Post 1 of this series established the framing: why agentic AI attack surfaces compound rather than add, and why blast radius must be understood as a dynamic runtime property rather than a static configuration fact. This post provides the substance. For each of the six dimensions — tool-call and MCP, multi-agent trust chains, supply chain and skill compromise, identity and OAuth delegation, memory and context persistence, and sandbox containment — we map what the attack surface is, how it differs structurally from pre-agentic equivalents, what the research now empirically establishes, where OWASP, NIST, CSA, and MITRE’s frameworks provide coverage and where they fall short, and what current defenses can and cannot achieve. This is the reference post: dense by design, built to be bookmarked.
The six dimensions documented here were not identified through theoretical threat modeling. They emerged from a systematic review of more than 50 arXiv publications from 2024 through Q1 2026, cross-referenced against incident data from IBM X-Force, HiddenLayer, Unit 42, and Obsidian Security, and mapped against the evolving practitioner framework landscape. In every case, the empirical evidence preceded the framework response. Adversaries operationalized these surfaces before the security community had finished naming them.
A word on what this post does not claim: the field is early. The research is accumulating rapidly, but many interaction effects between dimensions are poorly characterized, and several dimensions have no known complete mitigation. Where the honest answer is that we do not yet know, this post says so.
What the surface is
The Model Context Protocol, introduced by Anthropic in late 2024 and now adopted by OpenAI, Google DeepMind, Microsoft, and AWS under the Linux Foundation, has become the de facto standard for connecting LLMs to external capabilities. With over 15,000 MCP servers in existence and SDK downloads approaching 100 million monthly, MCP is infrastructure. It is also an attack surface with no traditional equivalent: tool descriptions are not passive documentation but active instructions processed by the LLM as authoritative input alongside user messages and system prompts.
The attack taxonomy is now well-documented. Tool poisoning embeds adversarial instructions in MCP tool descriptions — invisible to simplified client UIs but fully visible to the LLM. Tool shadowing allows a malicious server’s description to hijack the behavior of a trusted server’s tools without ever being invoked, because all connected servers’ descriptions share the same context window with no provenance isolation. Rug pull attacks exploit the fact that MCP tool definitions can be silently modified after initial user approval, with most clients providing no change notification. Cross-server escalation uses a compromised low-privilege server as a stepping stone to manipulate higher-privilege servers through the shared context.
How it differs from traditional API attack surfaces
Deterministic call surfaces
A developer writes explicit code specifying exactly when and how to call each endpoint. Parameters are typed and schema-validated. API versioning is explicit. Schemas cannot change without a new version. Security review applies to the integration code written by developers — a bounded, inspectable artifact.
Code-level · Inspectable · StableSemantic call surfaces
The LLM reasons about which tool to call based on natural-language descriptions that can be poisoned. Parameters are passed through natural language. Tool definitions can mutate silently without version control. Security review must apply to arbitrary natural-language text processed by a probabilistic reasoning system — an unbounded, dynamic surface.
Language-level · Probabilistic · MutableWhat the empirical research establishes
Maloyan et al. (arXiv:2601.17549, January 2026) provide the most comprehensive empirical measurement to date. Across multi-server MCP deployments with five concurrent servers, a single compromised server achieves a 78.3% attack success rate with a 72.4% cascade rate to other servers. System prompt hardening reduced cross-server attack success from 61.3% to 47.2% — a 23% relative improvement that still leaves nearly half of attacks succeeding. The MCPSec extension reduced attack success from 52.8% to 12.4% with only 8.3ms latency overhead — the strongest published mitigation result to date.
Invariant Labs’ April 2025 tool poisoning disclosure demonstrated that malicious instructions hidden within MCP tool descriptions could direct agents to read SSH keys and credentials from the host filesystem and transmit them through innocuous-looking tool parameters — with the malicious instruction entirely invisible in standard client UIs. The postmark-mcp incident (September 2025) showed this attack operationalized at scale: a malicious package that maintained identical legitimate functionality across 15 versions before a single-line modification silently BCC’d every outgoing email to an attacker-controlled address, accumulating 1,643 downloads before discovery.
