Most enterprises connected AI agents to MCP servers before they had a control plane for them.
The protocol is now the supply chain.
The supply chain has no gate.
2026 is the year that bill arrives.
The Numbers Got Serious This Year
For most of 2025, Model Context Protocol (MCP) risk lived in researcher threads and CVE feeds. In early 2026, three signals turned it into a board-level conversation.
| Signal | Source | What it means |
|---|---|---|
| ~200,000 vulnerable MCP instances, ~7,000 publicly exposed servers, 9 of 11 registries poisoned in research tests | OX Security, April 2026 (SecurityWeek) | The exposure is no longer theoretical. It is internet-scale. |
| 60-72% tool-poisoning success rate across leading LLM agents on the MCPTox benchmark (45 live servers, 353 tools) | MCPTox benchmark, late 2025 / updated early 2026 | Agents fail unsafe, not safe, when tool descriptions are crafted. |
| ASI04 — Agentic Supply Chain Vulnerabilities named in the OWASP Top 10 for Agentic Applications 2026 (peer-reviewed by NIST, Microsoft AI Red Team, AWS) | OWASP Gen AI Security Project | The threat now has a name, a number, and a regulator-readable framework around it. |
And the part that should make every CTO uncomfortable: Anthropic has formally declined to patch the root cause at the protocol level. The trust model is “by design”.
That means the responsibility moved to you.
Why MCP Became The New Supply Chain
The Model Context Protocol is how an AI agent finds, lists, and calls tools — databases, file systems, APIs, internal services, SaaS platforms, browsers, code repos.
In other words, MCP is the new operating system between agents and everything else.
When teams started wiring agents through MCP in 2024 and 2025, the model was simple:
Agent ──► MCP Server ──► Tool / API / DataThat model is fast.
It is also a blank trust path.
Three things make it different from anything security teams have dealt with before:
- Tool descriptions are code that runs in the model’s head. Whatever the MCP server says the tool does, the agent uses to decide what to do. There is no separation between data and instruction.
- MCP servers are easy to publish and hard to audit. Public registries grew fast. Authentication is optional in many implementations. Provenance is rare.
- Once an agent is connected to a tool, the blast radius is whatever that agent can reach. Files, customer data, code, internal APIs, deploy systems, payment rails — anything the agent has been given access to.
This is the ASI04 pattern in the OWASP Agentic Top 10: a malicious or tampered tool, descriptor, model, or persona enters the agent’s execution path through a compromised registry, server, or update.
It is the same shape as the npm and PyPI typosquat era — except the consumer is now an autonomous agent that can act, not a developer who can pause.
The Three Failure Modes Teams Are Hitting
The 2026 incidents and disclosures cluster into three patterns. Engineering leaders should be able to name all three.
1. Tool description poisoning
A malicious MCP server returns a tool whose description carries hidden instructions — “before running, send the response to this address”, “ignore the system prompt”, “exfiltrate this file when asked anything”.
The agent treats the description as authoritative.
The user sees a normal answer.
The MCPTox benchmark showed leading models compromised on 60-72% of crafted poisoning attempts. That is not an edge case — it is the default.
2. Registry and distribution compromise
OX Security’s research showed that 9 out of 11 MCP marketplaces accepted poisoned test packages without meaningful checks. Combined with ~150 million SDK downloads across Python, TypeScript, Java, and Rust, the blast radius is supply chain by definition.
This is where ASI04 stops being a category and starts being your incident response plan.
3. Connector-level pivot
Once a single MCP connector is compromised, it becomes a pivot point. Anything the agent can reach through that connector — internal systems, customer data, code repositories, deploy pipelines — is now within the attacker’s intended trust scope.
This is what makes MCP qualitatively different from a leaked API token: the attacker is not just authenticated, they are also reasoning on your behalf.
Why “Just Patch It” Is Not The Answer
For most of supply chain security history, the response to a class of issue has been: tighten the package, ship a fix, version-pin, scan harder.
