Notifications
Clear all
Topic starter
06/06/2026 11:05 am
TL;DR: Agentic supply chain attacks now target runtime tool trust, with the article citing nearly 2,000 official MCP Registry entries, over 16,000 unofficial servers, and roughly 30 CVEs filed in two months as the ecosystem outpaced its security controls, according to WorkOS. Tool identity, manifest drift, and hosted-server isolation now sit inside the identity problem, not beside it.
NHIMG editorial — based on content published by WorkOS: Securing agentic apps: How to vet the tools your AI agents depend on
By the numbers:
- The official MCP Registry launched in September 2025 and reached nearly 2,000 entries within months.
- Between January and February of 2026, security researchers filed roughly 30 CVEs against MCP servers, clients, and infrastructure.
Questions worth separating out
Q: What breaks when AI agents trust MCP tools after a single approval?
A: A one-time approval model fails when the tool can change after trust is granted.
Q: Why do AI agents make supply chain security harder than traditional software?
A: Because the agent’s dependency chain is active at runtime, not fixed at build time.
Q: How do security teams know if an MCP server has drifted out of policy?
A: They compare the current tool manifest, descriptions, and schemas against a captured baseline and investigate any change.
Practitioner guidance
- Baseline every MCP tool manifest Capture tool names, descriptions, schemas, and return types at first approval, then block any unreviewed drift until a human re-approves the change.
- Validate tool descriptions as security inputs Scan descriptions for instruction-like language, hidden exfiltration cues, and override patterns before the agent loads them.
- Isolate third-party MCP servers by blast radius Run untrusted servers in containers or sandboxes with strict outbound network allowlists, limited filesystem access, and no inherited secrets.
What's in the full article
WorkOS' full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step manifest validation logic for detecting changed tool descriptions, schemas, and removals.
- Sample argument-policy patterns for restricting email, database, and filesystem actions at the boundary.
- Practical sandboxing guidance for third-party MCP servers, including network and filesystem restrictions.
- Dependency hygiene examples for pinned installs, publisher checks, and post-update re-approval.
👉 Read WorkOS' analysis of securing agentic app supply chains →
Agentic supply chain vulnerabilities: what IAM teams need to check?
Explore further
06/06/2026 11:40 am
Agentic supply chain vulnerabilities turn tool trust into an identity control, not a procurement control. Once an AI agent is allowed to select tools at runtime, the security question is no longer only whether a package is signed or a server is familiar. The question becomes whether the tool can change its behaviour after approval and still inherit trust. That is why agentic supply chain risk sits inside OWASP-AGENTIC and OWASP-NHI, not just traditional software supply chain work. Practitioners need to treat tool manifests, descriptions, and hosting boundaries as governed identity artefacts.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- The same research found that 80% of organisations report AI agents have already performed actions beyond their intended scope, which makes runtime governance a present-tense control issue.
A question worth separating out:
Q: Who is accountable when a hosted MCP platform exposes credentials?
A: Accountability sits with both the platform owner and the organisation that chose to place sensitive credentials there. If a hosted environment concentrates many servers and secrets, a single platform flaw can become a multi-tenant incident. Governance teams should document ownership, isolation expectations, and re-approval rules for hosted tools.
👉 Read our full editorial: Agentic supply chain security is now part of identity governance
