This is a Standards Readout accompanying The Policy Layer, Series 5, Post 4. That post maps the four gaps remaining after a correctly deployed enforcement stack — supply chain compromise inside the enforcement boundary, the Viral Agent Loop in dynamically spawned topologies, tool schema poisoning upstream of the graph’s observation points, and policy-compliant exfiltration against a known specification. It closes where this corpus has always closed: the policy layer is necessary, not sufficient, the protocol layer remains open. AIUC-1’s Q2 2026 standard update was published today. It addresses the same threat surface. The structural and probabilistic enforcement framework applied in what follows was developed across the Luminity Digital research corpus — a synthesis of 55+ arXiv publications from 2024 through Q1 2026, not derived from any single paper or external taxonomy.
CVE-2025-53967 is the kind of finding this corpus has been modeling as a threat class since Series 1. A widely-used third-party MCP server — the Figma integration — failed to sanitize user input, giving unauthenticated attackers full remote code execution on developer machines. The server was not unauthorized or unrecognized. It was in production, presumably approved, and connected as a trusted component of developer workflows across a substantial installed base. Supply chain compromise had placed it inside the enforcement boundary before enforcement began. On the same day, AIUC-1 published its Q2 2026 standard refresh: fourteen updated requirements, twenty-three controls, focused on MCP security, third-party risk management, and agent identity and permissions.
The convergence is not coincidence. It is evidence of a maturing threat surface and a standards body tracking it in near-real-time. AIUC-1 is the emerging certification standard for AI agent security, safety, and reliability — built with input from 100+ Fortune 500 CISOs, quarterly-refreshed, and grounded in a technical consortium that includes OWASP, MITRE, Cisco, Anthropic, and Google Cloud’s former CISO. Its positioning as a SOC 2 equivalent for AI agents is accurate and honest: certification verifies that the best available controls exist and operate. Reading the Q2 additions through the structural versus probabilistic enforcement framework this corpus has developed reveals a clear pattern: two additions approach structural enforcement territory, one sits between, and four address the necessary operational layer. That pattern matters because it determines what each control guarantees and what the certification function can and cannot reach.
The Two Structural Additions
The structural and probabilistic enforcement axis — introduced in Series 1 and carried through every series since — distinguishes controls that prevent by structure regardless of model inference from controls that are necessary but operate above the layer where attacks execute. Structural controls cannot be bypassed by a model that reasons its way around them. Probabilistic controls can be. Both categories are essential. The distinction determines what each control guarantees.
B006.3 — Runtime sandboxing for MCP server execution environments. This is the most structurally significant addition in the Q2 release. The requirement mandates runtime sandboxing of MCP server execution environments as a supplemental control. Sandboxing constrains what a compromised server can reach by structure — independently of what the server’s code instructs at the application layer. A correctly scoped sandbox limits blast radius at the execution environment level rather than the policy evaluation level above it. CVE-2025-53967 is precisely the threat class this addresses. A supply-chain-compromised Figma MCP server operating inside a correctly scoped sandbox cannot reach a developer’s file system, credential store, or external network resources beyond the sandbox boundary, regardless of what its payload instructs.
What CVE-2025-53967 Demonstrates About the Supply Chain Gap
The Figma MCP server was not an unapproved rogue component. It was a widely-deployed integration that had presumably passed whatever vetting process was in place. The CVE documents a failure of input sanitization — a code-level defect in an approved, trusted tool. Approved-server lists and authentication controls did not and could not have prevented the exploit, because the server was authenticated and approved. Only controls operating at or below the execution layer — runtime sandboxing that limits what the server’s code can reach — address this class of attack structurally. This is the supply chain gap Series 5, Post 4 identifies as one of three remaining protocol-level exposures: a tool inside the enforcement boundary before enforcement begins.
The calibration caveat is empirical and worth naming precisely. The SandboxEscapeBench research (arXiv:2603.02277) evaluated frontier model capability to escape containerized sandbox environments across 18 scenarios, documenting log-linear scaling of escape success with compute. That finding calibrates what sandboxing guarantees, not whether it is worth deploying. A sandbox that a frontier model cannot escape without dedicated attack optimization and significant compute is a structural constraint that materially raises the bar for any attacker. B006.3 is structural enforcement; its structural guarantee is bounded, not absolute. The containment analysis — what sandboxing can guarantee and where its limits are — is the work the next series will address directly.