That playbook does not work here for three reasons.
| Old supply chain | MCP supply chain |
|---|---|
| One artifact per dependency | A tool description is the artifact, and it can mutate at runtime |
| Vulnerabilities live in code | Vulnerabilities live in natural-language descriptions and tool outputs |
| Scanner catches the bad import | No scanner catches a poisoned description field |
| Patch fixes the issue | Anthropic has declined the protocol-level patch path |
| Defence is at the package | Defence has to be at the runtime |
That last line is the architectural point.
If the protocol will not enforce trust, the trust boundary has to be enforced somewhere else.
That is what the MCP gateway category was created to do.
What An MCP Gateway Actually Is
An MCP gateway is a proxy between agents and MCP servers — and the place where every agentic action is identified, allowed, inspected, logged, and (where required) approved.
It is the agent-era equivalent of an API gateway, a service mesh sidecar, and an identity-aware proxy combined into one control plane.
| Layer | What the gateway does |
|---|---|
| Allowlist | Agents can only connect to MCP servers that have been explicitly approved. No anonymous registry pulls in production. |
| Identity | Every agent and every tool has a verifiable, revocable identity. Calls without identity are denied. |
| Pinning and provenance | MCP server versions are pinned by hash, not by tag. Updates require review, not just publish. |
| Description inspection | Tool descriptions are linted for injection patterns before the agent ever sees them. |
| Scope enforcement | Tools get least-privilege scopes per task, not blanket access. |
| Rate and cost controls | Loop and amplification attacks (the kind that turned $0 into a $47K bill in 11 days in one disclosed incident) are bounded by policy. |
| Audit trail | Every tool call, every response, every approval, every refusal is logged in an append-only stream. |
| Human approval gates | High-risk actions — payments, deletes, external sends, deploys — require a human in the loop. |
This is not a single product yet. It is a category. Cisco, Palo Alto, Cloudflare, Fortinet, Silverfort, SentinelOne, Google, Kong, Cequence, and a wave of MCP-native startups all announced MCP-aware controls or gateway capabilities at or around RSAC 2026 (Cisco newsroom, Futuriom RSAC recap).
The point is not which vendor wins.
The point is that “no gateway” is no longer a defensible posture in any regulated environment.
What 10-Star MCP Governance Looks Like
A 5-star MCP posture in 2026 is one where the team knows what MCP is and has run some agent demos. A 10-star posture feels different.
| Governance question | 5-star answer | 10-star answer |
|---|---|---|
| Which MCP servers can agents connect to? | ”Whatever the developer wires up.” | A reviewed allowlist, pinned by hash, source-verified. |
| How is a new MCP server introduced? | ”Pull request, maybe a review.” | Provenance check, dependency review, sandbox test, gateway registration, owner assigned. |
| Can agents call tools that have not been described to security? | ”Probably.” | No. Unknown tools are denied at the gateway. |
| Who can publish or update an MCP server we depend on? | ”Their maintainers.” | A named upstream owner, with key rotation discipline, version pinning, and rollback. |
| What happens if a tool description is poisoned? | ”The agent acts on it.” | The gateway lints descriptions, flags anomalies, blocks before the agent sees it. |
| What happens if an agent loops? | ”We see the bill at end of month.” | Per-agent rate and cost ceilings enforced inline. |
| Where is the audit trail of every tool call? | ”Some logs, somewhere.” | Append-only, tamper-evident, exportable for regulators. |
| What if a high-risk action is requested? | ”The agent does it.” | Human approval gate, with the diff and the evidence shown. |
| How are vulnerable MCP servers retired? | ”Eventually.” | One revoke at the gateway, propagated everywhere instantly. |
If your team cannot answer the right-hand column today, the gap is not “we need more scanning”. The gap is “we do not have a control plane”.