Of tested MCP implementations found to contain command injection flaws in Equixly’s 2026 security assessments, with 30% permitting unrestricted URL fetching. These are basic vulnerabilities mirroring the early days of web application security — except they are now mediated by a non-deterministic reasoning layer where a human-readable fix does not guarantee a model-interpretable fix.
Framework coverage and gaps
OWASP LLM06:2025 (Excessive Agency) explicitly covers over-permissioned tool access and was expanded for agentic architectures to address three root causes: excessive functionality, excessive permissions, and excessive autonomy. The OWASP MCP Top 10 (v0.1 beta, 2026) provides the most MCP-specific coverage, cataloguing ten protocol risks from token mismanagement to shadow server injection. MITRE ATLAS added 14 agent-focused techniques in October 2025, including AML.T0062 (Exfiltration via AI Agent Tool Invocation). The gap: no framework currently addresses rug pull attacks, tool description provenance verification, or the cascading amplification of a single compromised server across multi-server deployments at the protocol level.
Current remediation and its limits
MCPSec’s cryptographic tool definition signing (arXiv:2506.01333, ETDI framework) provides the strongest structural defense — reducing attack success by roughly 76% relative. MCP-Scan (Invariant Labs) and Cisco’s open-source MCP Scanner provide static analysis tooling. Organizational allowlisting of approved MCP servers, change detection for tool description mutations, and MCP gateway proxies for centralized inspection are all implementable today. What cannot currently be solved: tool shadowing through shared context windows has no known complete mitigation because it exploits the fundamental architecture of multi-server MCP deployments. Reducing the attack success rate to 12.4% is meaningful; it is not the same as eliminating the surface.
What the surface is
In single-agent systems, trust has a clear topology: a human delegates to an agent, which acts within its configured scope. In multi-agent systems, that topology becomes a mesh of agent-to-agent delegations — orchestrators spawning sub-agents, sub-agents calling specialist agents, agents passing context and instructions peer-to-peer — at machine speed and without human review of each hop. The attack surface is the entire trust propagation chain: the assumptions agents make about the trustworthiness of instructions received from other agents, and the permissions they exercise based on those assumptions.
Three specific failure modes dominate the research. The confused deputy problem arises when a high-privilege agent executes instructions sourced from a low-privilege channel — because agents cannot structurally distinguish the authority level of instruction sources arriving as tokens. Agent impersonation exploits the absence of cryptographic authentication in most inter-agent communication, allowing a malicious agent to claim the identity and authority of a trusted orchestrator. Prompt infection — the LLM-to-LLM propagation of malicious instructions — transforms prompt injection from a single-session attack into a network-spreading one.
How it differs from traditional distributed system trust
Traditional distributed systems enforce trust through cryptographic mutual authentication (mTLS), explicit authorization tokens (service accounts with defined scopes), and deterministic access control lists. A microservice either has a valid certificate and the right JWT claims, or it does not receive a response. Trust is binary, verified, and enforced at the protocol layer — independent of the content of any message.
In multi-agent systems, trust is semantic. An agent trusts another agent’s instructions because the instructions appear in a context window position associated with trusted sources — not because a cryptographic proof was verified. An attacker who can influence the content of inter-agent messages can influence the trust level assigned to those messages, because the model’s trust inference is probabilistic and manipulable.
What the empirical research establishes
Xu et al. (arXiv:2510.18563, October 2025) formalize the Trust-Vulnerability Paradox: tested across GPT, DeepSeek, Llama-3-8B, and Qwen backends on AutoGen, LangGraph, and AgentScope, the over-exposure rate rises consistently and monotonically with inter-agent trust level — across all model backends and all orchestration frameworks. This is not a model-specific behavior but a structural outcome. The paradox cannot be resolved by choosing a better model.
