I’ve been watching AI agent technology move from developer toy to corporate backbone over the past 18 months, and the security conversation has been almost entirely missing. This week, the NSA made that conversation unavoidable.
On May 22, the US National Security Agency published its first formal cybersecurity guidance specifically targeting Model Context Protocol (MCP), the underlying technology that lets AI assistants like Copilot, Claude, and ChatGPT connect to your files, calendars, databases, and business systems. The NSA’s conclusion is blunt: organisations are deploying this technology faster than they understand what they’re handing it access to.
What MCP Actually Is
Most people using AI tools at work have no idea MCP exists. It’s the plumbing. When your AI assistant books a meeting, reads a contract, queries your CRM, or writes code that runs against a live database, MCP is what connects the AI model to those systems. Anthropic created it, and it’s now embedded in production workflows at financial institutions, law firms, and software companies globally.
The NSA describes MCP as “the de facto standard” for AI-driven services. That’s actually the problem. A protocol that connects AI models to everything has become standard before anyone built a security model for it.
What the NSA Found
The advisory lists six categories of risk, and none of them are theoretical: weak or missing authentication, poor approval workflows, insecure data handling, missing audit logs, session hijacking vulnerabilities, and prompt injection attacks that let malicious content hijack what the AI does on your behalf.
The NSA notes that real-world exploits have already been documented: “poorly secured MCP tools used to access private information or run harmful commands.” This is not a warning about what might happen. It’s a warning about what is already happening.
Research published by Noma Security earlier this month found that one in four MCP servers exposes AI agents to arbitrary code execution risk. A typical enterprise now runs over 100 high-risk tools connected to its agents. Most of those connections have no version pinning, meaning a silent update to a malicious version could run in production before anyone notices.
The Speed Problem
The core issue isn’t that MCP is fundamentally broken. It’s that the adoption timeline has compressed what should have been a multi-year security maturation process into a matter of months. The NSA’s own words: MCP’s rapid adoption has “outpaced the development of its security model.”
Companies wanted the productivity gains. The AI tools delivered them. The security conversation got deferred. Now the NSA is the one having it, which means the deferral period is over.
I’ve seen this pattern before. A useful technology gets adopted at speed. The security infrastructure builds slowly behind it. The gap between the two is where attackers live. With AI agents, that gap is enormous because the tools are highly capable, deeply connected, and often running with admin-level permissions that nobody explicitly approved.
The Shadow AI Multiplier
This gets worse when you factor in shadow AI. The Verizon DBIR published last week found that employee use of unapproved AI tools tripled in a single year, jumping from 15% to 45%. Most of those tools connect via MCP or similar protocols. Most of those connections aren’t in any IT inventory. Most of the data flowing through them isn’t being logged.
The NSA is warning about sanctioned MCP deployments. The real exposure is the unsanctioned ones that nobody is watching at all.
What to Actually Do About It
The NSA’s recommendations are practical and worth implementing now, regardless of how your AI tools are deployed:
- Audit what your AI tools connect to. Most organisations can’t answer this question. Start there.
- Apply least privilege. If an AI assistant needs to read emails, it doesn’t need write access to your database. Scope the permissions.
- Separate sensitive systems. High-risk data environments should have extra barriers before any AI automation touches them.
- Log everything. AI agent activity needs audit trails. If you can’t see what the agent did, you can’t detect when it was misused.
- Validate tool inputs. Prompt injection is a real attack class. Systems that ingest untrusted content into AI workflows need filtering.
- Pin MCP server versions. Silent updates from a poisoned package are a documented attack vector. Don’t rely on whatever the latest version happens to be.
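As an added illustration of the first, second and last points above (this is example code, not from the NSA advisory or from any MCP project), the script below audits an MCP client configuration file for unpinned server packages, over-broad filesystem scope, and secrets stored in plaintext. It assumes the `mcpServers` JSON shape that common MCP desktop clients use (a server name mapping to `command`, `args` and `env`), and the sample config, the list of over-broad paths and the secret-name pattern are constructed for this example.

```python
"""Audit an MCP client config for the risks in the NSA checklist.

Assumed config shape (used by common MCP clients):
  {"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}}
The sample config, path list and secret-key pattern below are constructed
for this example, not taken from any real deployment.
"""
import json
import re

# Package runners that resolve "latest" when no version is given.
PACKAGE_RUNNERS = {"npx", "uvx", "pipx"}
# Constructed list: handing an agent one of these roots is rarely least privilege.
OVERBROAD_PATHS = {"/", "/home", "/Users", "C:\\"}
# Constructed heuristic for credential-looking environment variable names.
SECRET_KEY_PATTERN = re.compile(r"(TOKEN|SECRET|PASSWORD|KEY)$")

# Constructed sample config: one unpinned server with root filesystem access,
# one pinned server with a plaintext token, one unpinned Python server.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"]
    },
    "crm": {
      "command": "npx",
      "args": ["-y", "acme-crm-mcp@1.4.2"],
      "env": {"CRM_TOKEN": "rw-token-placeholder"}
    },
    "docs": {
      "command": "uvx",
      "args": ["docs-mcp-server"]
    }
  }
}
"""


def package_spec(command, args):
    """Return the package spec a runner like npx/uvx would install, or None."""
    if command not in PACKAGE_RUNNERS:
        return None
    for arg in args:
        if arg == "run":          # `pipx run <pkg>` form
            continue
        if not arg.startswith("-"):
            return arg            # first positional arg is the package
    return None


def is_pinned(spec):
    """npm: name@1.2.3 or @scope/name@1.2.3; Python: name==1.2.3.

    rfind('@') > 0 skips the leading '@' of a scoped npm package name.
    """
    if "==" in spec:
        return True
    at = spec.rfind("@")
    return at > 0 and spec[at + 1:] != "latest"


def inventory(config_text):
    """List every server and the command it runs: the 'audit what connects' step."""
    cfg = json.loads(config_text)
    return [(name, s.get("command", ""), s.get("args", []))
            for name, s in cfg.get("mcpServers", {}).items()]


def audit_config(config_text):
    """Return (server, finding, detail) tuples for each policy violation."""
    cfg = json.loads(config_text)
    findings = []
    for name, server in cfg.get("mcpServers", {}).items():
        command = server.get("command", "")
        args = server.get("args", [])
        spec = package_spec(command, args)
        if spec and not is_pinned(spec):
            findings.append((name, "unpinned-version", spec))
        for arg in args:
            if arg in OVERBROAD_PATHS:
                findings.append((name, "overbroad-filesystem-scope", arg))
        for key in server.get("env", {}):
            if SECRET_KEY_PATTERN.search(key.upper()):
                findings.append((name, "plaintext-secret-in-config", key))
    return findings


if __name__ == "__main__":
    for entry in inventory(SAMPLE_CONFIG):
        print("server:", entry)
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against each client's config file on each endpoint and the output doubles as the inventory most organisations cannot produce today; any `unpinned-version` finding is the silent-update exposure the advisory describes, and `overbroad-filesystem-scope` is the least-privilege question asked in executable form.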
The NSA is not saying stop using MCP. They’re saying stop treating it as invisible infrastructure that doesn’t need the same scrutiny you’d apply to any other system that touches sensitive data. That’s a reasonable ask.
The Broader Shift
We’re at an inflection point where AI tools have graduated from being interesting experiments to being core operational infrastructure. The security conversation needs to make the same jump. Governance frameworks that were written before agentic AI existed don’t cover this. Procurement processes that check a security questionnaire box but never ask what MCP servers the AI connects to don’t cover this either.
The NSA publishing a formal advisory is a signal that the intelligence community considers this a live, active risk surface. That should carry weight with every CISO and every board that has signed off on AI tooling without asking hard questions about what it’s connected to.
The most dangerous thing about AI agents isn’t what they can do. It’s that nobody in most organisations knows what they’re doing right now.
