A single faux error report hijacked Claude Code in managed testing — the agent ran the attacker’s code with the developer’s full privileges, and never one alert fired. EDR, WAF, IAM, and the firewall all missed it utterly.
Tenet Safety’s June agentjacking disclosure describes a single crafted Sentry error occasion — despatched by a public credential that requires no breach and no authentication — that injected attacker directions into error information that Claude Code, Cursor, and Codex then executed as trusted diagnostic output. Tenet examined 100-plus targets in managed situations and achieved an 85% success fee. Sentry referred to as the flaw “technically not defensible.”
he Cloud Safety Alliance labeled agentjacking as a systemic MCP vulnerability class inside days of the disclosure. No credentials had been stolen, no coverage was violated, no perimeter was breached: each step within the chain was licensed. That’s the downside.
Tenet recognized 2,388 organizations with publicly uncovered Sentry credentials that might be used to inject malicious occasions at scale. The analysis is proof-of-concept, not confirmed exploitation throughout all 2,388. However one captured Claude Code setting held a stay AWS secret entry key and personal repository URLs.
Right here is the scope take a look at: In case your AI coding brokers are linked to Sentry, Datadog, PagerDuty, Jira, or any MCP-connected information supply your builders belief — and people brokers can execute shell instructions — then your stack has the identical blind spot.
Organizations working Sentry ought to audit all publicly uncovered DSNs instantly. Sentry’s structure deliberately makes DSN credentials public for frontend error reporting, so the mitigation is not revoking the DSN — it is proscribing what brokers can do with the info these DSNs return.
Why your stack cannot see it
Agentjacking works as a result of each step is permitted: The attacker sends a legitimate Sentry API name utilizing a public DSN, the MCP server returns the injected occasion as genuine output, and the agent executes the instruction utilizing the developer’s privileges. No signature fired. The sufferer noticed solely benign diagnostics whereas the agent silently uncovered cloud credentials and source-control tokens.
SOC groups have by no means wanted to differentiate between a developer working an npm set up and an agent working that command in response to a malicious error occasion. That distinction didn’t exist till AI coding brokers grew to become manufacturing instruments. The stack that can’t make it’s the stack agentjacking bypasses.
5 surveys, one sample
5 impartial surveys from the primary half of 2026 discovered that enterprises belief their AI brokers way over their enforcement justifies.
Solely 34% of organizations apply the identical safety controls to AI brokers as to people, in response to an Okta/Apprize360 survey of 292 executives and 492 information employees. Fifty-two p.c of workers use unapproved AI instruments, and 58% of executives reported an AI-related incident or shut name within the prior yr.
HiddenLayer’s 2026 AI Menace Panorama Report surveyed 250 IT and safety leaders: 33% reported brokers had already exceeded meant scope, and 31% couldn’t verify whether or not they had skilled an AI breach. One in eight AI breaches was linked to agentic methods.
Gravitee’s survey of over 900 executives and practitioners discovered solely 14.4% of brokers went stay with full safety approval, and 88% reported confirmed or suspected incidents. A follow-up of 750 leaders in April discovered agent estates had doubled whereas monitoring barely moved.
The runtime hole no one closed
“Securing brokers seems to be similar to securing extremely privileged customers,” mentioned Elia Zaitsev, CTO of CrowdStrike, in an interview with VentureBeat. “They’ve identities, entry to underlying methods, they motive, they take motion.”
Zaitsev pointed to the hole the trade left open. “Nobody has been speaking about securing brokers at runtime. We’re doing that now. What’s your security internet? If all these controls fail, how do you forestall them from failing silently?”
CrowdStrike’s fleet information quantifies the publicity: greater than 1,800 agentic functions on enterprise endpoints, roughly 160 million cases underneath monitoring. On June 15, CrowdStrike shipped Steady Identification for AI Brokers at Identiverse, changing static insurance policies with steady enforcement that authorizes each agent motion in actual time. The management class that announcement displays — steady action-level authorization with verifiable agent id — is now a baseline procurement criterion no matter vendor.