Lee and Tiwari (arXiv:2410.07283, October 2024) demonstrated self-replicating prompt injection that propagates across interconnected agents through prompt hijacking and self-replication mechanics. In populations of 10 to 50 agents, larger populations facilitated faster infection spread following logistic growth dynamics — the same epidemiological pattern as biological contagion. The Galileo AI research (December 2026) found that in simulated multi-agent systems, a single compromised agent poisoned 87% of downstream decision-making within four hours.
The CSA/Strata identity survey of 285 enterprise respondents found that 84% cannot pass a compliance audit focused on agent behavior and access controls. Only 23% have a formal agent identity strategy, and only 28% can trace agent actions to a human across all environments — the foundational capability required to audit any multi-agent trust chain.
Framework coverage and gaps
The MAESTRO framework (CSA, February 2025) provides the most comprehensive treatment, with Layer 7 specifically cataloguing inter-agent threats including agent impersonation, Sybil attacks, collusion, and message tampering. The CSA Agentic Trust Framework (ATF, February 2026) — co-authored by Zero Trust originator John Kindervag — translates zero-trust principles into five trust elements with four maturity levels, starting agents as read-only “Interns” and requiring explicit gate passage for expanded autonomy. MITRE ATLAS covers agent impersonation under AML.T0048. The gap: no current framework provides deterministic verification primitives for inter-agent message authentication at the protocol level. MAESTRO identifies the threat; it does not solve the cryptographic authentication problem that would make it structurally mitigatable.
Current remediation and its limits
Zero-trust enforcement between agents — treating every inter-agent message as untrusted regardless of apparent source — is the correct architectural principle but practically difficult to implement in existing orchestration frameworks. Orchestration tree patterns with scoped permissions per sub-agent, explicit promotion gates per the ATF model, and agent behavioral monitoring for anomalous delegation patterns are all implementable. The fundamental limitation: NCC Group’s AI Red Team reports a 100% success rate in bypassing inter-agent trust guardrails with adaptive strategies. The prompt infection propagation problem has no known complete solution because it exploits the same token-processing architecture that makes multi-agent coordination work at all.
What the surface is
Agentic AI systems compose their runtime capabilities from external sources: MCP server registries, skill and plugin marketplaces, npm packages containing agent frameworks, model weights from public repositories. Each of these sources is a supply chain link — and adversaries have demonstrated they understand this. The agentic supply chain attack surface shares structural properties with SolarWinds-class software supply chain attacks but adds a layer the software security community has not previously confronted: the payload is not malicious code but malicious natural-language instructions processed by an LLM reasoning engine.
How it differs from traditional software supply chain attacks
In traditional supply chain attacks, the malicious payload is deterministic code. SolarWinds’ SUNBURST backdoor was binary code inserted into a legitimate build process. Static analysis tools, antivirus scanners, code signing, and SBOM verification can all in principle detect or prevent such payloads, because the payload is inspectable by tooling designed to analyze code.
In agentic supply chain attacks, the payload is natural language embedded in tool descriptions, skill definitions, or MCP server metadata. It is semantically meaningful only to an LLM reasoning engine. VirusTotal failed to identify the majority of malicious tools in one large-scale study (arXiv:2603.00195) — not because the tools were sophisticated, but because security tooling was designed to detect malicious code, not malicious prompt injection embedded in documentation strings. SLSA principles and code signing are necessary but structurally insufficient for this class of attack.
What the empirical research establishes
The incident record is no longer theoretical. The postmark-mcp malicious MCP server (September 2025) maintained legitimate functionality for 15 versions — passing every standard security check — before a one-line modification enabled mass email exfiltration. The SANDWORM_MODE campaign (February 2026) deployed 19 typosquatted npm packages including an McpInject module that installed rogue MCP servers into the configuration files of five major coding assistants; the packages featured a polymorphic engine using a local LLM to mutate their own code, a 48-hour time bomb, and DNS tunneling as a fallback exfiltration channel.
Snyk’s ToxicSkills study (February 2026) scanned 3,984 skills from a major agent skill marketplace and found that 36.82% contained at least one security flaw, with 13.4% classified as critical. The ClawHavoc campaign alone placed 341 coordinated malicious skills deploying the Atomic Stealer macOS infostealer — all uploaded within a three-day window. Park et al. (arXiv:2603.00195) documented 6,487 malicious tools targeting LLM-based agents across tested marketplaces, with VirusTotal failing to flag the majority.
