Everyone is focused on the LLM. The model gets the headlines, the benchmark debates, the safety red-teaming, and the regulatory scrutiny. But in production agentic systems, the model is rarely where the real risk lives.
The real risk lives in the layer beneath it.
Model Context Protocol — MCP — has emerged as the connective tissue of the agentic era. It is how AI agents discover tools, call external services, read files, query databases, and take action in the world. Without MCP, an agent is just a text generator. With MCP, it becomes an autonomous operator with access to your systems.
That access is exactly what makes MCP a critical and underexamined attack surface.
Consider what a compromised or misconfigured MCP server can expose: authenticated sessions, internal APIs, cloud storage, code repositories, customer data, and business logic that was never designed to be touched by an autonomous process. An attacker who can manipulate what an MCP server returns to an agent — a technique researchers are calling prompt injection at the tool layer — can redirect agent behavior without ever touching the LLM itself.
The security industry spent years learning to secure APIs after they became the dominant integration layer. That lesson took too long to learn and the breach count reflects it. MCP is moving faster than APIs did, with less scrutiny and fewer established controls.
Organizations deploying agentic systems today should be asking three questions their vendors may not be ready to answer: What MCP servers does my agent have access to? What can those servers do on my behalf? And who is watching the traffic between them?
The agentic security conversation has to move down the stack — from the model to the services it calls, the protocols it uses, and the APIs it touches. That is where the exposure is. That is where the next generation of breaches will originate.
Intelligence in motion requires security in motion. The MCP layer cannot be an afterthought.
