Long-form, technically grounded analysis on AI agent security — structural controls, real incidents, and the thinking behind them. No fluff, no hedging.
Six incidents this week. One root cause: agents deployed with no structural limits on what they can reach. Deny-by-default isn't a hardening option — it's the foundation everything else depends on.
One crafted GitHub issue title. One triage bot that couldn't tell the difference between a developer instruction and an attacker payload. One backdoored npm release. Four thousand machines. Clinejection isn't a novel attack — it's a template for what happens when AI dev tooling holds privileged supply chain access and trusts the wrong inputs.
CVE-2026-27825 is CVSS 9.1, public PoC, and two HTTP requests to root shell. Here's exactly how the mcp-atlassian exploit chain works — and what it means for every organization running MCP servers.
Config files execute code. Protocol messages become system commands. Hallucinated package names become malware delivery vectors. Traditional security assumes data and code are different things. AI agents have erased that distinction at every layer — and the industry hasn't caught up.
The principle hasn't changed. The principal has. Here's how to apply least privilege to the three surfaces — data access, action authority, and exfiltration channels — that make AI agents fundamentally different from every principal you've secured before.
Every major AI agent breach in the past year followed the same pattern: behavioral controls, circumvented. The problem isn't the controls — it's the architecture.