Containerized sandbox escape scenarios evaluated in the SandboxEscapeBench research (arXiv:2603.02277), documenting log-linear scaling of frontier model escape success with compute. The finding calibrates sandboxing’s structural guarantee rather than undermining it: a correctly scoped sandbox raises the attack requirement from “compromise the tool” to “compromise the tool and then escape a compute-bounded containment environment.” B006.3 moves enterprise deployments toward a baseline where that higher bar applies.
A003.4 — Permission-ready architecture with just-in-time permissions. The second structurally significant addition requires that agent access governance support just-in-time permissions — scoping the duration and breadth of agent privileges to the specific requirements of the current task. JIT permissions reduce blast radius by structure: an agent whose authority is bounded to the current task cannot leverage inherited credentials to spawn uninstrumented topologies or access resources outside the task scope, regardless of what the agent’s inference produces.
Series 5 identified per-session capability scoping as one of the four missing structural MCP controls — the control whose absence enables the Viral Agent Loop, in which a compromised result causes an agent to spawn sub-agents that inherit the spawning agent’s full credential set and operate outside the instrumented dependency graph. A003.4 does not close that gap at the protocol level — MCP does not yet carry native per-session capability scoping. What it does is require that organizations implement JIT permission architecture at the deployment layer, which approximates the structural effect: an agent whose permissions are scoped to the current task has materially less authority to extend the execution topology into uninstrumented zones. AIUC-1 itself acknowledges that best practices for agent identity and access management are still maturing — this control will continue to be refined as the field evolves. That is an accurate characterization of where the work stands.
The Operational Layer
The remaining control additions are necessary and correct. They do not reach structural enforcement territory, but they build the operational layer that makes structural controls auditable and effective in production. The distinction is not a hierarchy of importance — it is a difference in what each type of control guarantees.
B008.4 — Cryptographic message signing for A2A plus schema validation on MCP tool call I/O. Schema validation is partially structural: it enforces input constraints at the boundary by structure, and a tool call whose I/O does not conform to the declared schema fails at the validation layer regardless of the agent’s reasoning. That closes one attack surface. Tool schema poisoning — the attack class documented in Series 5 as operating upstream of the graph’s first observation point — shapes the agent’s reasoning about which call to make before the call is formed, not necessarily what shape the call takes. Schema validation does not reach the tool description layer where that attack operates. Cryptographic signing establishes authenticated provenance; a signed message provides evidence of its origin without constraining what an authenticated source can deliver.
B006.1 — Approved MCP server lists. An approved-server list verifies that a connected server is on the authorized registry. CVE-2025-53967 was not an unauthorized server — it was a widely-deployed integration. Approved-server lists are a necessary operational baseline; they cannot close the supply chain gap because supply chain compromise acts on approved servers. The CVE is precisely the case the list was designed to address and cannot.
B008.2 and B008.3 — Caller authentication and encrypted transport across model APIs, MCP, and A2A. Unauthenticated connections and plaintext transport are genuine attack surfaces, and requiring their closure across all AI interfaces is correct. Authentication and encryption protect against the attacker who lacks authenticated access. They do not constrain what an authenticated connection to a compromised server delivers. These controls close important gaps above the protocol layer without reaching content-level supply chain exposure.
A003.3 — Unique cryptographically verifiable agent identities. Cryptographic identity is the necessary infrastructure for accountability: each agent can be distinctly identified and authenticated, which is the prerequisite for the access governance and JIT permission controls that A003.4 builds on top of it. Identity binds who is acting; it does not govern what acting is permitted. A legitimately authenticated agent that is compromised or misled remains authenticated. A003.3 establishes the identity layer that makes operational controls auditable.
E009 — Third-party access monitoring, now mandatory. AIUC-1’s own framing is accurate: AI-specific third parties including MCP servers and plugin registries are discovered and connected dynamically at runtime, creating an attack surface that shifts with every execution. Mandatory monitoring provides post-execution visibility into what connected, what it accessed, and what it did. For a dynamic attack surface that structural controls have not yet fully reached, monitoring is the correct detection layer. It enables incident response and the attribution that cryptographic identity supports.
