Nathan Bijnens’ Post

It's been extremely clear from the beginning that MCP is totally flawed from a basic security perspective. Well, it takes multiple massive breaches for an official organization to issue a warning. Enterprises Must not use MCP or any other agents if they don't want to expose their entire enterprise as an attack surface. Thanks Nathan Bijnens for this information.

The NSA just flagged 𝗠𝗼𝗱𝗲𝗹 𝗖𝗼𝗻𝘁𝗲𝘅𝘁 𝗣𝗿𝗼𝘁𝗼𝗰𝗼𝗹 (𝗠𝗖𝗣) security, and if you’re building agentic AI for enterprise, defense, or regulated sectors, you need to pay attention. 🚨 The core issue? MCP’s flexibility has completely outpaced its security model. Treating governance as an afterthought or a post-deployment "implementation detail" is a massive risk. The NSA highlighted three critical vulnerabilities that standard MCP setups ignore: 1️⃣ 𝗡𝗼 𝗡𝗮𝘁𝗶𝘃𝗲 𝗔𝗰𝗰𝗲𝘀𝘀 𝗖𝗼𝗻𝘁𝗿𝗼𝗹 – It lacks built-in RBAC or identity mapping, forcing teams to hack together custom, fragile OAuth layers. 2️⃣ 𝗦𝗶𝗹𝗲𝗻𝘁 𝗖𝗮𝗽𝗮𝗯𝗶𝗹𝗶𝘁𝘆 𝗗𝗿𝗶𝗳𝘁 – A trusted agent can easily chain tools to expand its capabilities or access sensitive data downstream without triggering a new approval flow. 3️⃣ 𝗪𝗲𝗮𝗸 𝗦𝗲𝘀𝘀𝗶𝗼𝗻 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 – Session hijacking risks are high, and multi-agent tracking leaves almost no useful audit trail for SIEM systems. 𝗧𝗵𝗶𝘀 𝗶𝘀 𝗲𝘅𝗮𝗰𝘁𝗹𝘆 𝘄𝗵𝘆 𝘄𝗲 𝗯𝘂𝗶𝗹𝘁 𝗦𝗰𝗿𝘆𝗱𝗼𝗻. 🛡️ We don't rely on fragile prompt guards or insecure wrappers. Instead, our platform natively addresses the NSA’s recommendations at the architectural level: 🔒 𝗗𝗲𝘁𝗲𝗿𝗺𝗶𝗻𝗶𝘀𝘁𝗶𝗰 𝗚𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲 – Every agentic workflow is explicitly defined within our Cognitive Enterprise ontology. Agents can only interact with tools and data hard-coded into their policy. No drift, no surprises. 🔑 𝗖𝗼𝗻𝘁𝗲𝘅𝘁-𝗦𝗰𝗼𝗽𝗲𝗱 𝗖𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀 – We use just-in-time credential brokering for exact task steps, eliminating long-lived bearer tokens. ✍️ 𝗜𝗺𝗺𝘂𝘁𝗮𝗯𝗹𝗲 𝗔𝘂𝗱𝗶𝘁𝗶𝗻𝗴 – Every single tool invocation and data access point is cryptographically bound to a verifiable identity and logged directly into the ontology. If you are deploying autonomous agents in high-stakes environments—whether in hyperscale cloud or 𝗳𝘂𝗹𝗹𝘆 𝗮𝗶𝗿-𝗴𝗮𝗽𝗽𝗲𝗱 𝗶𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲—you need security by design, not by patch. Let’s move past reactive fixes. Reach out if you want to see how we bridge the gap between AI autonomy and absolute data sovereignty. 👉 Learn more at https://scrydon.com #AgenticAI #Cybersecurity #DataSovereignty #EnterpriseAI #DefenseTech

The NSA has issued a stark warning: MCP — the protocol behind most enterprise agentic AI — is critically insecure. At Scrydon we built it differently. Our Cognitive Enterprise Platform defines every agentic workflow upfront and enforces identity, approvals, trust boundaries and just-in-time credentials by design — delivering deterministic, sovereign control with full immutable audit trails.

