The Question RSAC 2026 Couldn’t Answer. But Couldn’t Stop Asking
The sessions on agentic AI at RSAC 2026 weren’t packed because practitioners had answers. They were packed because practitioners were scared, and smart enough to know it. MCP security was the thread running through nearly every conversation, from identity frameworks to supply chain risk to runtime protection gaps nobody had fully solved.
Ahead of the conference, David Brauchler, Technical Director and Head of AI/ML Security at NCC Group, put the core problem into terms that kept circulating across security channels: in agentic AI, behavior is a function of data, not code. Read that slowly. Every trust assumption the industry has built over decades, the notion that you can audit a binary, review a codebase, verify a signature, falls apart when the thing making decisions is responding to runtime inputs you can never fully enumerate in advance. The attack surface is everything the agent reads.
That framing landed hard because it named something security teams had already been feeling but hadn’t yet articulated. A Dark Reading poll cited by Bessemer Venture Partners found that 48% of cybersecurity professionals now identify agentic AI and autonomous systems as the single most dangerous attack vector they face. The top one.
MCP Security and the Infrastructure Gap Nobody Planned For
What made RSAC 2026 genuinely different from previous years’ AI security conversations was the specificity of the problem. Practitioners weren’t debating whether AI agents posed risk. They were rethinking what trust means for a class of system that can take real-world actions, chain tool calls autonomously, and respond to inputs injected anywhere along the way. Five competing identity frameworks were reportedly shipping at the conference. None of them closed every gap.
The Coalition for Secure AI captured this plainly in its recent MCP security whitepaper: these aren’t theoretical vulnerabilities, they’re production incidents, and they share a common thread. Traditional security frameworks weren’t designed for AI-mediated systems where a language model sits at the center of security-critical decisions.
That gap is what this post examines: why the problem is structural, what the conference surfaced about identity, authorization, and audit trails, and what an Obot MCP Gateway infrastructure layer needs to look like if you want governance that holds under real-world conditions.
Why Traditional Security Breaks for Agents
Classic software has deterministic behavior baked into its code. You audit the binary, review the logic, sign the artifact, and deploy with a reasonable expectation that the thing will do what you verified it does. Agentic systems invert that model entirely. Behavior becomes a function of real-time data inputs, and no static policy can enumerate every input an agent will encounter at runtime. You can’t sign a prompt. You can’t audit a tool call that hasn’t happened yet.
Why MCP Security Requires a Different Mental Model
CoSAI’s MCP security whitepaper states that traditional security frameworks weren’t designed for AI-mediated systems. This is a structural observation, not a product gap. The perimeter model assumes a defined boundary. The identity model assumes a known actor making authenticated requests. The audit model assumes a deterministic log you can replay. Agents violate all three assumptions simultaneously, because the language model at the center of every decision is itself a dynamic interpreter of whatever data it receives.
Security researcher Simon Willison identified this in June 2025: according to research tracking AI agent security risks, the structural issue applies to every MCP deployment currently implemented without governance overlays. A protocol-level exposure, not a configuration mistake you can patch.
The implications compound quickly. An AI governance framework built on static controls, approved lists, signed packages, reviewed prompts, provides meaningful defense in depth only if those controls can be enforced at runtime, dynamically, across every tool invocation and every data input the agent touches. Governance that operates only at deploy time has a very short window of relevance.
The infrastructure layer beneath the agent has to carry security logic that developers and security teams once assumed lived in the code itself. The control plane, the identity layer, the authorization boundary: none of it can be passive. It has to interrogate, constrain, and record agent behavior as it happens, not after the fact.
The Gap Is Real and Measurable: What the Data Says
The numbers aren’t projections. They’re measurements of what’s already broken.
Research tracking AI agent security risks puts three figures together that security leaders need to sit with: 63% of organizations cannot technically enforce purpose limitations on their agents, 33% have no audit trails for agent activity, and 75% have already been hit by supply chain incidents. That last number used to describe a software delivery problem. It now extends to agent skills, MCP server packages, repository configuration files, and AI vendor relationships. The attack surface expanded, and most organizations’ measurement capabilities did not.
The Supply Chain Has Already Reached MCP Security
The OpenClaw/ClawHub incident is the clearest proof point. Antiy CERT confirmed 1,184 malicious skills across ClawHub, the marketplace for the OpenClaw AI agent framework, making it the largest confirmed supply chain attack targeting AI agent infrastructure to date. These weren’t theoretical proof-of-concept packages. They were in a production marketplace where developers pull agent capabilities the same way they pull npm packages, quickly, conveniently, and often without the review process a new vendor relationship would trigger.
Then, on February 25, 2026, Check Point Research disclosed critical vulnerabilities in Claude Code, Anthropic’s command-line AI development tool used by thousands of developers daily. Two separate disclosures, two separate events, and a clear pattern: the components beneath the agent are active targets.
The AI agent security guide for 2026 frames the enterprise challenge precisely: organizations need consistent controls that protect data regardless of where AI agents operate. An AI governance framework that only governs at the agent level, while leaving the skill marketplace, the MCP server layer, and third-party integrations unmonitored, has gaps wide enough for 1,184 malicious packages to move through undetected.
The 33% with no audit trails aren’t just flying blind operationally. In a post-incident review, they have no record of what any agent touched, invoked, or exfiltrated. That’s an absence of accountability at the infrastructure layer where accountability matters most.