| Control | Requirement | Enforcement Type | S5P4 Gap Addressed |
|---|---|---|---|
| B006.3 | Runtime sandboxing for MCP server execution environments | Structural | Supply chain / blast radius — partially closes at execution layer |
| A003.4 | JIT permissions; permission-ready architecture | Structural | Viral Agent Loop / capability scope — approximates at deployment layer |
| B008.4 | Cryptographic A2A signing + schema validation on tool call I/O | Partially Structural | Tool schema poisoning — closes at I/O boundary; description layer remains open |
| B006.1 | Approved MCP server lists | Operational | Supply chain — operates above the gap; approved servers can be compromised |
| B008.2 / B008.3 | Caller authentication + encrypted transport across all AI interfaces | Operational | Transport-layer security — does not reach content-level supply chain exposure |
| A003.3 | Unique cryptographically verifiable agent identities | Operational | Identity infrastructure for accountability — does not constrain authenticated agent behavior |
| E009 | Third-party access monitoring (now mandatory) | Operational · Detection | Post-execution visibility for dynamic third-party attack surface |
What Certification Verifies — and Where the Protocol Gap Lives
AIUC-1 certifies that controls exist and are operating. Applied to the Q2 additions, that certification function works across both structural and operational controls: it can verify that B006.3 sandboxing is correctly scoped and active, that A003.4 JIT permissions are architecturally implemented, that E009 monitoring is running and reviewed. The structural versus probabilistic distinction does not limit the certification function itself — both categories of control are auditable.
What certification cannot close are gaps that exist at the protocol layer below the controls it audits. Three of the four gaps Series 5 identified as remaining open after a correctly deployed enforcement stack sit below AIUC-1’s current control set.
Operational and Application-Layer Controls
Certification verifies that runtime sandboxing exists and is correctly scoped (B006.3). It verifies that JIT permission architecture is in place (A003.4). It verifies that authentication, transport security, schema validation, identity infrastructure, and third-party monitoring are operating as specified across the organization’s AI agent deployments.
These verifications are genuinely valuable. An enterprise that can demonstrate AIUC-1 compliance has implemented controls across the full operational stack. The certification signal answers the procurement question that buyers need answered.
Structural · Operational · AuditableThree Protocol-Layer Gaps That Remain Open
Supply chain compromise: B006.3 bounds blast radius but cryptographic tool schema binding — which would allow a session to verify that a connected server’s schema matches its vetted registration — is not in MCP’s protocol. An approved, sandboxed server that was compromised between review cycles remains inside the enforcement boundary.
Tool description integrity: B008.4 validates I/O schema but structural instruction-data separation at the transport layer — cryptographic protection of tool descriptions separately from tool results — is not in the protocol. The description layer where schema poisoning operates remains reachable.
Dynamic topology scope: A003.4 narrows JIT permissions but per-session capability scoping at the protocol level is not in MCP. With sufficient JIT scope, sub-agent spawning outside the instrumented graph remains possible.
Protocol-Level · Structurally OpenAIUC-1 acknowledges this directly. The Q2 update notes that best practices for agent identity and access management are still maturing, and that third-party risk remains a priority area for further updates. That is the honest acknowledgment of a quarterly-refresh standards body doing serious work at the frontier of a threat surface that is still ahead of the controls available to address it. The gaps below the certification scope are not a failure of the standard. They are an accurate map of where the protocol has not yet changed.
The Containment Signal in B006.3
Runtime sandboxing — B006.3 — is where the Q2 update most directly touches the question this corpus will take up next. The SandboxEscapeBench research is anchored by the same finding that B006.3 responds to: frontier models operating inside containerized execution environments demonstrate non-trivial escape capability, scaling log-linearly with compute across a diverse scenario set. The relevant question for practitioners is not whether that finding undermines sandboxing — it does not — but what it reveals about the structure of the containment guarantee.
A sandbox whose escape requires frontier-level compute and explicit attack optimization is a structural constraint that the vast majority of supply chain attacks cannot meet. B006.3 moves the certification baseline toward a containment architecture where that constraint applies. The analysis of what containment can guarantee across the full range of deployment contexts — what “correctly scoped” means in practice, what escape resistance requires at the implementation layer, and where the compute-bounded guarantee ends — is the territory the next series addresses directly.
AIUC-1 is doing what a certification standard should do: verifying that the best available controls exist and operate, at the frontier of a threat surface that is still maturing. The Q2 update’s two structurally significant additions move the certification baseline toward structural enforcement territory. The three protocol-layer gaps that remain open beneath the certification scope are not a failure of the standard. They are an accurate map of where the protocol has not yet changed.
— Analysis: Luminity Digital Research Corpus; AIUC-1 Q2 2026 Standard Update (aiuc-1.com); SandboxEscapeBench (arXiv:2603.02277)The structural controls in Q2 — runtime sandboxing and JIT permissions — are the ones where architectural work precedes the audit. B006.3 requires that sandboxing be correctly scoped before it can be certified as effective; the scoping work is architectural, not operational. A003.4 requires that JIT permission architecture be in place; designing that architecture against the specific capability requirements of each agent’s deployment context is the work that makes the certification verifiable. Understanding which control gaps are structural and which are operational is the prerequisite for sequencing that work correctly.
