RSAC 2026: Why Model Context Protocol Is Becoming AI’s Riskiest Execution Layer
Key Points
- Security leaders at RSAC 2026 warned that Model Context Protocol (MCP) is emerging as a hidden execution layer that enables AI agents to act autonomously, reintroducing familiar vulnerabilities like SSRF and privilege escalation at agent speed.
- Research presented at the conference showed that a small change to a single tool-call input can turn routine automation into silent data exposure, and that, of more than 10,000 MCP servers analyzed, roughly 36% showed a serious exposure.
- IANS Faculty advise securing MCP at the execution layer by enforcing strong identity controls, limiting sprawl, hardening data paths, and adding deep monitoring to detect abuse early.
Speaking at RSAC 2026, industry leaders warned that one of the most immediate AI risks is the early, but accelerating, adoption of Model Context Protocol, which is often deployed without the same monitoring and guardrails applied to traditional execution layers.
MCP servers control how AI agents interact with enterprise tools and data, effectively turning AI systems into autonomous operators in production environments. In doing so, they reintroduce familiar vulnerabilities such as Server‑Side Request Forgery and privilege escalation, but at the speed and scale of an agent, and with an agent's unpredictability.
An unbounded tool call, combined with an LLM’s discretion over when and how to invoke it, has emerged as a new and largely ungoverned attack surface.
Research presented by Blue Rock Chief Product Officer Harold Byun and IANS Faculty George Gerchow showed that, under normal operation, MCP servers allow AI agents to select tools, pass parameters like file paths, and return structured outputs. But altering a single input, such as a file’s URI, can fundamentally change that behavior, enabling access to sensitive data the agent was never intended or authorized to retrieve.
In this model, routine automation can quietly cross into unauthorized access without any malicious code. The findings highlight growing pressure on security teams as agentic AI becomes more deeply embedded in enterprise workflows.
“We ran an analysis on over 10,000 MCP servers at this point, and roughly 36% [showed what we consider a serious exposure]," said Blue Rock Chief Product Officer Harold Byun.
The research underscores that MCP‑related exposure is a systemic risk tied to the operation of AI at scale.
Big Picture
The rapid adoption of agentic AI is colliding with security models that were never designed for non‑deterministic execution.
Traditional controls assume predictable behavior, clear intent, and well‑defined execution paths. MCP‑based systems, however, can behave legitimately while still producing dangerous outcomes, making it difficult for defenders to distinguish normal automation from abuse until sensitive data is already exposed.
“Identity can only be pushed so far. We have to start getting better at defense-in-depth and looking at these from the point of view of data entitlements, enrichment [and AI],” said George Gerchow, IANS Faculty.
That shift has practical implications for security teams. MCP servers are becoming core infrastructure that mediates interactions between AI agents, enterprise tools and sensitive data. Without proper visibility and governance, they introduce material risk to critical systems and information.
IANS Faculty Recommendations
- Put an API gateway in front of MCP servers and treat MCP as an API surface: Enforce stronger authentication and authorization, and gain better logging and monitoring than native MCP controls alone provide.
- Enforce end‑to‑end identity with OAuth‑constrained delegation: Require traceable user and system identities on every MCP interaction, using short‑lived, tightly scoped tokens and avoiding token exposure in configurations.
- Harden data‑path connections with mutual authentication: Use workload identities and short‑lived certificates (e.g., SPIFFE/SPIRE) for MCP‑to‑data source connections to reduce unauthorized back‑end access.
- Prevent MCP sprawl through execution controls and allowlisting: Restrict where MCP code can run, block unauthorized local or community servers, and maintain a vetted internal registry of approved servers and tools.
- Instrument for detection and response: Implement immutable audit logging and runtime monitoring, stream MCP telemetry into SIEM/SOAR platforms, and enable alerting to support forensics and explainability.
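The following is an added example, not code from the RSAC presentation, from Blue Rock, or from IANS. It shows what the gateway-side checks in the recommendations above look like when applied to the single-input problem described in the research: a tool-call policy that confines a `read_file` path argument to an allowed root after canonicalisation (so `..` segments and `file://` wrapping of `/etc/passwd` are caught on the path that would actually be opened), restricts a `fetch_url` argument to https on an allowlisted host and refuses private or link-local targets such as cloud metadata endpoints, requires the delegated token to carry the scope the tool needs, rejects any tool outside a vetted registry, and emits one JSON audit line per decision for the SIEM. The tool names, scopes, the `/srv/agent-data` root, the `api.example.internal` host, the principal and the sample calls are all hypothetical.

```python
"""Gateway-side policy for MCP tool calls (added example; names are hypothetical)."""
import ipaddress
import json
from dataclasses import dataclass
from pathlib import Path
from urllib.parse import urlparse


class PolicyViolation(Exception):
    """Raised when a tool call fails the gateway policy."""


@dataclass(frozen=True)
class Principal:
    user: str          # end user the agent acts for (subject of the delegated token)
    agent: str         # workload identity of the calling agent
    scopes: frozenset  # scopes carried by the short-lived, delegated token


# Vetted internal registry: only these tools exist as far as the gateway is
# concerned, and each one names the scope the delegated token must carry.
TOOL_REGISTRY = {"read_file": "files:read", "fetch_url": "web:fetch"}

# Hypothetical data root an agent may read from, and host it may fetch from.
ALLOWED_FILE_ROOTS = (Path("/srv/agent-data"),)
ALLOWED_HOSTS = frozenset({"api.example.internal"})


def check_path(raw: str, roots=ALLOWED_FILE_ROOTS) -> Path:
    """Canonicalise a path argument and confine it to an allowed root.

    A file:// URI is unwrapped; any other scheme is refused. resolve() collapses
    '..' and follows symlinks, so containment is judged on the path that would
    actually be opened, not on the string the model produced.
    """
    parsed = urlparse(raw)
    if parsed.scheme and parsed.scheme != "file":
        raise PolicyViolation(f"unsupported scheme {parsed.scheme!r}")
    text = parsed.path if parsed.scheme == "file" else raw
    if not text:
        raise PolicyViolation("empty path")
    candidate = Path(text)
    if not candidate.is_absolute():
        candidate = roots[0] / candidate  # relative paths are rooted, never cwd-relative
    candidate = candidate.resolve()
    for root in roots:
        try:
            candidate.relative_to(root.resolve())
            return candidate
        except ValueError:
            continue
    raise PolicyViolation(f"{candidate} is outside the allowed roots")


def check_url(raw: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Permit only https to an allowlisted host; refuse SSRF-style targets.

    hostname is taken after any userinfo, so 'https://api.example.internal@
    169.254.169.254/' is judged by its real host. IP literals that are not
    globally routable (loopback, RFC 1918, link-local metadata endpoints) are
    refused even if someone allowlists them by mistake.
    """
    parsed = urlparse(raw)
    host = parsed.hostname
    if parsed.scheme != "https" or not host:
        raise PolicyViolation(f"refusing {raw!r}: https to a named host only")
    try:
        if not ipaddress.ip_address(host).is_global:
            raise PolicyViolation(f"{host} is not a routable public address")
    except ValueError:
        pass  # not an IP literal: fall through to the host allowlist
    if host not in allowed_hosts:
        raise PolicyViolation(f"{host} is not an allowlisted host")
    return raw


def authorize(principal: Principal, call: dict) -> dict:
    """Return the call with validated arguments, or raise PolicyViolation."""
    tool = call.get("tool")
    if tool not in TOOL_REGISTRY:
        raise PolicyViolation(f"tool {tool!r} is not in the vetted registry")
    if TOOL_REGISTRY[tool] not in principal.scopes:
        raise PolicyViolation(f"token lacks scope {TOOL_REGISTRY[tool]!r}")
    args = dict(call.get("arguments", {}))
    if tool == "read_file":
        args["path"] = str(check_path(str(args.get("path", ""))))
    elif tool == "fetch_url":
        args["url"] = check_url(str(args.get("url", "")))
    return {"tool": tool, "arguments": args}


def evaluate(principal: Principal, call: dict) -> tuple:
    """Decide one call and produce an append-only JSON audit line for the SIEM."""
    try:
        decision, reason, validated = "allow", "", authorize(principal, call)
    except PolicyViolation as exc:
        decision, reason, validated = "deny", str(exc), None
    record = json.dumps({"user": principal.user, "agent": principal.agent,
                         "tool": call.get("tool"), "arguments": call.get("arguments", {}),
                         "decision": decision, "reason": reason}, sort_keys=True)
    return decision, validated, record


# Constructed sample: one agent acting for one user with a read/fetch token.
ANALYST = Principal("alice@example.com", "spiffe://example.internal/agent/reporter",
                    frozenset({"files:read", "web:fetch"}))
SAMPLE_CALLS = [
    {"tool": "read_file", "arguments": {"path": "reports/q1.csv"}},
    {"tool": "read_file", "arguments": {"path": "/srv/agent-data/../../etc/passwd"}},
    {"tool": "read_file", "arguments": {"path": "file:///etc/passwd"}},
    {"tool": "fetch_url", "arguments": {"url": "https://api.example.internal/v1/report"}},
    {"tool": "fetch_url", "arguments": {"url": "https://api.example.internal@169.254.169.254/latest/meta-data/"}},
    {"tool": "shell_exec", "arguments": {"cmd": "id"}},
]


def run_samples(principal=ANALYST, calls=SAMPLE_CALLS) -> list:
    """Evaluate each sample call and return the list of decisions."""
    return [evaluate(principal, c)[0] for c in calls]


if __name__ == "__main__":
    for sample in SAMPLE_CALLS:
        print(evaluate(ANALYST, sample)[2])
```

Run directly, the script prints one audit line per sample call; the first and fourth calls are allowed and the rest denied, with the reason recorded. Two caveats a practitioner would add: the policy lives in the gateway, so it holds regardless of what the individual MCP server does with the argument; and the URL check above validates the literal host only, so a production gateway must also resolve the name and pin the outbound connection to the resolved address to defeat DNS rebinding.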
Authors & Contributors
Nuria Diaz Munoz - Author
George Gerchow, IANS Faculty
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.