Five Security Teams Identify Critical Gaps in AI Agent Security, Highlighting Risks for Enterprise Adoption
In the week ending June 29, 2026, five independent security research teams uncovered a shared vulnerability in AI agent systems, revealing structural weaknesses that could compromise enterprise environments. The findings, published without coordination, highlight a growing risk as AI agents operate with human-level permissions in systems not designed for their unique behaviors, according to Akamai’s analysis of the Model Context Protocol (MCP).
The Protocol-Level Problem
The MCP, an emerging standard for agent-to-tool communication in enterprise AI environments, was updated on June 26, 2026. Akamai’s review of the specification found that the protocol is “stateless,” meaning each tool call starts without memory of previous interactions. This design leaves security responsibilities entirely to developers, as the protocol does not enforce security measures itself, according to Maxim Zavodchik, senior manager for threat research at Akamai.

For organizations in the Gulf region advancing AI-driven workflows under Vision 2030 initiatives, this creates a governance challenge. Regional frameworks like Saudi Arabia’s National Cybersecurity Authority Essential Cybersecurity Controls and the UAE Information Assurance Regulation require demonstrable control over automated systems, but MCP’s architecture shifts this responsibility to the application layer, the report states.
The Identity Gap
Orchid Security’s research, published the same week, identified a critical flaw in how identity and access management (IAM) systems interact with AI agents. IAM systems were designed for human users, who authenticate, receive tokens, and operate within session boundaries. AI agents, however, operate continuously, chain actions across services, and may run unattended, creating a mismatch with those controls. Orchid termed this issue “identity dark matter,” where agents function with human-level permissions in environments not built to monitor their activities.
This gap is particularly concerning for regulated sectors. Financial institutions under DIFC or ADGM regulations, healthcare organizations under HAAD or DHA frameworks, and government entities handling sensitive data face new requirements to demonstrate control over automated systems. Without runtime policy enforcement—evaluating an agent’s actions in real time—these organizations cannot meet compliance standards, the report notes.
The Social Engineering Dimension
Push Security’s disclosure of the “Poisoned Tenant” campaign revealed a targeted social engineering attack. Threat actors created fraudulent OpenAI organizations, distributing invitations from a domain that passed SPF, DKIM, and DMARC authentication. Cybersecurity firms that accepted these invitations gained Owner-level privileges, exposing API keys and sensitive data. The campaign exploits gaps in email security tools, which classify the fraudulent communications as legitimate, according to the report.

This threat vector is especially alarming for Middle Eastern organizations, where AI adoption is accelerating across public and private sectors. The attack operates outside traditional network perimeters, highlighting the need for updated security strategies, the analysis states.
Governance Recommendations
Security experts outlined three immediate steps to mitigate risks:
1. Scope agent access explicitly. AI agents should be granted only the minimum permissions required for their function and be treated as privileged users subject to rigorous onboarding processes.
2. Treat MCP configuration files and agent inputs as supply chain risks. Signed and verified inputs from controlled repositories reduce exposure to attacks like the Amazon Q Developer vulnerability and the Claude Code DNS attack.
3. Invest in runtime visibility. Organizations must monitor agent activities in real time to ensure compliance with regulatory requirements and detect anomalies before they escalate.
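As an added illustration of the three steps above (this is not code from Akamai, Orchid, Push Security or any MCP project), the Python below pins the digest of an MCP client configuration taken from a controlled repository, evaluates each tool call against an explicit per-agent scope, and records every decision for runtime monitoring. The "mcpServers" config layout, the server names, the agent name and the tool names are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: the MCP client configuration an agent is about to load.
# A second, unreviewed server entry has been added since it was approved.
MCP_CONFIG = json.dumps({"mcpServers": {
    "tickets": {"command": "npx", "args": ["-y", "@example/tickets-mcp"]},
    "extra":   {"command": "npx", "args": ["-y", "@unreviewed/other-mcp"]},
}}, sort_keys=True)

# The reviewed configuration and its digest, as pinned in a controlled
# repository at onboarding time (constructed here for the example).
TRUSTED_CONFIG = json.dumps({"mcpServers": {
    "tickets": {"command": "npx", "args": ["-y", "@example/tickets-mcp"]},
}}, sort_keys=True)
PINNED_SHA256 = hashlib.sha256(TRUSTED_CONFIG.encode()).hexdigest()

# Step 1: explicit per-agent scope (server -> allowed tools); anything not
# listed is denied, so an unknown agent or server gets nothing.
AGENT_SCOPES = {
    "triage-bot": {"tickets": {"search_tickets", "add_comment"}},
}

def verify_config(config_text: str, pinned_sha256: str) -> bool:
    """Step 2: treat the config as a supply-chain input; load it only if its
    digest matches the one pinned in the controlled repository."""
    return hashlib.sha256(config_text.encode()).hexdigest() == pinned_sha256

def authorize_call(agent: str, server: str, tool: str, audit: list) -> bool:
    """Step 3: runtime policy enforcement; decide each tool call against the
    agent's scope and append an audit record for monitoring."""
    allowed = tool in AGENT_SCOPES.get(agent, {}).get(server, set())
    audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent, "server": server, "tool": tool,
        "decision": "allow" if allowed else "deny",
    })
    return allowed

if __name__ == "__main__":
    print("modified config trusted:", verify_config(MCP_CONFIG, PINNED_SHA256))   # False
    print("approved config trusted:", verify_config(TRUSTED_CONFIG, PINNED_SHA256))  # True
    log = []
    authorize_call("triage-bot", "tickets", "search_tickets", log)  # allow
    authorize_call("triage-bot", "tickets", "delete_ticket", log)   # deny
    authorize_call("triage-bot", "extra", "run", log)               # deny
    print(json.dumps(log, indent=1))
```

The audit list is what a monitoring pipeline would ship to a SIEM; a run of "deny" decisions for one agent is the anomaly step 3 asks organizations to catch early.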
“AI agents are not inherently ungovernable. They are currently ungoverned in most enterprise deployments. That is a choice, and it can be reversed,” the report concludes.