- Noma Security has extended its platform to provide runtime visibility and access governance specifically for AI agents connected via Model Context Protocol (MCP) servers — a largely unmonitored attack surface as of June 2, 2026.
- The core problem is architectural: most enterprises deploying autonomous AI have no centralized inventory of which agents can call which tools, under what conditions, or with what data permissions.
- MCP, the protocol Anthropic introduced in late 2024 and now adopted broadly across agent frameworks, creates a standardized but ungoverned bridge between AI models and external systems — databases, APIs, code execution environments, and file stores.
- Security analysts increasingly frame ungoverned agent tool-use as a higher-order risk than prompt injection alone, because a single misconfigured MCP server can grant an agent write access to production infrastructure.
What Happened
A year and a half after Anthropic released Model Context Protocol as an open standard, the enterprise security industry is catching up to what developers already know: connecting an AI agent to a tool via MCP is trivially easy, and auditing that connection is not. As of June 2, 2026, according to a Help Net Security feature, Noma Security has announced expanded platform capabilities targeting exactly this gap: structured visibility and access governance for both AI agents and the MCP servers they depend on.
The announcement positions Noma as one of the first dedicated security vendors to treat MCP infrastructure as a governed asset class rather than a developer convenience. The platform now claims the ability to enumerate deployed MCP servers across an organization's environment, map which agents hold active connections to each server, classify what data scopes those connections expose, and flag policy violations in near-real time. Think of it as a firewall policy table — but instead of IP addresses and ports, the rows are AI agents and the columns are tool capabilities: read file system, execute shell command, query customer database, send outbound HTTP request.
This matters because the alternative — the status quo at most organizations deploying AI workflows today — is that no such table exists anywhere. Agents are spun up by individual teams, MCP servers are self-hosted or pulled from public registries without vetting, and the only governance checkpoint is the LLM's own judgment about whether a given tool call is appropriate. That is not a governance model. That is wishful thinking at production scale.
Why It Matters for Your Business Automation and AI Strategy
Here is the pattern Noma is responding to, stated plainly: the ReAct (Reasoning + Acting) loop that powers most autonomous AI agents today is a tool-call machine. The agent reasons about a task, selects a tool from its available MCP connections, executes the call, observes the result, and loops. Each iteration potentially touches external systems — and each external system represents a permission boundary that was designed for human operators, not for an agent running 500 iterations per hour on a background cron.
As of Q1 2026, industry research from multiple security firms — including analysis cited by Help Net Security and parallel reporting from firms like Wiz and Orca Security covering the adjacent cloud-native agent space — suggests the governance gap is widening faster than tooling can close it. The chart below illustrates where enterprise readiness currently clusters:
Chart: Enterprise AI Agent Governance Readiness, Q1 2026. Source: Composite from Help Net Security coverage and industry analyst surveys cited in parallel reporting. Figures reflect organizations with 500+ employees actively deploying AI agents.
The implementation gap — between planning governance and actually logging MCP server access calls — is the most revealing number in that chart. Nearly two-thirds of enterprises say they intend to govern their AI agents, but fewer than one in four can currently tell you what an agent called last Tuesday. That delta is where breaches live.
The financial planning analogy is useful here. Imagine managing an investment portfolio where you can see the account balance but not the individual positions: no line-item breakdown of what assets are held, no transaction log, no alert when a position exceeds its allocation limit. No serious financial planning discipline would accept that opacity. Yet that is precisely the visibility posture most organizations maintain over their AI agent infrastructure today. The correlation and analytics built into modern SIEM (Security Information and Event Management) platforms were not designed for agent-native environments; they were retrofitted, and it shows.
Noma's architectural bet is that MCP creates a natural instrumentation point. Because every agent-to-tool interaction is carried as an MCP message (JSON-RPC over stdio or HTTP), a governance proxy sitting between the MCP client and the server can observe every tool invocation without requiring changes to the underlying agent code or the tools themselves. That is the same logic that made API gateways the preferred control point for microservice security: intercept the protocol, own the policy. Two caveats apply. First, the proxy only sees traffic that is routed through it; an MCP server that an agent spawns locally over stdio bypasses a network proxy unless the launcher itself is wrapped. Second, MCP traffic carries LLM-generated arguments, not human-typed requests, which means the variance in what gets sent is orders of magnitude higher and harder to policy-match with static rules.
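As an added illustration of the policy-table idea above (not Noma's code and not part of the MCP SDK: only the JSON-RPC 2.0 framing and the tools/call method name are MCP's own, while the agent names, tool names, capability classes, grants and the assumption that agent identity arrives out of band are hypothetical), here is a minimal enforcement check a governance proxy could run on each tools/call message before forwarding it to the server:

```python
"""Policy check for MCP tools/call messages at a governance proxy.

Added example, not Noma's code and not the MCP SDK. MCP carries tool
invocations as JSON-RPC 2.0 requests with method "tools/call" and params
{"name": ..., "arguments": {...}}. Everything else is a hypothetical
assumption for the example: the agent identity is taken to arrive out of
band (e.g. a header the proxy trusts), and the tools and grants are ours.
"""
from __future__ import annotations

import json
import posixpath
from dataclasses import dataclass, field

# Capability classes: the "columns" of the policy table.
READ, WRITE, EXEC, NET = "read", "write", "exec", "net"

# Hypothetical classification of each tool exposed by the connected MCP servers.
TOOL_CAPS = {
    "fs.read_file": {READ},
    "fs.write_file": {WRITE},
    "shell.run": {EXEC},
    "db.query_customers": {READ},
    "db.update_customer": {WRITE},
    "http.fetch": {NET},
}


@dataclass
class Grant:
    """One row of the policy table: what an agent may do, and with what arguments."""
    caps: set
    allowed_tools: set | None = None          # None means any tool within caps
    arg_constraints: dict = field(default_factory=dict)


# Hypothetical per-agent grants.
POLICY = {
    "support-bot": Grant({READ}, {"db.query_customers", "fs.read_file"},
                         {"fs.read_file": {"path_prefix": "/srv/kb/"}}),
    "release-bot": Grant({READ, EXEC}, {"shell.run"},
                         {"shell.run": {"cmd_prefix": "make "}}),
}

DENY_CODE = -32000  # JSON-RPC reserves -32000..-32099 for server-defined errors


def _deny(req_id, message, data=None):
    err = {"code": DENY_CODE, "message": message}
    if data is not None:
        err["data"] = data
    return "deny", {"jsonrpc": "2.0", "id": req_id, "error": err}


def evaluate(agent: str, msg: dict):
    """Return ("allow", None) or ("deny", <JSON-RPC error response to send back>).

    Messages other than tools/call (initialize, tools/list, notifications) pass
    through untouched; the proxy only arbitrates tool invocations."""
    if msg.get("method") != "tools/call":
        return "allow", None
    req_id = msg.get("id")
    params = msg.get("params") or {}
    tool = params.get("name")
    args = params.get("arguments") or {}

    grant = POLICY.get(agent)
    if grant is None:
        return _deny(req_id, "unknown agent", {"agent": agent})
    caps = TOOL_CAPS.get(tool)
    if caps is None:
        # Fail closed: a tool the proxy cannot classify is never forwarded.
        return _deny(req_id, "unclassified tool", {"tool": tool})
    if not caps <= grant.caps:
        return _deny(req_id, "capability not granted",
                     {"tool": tool, "needs": sorted(caps - grant.caps)})
    if grant.allowed_tools is not None and tool not in grant.allowed_tools:
        return _deny(req_id, "tool not in allowlist", {"tool": tool})

    constraints = grant.arg_constraints.get(tool, {})
    if "path_prefix" in constraints:
        # Normalise before comparing so "/srv/kb/../../etc/passwd" cannot pass.
        path = posixpath.normpath(str(args.get("path", "")))
        if not path.startswith(constraints["path_prefix"]):
            return _deny(req_id, "path outside granted prefix", {"path": path})
    if "cmd_prefix" in constraints:
        if not str(args.get("command", "")).startswith(constraints["cmd_prefix"]):
            return _deny(req_id, "command outside granted prefix")
    return "allow", None


def check_line(agent: str, raw: str):
    """Evaluate one newline-delimited JSON-RPC message as read from a stdio transport."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return _deny(None, "malformed JSON-RPC message")
    return evaluate(agent, msg)


if __name__ == "__main__":
    # Constructed sample message: support-bot attempts a path-traversal read.
    sample = json.dumps({"jsonrpc": "2.0", "id": 7, "method": "tools/call",
                         "params": {"name": "fs.read_file",
                                    "arguments": {"path": "/srv/kb/../../etc/passwd"}}})
    print(check_line("support-bot", sample))
```

Two design points worth noting. The check fails closed on any tool the proxy cannot classify, which is what forces teams to keep the tool-capability table current as servers are added. And the path normalisation is purely lexical: posixpath.normpath does not resolve symlinks, so the file-system server itself must still confine reads to its own root; the proxy check is a second layer, not a replacement.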
The broader AI workflow security market is responding to exactly this pressure. This echoes a pattern AI Shield Daily documented in its Carnival breach analysis — that organizations routinely underestimate the blast radius of a single access-control failure when automated systems, rather than humans, are the initiating actors. AI agents amplify that blast radius by operating continuously, at scale, without fatigue-driven caution.
The AI Angle
The deeper technical story here sits at the intersection of two trends: the explosion of multi-agent orchestration frameworks (LangChain, AutoGen, CrewAI, and their successors) and the rapid standardization of MCP as the tool-connectivity layer underneath all of them. As of June 2, 2026, the MCP registry lists over 2,400 publicly available servers spanning everything from GitHub repository access to Stripe payment execution to internal Postgres query interfaces. Each of those servers, when connected to an agent, extends the agent's effective permission surface into a new domain.
What Noma is building maps conceptually onto what identity providers like Okta or CyberArk do for human users: a centralized plane that answers the question of who (or what) has access to what, and whether it should. The difference is that AI agents don't authenticate the way humans do. They inherit credentials from their runtime environment, act on behalf of whatever principal launched them, and often lack the session boundaries that make human access patterns auditable. Tools like Noma are attempting to impose those boundaries retroactively, at the protocol layer, without requiring agents to be rebuilt from scratch. For teams building on Python-based orchestration stacks, pairing this governance visibility with a working understanding of async tool-calling patterns helps developers write agent code that exposes fewer unintended permission scopes from the start.
What Should You Do? 3 Action Steps
The first step in any AI workflow security program is enumeration: knowing what MCP servers are deployed, who provisioned them, and which agents hold live connections. Start by pulling your container and serverless deployment logs and your agent configuration files and searching for MCP server launch signatures. Stdio-transport servers typically appear as npx or uvx invocations of packages named mcp-server-* or @modelcontextprotocol/server-*, and remote servers as the HTTP endpoints an agent's MCP client config points at. Many teams are surprised to find MCP servers running in environments they didn't explicitly authorize. Document every server, its exposed tool set (the server's own tools/list response is the authoritative source), and the minimum permission scope it actually requires. This inventory becomes the foundation for every governance policy you write afterward. If your team is scaling up AI agent development, a local environment with the orchestration framework's logging hooks enabled lets developers test governance controls before pushing to production.
Today, most organizations ship their LLM inference logs to observability platforms but discard or ignore the tool-call traces: the actual record of what external systems the agent touched, what arguments it passed, and what data it received back. That is the wrong priority ordering. Tool-call traces are the forensic record for agent incidents. Instrument your MCP layer to emit structured logs for every tool invocation: timestamp, agent ID, tool name, input arguments (redacted for PII), output summary, and exit status. Feed those logs into your SIEM with the same retention policy you apply to privileged human access logs. The market for AI security tooling includes purpose-built solutions like Noma, but even a simple structured logger wired to your existing SIEM is vastly better than silence.
The most durable governance intervention happens at agent design time, not at incident response time. Establish an organizational standard requiring every MCP server connection to declare its minimum required scope in a machine-readable manifest, analogous to the permissions manifest in a mobile app. Require code review sign-off before any agent is granted write access to production systems, external APIs with payment or data-modification capabilities, or any store containing PII. Use Noma or equivalent tooling to enforce that declared scopes match runtime behavior, and alert on drift. Teams that build this discipline early find that their AI agents are not just more secure; they're more predictable, which makes debugging tool-call loops and context window blowups significantly faster when they inevitably occur.
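Pulling the three steps together, here is an added example (not Noma's code and not a feature of any MCP SDK; the manifest layout, record field names, redaction patterns and the agent and tool names are all assumptions made for the illustration) that emits one structured, SIEM-ready record per tool call with the fields listed above and flags any call that drifts outside the manifest's declared scope:

```python
"""Manifest-declared scopes checked against observed MCP tool calls, emitting a
SIEM-ready structured record per invocation.

Added example, not Noma's code and not an MCP SDK feature. The manifest layout,
record field names, redaction patterns and agent/tool names are hypothetical.
"""
import hashlib
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Hypothetical machine-readable manifest: the minimum scope an agent declares
# for each MCP server it connects to, signed off in code review before deploy.
MANIFEST = {
    "agent_id": "invoice-reconciler",
    "servers": {
        "postgres-mcp": {"tools": {"db.query": "read"}, "data_classes": ["financial"]},
        "filesystem-mcp": {"tools": {"fs.read_file": "read"}, "data_classes": ["internal"]},
    },
}

# PII-shaped substrings are masked before arguments reach the log store.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

# Fixed timestamp so the sample trace below is reproducible.
SAMPLE_TS = datetime(2026, 6, 2, 12, 0, tzinfo=timezone.utc)


def redact(value):
    """Walk dicts/lists/strings and mask PII-shaped substrings, keeping structure."""
    if isinstance(value, dict):
        return {k: redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        for name, pattern in PII_PATTERNS.items():
            value = pattern.sub(f"<{name}>", value)
    return value


def build_record(manifest, server, tool, arguments, result_text, is_error, ts=None):
    """One structured record per tools/call: who, what, which (redacted) arguments,
    how much came back, whether it failed, and whether the call drifted outside
    the manifest's declared scope."""
    declared_tools = manifest["servers"].get(server, {}).get("tools", {})
    declared_scope = declared_tools.get(tool)
    result_bytes = result_text.encode("utf-8")
    return {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "agent_id": manifest["agent_id"],
        "server": server,
        "tool": tool,
        "declared_scope": declared_scope,
        "arguments": redact(arguments),
        # Summarise output by size and digest instead of storing data returned to the agent.
        "output_bytes": len(result_bytes),
        "output_sha256": hashlib.sha256(result_bytes).hexdigest()[:16],
        "status": "error" if is_error else "ok",
        "drift": declared_scope is None,
    }


def to_log_line(record):
    """Serialise for shipping to a SIEM as newline-delimited JSON."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def drift_report(records):
    """Count calls that hit servers or tools the manifest never declared."""
    return Counter((r["server"], r["tool"]) for r in records if r["drift"])


if __name__ == "__main__":
    # Constructed sample trace: one in-scope read, one undeclared write, one undeclared server.
    records = [
        build_record(MANIFEST, "postgres-mcp", "db.query",
                     {"sql": "select total from invoices where billing_email='jane@example.org'"},
                     "total\n1299.00\n", False, SAMPLE_TS),
        build_record(MANIFEST, "postgres-mcp", "db.execute",
                     {"sql": "delete from invoices where id=17"}, "DELETE 1", False, SAMPLE_TS),
        build_record(MANIFEST, "github-mcp", "create_issue",
                     {"title": "reconcile failed"}, "", True, SAMPLE_TS),
    ]
    for r in records:
        print(to_log_line(r))
    print(dict(drift_report(records)))
```

The output summary deliberately stores a size and a truncated digest rather than the returned data: the record still lets an investigator correlate an exfiltration-sized response or prove two calls returned identical content, without turning the SIEM into a second copy of the customer database. Drift is evaluated against the manifest on every call, so an agent that starts invoking an undeclared tool shows up in the next report rather than at the next incident review.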
Frequently Asked Questions
What is an MCP server and why does it create a security risk for AI agents?
MCP (Model Context Protocol) is an open standard, originally developed by Anthropic and now widely adopted, that defines how AI agents connect to and call external tools — databases, APIs, file systems, code execution environments, and more. The security risk arises because MCP creates a standardized, programmatic bridge between an AI model and real-world systems with real permissions. Unlike a human clicking a button, an agent can invoke an MCP tool call thousands of times per hour, potentially reading sensitive data, modifying records, or triggering downstream actions at a scale and speed that bypasses normal human review checkpoints. Without access governance at the MCP layer, any agent that gains access to a misconfigured server effectively inherits that server's full permission scope.
How does AI agent access governance differ from traditional API security controls?
Traditional API security — rate limiting, API keys, OAuth scopes — was designed assuming a human or a deterministic software process on the other end. AI agents are neither. They generate tool-call arguments dynamically based on LLM reasoning, meaning the inputs to an API can be highly variable and context-dependent in ways static security rules struggle to anticipate. AI agent governance layers like Noma's attempt to address this by adding behavioral analysis on top of credential checks — monitoring not just whether a tool call is authenticated, but whether the pattern of calls across a session is consistent with the agent's declared purpose, flagging anomalies like sudden data exfiltration volume spikes or calls to tools the agent has never used in prior sessions.
Can existing SIEM or CASB tools handle AI agent monitoring without a dedicated solution?
Partially. Existing SIEM (Security Information and Event Management) and CASB (Cloud Access Security Broker) platforms can ingest logs from MCP servers if those servers are instrumented to emit structured events — but most MCP server implementations as of mid-2026 do not emit governance-grade telemetry by default. The deeper gap is context: a SIEM can tell you that an agent made 400 database calls in ten minutes, but it cannot easily tell you whether those calls were in-scope for the agent's task, whether the data returned was subsequently exfiltrated through a different tool, or whether the agent's reasoning chain shows signs of prompt injection manipulation. Dedicated AI agent security platforms are designed to correlate across the full agent session rather than treating each tool call as an independent event.
Is MCP server governance relevant for small teams or only large enterprise AI deployments?
It is relevant at any scale where agents have write access to real systems or access to sensitive data — which describes most production AI deployments regardless of team size. Small teams often face higher risk per-agent because they have fewer layers of compensating controls: no dedicated security team reviewing agent behavior, no change management process gating new MCP server connections, and often a single developer who both builds and deploys the agent. The financial planning parallel holds here too: you do not need to manage a large investment portfolio before basic position-tracking discipline matters. The first time an agent with a misconfigured MCP server deletes production records or leaks customer data, team size does not limit the blast radius.
What are the most common failure modes when AI agents lose access control in production workflows?
Three failure modes dominate incident reports as of mid-2026. First, credential leakage through tool-call arguments: an agent passes an API key or database password as a string argument to a logging or search tool, which stores it in plaintext. Second, tool-call loops with destructive side effects: an agent in a ReAct loop misinterprets an error response as a signal to retry, executing the same write operation dozens or hundreds of times before a human notices. Third, scope creep through chained tool calls: an agent legitimately authorized to read one dataset uses that data as input to a second tool call that touches a system it was never intended to access, effectively traversing permission boundaries through multi-hop reasoning. Governance layers that model the full session graph, rather than evaluating individual calls in isolation, are best positioned to catch the third failure mode before it causes damage.
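To make the three failure modes concrete, here is an added example (not Noma's detection logic; the event format, tool scope metadata, secret patterns, retry threshold and the session trace itself are constructed assumptions) that runs a session-level check for each of them over a constructed tool-call trace, including the provenance edge that links a chained call back to the in-scope read that fed it:

```python
"""Session-level detection of the three failure modes over a constructed trace.

Added example, not Noma's code. The event shape, tool names, scope metadata,
secret patterns and threshold are hypothetical; a real deployment would feed
this the structured tool-call records emitted by its MCP layer.
"""
import json
import re

# Credential formats treated as leaks when they appear inside tool-call arguments.
SECRET_PATTERNS = {
    "stripe_key": re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{8,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{20,}\b"),
    "db_url_password": re.compile(r"postgres(?:ql)?://[^:\s/]+:[^@\s]+@"),
}

# Hypothetical scope metadata for each tool the agent can reach.
TOOL_META = {
    "db.query_orders": {"domain": "orders", "writes": False},
    "db.update_order": {"domain": "orders", "writes": True},
    "log.write": {"domain": "logs", "writes": True},
    "hr.lookup_employee": {"domain": "hr", "writes": False},
}

# Constructed session trace, one record per tools/call, in order.
EVENTS = [
    {"seq": 1, "tool": "db.query_orders",
     "args": {"sql": "select id, customer_email from orders where id=4471"},
     "result": "4471,customer_email=jane@example.org", "status": "ok"},
    {"seq": 2, "tool": "log.write",
     "args": {"message": "connected via postgresql://app:Sup3rSecret@db.internal/orders"},
     "result": "", "status": "ok"},
] + [
    {"seq": n, "tool": "db.update_order", "args": {"id": 4471, "status": "shipped"},
     "result": "deadlock detected", "status": "error"} for n in range(3, 8)
] + [
    {"seq": 8, "tool": "hr.lookup_employee", "args": {"email": "jane@example.org"},
     "result": "jane@example.org,Engineering,manager=bob@example.org", "status": "ok"},
]


def _text(value):
    return json.dumps(value, sort_keys=True)


def _tokens(text):
    """Data-bearing tokens used to link one call's output to a later call's input."""
    return set(re.findall(r"[A-Za-z0-9@._-]{6,}", text))


def detect_secret_leakage(events):
    """Failure mode 1: credentials passed as tool arguments."""
    findings = []
    for ev in events:
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(_text(ev["args"])):
                findings.append({"seq": ev["seq"], "tool": ev["tool"], "secret_type": name})
    return findings


def detect_destructive_retry_loop(events, threshold=5):
    """Failure mode 2: the same write call repeated back to back >= threshold times."""
    findings, run_key, run = [], None, []

    def flush():
        if len(run) >= threshold:
            findings.append({"tool": run[0]["tool"], "first_seq": run[0]["seq"],
                             "count": len(run),
                             "errors": sum(e["status"] == "error" for e in run)})

    for ev in events:
        writes = TOOL_META.get(ev["tool"], {}).get("writes", False)
        key = (ev["tool"], _text(ev["args"])) if writes else None
        if key is not None and key == run_key:
            run.append(ev)
            continue
        flush()
        run_key, run = key, ([ev] if key is not None else [])
    flush()
    return findings


def detect_scope_traversal(events, allowed_domains):
    """Failure mode 3: a call outside the allowed domains whose arguments carry
    data returned by an earlier in-scope call (the multi-hop edge)."""
    seen = {}  # token -> seq of the first call whose output produced it
    findings = []
    for ev in events:
        domain = TOOL_META.get(ev["tool"], {}).get("domain")
        carried = {t: seen[t] for t in _tokens(_text(ev["args"])) if t in seen}
        if domain not in allowed_domains:
            findings.append({"seq": ev["seq"], "tool": ev["tool"], "domain": domain,
                             "tainted_from": sorted(set(carried.values())),
                             "tokens": sorted(carried)})
        for t in _tokens(ev.get("result", "")):
            seen.setdefault(t, ev["seq"])
    return findings


def analyze_session(events, allowed_domains):
    return {
        "secret_leakage": detect_secret_leakage(events),
        "retry_loops": detect_destructive_retry_loop(events),
        "scope_traversal": detect_scope_traversal(events, allowed_domains),
    }


if __name__ == "__main__":
    print(json.dumps(analyze_session(EVENTS, {"orders", "logs"}), indent=2))
```

The third detector is the one a per-call policy check cannot replace: evaluated in isolation, the hr.lookup_employee call at seq 8 is merely out of scope, but tracking the tokens each call returns shows that its argument came from the orders query at seq 1, which is the traversal the text describes. The token-based taint is deliberately coarse (substrings of six or more characters); it trades false positives for catching the common case where the LLM copies a returned value verbatim into the next call.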
Disclaimer: This article is for informational and educational purposes only and does not constitute financial, legal, or security advice. Readers should consult qualified professionals before making decisions based on information presented here. Research based on publicly available sources current as of June 2, 2026.