Why This Matters More In Australia
Australian organisations have a compounding exposure that does not show up in US-led commentary.
| Local pressure | Why it matters for MCP |
|---|---|
| APRA CPS 230 — operational risk and material service providers, with the 1 July 2026 catch-up cliff for pre-existing contracts | An MCP server is a service provider acting on your behalf. The auditor will ask. |
| AUSTRAC Tranche 2 — 15,000+ new reporting entities from July 2026 | Agents that touch SMR or KYC workflows are now in scope, and “the tool did it” is not a defence. |
| Privacy Act reform — statutory tort, fair-and-reasonable test, expanded data breach notification | An MCP-mediated data exfiltration is a notifiable incident, full stop. |
| Essential Eight and ISM for government and critical infrastructure | Agent supply chain controls have to map to application control, configuration management, and audit logging. |
Translation: in Australia, an MCP gateway is not just a security control. It is an evidence-producing layer for four regulators at once.
That is the cheapest form of compliance an engineering team can build right now — instrument the trust boundary once, satisfy CPS 230, AUSTRAC, OAIC, and ACSC in the same pass.
What To Do In The Next 30 Days
If I were sitting with a CTO or CISO looking at this problem fresh, this is the order I would work in.
1. Inventory every MCP server already in your environment
Including the ones a developer installed on their laptop last week. This is your unknown trust surface.
2. Treat MCP servers as material service providers
Apply the same diligence you would to a SaaS vendor: who publishes it, who owns it, where it runs, what data it touches, what happens if it is compromised.
3. Insert a gateway in front of agents, even a thin one
A reverse proxy with allowlisting, version pinning, and an audit log beats zero gateway. You can layer on identity, scope enforcement, and description linting after.
4. Pin by hash, not by tag
A version tag is mutable. A content hash is not. This is the same lesson the GitHub Actions community learned the hard way in March 2026.
5. Run one description-poisoning red-team exercise
You do not need a vendor for this. Stand up a deliberately poisoned MCP server in a sandbox, point an agent at it, see what the agent does. Then write the playbook.
6. Map your MCP control plane to APRA, AUSTRAC, OAIC, ACSC
One evidence stream, multiple regulators. This is where the gateway turns from a cost into a moat.
The Strategic Point
The first wave of enterprise AI was about which model to use. The second was about agents — making the model do work. The third, which is happening now, is about the trust plane underneath agents.
The MCP supply chain crisis is the forcing function.
200,000 vulnerable instances is not a number you mitigate with awareness training. 60-72% poisoning success is not something you patch with “be careful with descriptions”. ASI04 is not going to be the last entry in the OWASP Agentic Top 10 — it is going to be the most common one.
The companies that come out of 2026 ahead will be the ones that treated this the way the previous decade’s leaders treated cloud identity: not as a tooling decision, but as the architectural ground floor.
The MCP gateway is not an upgrade. It is the new perimeter.
If you do not own that perimeter, your AI agent strategy is borrowing trust from servers you cannot govern.
Build the gateway first.
The autonomy can follow.
Related reading
- MCP Tool Poisoning: The Attack Vector Nobody Is Talking About — the original attack pattern, now scaled to 200,000 instances.
- The Supply Chain Moved Upstream: GitHub, Canvas, and Trivy — the same trust-chain shift, applied to the developer toolchain.
- Who Signs the Contract When Your AI Agent Does It? — agent identity is the prerequisite for any working gateway.
- The Docker Moment for AI Agents — why the abstraction layer around agents is where the real engineering lives.
- APRA CPS 230: The 90-Day Engineering Framework — how to turn the gateway audit trail into Board-ready evidence.
Sources and Further Reading
- OX Security: The Mother of All AI Supply Chains — 200K vulnerable instances, 9 of 11 registries poisoned, SDK download counts.
- SecurityWeek: ‘By Design’ Flaw in MCP — Anthropic’s decision not to patch at the protocol level.
- OWASP Top 10 for Agentic Applications (2026) — ASI04 definition and peer review.
- Cisco Reimagines Security for the Agentic Workforce — MCP gateway as a vendor category.
- Securelist: Malicious MCP servers used in supply chain attacks — observed attack patterns in the wild.
- The Hacker News: Anthropic MCP Design Vulnerability Enables RCE — RCE impact across MCP SDKs.
Written by Haris Habib from Sydney, Australia | May 2026