“Folks have type of forgotten about runtime safety,” Zaitsev mentioned. “We did this with endpoint, virtualization, and cloud. Folks targeted on patching vulnerabilities, locking down permissions. By some means, they at all times appear to overlook one thing. The security internet is runtime.”
Zaitsev was equally direct about sandbox approaches. “Should you begin with an agent in a sandbox that has no capacity to the touch something, it’s nugatory. In a short time, you’re on this race of giving it extra capabilities. After which what’s the level of your sandbox?” Brokers derive their worth from entry. Each entry grant is an assault floor.
The governance hole is a funds downside
Kayne McGladrey, an IEEE Senior Member, described the structural problem in an unique interview with VentureBeat. “The CISO doesn’t have the funds. The CISO doesn’t have the workers. We are able to observe dangers, we will advise on enterprise dangers, however we don’t personal the enterprise methods affected by these dangers,” McGladrey mentioned. When agent governance spans six departmental budgets, no single govt can verify whether or not brokers get the identical entry critiques as people.
The Okta survey quantifies the disconnect. Solely 43% of employees say agent insurance policies are clear, in comparison with 65% of executives, and almost two-thirds apply weaker controls to brokers than to people. The individuals deploying brokers each day don’t acknowledge the governance posture their management claims to have constructed.
Assaf Keren, chief safety officer at Qualtrics and former CISO at PayPal, put it plainly. “The true threat begins not by the implementation of AI methods. It’s the truth that baseline structure just isn’t nicely established. Once we put an AI system on high of one thing not architected nicely, we’re accelerating the fractures.” Keren referred to as runtime habits analytics “an unsolved downside proper now.”
The 5-question hole take a look at
The five-question hole take a look at attracts on 5 surveys from the primary half of 2026. Every query maps to a niche that agentjacking exploits. Run this earlier than any Q3 vendor analysis.
|
Hole to check |
The proof |
What breaks |
Monday motion |
Supply / pattern |
|
1. Agent stock. What share of brokers, MCP connections, and LLM automations accomplished safety evaluate earlier than deployment? |
14.4% get full safety/IT approval earlier than going stay. 52% of workers use unapproved AI instruments. Common enterprise now manages 37+ deployed brokers, roughly doubled from This autumn 2025. |
Unapproved brokers are invisible to your id platform and unaccountable in a breach disclosure. Agentjacking targets precisely these unmanaged MCP connections. No census means no audit path for regulatory response. |
Fee a full agent, MCP server, and LLM automation census. Make census completion a procurement gate for all Q3 vendor evaluations. Flag any agent found post-census as a shadow AI incident. |
Gravitee State of AI Agent Safety 2026, 900+ respondents (Feb 2026); Gravitee April 2026 replace, 750 senior tech leaders; Okta/Apprize360, 292 execs + 492 employees (June 2026) |
|
2. Controls parity. Do brokers obtain the identical entry critiques, privilege scoping, and revocation timelines as human workers? |
34% at all times apply the identical controls to brokers as people. 61% of privileged entry fulfilled with out correct evaluate. Solely 22% deal with brokers as impartial identity-bearing entities. |
An agent with a static OAuth token and no evaluate cycle is a everlasting privileged account with no termination date. Agentjacking inherits no matter privileges the developer holds. 45.6% of orgs depend on shared API keys for agent-to-agent auth. |
Add each manufacturing agent to the following entry evaluate cycle. Mandate human-in-the-loop for any agent motion touching PII, monetary information, or manufacturing infrastructure. Change shared API keys with scoped, short-lived tokens. |
Okta/Apprize360 (784 respondents, June 2026); Palo Alto Networks (2,930 respondents); Gravitee (900+, shared API keys information) |
|
3. Scope drift. Have any brokers accessed information or methods past their outlined scope within the final 12 months? |
33% report brokers already exceeded scope. 53% say brokers exceed permissions sometimes or generally. Meta Sev 1, March 2026: agent posted delicate information to unauthorized channel. Solely 8% say brokers by no means exceed meant permissions. |