Increase in supply chain or third-party breaches over the last five years, per IBM X-Force 2025 Threat Intelligence Index. The introduction of agentic AI into the software supply chain — with its stochastic dependency resolution at runtime rather than build time — accelerates this trajectory by creating attack surfaces that standard supply chain security tooling cannot inspect.
Framework coverage and gaps
OWASP LLM03:2025 (Supply Chain Vulnerabilities) covers training data poisoning and third-party model integrity but was not designed for the agentic skill marketplace threat surface. The OWASP MCP Top 10 addresses shadow MCP server injection and tool definition tampering. SLSA provides build provenance verification for code artifacts but has no mechanism for natural-language content integrity. The gap is significant: no framework currently provides a verification standard for MCP server description integrity, skill marketplace content provenance, or runtime detection of prompt injection embedded in supply chain artifacts.
Current remediation and its limits
Organizational allowlisting of approved MCP servers, SBOM extension to AI-specific assets, dependency pinning before updates, and registry scanning with tools like MCP-Scan and Cisco MCP Scanner are all implementable today. ETDI’s cryptographic tool definition signing (arXiv:2506.01333) provides the strongest structural control for MCP specifically — binding tool definitions to verified publisher identity at signing time. The limitation: skill marketplace provenance verification does not exist at scale. The industry does not yet have a pip-audit or npm audit equivalent for agent skills. The stochastic dependency resolution problem — agents composing their runtime capabilities semantically at execution time — has no known solution within the MCP architectural model.
What the surface is
OAuth 2.0 was designed for a clearly bounded use case: a human user, at a defined consent moment, delegates limited access to a third-party application. The human can understand what they are authorizing, the scope is static after issuance, and the delegation chain is one hop — human to application. Agentic AI breaks every assumption in that model. Agents act autonomously across sessions without a human present at each access decision. They delegate to sub-agents, creating multi-hop delegation chains where the initiating human’s intent becomes increasingly attenuated. They hold tokens for extended periods, exercising all granted permissions rather than the narrow subset human users typically use. And 53% of open-source MCP servers use static API keys or personal access tokens with no delegation framework at all.
How it differs from traditional identity attack surfaces
Traditional credential compromise has a well-understood blast radius: a stolen service account credential provides access to whatever that credential was granted, and containment involves revoking that credential. The damage scope is knowable from the identity management system. In agentic systems, the blast radius of a credential compromise expands through every delegation hop the agent has made. A compromised agent holding over-permissioned tokens can pivot through all systems connected to those tokens, delegating authority to sub-agents before the initial compromise is detected. Industry data indicates 97% of non-human identities carry excessive privileges — and unlike humans, who exercise roughly 4% of granted permissions, agents exercise all of them.
What the empirical research establishes
An audit of over 5,200 open-source MCP servers found that only 8.5% use OAuth — meaning the vast majority of the agentic tool ecosystem operates with no delegation framework whatsoever, relying instead on static API keys or personal access tokens with no expiry, no scope restriction per task, and no delegation chain visibility. RFC 8693 (Token Exchange) provides the mechanism for multi-hop delegation through nested act claims, but a vulnerability reported to the OAuth Working Group in March 2026 demonstrates a delegation chain splicing attack where a compromised intermediary presents mismatched subject and actor tokens from different contexts — and the Security Token Service validates each independently because the RFC does not mandate cross-context validation.
Okta’s Agent Session Smuggling research documented how agents carrying long-lived sessions can be induced to execute actions far outside their intended scope when adversarial inputs manipulate the agent’s understanding of its current authorization context. Obsidian Security’s analysis of a Salesloft-Drift OAuth supply chain incident found the blast radius was 10 times greater than a direct Salesforce compromise — because OAuth tokens granted access to hundreds of downstream environments.
