Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The first wave of AI security looked a lot like a WAF for LLMs: inspect the prompt, filter the output, block the obvious bad patterns. That was useful. It still is. But it was built for systems that mostly talked. Agents are different. They use tools, call APIs, access data, and change things. The confusion I keep seeing is simple: many teams think securing the model means securing the agent. It does not.

Every company has a version of the same thing. Sometimes it’s a security wiki. Sometimes it’s a Confluence page. Sometimes it’s a PDF nobody wants to update.

This week, Connie Loizos, editor in chief of TechCrunch, sat down backstage with Francis de Souza, COO of Google Cloud, for a piece on the state of enterprise AI security. The interview is worth reading in full. Three points in it should reshape how every CISO is thinking about the next twelve months.

In conversations with CISOs about their agentic environments, the question I ask first is not whether they have agents deployed. Most do. It is not whether those agents are creating value. Most are. The question I ask is whether they have mapped their Agentic Security Graph. Almost none of them have. And that gap, between the agentic infrastructure that exists inside their organizations and the visibility they have into it, is where the most serious AI security risk in the enterprise lives right now.

Last week, researchers at OX Security published findings that should stop every security leader in their tracks. They discovered a critical vulnerability baked directly into Anthropic's Model Context Protocol SDK, affecting every supported language: Python, TypeScript, Java, and Rust. The result: remote code execution on any system running a vulnerable MCP implementation, with direct access to sensitive user data, internal databases, API keys, and chat histories. Over 7,000 publicly accessible servers.

Anthropic just released Claude Mythos Preview. They did not make it publicly available. That decision alone should tell you everything you need to know about what this model can do. During internal testing, Mythos autonomously discovered and exploited zero-day vulnerabilities across every major operating system and web browser. It found a 27-year-old bug in OpenBSD. A 16-year-old vulnerability in a widely used media codec.

The AI security market is crowded. Vendors are racing to protect prompts, harden models, detect jailbreaks, and scan for data leakage at the LLM layer. The investment is real. The intent is good. And most of it is missing the point. Here is the problem: agents do not just think. They act. They call APIs. They trigger workflows. They write to databases, send emails, move money, and modify production systems.

The recent supply chain attack involving Mercor and the LiteLLM vulnerability serves as a massive wake-up call for enterprise security teams. While the security industry has spent the last year fixating on prompt injections and model jailbreaks, this breach highlights a far more systemic vulnerability. The weakest link in enterprise AI is not necessarily the model itself. It is the middleware connecting the models to your data.

The era of human-centric API consumption is officially ending. Over the past year, enterprises have rapidly transitioned from simply experimenting with Generative AI to deploying autonomous AI agents that drive core business operations. These agents act as digital employees. They utilize Large Language Models (LLMs) for reasoning, Model Context Protocol (MCP) servers for connectivity, and internal APIs for execution. This evolution has fundamentally altered the enterprise attack surface.

The term AI agent is dominant in current cybersecurity discourse. Vendors, analysts, and CISOs all use the label, yet technical confusion remains regarding how agents actually operate and where the security risks reside. Beneath the surface-level familiarity, there is often significant confusion about what an AI agent actually is, how it operates technically, and most importantly for security teams, where the risk actually lives.