TL;DR: June’s roundup of MCP, model, and client risks highlights misconfigured servers, cross-tenant data exposure, prompt injection, and zero-click exfiltration across agentic systems, according to Pomerium and the cited sources. Access control assumptions are now failing at runtime, where agents can chain tools, leak data, and widen blast radius faster than traditional IAM review cycles.
NHIMG editorial — based on content published by Pomerium: Top 10 Articles in Agentic Access - MCP, Models, and Clients (June 2025)
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
- 7,000 misconfigured MCP servers are live on the public web, with many wide open to remote code execution.
Questions worth separating out
Q: How should security teams govern AI agents that can call tools and APIs?
A: Treat each agent as a governed identity with explicit scope, logging, and approval boundaries.
Q: Why do MCP servers increase the risk of agentic access abuse?
A: MCP servers connect agents to real systems, so a weakly controlled server becomes a privilege bridge rather than a simple integration layer.
Q: What do security teams get wrong about prompt injection in agentic systems?
A: They often treat prompt injection as a text problem instead of an execution problem.
Practitioner guidance
- Inventory every agent-to-tool path: map each MCP server, model client, and downstream API that an agent can reach.
- Move policy checks to runtime: require authorisation at the moment of access for every high-risk tool call.
- Separate untrusted content from action prompts: isolate retrieved text, user input, and external content from any prompt that can trigger a tool call.
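A minimal runtime gate that applies the three items above to each tool call, as an added Python example (not Pomerium's or NHIMG's code; the agent ids, tool names and approval register are constructed): the agent is a governed identity with an explicit scope, a high-risk tool needs a recorded approval, a call requested by retrieved content is refused, and every decision is logged with the accountable owner.

```python
from dataclasses import dataclass

# Constructed sample policy for the guidance above. Agent ids, tool names and the
# approval register are hypothetical; nothing here is Pomerium's or NHIMG's code.
HIGH_RISK_TOOLS = frozenset({"delete_record", "send_email", "run_shell"})
TRUSTED_ORIGINS = frozenset({"user"})  # retrieved text, tool output and web content are untrusted

@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner_team: str            # accountable team for this access path
    allowed_tools: frozenset   # explicit scope, reviewed like any other identity

@dataclass(frozen=True)
class ToolCall:
    tool: str
    target: str
    origin: str                # where the instruction that triggered the call came from

class RuntimeToolGate:
    """Authorises each tool call at the moment of access and records the decision."""
    def __init__(self, approvals):
        self.approvals = set(approvals)  # (agent_id, tool) pairs with a recorded human approval
        self.audit_log = []

    def authorize(self, agent, call):
        if call.tool not in agent.allowed_tools:
            allowed, reason = False, "tool outside the agent's declared scope"
        elif call.origin not in TRUSTED_ORIGINS:
            # an action requested by retrieved or external content is a prompt-injection path
            allowed, reason = False, f"action originated from untrusted content: {call.origin}"
        elif call.tool in HIGH_RISK_TOOLS and (agent.agent_id, call.tool) not in self.approvals:
            allowed, reason = False, "high-risk tool has no recorded approval for this agent"
        else:
            allowed, reason = True, "in scope, trusted origin, approval satisfied"
        # log owner, tool, target and outcome so an investigation can answer who approved what
        self.audit_log.append({"agent": agent.agent_id, "owner": agent.owner_team, "tool": call.tool,
                               "target": call.target, "origin": call.origin, "allowed": allowed, "reason": reason})
        return allowed, reason

def demo():
    agent = AgentIdentity("support-bot", "cx-platform", frozenset({"read_ticket", "send_email"}))
    gate = RuntimeToolGate(approvals={("support-bot", "send_email")})
    calls = [ToolCall("read_ticket", "ticket/42", "user"),
             ToolCall("send_email", "customer@example.com", "user"),
             ToolCall("send_email", "someone@example.net", "retrieved"),  # instruction came from fetched text
             ToolCall("run_shell", "host-1", "user")]
    return [gate.authorize(agent, c)[0] for c in calls], gate.audit_log
```

Running `demo()` yields allow, allow, deny, deny for the four calls, and the audit log holds one entry per decision with the owning team attached.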
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- The source article names each June story and gives the original publication context for the MCP and agentic access developments.
- It provides the vendor's selection criteria for why these stories matter to practitioners tracking agentic access risk.
- It includes the surrounding commentary on why Pomerium sees access control as the defining challenge of the agentic era.
- It links readers to the underlying articles that describe the vulnerabilities, leaks, and zero-click behaviours in more detail.
👉 Read Pomerium's roundup of June 2025 agentic access risks →
MCP abuse and zero-click exfiltration: what IAM teams need to know?
Explore further
Agentic access is becoming an identity governance problem before it becomes an AI problem. The June stories are not mainly about model quality. They show that the control failure sits at the junction of identity, tools, and runtime decision-making, where access is granted to software that can act. That makes governance, not novelty, the central issue. Practitioners should treat agentic workflows as governed identities with explicit scope and audit requirements.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to the AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to SailPoint.
A question worth separating out:
Q: Who is accountable when an AI agent exposes data or performs unauthorised actions?
A: Accountability should sit with the team that owns the agent, the connected system, and the policy that allowed the access path. If no one can explain who approved the scope, what data was reachable, and how the action was logged, the governance model is incomplete.
👉 Read our full editorial: Agentic access is exposing MCP and AI control-plane gaps