The AI agent gold rush has a security problem. Three separate research efforts dropped this week to prove it.

Doyensec found systematic auth flaws in the Model Context Protocol, the standard way AI agents connect to tools and data. Thirty-eight researchers spent two weeks breaking AI agents in a structured red team exercise called “Agents of Chaos.” And an academic study showed LLMs can strip pseudonymity from social media users at scale with unsettling accuracy.

These aren’t three unrelated stories. They’re three angles on the same reality: the AI ecosystem is deploying faster than it’s securing.

MCP: The Plumbing Has Leaks

MCP, developed by Anthropic and widely adopted across the AI agent ecosystem, is the protocol that lets AI agents talk to external tools, APIs, and data sources. When your AI assistant books a meeting, queries a database, or pushes code, MCP is often what’s making that happen.

Doyensec’s research found that MCP implementations have fundamental auth weaknesses. Not edge cases. Not config mistakes. Systemic flaws that suggest the protocol’s security model was an afterthought.

MCP sits in a position of trust: it brokers the agent’s access to tools and data. If the auth layer is broken, an attacker who can influence the agent’s context, through prompt injection or a compromised integration, can escalate privileges, steal data, or hijack agent actions.

If your AI vendor can’t clearly explain how its MCP integration handles authentication and authorization, that’s your answer.

Agents of Chaos: What Breaks When You Push

The “Agents of Chaos” paper is the most comprehensive public red team exercise targeting AI agents to date. What broke? Prompt injection defenses. Access control enforcement. Tool-use boundaries. Researchers got AI agents to execute unintended tool calls, access data outside their authorized scope, and make decisions their operators never intended.

The agents didn’t fail because of exotic attacks. They failed because their safety assumptions were too optimistic for adversarial conditions.

The takeaway isn’t “don’t deploy AI agents.” It’s “deploy them with the same security rigor you’d apply to any new infrastructure.” Threat model the agent’s capabilities. Test it adversarially before production. Monitor it for weird tool use. And assume prompt injection is a real, exploitable vulnerability class until proven otherwise.

LLM Deanonymization: Capabilities Outrunning Privacy

The third piece comes from a different direction. Research covered by Ars Technica shows LLMs can identify pseudonymous social media users by analyzing writing patterns and cross-platform behavior. At scale. With surprising accuracy.

Pseudonymity has been a cornerstone of online safety for journalists, activists, and abuse survivors. If an LLM can reliably pierce that veil using publicly available data, the threat model for anyone depending on anonymity just changed.

What to Do About It

If your organization deploys AI agents, three things should happen this week:

  1. Audit MCP implementations for auth controls. If you don’t know whether your agents use MCP, find out.
  2. Red team your agents before an attacker does. Test for prompt injection, tool misuse, and scope violations.
  3. Treat AI agent infrastructure like cloud infrastructure. Same access controls. Same monitoring. Same incident response planning.
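The “Agents of Chaos” takeaways above (threat model the agent’s capabilities, monitor for weird tool use) and steps 1 and 2 of this list both come down to the same operator-side control: decide, outside the model, which tools an agent may call and with what arguments, and re-check the tool-call log against that policy. The following is an added example of such a control, not code from the article, from Doyensec, or from any MCP implementation. The agent names, tool names, path prefixes and log lines are constructed for illustration.

```python
"""Per-agent tool-call scope enforcement and log auditing.

Added example; not from the article or from any MCP implementation.
Agent names, tool names, path prefixes and log lines are constructed.
"""
import json
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentPolicy:
    """What one agent may do, decided by its operator, never by the model."""
    agent_id: str
    allowed_tools: frozenset        # exact tool names the agent may call
    allowed_path_prefixes: tuple    # directories that fs.* tools may touch


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Hypothetical policies for two hypothetical agents.
POLICIES = {
    "calendar-assistant": AgentPolicy(
        agent_id="calendar-assistant",
        allowed_tools=frozenset({"calendar.create_event", "calendar.list_events"}),
        allowed_path_prefixes=(),
    ),
    "code-helper": AgentPolicy(
        agent_id="code-helper",
        allowed_tools=frozenset({"fs.read_file", "fs.write_file", "git.commit"}),
        allowed_path_prefixes=("/workspace/project/",),
    ),
}


def authorize_tool_call(policy, tool, args):
    """Decide whether one tool call is inside the agent's authorized scope.

    Deny by default: anything the policy does not explicitly allow is rejected,
    regardless of what the model's context says it needs.
    """
    if tool not in policy.allowed_tools:
        return Decision(False, f"tool {tool!r} not in allowlist for {policy.agent_id!r}")
    if tool.startswith("fs."):
        raw = args.get("path", "")
        # Compare the canonical path, not the literal string, so '..' segments
        # cannot walk out of the permitted tree.
        path = posixpath.normpath(raw)
        if not path.startswith("/"):
            return Decision(False, f"relative path {raw!r} rejected; absolute paths only")
        inside = any((path + "/").startswith(p) for p in policy.allowed_path_prefixes)
        if not inside:
            return Decision(False, f"path {raw!r} resolves to {path!r}, outside scope")
    return Decision(True, "ok")


def audit_log(lines):
    """Re-evaluate recorded tool calls against policy; return the ones that
    should never have been allowed. This is one concrete form of 'monitor
    for weird tool use': run it over the platform's tool-call log."""
    alerts = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            alerts.append({"line": n, "agent": None, "tool": None, "reason": "unparseable log line"})
            continue
        agent = event.get("agent")
        tool = event.get("tool", "")
        args = event.get("args") or {}
        policy = POLICIES.get(agent)
        if policy is None:
            decision = Decision(False, f"no policy registered for agent {agent!r}")
        else:
            decision = authorize_tool_call(policy, tool, args)
        if not decision.allowed:
            alerts.append({"line": n, "agent": agent, "tool": tool, "reason": decision.reason})
    return alerts


# Constructed tool-call log lines (one JSON object per line).
SAMPLE_LOG = [
    '{"ts": "2025-01-01T10:00:00Z", "agent": "code-helper", "tool": "fs.read_file", "args": {"path": "/workspace/project/src/main.py"}}',
    '{"ts": "2025-01-01T10:00:05Z", "agent": "code-helper", "tool": "fs.read_file", "args": {"path": "/workspace/project/../other-tenant/config.yml"}}',
    '{"ts": "2025-01-01T10:01:00Z", "agent": "calendar-assistant", "tool": "fs.read_file", "args": {"path": "/workspace/project/notes.md"}}',
    '{"ts": "2025-01-01T10:02:00Z", "agent": "code-helper", "tool": "git.commit", "args": {"message": "wip"}}',
    '{"ts": "2025-01-01T10:03:00Z", "agent": "unknown-agent", "tool": "calendar.list_events", "args": {}}',
    'garbage that is not json',
]

if __name__ == "__main__":
    for alert in audit_log(SAMPLE_LOG):
        print(f"line {alert['line']}: agent={alert['agent']} tool={alert['tool']} -> {alert['reason']}")
```

The policy is keyed by the agent’s identity, not by anything in the prompt, so a prompt injection that persuades the model to call a tool it was never granted still fails at `authorize_tool_call`. Running `audit_log` over a day’s tool-call log answers the question in step 2 directly: which calls crossed a scope boundary, and from which agent. Unparseable lines and unregistered agents are alerted rather than skipped, because a missing policy is itself a finding.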

The research is in. The vulnerabilities are documented. The only question is whether you address them before or after something goes wrong.


Read the full post on gNerdSec