What RSAC 2026 Shipped, and What It Left Unsolved
Five identity frameworks shipped at RSAC 2026. Duo, Okta, 1Password, and others each arrived with approaches to register AI agents as distinct identity objects and route tool calls through MCP gateways rather than treating agent activity as an extension of a human user’s session. After years of practitioners asking where the agent fits in their identity model, vendors finally delivered answers in the form of shipping infrastructure.
That progress is real. Registering agents as first-class identity objects closes a gap that has existed since the first production deployments. Best MCP Gateways and AI Agent Security Tools describes how MCP gateways now centralize authentication, audit trails, and policy enforcement across connected systems, representing genuine maturation from the improvised configurations that characterized 2024 and early 2025 deployments.
The Blind Spot the Frameworks Left Open
None of them solved an agent rewriting the policies governing its own behavior.
MCP gateways inspect tool calls in transit. They can catch anomalous invocation patterns, flag out-of-scope requests, and log the full sequence of what an agent asked for and what it received. In a post-incident review, that is the difference between having a timeline and having nothing.
But direct policy file modifications on the endpoint sit outside what any of these frameworks currently monitor as a shipping capability. If a compromised agent, or a prompt injection payload riding in through a tool response, modifies the configuration that defines what the agent is permitted to do, the gateway sees compliant-looking traffic from that point forward. The authorization layer has been rewritten beneath it. The audit trail records behavior after the compromise, not the compromise itself.
This is the structural gap that the Bessemer Venture Partners analysis points toward when it describes runtime protection as the hardest and least mature of the three security stages. Visibility and configuration controls are tractable engineering problems. Runtime protection against an agent modifying its own governance state requires a different class of integrity monitoring, one the conference acknowledged but did not deliver.
RSAC 2026 generated real momentum and shipped real infrastructure. An AI governance framework built only on what shipped there is still incomplete. Security leaders need to plan around both realities.
The Infrastructure Layer Is the Answer. Here’s What It Must Do
What MCP Security Actually Requires
Every gap documented in this article points toward the same conclusion: governance logic cannot live in the agent. It has to live beneath it.
Bessemer Venture Partners’ three-stage framework gives this shape. Stage one is Visibility: a complete inventory of every running agent, the model it’s calling, and the tool permissions it holds. Stage two is Configuration: least-privilege access controls enforced at the MCP layer, data masking before sensitive content reaches the model, and hard behavioral rails constraining what agents are permitted to invoke. Stage three, and by BVP’s own assessment the hardest, is Runtime Protection: detecting anomalous behavior at machine speed and maintaining audit logs that create genuine forensic evidence, not just timestamps of successful completions.
CoSAI’s defense-in-depth model reinforces the same architecture. Layered controls, each layer assuming the one above it will occasionally fail.
The Control Plane Has to Be Centralized
Integrate.io’s analysis of MCP gateway solutions describes how centralized gateways now provide authentication, audit trails, and policy enforcement across connected systems. That centralization is the critical design principle. Distributed enforcement, where each agent team implements its own access controls and logging conventions, produces exactly the inconsistency that attackers exploit and compliance officers cannot certify.
The Obot MCP Gateway is purpose-built as that centralized control plane, addressing each stage of the BVP framework directly: inventory and visibility across all agents and their tool permissions, least-privilege access enforcement at the MCP layer, and comprehensive audit logs that survive post-incident review. Identity provider integration with Okta, Google, and Microsoft Entra grounds agent identity in the same authoritative directory your human identity program already trusts.
An AI governance framework built on centralized infrastructure gives development teams frictionless access to approved, cataloged tools while giving security teams the inspection point they require.
From Shadow AI to Sanctioned Infrastructure: A Practical Path Forward
Organizations with production agents running today cannot wait for the next conference to deliver a unified answer. The governance infrastructure they need exists now.
Start With Centralization
Distributed enforcement is where governance goes to die. If individual teams manage their own MCP servers, set their own access controls, and maintain their own logging conventions, you will never achieve the consistency that AI agent security guidance identifies as the core requirement: controls that protect data regardless of where agents operate. Centralize MCP server management first. Everything else depends on having a single inspection point.
Integrate Identity You Already Trust
Agent identity grounded in a parallel directory is a liability. Okta, Google Workspace, and Microsoft Entra already hold your authoritative user records and group memberships. Extending those to govern agent-level access, through the same identity provider your human access program already runs, closes the gap between what your identity team can audit and what your agents are doing.
Make Audit Logging Non-Negotiable
The 33% of organizations with no audit trails for agent activity are one incident away from a post-mortem with no timeline and no forensic basis for remediation. Treat logging as a precondition for any agent reaching production.
Prefer Open-Source, Self-Hosted Infrastructure
Vendor lock-in in the MCP security layer is a compounding liability. Organizations evaluating MCP infrastructure increasingly prioritize open-source and self-hosted solutions because they need deployment flexibility across cloud, on-premise, and hybrid environments without dependency on a single vendor’s roadmap. Open foundations give you auditability of the control plane itself, not just the agents it governs.
None of these steps require waiting for the industry to converge on a single standard. They require deciding that governance is an accelerator and building accordingly.
The roadmap is clear. The infrastructure is available. Review the Obot MCP Gateway and download it to take your first step from shadow AI to sanctioned, production-ready infrastructure.
