惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
F
Full Disclosure
Cloudbric
Cloudbric
Blog — PlanetScale
Blog — PlanetScale
W
WeLiveSecurity
N
News and Events Feed by Topic
T
Troy Hunt's Blog
V2EX - 技术
V2EX - 技术
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
B
Blog
GbyAI
GbyAI
C
Check Point Blog
B
Blog RSS Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Recorded Future
Recorded Future
The Last Watchdog
The Last Watchdog
N
News and Events Feed by Topic
T
The Blog of Author Tim Ferriss
O
OpenAI News
V
V2EX
人人都是产品经理
人人都是产品经理
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
IT之家
IT之家
WordPress大学
WordPress大学
www.infosecurity-magazine.com
www.infosecurity-magazine.com
S
Security @ Cisco Blogs
C
Cisco Blogs
Security Latest
Security Latest
S
Security Affairs
V
Visual Studio Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Hacker News - Newest:
Hacker News - Newest: "LLM"
博客园 - 司徒正美
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Microsoft Azure Blog
Microsoft Azure Blog
Last Week in AI
Last Week in AI
AWS News Blog
AWS News Blog
雷峰网
雷峰网
Apple Machine Learning Research
Apple Machine Learning Research
PCI Perspectives
PCI Perspectives
博客园_首页
U
Unit 42
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
Project Zero
Project Zero
Cisco Talos Blog
Cisco Talos Blog
The Register - Security
The Register - Security
N
Netflix TechBlog - Medium
L
LINUX DO - 热门话题
H
Hacker News: Front Page

Opinion

Op-Ed: Microsoft’s July Patch Tuesday reveals 622 vulnerabilities Op-Ed: The transaction was legitimate; the crime was hidden in the system Op-Ed: Why CISOs are drowning in alerts but missing the real threat Op-Ed: The reality of data-centric security and attribute-based access control Op-Ed: Australia’s cyber law is stuck in the past – the Slay Review is our chance to fix it Australian federal budget 2026: The industry perspective Op-Ed: Redefining performance in the AI-powered SOC Op-Ed: AI won’t patch the holes in your SOC Op-Ed: Australia inspired the EU’s online age restrictions, now it’s time for us to learn from them Op-Ed: Microsoft April Patch Tuesday reveals 167 vulnerabilities The industry speaks: World Identity Management Day 2026 Op-Ed: Why zero trust for OT should start at the boundary, not the boiler room The industry speaks: World Cloud Security Day 2026 The industry speaks: World Backup Day 2026 Op-Ed: Information sharing of cyber threats vital to national security Op-Ed: Building secure foundations for AI in the cloud Op-Ed: Why Australia’s schools are becoming strategic targets for organised crime Op-Ed: Australia’s National AI Plan looks good on paper, but where are the teeth? Op-Ed: Australian organisations need federated authority to stay secure at scale Supply chain risk: Understanding the weakest link in cyber security
Op-Ed: AI isn’t the threat, poor design is
2026-03-04 · via Opinion

The conversation around AI security has become saturated with anxiety.

Each week brings fresh headlines warning of jailbreaks, prompt injection, rogue agents, and AI-powered cyber crime.

You’re out of free articles for this month

To continue reading the rest of this article, please log in.

It’s easy to walk away with the impression that AI is inherently uncontrollable – something that must be locked down before it spirals beyond our grasp.

But as a security practitioner, I’ve learnt to be cautious about narratives built on hypotheticals.

Many of the loudest warnings rely on engineered demos or theoretical exploits. They raise valid concerns, but rarely answer a more fundamental question: what does the real attack surface of today’s AI systems actually look like?

So instead of adding another opinion to the pile, I ran the numbers.

To ground the debate in reality, I focused on the Model Context Protocol (MCP), a framework widely used to allow language models to interact with tools, APIs and external systems. MCP is open source, replicated across environments, and built for practical integration. In other words, it’s a strong test case for understanding real-world exposure.

There were no adversarial prompts and no artificial exploits in this research. We analysed active, runnable MCP servers, examined their tool schemas, and measured what capabilities they actually exposed.

What we found was striking in its familiarity.

The MCP servers that met our criteria exposed well-understood primitives: filesystem access, HTTP requests, database queries, local script execution, orchestration workflows and read-only API searches. These are not exotic AI-only risks. They are the same building blocks embedded in cloud automation, infrastructure-as-code, and modern DevOps stacks.

MCP doesn’t invent new capabilities. It structures existing ones.

One of the most surprising findings was what we didn’t see. Despite media warnings, arbitrary code execution was rare among operational MCP servers. High-severity risk was the exception, not the rule.

That matters.

It suggests that most real-world AI deployments are not as reckless as some narratives imply. The most common issues we observed were familiar ones: weak defaults, excessive permissions, and poor input handling. These are longstanding security challenges, not novel AI failures.

Where risk meaningfully increases is in composition.

Individually, most MCP servers presented low risk. But when orchestration enters the equation, when tools can be chained together, the attack surface expands.

We observed realistic combinations such as HTTP fetch paired with filesystem writes enabling persistence or content injection; database queries combined with orchestration enabling stealthy exfiltration; and planning logic linked with execution, creating multi-stage attack paths.

None of this is new in principle.

Adversaries have long chained primitives together in traditional environments. MCP reduces friction in assembling those components, but it does not fundamentally change the playbook.

That said, a critical counterpoint deserves attention. Secure-by-design architectures, particularly tightly scoped schemas, create clear boundaries. But as the ecosystem evolves, not every AI application will be built securely.

Some developers will ship systems with overly permissive tool access or weak schema constraints. In those environments, security teams may be forced to rely on non-deterministic, “best effort” defences such as prompt injection mitigation rather than influencing inherently secure application design.

We must plan for that hybrid reality: championing architectural security wherever possible, while building resilient runtime controls to contain the fallout from insecure implementations.

As AI agents embed deeper into operational systems, control points are shifting. Historically, we validated inputs at the UI, enforced roles through IAM, and encapsulated logic in application code. With AI agents, security boundaries move to orchestration layers, schema contracts, tool composition workflows and execution sandboxes.

Security must follow that shift.

That means auditing tool chains, tightening schema definitions, isolating execution contexts and rigorously applying least privilege and defence-in-depth. It means treating orchestration workflows as critical automation infrastructure. And it means recognising that most AI tooling exposes capabilities we already understand.

AI introduces scale and complexity. It does not repeal fundamental security principles.

The real challenge is not that AI is uncontrollable. It’s whether security teams can adapt existing controls quickly enough, and influence developers early enough, to ensure that secure design becomes the norm rather than an afterthought.

If we focus on measurable exposure instead of headline panic, we can separate signal from noise – and build AI systems that are resilient, not reckless.

You can read my full analysis here.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.