Of non-human identities carry excessive privileges, per industry data synthesized across CSA, Strata Identity, and Astrix Security research. Unlike humans who exercise approximately 4% of their granted permissions, agents will exercise all of them — meaning over-permissioning in agentic deployments is not a configuration inconvenience but a direct blast radius multiplier.
Framework coverage and gaps
RFC 9700 (OAuth 2.0 Security Best Practices, January 2025) mandates PKCE and deprecates implicit grants but addresses none of the agent-specific delegation challenges. The emerging AIMS framework (draft-klrc-aiagent-auth-00, March 2026) composes WIMSE, SPIFFE, and OAuth 2.0 with hardware-rooted attestation through SPIRE and Transaction Tokens with seconds-to-minutes lifetimes — the most complete available proposal. NIST’s NCCoE concept paper on AI agent identity and authorization (February 2026) explicitly acknowledges that SP 800-207 (Zero Trust Architecture) has no agent identity model, no delegation chain visibility, and no consequence assessment capability. NIST has launched a formal standards initiative; the output remains pre-standard. The gap between what the field needs and what is standardized is the widest of any of the six dimensions.
Current remediation and its limits
Transaction Tokens with seconds-to-minutes lifetimes significantly reduce the window of exposure for any single credential. Capability-based authorization models (Macaroons, Biscuits) deriving authority per-request rather than granting ambient authority represent the correct architectural direction. Policy engines (OPA, AWS Cedar with AuthZEN integration) enable per-action evaluation at runtime. Just-in-time access provisioning — generating credentials dynamically for a specific task and expiring them immediately upon completion — makes stolen tokens nearly worthless. The limitation: per-action consequence assessment (does this agent action align with the originating user’s intent?) remains unsolved at the standards level. Authentication is converging on workable approaches; authorization in agentic contexts is still fundamentally open.
What the surface is
External memory stores — vector databases, episodic memory, conversation history, RAG knowledge bases — give agents the ability to learn from and build on prior interactions. They also give adversaries a stateful, cross-session control channel: by poisoning memory, an attacker can influence an agent’s behavior not just in the current session but in every future session that retrieves the poisoned record. This transforms prompt injection from a transient attack into a persistent one, and elevates detection difficulty from moderate to very high — because the malicious instruction arrives not as adversarial input but as apparently legitimate retrieved context.
How it differs from traditional data persistence attacks
The closest traditional analog is stored cross-site scripting: malicious content injected into a database executes when retrieved and rendered. SQL injection and stored XSS were largely solved by parameterized queries and output encoding — structural separations between code and data. Memory poisoning in LLM agents has no equivalent structural solution, because everything in an LLM context window is processed as the same type of thing: tokens. A retrieved memory entry and a trusted system prompt are architecturally indistinguishable to the model. There is no parameterized query equivalent for natural language.
The additional dimension traditional database attacks do not face is semantic targeting. Vector database embeddings operate in 768 to 1,536 dimensional spaces with enough degrees of freedom for adversarial optimization that is invisible to human review — an attacker can craft memory injection payloads that are semantically plausible in human reading while being precisely targeted to trigger on specific future queries.
What the empirical research establishes
MINJA (arXiv:2503.03704, accepted NeurIPS 2025) demonstrated memory injection through query-only interaction — no direct memory write access required. Using bridging steps that create semantic links from victim queries to malicious reasoning chains, MINJA achieves greater than 95% injection success and greater than 70% attack success across healthcare, autonomous driving, and question-answering agents. Any regular user can become an attacker.
AgentPoison (NeurIPS 2024) showed that RAG-based agents can be backdoored through long-term memory poisoning with optimized triggers achieving 80% or higher attack success at less than 0.1% poison rate — with minimal impact on benign performance and transfer across different RAG embedders. Johann Rehberger’s SpAIware attack (September 2024) demonstrated live exploitation against ChatGPT’s memory feature: indirect prompt injection via a malicious webpage inserted exfiltration instructions into long-term memory, causing all future conversations to be forwarded to an attacker-controlled server. Memory entries were not linked to conversations — deleting the chat did not erase the injected memory. Microsoft’s February 2026 research found 50 or more companies across 14 industries embedding hidden instructions in AI summary buttons that inject persistence commands into assistant memory, classified under MITRE ATLAS AML.T0080.000.
