Expose your site functions to AI agents and you build a new kind of API, one whose client does whatever a prompt tells it. That is an attack surface: prompt injection through tool descriptions, rate-limit bypass, orders placed at the wrong price. One security review logged 30 MCP vulnerabilities in 60 days.
Security researchers logged more than 30 MCP vulnerabilities in 60 days, including a 9.6-severity remote code execution bug. The wave was predictable: the Model Context Protocol leaves authentication and access control to whoever builds the server. Here is the short checklist enterprise buyers should run before connecting any MCP server to their data.
Most MCP deployments lock the entrance with OAuth and call it secure. That is perimeter authentication: it decides who connects. It says nothing about which tools on the server an authenticated agent can actually call. That second layer, per-tool authorization, is the one most teams skip, and skipping it hands every connected agent the keys to everything.
NIST closed public comment on AI agent security on March 9, 2026, after naming three risk classes: adversarial inputs, backdoored models, and misaligned objectives. The guidance that follows will become the vendor questionnaire template. The defenses NIST points toward - scoped context, bounded tools, escalation paths - are workflow design, available now.