Blog
Articles on agentic control planes, AI governance, and building trust infrastructure for AI systems.
Can You Prove What Your AI Agent Did? I Checked 8,216 MCP Servers.
Tags: security-research, compliance, mcp
74.9% of MCP servers have no mention of audit logging. The MCP spec defines zero audit primitives. Here's why that's a compliance problem.
March 30, 2026

4,500 MCP Servers, 7,840 Tools, Zero Input Validation. Here's the Attack Surface.
Tags: security-research, mcp, supply-chain
I analyzed the tool definitions of 8,216 MCP servers. 2,432 expose high-risk input parameters — SQL, file paths, shell commands — with no validation constraints.
March 29, 2026

I Classified 8,000+ MCP Servers by Auth Appropriateness. Most Get It Wrong.
Tags: security-research, identity, mcp
A static analysis of 8,216 MCP servers across 4 registries. 50.6% have no auth. But the real question is: do they have the right auth for what they do?
March 28, 2026

MCP Re-Auth: What ChatGPT Actually Needs When Tokens Expire
Tags: architecture, mcp, oauth
ChatGPT doesn't re-trigger OAuth on HTTP 401 or JSON-RPC errors. It needs a specific JSON-RPC success envelope with _meta. Here's the signal, why it exists, and how a gateway handles both layers of auth failure.
March 26, 2026

Why Not Just Use OPA and a Service Mesh?
Tags: architecture, identity
A serious look at whether existing infrastructure — OPA, Istio, API gateways, IAM — already solves AI agent governance. Where it works, where it breaks, and what's actually missing.
March 25, 2026

I Audited 7,522 AI Agent Skills. Here's What I Found.
Tags: supply-chain, mcp
A first-hand static analysis of every skill on ClawHub — the real numbers on credential leaks, prompt injection, and what registry moderation actually catches.
March 25, 2026

How an Agentic Control Plane Addresses Every OWASP Agentic Top 10 Risk
Tags: standards, compliance
A risk-by-risk mapping of the OWASP Top 10 for Agentic Applications to specific control plane capabilities. No other vendor has published this from the governance layer perspective.
March 25, 2026

How to Trigger a Governed AI Agent from n8n, Zapier, or Any Webhook
Tags: agent-triggers
Step-by-step guide to invoking AI agents via HTTP from workflow automation tools. Every tool call is identity-verified, rate-limited, and audit-logged.
March 24, 2026

CSA Defines the Agentic Control Plane. Here's What We Built.
Tags: standards, architecture
The Cloud Security Alliance just published their framework for the Agentic Control Plane. We've been building the infrastructure to solve it. Here's what's real vs. what's still theoretical.
March 23, 2026

Runtime Authorization for AI Agents: Why Static Policies Break
Tags: authorization
Traditional authorization was designed for users clicking buttons. AI agents make thousands of decisions per minute. Here's what runtime authorization looks like when the caller is autonomous.
March 20, 2026

WebMCP Ships Without Agent Identity. Here's Why That Matters.
Tags: standards, mcp, identity
The W3C WebMCP spec gives browsers a native API for AI agents to call website tools. It shipped without agent identity, scoped permissions, or delegation context. I filed the issue. Here's what's missing and why the browser layer is the right place to fix it.
March 19, 2026

Continuous Trust Validation for AI Agents
Tags: compliance, authorization
Point-in-time audits don't work when agents make 10,000 decisions per hour. Continuous trust validation means verifying identity, policy, and behavior on every action — not once a quarter.
March 18, 2026

MCP Is the Data Plane. You Still Need a Control Plane.
Tags: architecture, mcp
MCP defines how agents call tools — the data plane. It does not define who is allowed to call what, under which conditions, with what audit trail. That's the control plane. Here's why you need both.
March 17, 2026

NIST Just Defined Identity for AI Agents. Here's What Changes.
Tags: standards, identity
NIST's AI Agent Standards Initiative is the first federal intervention on identity and authorization for autonomous AI agents. The architectural requirements are clear — and most teams aren't ready.
March 15, 2026

Your API Keys Already Give Agents Production Access
Tags: identity, supply-chain
Every API key in your env vars is a standing invitation for an AI agent to act with full access and no user identity. Most teams don't realize it until something goes wrong.
March 14, 2026

Authentication Is Broken in AI Systems
Tags: identity, mcp
AI agents call your backend APIs on behalf of users. Your backend has no idea who's asking. This isn't a bug — it's how every major agent framework works today.
March 10, 2026

AI Agent Identity: The Problem No One Has Solved Yet
Tags: identity
Your IAM stack handles human identity. AI agent identity — proving who an agent acts for across every tool call — requires a fundamentally different layer.
March 4, 2026

AI Agent Audit Trails: What CISOs Actually Need to Know
Tags: compliance
AI agent audit trails need identity-attributed logging — not generic API logs. Here's what CISOs actually need to know for compliance-ready governance.
March 1, 2026

What Is an MCP Control Plane?
Tags: architecture, mcp
An MCP control plane adds identity verification, policy enforcement, and audit logging to Model Context Protocol servers — the missing governance layer.
February 26, 2026

Agentic Data Plane vs Agentic Control Plane
Tags: architecture, mcp
Agentic data plane vs agentic control plane — what each layer does, why you need both, and how they work together to govern AI agents in production.
February 23, 2026

The Governance Controls Existed
Tags: authorization
Microsoft 365 Copilot bypassed its own DLP policies because every governance control lived inside the same vendor pipeline that failed.
February 20, 2026

Your AI Agents Are Acting on Behalf of Your Users
Tags: identity
AI agent identity is broken: agents call your backend on behalf of users, but your systems can't verify who initiated the request. Here's the real risk.
February 18, 2026

What Tools Is Your OpenClaw Agent Using?
Tags: supply-chain, mcp
Your OpenClaw agent can read .env files and bypass permission skills. Here's what an MCP server security audit revealed — and how to lock it down.
February 15, 2026

OpenAI Frontier Proves AI Governance Can't Live Inside the Model Provider
Tags: architecture
Frontier gets the problem right — agent identity, permissions, and audit are the bottleneck. But building governance into the model provider creates a new problem it can't solve.
February 12, 2026

Compliance-Ready AI Governance
Tags: compliance
AI agents are accessing protected data on behalf of users — but HIPAA, SOC 2, and GDPR weren't built for this. Compliance-ready AI governance starts here.
January 22, 2026

The Cost of Running Agents Without Budget Controls
Tags: authorization
One runaway agent loop can burn through your entire monthly LLM budget in minutes. Here's how to prevent it.
January 2, 2026

Why API Gateways Don't Solve AI Governance
Tags: architecture
Traditional gateways handle routing and rate limits. But AI needs identity binding, PII detection, and policy enforcement they were never built for.
December 10, 2025

PII in Prompts: What You're Probably Leaking
Tags: compliance
Users paste PII into your AI app. It goes straight to the LLM. That's a compliance problem.
November 19, 2025

Identity in the Three-Party Trust Model
Tags: identity
The core problem in AI governance isn't authorization or audit — it's identity. If you can't identify who a request is for, nothing else works.
November 5, 2025

Why Agentic Control Planes Will Matter
Tags: architecture
AI is moving from chatbots to agents that take real actions. Without a governance layer, every tool call is a liability.
October 15, 2025