Scope drift triggers reportable occasions underneath GDPR, CCPA, HIPAA, and SEC cybersecurity guidelines. If detection can not distinguish agent-initiated from human-initiated entry, disclosure timelines are unachievable. Agent-spawned sub-agents (25.5% of deployed brokers can create different brokers) make audit trails algebraically intractable. |
Run a 90-day scope-drift audit on each manufacturing agent. Examine precise sources touched towards authorised scope documentation. Block agent-to-agent delegation with out specific human approval for any motion exceeding the dad or mum agent’s scope. |
HiddenLayer AI Menace Panorama 2026 (250 IT/safety leaders); CSA AI Agent Safety Survey (scope violations information); Gravitee (agent spawning information) |
|
4. Governance notion hole. Would 50 information employees say your AI agent insurance policies are clear? |
22-point hole: 65% of executives say insurance policies are clear, 43% of employees agree. 77% of safety groups see shadow AI threat however lack visibility to behave. 76% cite shadow AI as a particular or possible downside. |
You’re evaluating distributors towards a governance posture your workforce doesn’t acknowledge. Each shadow agent undermines the seller comparability. Data employees sharing inner messages (54%), HR information (45%), and confidential docs (39%) with unapproved AI instruments. |
One-question survey earlier than your subsequent vendor demo. Hole exceeds 15 factors, pause procurement. Publish an inner AI agent acceptable-use coverage with particular examples of authorised and prohibited agent behaviors. |
Okta/Apprize360 (784 respondents, June 2026); Ivanti 2026 AI Maturity Report (1,200 respondents); HiddenLayer (shadow AI information) |
|
5. Breach detection certainty. Can your safety group verify whether or not you skilled an AI-related breach within the final 12 months? |
31% can not reply. 88% reported confirmed or suspected AI agent safety incidents. One in eight reported AI breaches now linked to agentic methods. Agentjacking proved EDR, WAF, IAM, and firewall go an agent-mediated assault with no single alert. |
No foundation for disclosure timelines. No proof chain for incident response. No defensible place in a regulatory investigation. EU AI Act high-risk compliance obligations take impact August 2, 2026. |
Require agent-specific runtime detection as a procurement prerequisite. Affirm your org can distinguish agent-initiated actions from human-initiated actions in manufacturing telemetry. Check your SOC’s capacity to attribute a particular motion to a particular agent inside 60 minutes. |
HiddenLayer (250 IT/safety leaders); Gravitee (900+, incident fee); Tenet Safety (2,388 orgs uncovered); CSA (systemic MCP vulnerability classification) |
Safety director motion plan
EU AI Act high-risk compliance obligations take impact August 2, 2026. Price factoring into Q3 planning timelines.
-
Run the five-question hole take a look at above earlier than any Q3 vendor analysis — it prices nothing to manage, and the procurement readability it creates is value way over the half-hour it takes.
-
Take into account mandating agent-specific runtime detection. In case your stack can not inform what an agent did from what a developer did, agentjacking will bypass it the identical method it bypassed each layer in Tenet’s testing. That distinction is the one which issues now.
-
Deal with each agent as a privileged insider. In line with the Okta/Apprize360 survey, solely 34% of organizations apply the identical controls to brokers as to people; closing that hole is the only most impactful factor most safety groups can do that quarter.
-
Check the notion hole earlier than investing in new tooling. One query to 50 information employees. Have you learnt your organization’s AI agent insurance policies? If the hole between their reply and management’s reply exceeds 15 factors, that’s the downside to unravel first. No vendor product fixes a governance posture your personal workforce doesn’t acknowledge.
-
Make agent census completion a procurement gate — each agent, each MCP connection. The safety groups getting this proper are those that began with an entire stock and labored ahead from there.
Agentjacking stripped away an assumption that has survived each safety structure for the reason that first firewall went stay. Approved doesn’t imply protected. When each step within the chain is legit, the one protection that issues is the one watching what brokers do. Not what insurance policies say. What brokers do.