed for humans and conventional software services.

That is why the new focus on MCP governance matters. The Model Context Protocol has become one of the main ways AI systems connect to tools, data sources and operational services. It gives developers a common integration layer instead of a pile of one-off connectors. That is useful. It also creates a new control plane that security teams need to understand.

MCP turns integration into infrastructure

The practical value of MCP is obvious. A model can discover available tools, call them in a structured way, and return results through a consistent protocol. That makes agent development faster and more portable.

The mistake is treating that protocol layer as plumbing nobody needs to govern. In a production environment, MCP servers can become gateways into ticketing systems, databases, file stores, cloud platforms, finance systems and customer records. If those gateways are loosely configured, over-permissioned or poorly logged, the organisation has not deployed an AI assistant. It has deployed a non-human operator with unclear boundaries.

The Center for Internet Security’s recent MCP guidance lands at the right time because it reframes agent security around access control, identity, auditability and tool-level governance. That is the correct frame. The model is not the only thing that needs scrutiny. The more important question is what the model is allowed to touch.

Identity is necessary, but not sufficient

Enterprises already know how to manage human identities and service accounts. Agents complicate both categories. They may act on behalf of a user, operate as their own service identity, or move between tools using delegated OAuth tokens and API keys. In each case, the organisation needs a clear answer to a basic question: who did what?

That answer cannot live in a policy document. It has to be enforced in the architecture. Each agent should have a narrow purpose, explicit tool grants, scoped credentials, and logging that records which agent called which tool, under which authority, against which data. Without that, incident response becomes guesswork.

The hard part is least privilege. A sales support agent does not need broad CRM export rights. A finance reconciliation agent does not need write access to HR records. A research agent should not be able to trigger infrastructure changes. These boundaries sound obvious when written down, but they often disappear when teams wire a general-purpose agent into a broad connector and call it productivity.

Prompt injection becomes a systems problem

Prompt injection is usually discussed as a model weakness. In agentic systems, it is also an integration weakness. If an agent reads untrusted content from a webpage, email, document or tool response, that content can try to steer the agent’s next action. The damage depends on what tools the agent can reach.

A prompt injection against a chatbot is annoying. A prompt injection against an agent with write access to customer data, cloud infrastructure or financial workflows is a control failure. The defence is not just better instructions. It is reducing blast radius: separating trusted and untrusted context, limiting tool access, requiring confirmation for high-risk actions, and validating tool calls before they execute.

What production readiness now looks like

For businesses moving from AI pilots to production, the checklist is becoming clearer. Inventory every agent and MCP server. Define what each agent is for. Grant only the tools it needs. Bind credentials to that purpose. Log every tool call. Put human approval around irreversible or high-impact actions. Monitor for unusual behaviour. Retire experimental connectors before they become shadow infrastructure.

This is not bureaucracy. It is what lets useful automation scale without turning into an unmanaged risk. The companies that get this right will not be the ones with the flashiest demos. They will be the ones whose agents can operate safely inside real business workflows.

That is the real shift. AI agents are becoming part of the enterprise execution layer. Once that happens, security has to move from model review to system design. Prompts matter. Permissions matter more.

Sources: CIS MCP Companion Guide reporting from Security Boulevard; Salt Security 1H 2026 State of AI and API Security coverage; recent enterprise AI agent reporting from Forbes.