In a controlled test, a single fake error report was able to commandeer Claude Code, executing the attacker’s code with full developer privileges without triggering any alerts. EDR, WAF, IAM, and firewalls failed to detect the intrusion.
In June, Tenet Security revealed details in an agentjacking disclosure, explaining how a specially crafted Sentry error event was used. This event, sent using a public credential that required no breach or authentication, allowed attacker instructions to be injected into error data. Claude Code, along with Cursor and Codex, executed these instructions as if they were trusted diagnostic outputs. Tenet’s testing across more than 100 targets achieved an 85% success rate. Sentry deemed the flaw “technically not defensible.”
Within days of this disclosure, the Cloud Security Alliance categorized agentjacking as a systemic MCP vulnerability class. No credentials were stolen, no policies violated, and no perimeters breached; every step in the attack was authorized, and that is precisely the problem.
Tenet identified 2,388 organizations with publicly exposed Sentry credentials that could be used to send malicious events at scale. The research is a proof of concept; exploitation has not been confirmed across those 2,388 organizations. One compromised Claude Code environment, however, contained a live AWS secret access key and private repository URLs.
The scope of the test indicates that if your AI coding agents are linked to Sentry, Datadog, PagerDuty, Jira, or any other trusted MCP-connected data source, and those agents can run shell commands, your stack shares the same vulnerability.
Organizations utilizing Sentry should immediately audit all publicly exposed DSNs. Since Sentry’s architecture deliberately makes DSN credentials public for frontend error reporting, mitigation should focus on limiting what agents can do with the returned data, rather than revoking the DSN.
Why your stack can’t see it
Agentjacking succeeds because every step is authorized. An attacker sends a legitimate Sentry API call with a public DSN, the MCP server then returns the injected event as authentic output, and the agent executes the instructions with the developer’s privileges. No alerts are triggered, and the victim only sees benign diagnostics while the agent quietly exposes cloud credentials and source-control tokens.
SOC teams traditionally haven’t needed to differentiate between a developer running an npm install and an agent executing that command in response to a malicious error event. This distinction did not exist until AI coding agents became mainstream tools. The stack that can’t make this distinction is the one vulnerable to agentjacking.
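The mitigation the article points at (limit what the agent may do with data returned by Sentry-style sources, and make every agent action attributable) can be enforced at the tool boundary. The sketch below is an added example, not Tenet's, Sentry's or any vendor's code; the source names, the read-only allowlist and the agent identity string are assumptions, and the Sentry event is constructed.

```python
from dataclasses import dataclass, field
import shlex

# Assumed MCP data sources whose content an outsider can influence without
# authentication (the article's trusted-but-untrustworthy diagnostic inputs).
UNTRUSTED_SOURCES = {"sentry", "datadog", "pagerduty", "jira"}
# Hypothetical allowlist of read-only commands permitted even with untrusted data in context.
READ_ONLY = {"git status", "git diff", "git log", "ls"}


@dataclass
class AgentSession:
    agent_id: str                                     # identity the SOC can attribute actions to
    taint_origin: list = field(default_factory=list)  # untrusted sources seen so far
    audit: list = field(default_factory=list)         # attributable record of every decision


def ingest_tool_result(session, source, payload):
    """Wrap a tool result as labelled data; an untrusted source taints the session."""
    untrusted = source in UNTRUSTED_SOURCES
    if untrusted:
        session.taint_origin.append(source)
    return {"source": source, "untrusted": untrusted, "data": payload}


def gate_shell_command(session, cmd, approved_by=None):
    """Return (allowed, reason); tainted sessions need a human for non-read-only commands."""
    argv = shlex.split(cmd)
    if not argv:
        return False, "empty command"
    read_only = argv[0] in READ_ONLY or " ".join(argv[:2]) in READ_ONLY
    if read_only:
        allowed, reason = True, "read-only command"
    elif not session.taint_origin:
        allowed, reason = True, "no untrusted data in context"
    elif approved_by:
        allowed, reason = True, f"approved by {approved_by}"
    else:
        allowed, reason = False, f"blocked: context tainted by {session.taint_origin}"
    session.audit.append({"agent": session.agent_id, "cmd": cmd, "allowed": allowed,
                          "reason": reason, "approved_by": approved_by})
    return allowed, reason


def demo():
    """Constructed walk-through: a Sentry event enters context, then the agent wants a shell."""
    s = AgentSession(agent_id="claude-code:dev-laptop-42")      # constructed identity
    event = {"title": "TypeError in checkout.js", "message": "Cannot read 'id' of undefined"}
    ingest_tool_result(s, "sentry", event)                      # event content stays data
    return [gate_shell_command(s, "git status")[0],
            gate_shell_command(s, "npm install left-pad")[0],
            gate_shell_command(s, "npm install left-pad", approved_by="dev@corp.example")[0]]
```

The gate keys on data flow, not on what the event text says, so it does not depend on recognising a particular injection; the audit list is what lets a SOC later tell an agent-run `npm install` from a developer's.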
Five surveys, one pattern
Five surveys conducted in the first half of 2026 revealed that enterprises place more trust in their AI agents than their security measures warrant.
According to an Okta/Apprize360 survey of 292 executives and 492 knowledge workers, only 34% of organizations apply the same security controls to AI agents as they do to humans. Fifty-two percent of employees use unauthorized AI tools, and 58% of executives reported encountering an AI-related incident or close call in the previous year.
In HiddenLayer’s 2026 AI Threat Landscape Report, 250 IT and security leaders were surveyed: 33% reported agents had already operated beyond their intended scope, and 31% could not confirm whether they had experienced an AI breach. One in eight AI breaches was linked to agentic systems.
Gravitee’s survey of over 900 executives and practitioners found only 14.4% of agents received full security approval before going live, and 88% reported confirmed or suspected incidents. In a follow-up with 750 leaders in April, it was found that agent estates had doubled while monitoring remained stagnant.
The runtime gap nobody closed
“Securing agents is akin to securing highly privileged users,” remarked Elia Zaitsev, CTO of CrowdStrike, in a conversation with VentureBeat. “They possess identities, access to underlying systems, they reason, they act.”
Zaitsev highlighted an industry oversight: “Nobody was discussing securing agents during runtime. We are addressing that now. What is your safety net? If all controls fail, how do you prevent silent failures?”
Data from CrowdStrike’s fleet shows more than 1,800 agentic applications on enterprise endpoints, with about 160 million instances being monitored. On June 15, CrowdStrike introduced Continuous Identity for AI Agents at Identiverse, transitioning from static policies to continuous enforcement, which verifies every agent action in real-time. This control class, reflecting continuous action-level authorization with agent identity verification, is now a baseline procurement criterion across vendors.
Zaitsev noted, “Many have overlooked runtime security. We addressed this with endpoints, virtualization, and cloud. People concentrated on patching vulnerabilities and locking permissions. Somehow, something always gets missed. The safety net is runtime.”
He also criticized sandbox approaches: “Starting with an agent in a sandbox that lacks the ability to interact with anything is futile. Quickly, you’re compelled to grant more capabilities. And then, what’s the point of your sandbox?” Agents derive value from access, and each access grant enlarges the attack surface.
The governance gap is a budget problem
Kayne McGladrey, an IEEE Senior Member, explained a structural challenge in an exclusive interview with VentureBeat. “The CISO lacks both budget and personnel. We can observe risks, provide advice on business risks, but we don’t own the business systems impacted by those risks,” McGladrey stated. When agent governance spans six departmental budgets, no single executive can confirm whether agents undergo the same access reviews as humans.
The Okta survey highlights this disconnect. Only 43% of workers find agent policies clear, compared to 65% of executives, and nearly two-thirds apply weaker controls to agents than to humans. Those deploying agents daily do not recognize the governance framework their leadership asserts.
Assaf Keren, chief security officer at Qualtrics and former CISO at PayPal, clearly stated, “The real risk arises not from AI systems’ implementation. It’s rooted in a poorly established baseline architecture. When an AI system is layered on something inadequately architected, it exacerbates the fractures.” Keren identified runtime behavior analytics as “an unresolved issue currently.”
The 5-question gap test
Drawing from five surveys conducted in the first half of 2026, the five-question gap test identifies vulnerabilities that agentjacking exploits. Conduct this test before any Q3 vendor evaluation.
| Gap to test | The proof | What breaks | Monday action | Source / sample |
|---|---|---|---|---|
| 1. Agent inventory. What percentage of agents, MCP connections, and LLM automations completed security review before deployment? | 14.4% receive full security/IT approval before deployment. 52% of employees use unauthorized AI tools. The average enterprise now manages over 37 deployed agents, nearly doubling since Q4 2025. | Unapproved agents remain invisible to your identity platform and unaccounted for in breach disclosures. Agentjacking specifically targets these unmanaged MCP connections. Without a census, there is no audit trail for regulatory response. | Initiate a comprehensive agent, MCP server, and LLM automation census. Make census completion a procurement requirement for all Q3 vendor evaluations. Treat any agent discovered after the census as a shadow AI incident. | Gravitee State of AI Agent Security 2026, 900+ respondents (Feb 2026); Gravitee April 2026 update, 750 senior tech leaders; Okta/Apprize360, 292 executives + 492 workers (June 2026) |
| 2. Controls parity. Do agents receive the same access reviews, privilege scoping, and revocation timelines as human employees? | 34% consistently apply the same controls to agents as to humans. 61% of privileged access occurs without proper review. Only 22% treat agents as independent identity-bearing entities. | An agent with a static OAuth token and no review cycle is a permanent privileged account without an expiration date. Agentjacking inherits the developer's privileges. 45.6% of organizations rely on shared API keys for agent-to-agent authentication. | Include every production agent in the next access review cycle. Require human oversight for any agent action involving PII, financial data, or production infrastructure. Replace shared API keys with scoped, short-lived tokens. | Okta/Apprize360 (784 respondents, June 2026); Palo Alto Networks (2,930 respondents); Gravitee (900+, shared API keys data) |
| 3. Scope drift. Have any agents accessed data or systems beyond their defined scope in the last 12 months? | 33% report agents have already exceeded scope. 53% say agents occasionally or sometimes exceed permissions. Meta Sev 1, March 2026: an agent posted sensitive data to an unauthorized channel. Only 8% say agents never exceed intended permissions. | Scope drift triggers reportable events under GDPR, CCPA, HIPAA, and SEC cybersecurity regulations. If detection cannot differentiate agent-initiated from human-initiated access, disclosure timelines become unattainable. Agent-spawned sub-agents (25.5% of deployed agents can create other agents) make audit trails far harder to reconstruct. | Conduct a 90-day scope-drift audit on every production agent. Compare actual resources accessed against approved scope documentation. Prohibit agent-to-agent delegation without explicit human approval for actions exceeding the parent agent's scope. | HiddenLayer AI Threat Landscape 2026 (250 IT/security leaders); CSA AI Agent Security Survey (scope violations data); Gravitee (agent spawning data) |
| 4. Governance perception gap. Would 50 knowledge workers say your AI agent policies are clear? | 22-point gap: 65% of executives find policies clear, while only 43% of workers agree. 77% of security teams see shadow AI risk but lack the visibility to act. 76% consider shadow AI a definite or probable issue. | You are assessing vendors against a governance framework your workforce does not recognize. Each shadow agent undermines the vendor comparison. Knowledge workers share internal messages (54%), HR data (45%), and confidential documents (39%) with unauthorized AI tools. | Conduct a one-question survey before your next vendor demo. If the gap exceeds 15 points, halt procurement. Publish an internal AI agent acceptable-use policy with specific examples of approved and prohibited agent behaviors. | Okta/Apprize360 (784 respondents, June 2026); Ivanti 2026 AI Maturity Report (1,200 respondents); HiddenLayer (shadow AI data) |
| 5. Breach detection certainty. Can your security team confirm whether you experienced an AI-related breach in the last 12 months? | 31% cannot confirm. 88% reported confirmed or suspected AI agent security incidents. One in eight AI breaches is now associated with agentic systems. Agentjacking demonstrated that EDR, WAF, IAM, and firewalls allow an agent-mediated attack without any alert. | No foundation for disclosure timelines. No evidence chain for incident response. No defensible position in a regulatory investigation. EU AI Act high-risk compliance obligations take effect August 2, 2026. | Demand agent-specific runtime detection as a procurement prerequisite. Ensure your organization can differentiate agent-initiated actions from human-initiated actions in production telemetry. Test your SOC's ability to attribute a specific action to a specific agent within 60 minutes. | HiddenLayer (250 IT/security leaders); Gravitee (900+, incident rate); Tenet Security (2,388 organizations exposed); CSA (systemic MCP vulnerability classification) |
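Row 5's Monday action asks whether your telemetry can tell an agent-initiated action from a human one and attribute it to a specific agent. The following is an added example of that attribution over process-start telemetry; it is not from the article or any vendor, the agent process names, the installer list and the sensitive-path patterns are assumptions, and the telemetry is constructed.

```python
import csv
import io

AGENT_BINARIES = {"claude", "cursor", "codex"}   # assumed agent process names
INSTALLERS = {"npm", "pip", "pip3", "curl"}       # assumed review-worthy tools
SENSITIVE_PATHS = ("/.aws/", ".git-credentials", ".env")

# Constructed process-start telemetry for one developer laptop (not real data).
TELEMETRY = """ts,pid,ppid,comm,cmdline
10:00:01,100,1,gnome-terminal,gnome-terminal
10:00:02,200,100,bash,bash
10:00:05,300,200,npm,npm install express
10:01:00,400,200,claude,claude
10:01:30,500,400,sh,sh -c npm install left-pad
10:01:31,600,500,npm,npm install left-pad
10:01:40,700,400,cat,cat ~/.aws/credentials
"""


def parse(text):
    """Index telemetry rows by pid with integer pid/ppid."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["pid"], row["ppid"] = int(row["pid"]), int(row["ppid"])
        procs[row["pid"]] = row
    return procs


def initiator(procs, pid):
    """Walk the process ancestry; return the nearest agent pid, or None if human-initiated."""
    cur = procs.get(pid)
    while cur is not None:
        if cur["comm"] in AGENT_BINARIES:
            return cur["pid"]
        cur = procs.get(cur["ppid"])
    return None


def detect(procs):
    """Return agent-initiated installs or credential-file reads, each attributed to its agent."""
    alerts = []
    for pid, p in sorted(procs.items()):
        agent = initiator(procs, pid)
        if agent is None or agent == pid:
            continue  # human-initiated, or the agent process itself
        if p["comm"] in INSTALLERS or any(s in p["cmdline"] for s in SENSITIVE_PATHS):
            alerts.append({"ts": p["ts"], "pid": pid, "agent_pid": agent,
                           "agent": procs[agent]["comm"], "cmdline": p["cmdline"]})
    return alerts


PROCS = parse(TELEMETRY)
```

The developer's own `npm install express` (pid 300) is left alone; the same command under the agent's process tree (pid 600) and the agent's credential-file read (pid 700) are both attributed to agent pid 400, which is the distinction the article says most stacks cannot currently make.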
Security director action plan
EU AI Act high-risk compliance obligations will be enforced on August 2, 2026. Consider this in your Q3 planning.
- Conduct the five-question gap test before any Q3 vendor evaluation. It is cost-free, and the procurement clarity it provides far outweighs the 30 minutes it requires.
- Consider implementing agent-specific runtime detection. If your stack cannot differentiate between agent and developer actions, it will be as vulnerable to agentjacking as every layer in Tenet's testing was. This distinction is now crucial.
- Treat every agent as a privileged insider. According to the Okta/Apprize360 survey, only 34% of organizations apply the same controls to agents as to humans; bridging this gap is the most impactful action for security teams this quarter.
- Test the perception gap before investing in new tools. Pose a single question to 50 knowledge workers: Do you know your company's AI agent policies? If the gap between their response and leadership's exceeds 15 points, address this issue first. No vendor product can rectify a governance posture unrecognized by your workforce.
- Make agent census completion a procurement requirement: every agent, every MCP connection. Security teams that excel started with a comprehensive inventory and progressed from there.
Agentjacking has challenged a long-standing assumption in security architectures since the first firewall was implemented. Authorization does not equate to safety. When every step in the process is legitimate, the critical defense is monitoring what agents do, not what policies dictate.