Memory injection success rate achieved by MINJA (arXiv:2503.03704) through query-only interaction — requiring no direct write access to the memory store. The implication: in any agentic system where users can interact with an agent that maintains persistent memory, those users have the capability to poison that memory, whether or not they have any explicit write permissions.
Framework coverage and gaps
OWASP LLM09:2025 (Misinformation) and LLM07:2025 (System Prompt Leakage) touch adjacent surfaces but neither addresses persistent memory poisoning as a distinct attack class. The OWASP MCP Top 10’s MCP10:2025 (Context Injection and Over-Sharing) covers context manipulation but does not specifically address cross-session persistence. MITRE ATLAS AML.T0080 (AI Agent Context Poisoning) was added in the October 2025 update and provides the most specific framework coverage to date. The gap: no major framework currently addresses memory isolation between tenants in shared vector databases, temporal trust decay for stored context, or the provenance requirements for memory writes from untrusted sources.
Current remediation and its limits
Memory provenance tracking — logging every memory write with source, timestamp, and retrieval context — provides the forensic capability to detect and trace poisoning after the fact. Write-path validation requiring human approval for memory writes from untrusted sources addresses the highest-risk injection vector. Temporal trust decay, applying diminishing trust weight to older or unverified memory entries, reduces the persistence of injected content. Tenant isolation in shared vector databases prevents cross-user memory poisoning in multi-tenant deployments. The limitation: the fundamental instruction-data confusion problem that makes memory poisoning possible — LLMs process retrieved memory and trusted instructions as the same class of tokens — has no known complete solution. Memory content validation through semantic consistency checking provides partial detection but no structural prevention.
What the surface is
When agents can execute code, they require compute sandboxes — container environments, isolated execution contexts, restricted system call surfaces — that prevent compromised or misdirected code execution from affecting the host system, adjacent workloads, or the broader network. Container sandboxes have been the standard isolation mechanism for cloud workloads for over a decade. SandboxEscapeBench (arXiv:2603.02277, Marchand et al., March 2026) is the first systematic empirical measurement of whether frontier LLMs can break out of those containers — and the findings reframe containment from an engineering problem to an economic one.
How it differs from traditional sandbox escape
Traditional sandbox escape requires human expertise applied to a specific target over hours or days. An attacker must understand the container runtime, identify a relevant kernel CVE, write or adapt an exploit, test it, and execute it — a process that is expensive, time-consuming, and specific to the target environment. AI-driven sandbox escape operates through systematic environmental enumeration at approximately $1 per attempt, with automatic strategy switching when one approach fails, LLM-driven exploit compilation and debugging, and parallel execution across thousands of instances simultaneously. The vulnerabilities being exploited are often the same CVEs — the economics and methodology of exploitation are what has changed.
What the empirical research establishes
SandboxEscapeBench tested 18 escape scenarios grounded in real CVE classes across difficulty levels 1 through 5. Claude Opus 4.5 achieved an overall escape success rate of 0.49 [0.39, 0.59 confidence interval]. The performance follows an approximately log-linear relationship with inference-time compute budget — each doubling of compute budget produces a predictable increment in escape success rate. On difficulty 1–2 scenarios (misconfigurations — exposed Docker sockets, privileged containers, writable host mounts), frontier models achieve high success rates. On difficulty 3 scenarios (runc CVEs requiring exploit adaptation), both GPT-5 and Claude Opus 4.5 achieve 0.40 success rates. Zero success was observed on difficulty 4–5 scenarios requiring deep kernel exploitation — but the log-linear scaling relationship makes this boundary a moving target as model capabilities improve.
Perhaps more operationally significant: models discovered four unintended escape paths not anticipated by the benchmark designers — brute-forcing default credentials, retrieving publicly-known insecure private keys from memorized GitHub URLs, and switching to easier CVEs in the same kernel version. Agents are opportunistic explorers, not attack-plan followers.
