AI security is moving down into the tool layer. The model still matters, but the dangerous surface is increasingly what the agent can call: MCP servers, plugins, shell adapters, browser tools, data connectors, package managers, cloud credentials, and internal APIs.
What Is Happening
servers, open browsers, create pull requests, edit files, and touch SaaS systems. Prompt injection becomes more serious when the next step is an unauthorized tool call rather than a bad answer.
GitHub has already moved security checks closer to the agent workflow. Its May 2026 changelog says secret scanning with the GitHub MCP Server is generally available, and dependency scanning with the GitHub MCP Server is in public preview. GitHub’s docs frame MCP secret scanning as a pre-commit safety check for AI coding agents.
Anthropic’s Claude Code security docs also make the boundary clear: MCP servers are configured by users and third parties, so teams need to review them rather than assume the model provider audits every tool. OWASP’s Top 10 for Agentic Applications adds a broader taxonomy for 2026, including risks around tool misuse, excessive agency, identity, memory, and supply-chain dependencies.
Why It Matters
The old question was “can the model be tricked?” The new question is “what authority does the agent have after it is tricked?”
A malicious document, issue, repository, website, dependency, or support ticket can steer an agent into calling a tool it should not call. If that tool can read secrets, mutate files, open network paths, install packages, or deploy code, the incident becomes a real compromise.
Who Is Winning
Security-first coding platforms, MCP gateways, sandboxed runtimes, and tools with clear permission boundaries gain importance. GitHub’s MCP scanning path matters because it brings secret and dependency checks into the same surfaces where developers ask agents to work. Products that expose per-tool allowlists, read/write splits, approval prompts, and audit trails become easier to approve for teams.
Products that auto-enable broad local access, hide connector permissions, or treat MCP servers as harmless plugins will become harder to recommend.
Buyer Checklist
| Review area | What to ask |
|---|---|
| MCP inventory | Which MCP servers are installed, who approved them, and where are configs stored? |
| Credential scope | Can the agent reach production tokens, cloud keys, package registries, or deployment secrets? |
| Read/write split | Which tools are read-only and which can mutate state? |
| Sandbox boundary | Does the agent run commands in a restricted workspace, VM, container, or production host? |
| Pre-commit checks | Can changed files be scanned for secrets and vulnerable dependencies before commit? |
| Audit trail | Can you attribute every tool call to a user, agent, tool, repo, branch, and credential? |
What To Watch Next
Watch for signed MCP registries, gateway products, stronger default sandboxing, and agent policies that block high-risk tools unless a human approves. Also watch whether security findings become durable records; pre-commit scans are valuable, but they do not replace repository-level alerts and incident response.
AiPedia Take
The AI supply chain now includes every model, tool host, MCP server, plugin, credential, generated dependency, and action the agent can take. If an AI tool can act inside your environment, it belongs in the security review.
Sources
- GitHub Changelog: secret scanning with GitHub MCP Server, verified 2026-06-27.
- GitHub Changelog: dependency scanning with GitHub MCP Server, verified 2026-06-27.
- GitHub Docs: scan for secrets with GitHub MCP Server, verified 2026-06-27.
- Claude Code security docs, verified 2026-06-27.
- OWASP Top 10 for Agentic Applications 2026, verified 2026-06-27.
- OpenAI Agents SDK guardrails, verified 2026-06-27.