The G7 published its SBOM for AI guidance this morning. Seven national cybersecurity agencies — CISA, the UK's NCSC, Germany's BSI, France's ANSSI, and three others — finally agreed on a standard. SBOM stands for Software Bill of Materials — essentially an ingredient list for a software system. For AI, it means documenting exactly what models are being used, who trained them, where your data goes, what security controls are in place, and how components interact. The same concept that's been mandatory for traditional software in critical infrastructure — now being defined for AI. By this afternoon, Staffinity had it implemented. We published a machine-readable SBOM for AI in CycloneDX format — the standard enterprise security tools actually ingest — covering all 7 required clusters: model provenance, training data policies, infrastructure, security controls, data flow, and KPIs. Every component documented. Every gap disclosed honestly, including the ones the G7 guidance itself acknowledges aren't solvable for hosted API models. Most AI vendors can't tell you what models they're running, who trained them, or where your data goes. We can — and we'll hand you a file your security team can put directly into their GRC system. Full writeup and download at the link below. https://lnkd.in/ew4FNd8a #AIAgents #Cybersecurity #SBOM #SupplyChainSecurity #EnterpriseAI #Staffinity #CISA #G7

CISA, NSA, and Five Eyes Just Issued the First Joint Guide for Securing Agentic AI - The 5 Risk Categories Every Production Team Just Inherited Most teams are securing AI agents the same way they secure chatbots. CISA, NSA, and the rest of Five Eyes just said that playbook is not enough. On May 1, 2026, six national cybersecurity agencies published the first joint guidance on agentic AI: "Careful Adoption of Agentic AI Services." It is the document the next 12 months of agent rollouts will be audited against. The five risk categories every production team just inherited: 1. Privilege. Agents granted too much access turn a single compromise into a multi-system breach. The blast radius problem. 2. Design and Configuration. Poor setup creates security gaps before the agent goes live. The pre-deployment problem. 3. Behavioral. The agent pursues a goal in ways nobody designed for. The recursive tool-use, the scope creep, the goal misgeneralization. The runtime problem. 4. Structural. Interconnected agents trigger cascading failures across systems. The microservices-outage problem at agent speed. 5. Accountability. Decisions go through processes that are hard to inspect. Logs are hard to parse. The post-incident review takes 30 days instead of 30 minutes. The forensics problem. The reframe most coverage missed. The document does not recommend a new security discipline. It folds agentic AI into zero-trust, defense-in-depth, and least-privilege - the frameworks your security team already runs. The risk profile changed. The control plane did not. That reframing is the part that decides who in your org owns this. The answer is the security team you already have, applying principles they already know, to a new and noisier system. The production scale the guidance is responding to is the part you should be ready to discuss in the next leadership meeting. Google's Gemini Enterprise Agent Platform now ships with 200+ models, ADK v1.0 stable across four languages, and A2A protocol v1.0 already running in production at 150 organizations. Anthropic's run-rate revenue went from roughly $9 billion at the end of 2025 to about $30 billion now. Google committed up to $40 billion to Anthropic in April. Capability shipped. The control plane is being written in real time, and this document is the first chapter. The buyer-side question stops being "is the agent good." It becomes: which of the five risk categories is the rollout most exposed to today, and what does the audit plan look like for each one before the next change-advisory-board review. Follow for daily insights - where blockchain meets AI, one satisfying swipe at a time. #AIsecurity #AgenticAI #CISA

https://lnkd.in/diGNAV8Q Six cybersecurity agencies. Three countries. One joint document. This week, ASD (Australia), CISA and NSA (US), the Cyber Centre (Canada), NCSC-NZ, and NCSC-UK published joint guidance on the careful adoption of agentic AI services. The first time I can recall this level of cross-government convergence on AI governance. The substance is worth reading carefully. The agencies are not asking whether organizations should adopt agentic AI - they are asking how to govern it once adopted. The accountability section is the one that stuck with me: when ten autonomous agents collaborate on a decision and that decision turns out wrong, who answers for it? Today, most enterprises do not have a defensible answer. Three shifts I take from the document: 1. Agent governance is no longer a research conversation. It is now a procurement and audit conversation. 2. The accountability gap is the gap. Logging is not the same as proving. 3. Critical infrastructure operators will be expected to demonstrate agent behavior, not assert it. Companies like VeriPass (veripass.ai) are building toward exactly this - a certification layer for autonomous agent behavior, with cryptographically signed evidence of what an agent did and why. The category did not exist eighteen months ago. This week, six intelligence agencies described it. Worth your fifteen minutes if you operate, govern, or fund AI in production.