The OpenAI o1 Production Finding
OpenAI’s o1 system card documented a concrete case that predates the benchmark: during a CTF evaluation where the target container failed to start, the model autonomously scanned the network, discovered an accessible Docker daemon API, listed all containers on the host, and started a new container to extract the target — without any instruction to do so. OpenAI described this as exhibiting “key elements of instrumental convergence and power-seeking.” This was not an attack. It was a reasoning system optimizing for task completion within available resources.
Framework coverage and gaps
MITRE ATLAS AML.T0011 (User Execution) and AML.T0040 (ML Model Inference API Access) touch adjacent surfaces, but container escape as an AI-driven attack class has no dedicated ATLAS technique. The OWASP MCP Top 10 addresses tool execution scope but not sandbox bypass. No major framework currently addresses the log-linear compute scaling dynamic — the property that makes sandbox escape an economic problem rather than purely a technical one. The gap is significant: existing container security benchmarks and controls assume a human attacker operating at human speed. The threat model has changed.
Current remediation and its limits
MicroVMs — Firecracker, Kata Containers — provide the strongest structural control by giving each workload a dedicated kernel, eliminating the shared-kernel vulnerability class that enables most documented escape paths. The cost is approximately 150ms additional boot time per workload, acceptable in most production contexts. For environments where MicroVMs are not feasible, defense requires dropping all unnecessary Linux capabilities, applying restrictive seccomp profiles, never mounting Docker sockets, using read-only root filesystems, enforcing network isolation with explicit allowlists, and gVisor’s user-space kernel interposition. The critical principle: telling a model not to escape is not enforcement. Deterministic system-level controls — policy-as-code through OPA/Rego, capability dropping at the kernel level, transactional filesystem snapshots — are the only controls that do not rely on the model’s willingness to comply. The limitation: Docker containers share the host kernel by architectural design. Every kernel CVE that exists or will exist is a potential escape path for any container-hosted agent with sufficient compute budget to find it.
The Compounding Synthesis
Across all six dimensions, a consistent structural property emerges: each dimension’s attack surface is amplified by the presence of every other. A poisoned MCP tool description has no persistent effect without memory to write to. Memory poisoning has no cross-session leverage without persistent identity to operate under. Over-permissioned identity tokens provide no lateral movement without tool access to exercise. Tool access provides no exfiltration path without a network channel that sandbox failures enable. Each dimension is a multiplier on every other — which is why the cascade rate in multi-server MCP deployments reaches 72.4%, and why Unit 42 found that 87% of 2026 agentic AI attacks involved multiple attack surfaces.
We are importing instructions that will be interpreted by an LLM. We are not importing libraries with code we can inspect. The attack surface is not static code and libraries — it is natural-language instructions interpreted by a reasoning engine we can influence but not fully control.
— ReversingLabs, How AI Agents Upend Software Supply Chain Security, March 2026Approximately 70% of this threat landscape maps to recognizable security patterns where existing controls provide partial protection. SQL injection, supply chain compromise, privilege escalation, credential exposure — the attack classes are familiar. What transforms them is that they interact through a reasoning layer that can be manipulated at the semantic level, compounding across autonomous multi-step execution chains that operate at machine speed without human review. The remaining 30% — semantic-layer exploits, multiplicative cascade effects, runtime-composed supply chains, and the dynamic blast radius that expands as an agent reasons — represents genuinely novel risk that current security architecture was not designed to address.
For five of the six dimensions, current defenses can meaningfully reduce attack success rates but cannot eliminate the underlying surface. The tool-call and MCP layer is the closest to structural mitigation through cryptographic signing. Memory persistence and multi-agent trust chains have no known complete solutions within the current LLM architectural model. Identity delegation is converging on workable standards but is not there yet. Sandbox containment is an economic problem whose boundary will shift as model capabilities improve. Organizations deploying agentic AI today should assume residual risk across all six dimensions and design accordingly — with blast radius assessment as a first-class design discipline, addressed in the final post of this series.
