LLMjacking is now an identity governance problem, not just an application abuse problem. The article shows that exposed AI endpoints can be discovered, validated, and monetised at industrial scale. That means the governance question is no longer whether a model can answer a request, but whether the endpoint is a controlled non-human identity with enforceable boundaries. Practitioners should treat externally reachable AI services as governed access paths, not experimental infrastructure.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, according to "AI Agents: The New Attack Surface".
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete compliance and breach-investigation blind spot, according to "AI Agents: The New Attack Surface".
A question worth separating out:
Q: Who is accountable when an exposed MCP server is used to reach internal systems?
A: Accountability sits with the team that owns the delegated access path, the network exposure, and the identity controls around the server. In practice, that means security, platform, and application owners must all understand whether the MCP trust boundary is intentionally public or accidentally exposed.
👉 Read our full editorial: LLMjacking is becoming a commercial supply chain risk for AI endpoints