Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Cybersecurity has a strange problem. Everyone says they want to reduce risk. But too often, the way we evaluate products rewards something narrower: how quickly a vendor can show value in a POV. Can it deploy fast? Can it work agentless? Can it produce a clean report? Can it map to OWASP, NIST, the EU AI Act, or the latest framework? Can it check enough boxes in the RFP?

AI agents do not create risk only when they hallucinate or produce an inaccurate answer. They create risk when they take the wrong action. A single user prompt can move through an application, reach an agent runtime, call a tool, trigger an MCP server, and touch a downstream API. By the time the action happens, the original request may be several layers away from the system that actually changes data, sends information, or executes a workflow. That is the problem security teams now face.

The first wave of AI security looked a lot like a WAF for LLMs: inspect the prompt, filter the output, block the obvious bad patterns. That was useful. It still is. But it was built for systems that mostly talked. Agents are different. They use tools, call APIs, access data, and change things. The confusion I keep seeing is simple: many teams think securing the model means securing the agent. It does not.

Every company has a version of the same thing. Sometimes it’s a security wiki. Sometimes it’s a Confluence page. Sometimes it’s a PDF nobody wants to update.

This week, Connie Loizos, editor in chief of TechCrunch, sat down backstage with Francis de Souza, COO of Google Cloud, for a piece on the state of enterprise AI security. The interview is worth reading in full. Three points in it should reshape how every CISO is thinking about the next twelve months.

In conversations with CISOs about their agentic environments, the question I ask first is not whether they have agents deployed. Most do. It is not whether those agents are creating value. Most are. The question I ask is whether they have mapped their Agentic Security Graph. Almost none of them have. And that gap, between the agentic infrastructure that exists inside their organizations and the visibility they have into it, is where the most serious AI security risk in the enterprise lives right now.

Last week, researchers at OX Security published findings that should stop every security leader in their tracks. They discovered a critical vulnerability baked directly into Anthropic's Model Context Protocol SDK, affecting every supported language: Python, TypeScript, Java, and Rust. The result: remote code execution on any system running a vulnerable MCP implementation, with direct access to sensitive user data, internal databases, API keys, and chat histories. Over 7,000 publicly accessible servers.

Anthropic just released Claude Mythos Preview. They did not make it publicly available. That decision alone should tell you everything you need to know about what this model can do. During internal testing, Mythos autonomously discovered and exploited zero-day vulnerabilities across every major operating system and web browser. It found a 27-year-old bug in OpenBSD. A 16-year-old vulnerability in a widely used media codec.

The AI security market is crowded. Vendors are racing to protect prompts, harden models, detect jailbreaks, and scan for data leakage at the LLM layer. The investment is real. The intent is good. And most of it is missing the point. Here is the problem: agents do not just think. They act. They call APIs. They trigger workflows. They write to databases, send emails, move money, and modify production systems.

The recent supply chain attack involving Mercor and the LiteLLM vulnerability serves as a massive wake-up call for enterprise security teams. While the security industry has spent the last year fixating on prompt injections and model jailbreaks, this breach highlights a far more systemic vulnerability. The weakest link in enterprise AI is not necessarily the model itself. It is the middleware connecting the models to your data.