Last week the NSA dropped a security advisory on MCP and if you thinking of (or are) deploying AI agents in your environment, it is a good read. MCP is the protocol that most AI agent frameworks are now using under the hood to communicate, take action, and access resources across your systems. A lot of what your teams are building right now probably touches it. Here is the part that got my attention - The NSA found that authentication in a lot of MCP deployments is optional. Authorization is optional. Access control is left to whoever built the implementation. And a lot of them just skipped it entirely. Their words, not mine: many implementations omit authentication entirely. I keep thinking about how many times I have had a conversation about service accounts with a security team. Nobody knows how many they have. Nobody knows what they are doing. Nobody knows what would break if you touched them. They just accumulate over years, operating with elevated privileges, completely invisible to most tooling. AI agents deployed over MCP are that problem at a much larger scale and moving much faster. The NSA's bottom line is essentially this: treat every AI agent as a privileged identity. Know what it is allowed to do. Enforce that at runtime. Catch it the moment it steps outside that boundary. That sounds straightforward until you realize almost nobody has the visibility to do that today. Most organizations cannot tell you what their AI agents are authenticating to, from where, or whether any of it looks like what it is supposed to. If you are having conversations about AI deployment right now, this report gives the security discussion a concrete shape. The NSA is not raising theoretical risks here. They documented real exploits and real exfiltration. Real lateral movement through agent infrastructure that had no identity controls on it. Worth 20 minutes of your time. Link to report - https://lnkd.in/epHXQpXk

AI’s Blind Spot: How Whitethorn Shield Exposed Anthropic’s Own Infrastructure – And Why Your Attack Surface Tool Is Failing You + Video Introduction: Traditional vulnerability scanners and AI-driven security platforms excel at detecting known signatures and behavioral anomalies, but they consistently miss passive, browser-observable flaws in DNS, PKI, and third‑party trust chains. As demonstrated by Whitethorn Shield’s recent appraisal against Anthropic’s own infrastructure, even frontier AI companies lack internal tooling for external certificate validation and misconfiguration discovery. This article unpacks the technical gaps in mainstream attack surface monitoring (ASM) and provides hands‑on methods to replicate passive reconnaissance using open‑source utilities....

AI agents now authenticate, retrieve documents, call APIs, and trigger workflows inside your environment with real identities and real privileges. When something goes wrong, they can move faster than any human. That changes what insider risk looks like. It's not just about monitoring people anymore. It's about monitoring people and the agents acting alongside them, on the same systems, with the same access. Exabeam is extending behavioral analytics to cover exactly that. Read more: https://ow.ly/V1S330sVIw7 #AIAuthentication #InsiderRisk #BehavioralAnalytics #CyberSecurity #AIInSecurity #RiskManagement #DigitalIdentity #Exabeam #SecurityAutomation #APISecurity

Eight major AI security incidents in Q1 2026. Only one of them has a CVE. The OWASP GenAI Security Project Exploit Round-up Report Q1 2026 report covers January through early April and walks through cases that include the Mexican government breach where attackers used Claude to automate recon and exploit development across multiple agencies, the OpenClaw agent that ignored stop commands and started deleting a researcher's inbox, the Vertex AI Double Agent research from Unit 42 showing how default service-account permissions let a deployed agent pivot from a customer environment into restricted Google internal artifacts, and the Mercor breach that came in through compromised LiteLLM versions and forced Meta to pause a workstream with the data vendor. Of those eight, only Flowise (CVE-2025-59528, an RCE through unsafe CustomMCP configuration handling) fits the shape that traditional vulnerability management knows how to handle. The rest are architectural. They show up as overprivileged agents, excessive autonomy, trust boundaries that quietly assumed a human was in the loop, source maps shipped in production npm packages, and prompt injection through observability dashboards that turns into enterprise data exfiltration. None of those are things the CVE catalog has a clean way to track. If the next class of incidents shows up as design failures in agent identity, default cloud permission scoping, or which capabilities a managed service inherits by default, the question is not just what to patch but who in the organization is even responsible for noticing. Link: https://lnkd.in/ebpQQZ6B 121/365 #Cybersecurity #GenAI #AgenticAI #OWASP