
Volume 338, Issue 1 · IT News · Security Boulevard

The Half of Agent Security You're Not Governing

Security Boulevard, Monday, May 4th, 2026

AI agent security frameworks focus on observable MCP servers while ignoring the opaque reasoning layer where most damage occurs.

Organizations deploying AI agents typically govern only the observable half of their attack surface: MCP servers, which emit structured logs and expose auditable functions. They remain blind to the reasoning layer, where the language model interprets instructions without leaving a forensic trail.

Noma Security's research finds that 76% of MCP servers and 62% of popular Skills carry high-risk capabilities, and argues that the existing "Agents Rule of Two" framework has already been shown ineffective by real-world incidents such as the 2025 Amazon Q and Replit agent compromises.

Rather than attempting to monitor unpredictable agent reasoning, organizations should control the three multiplicative amplifiers they actually can govern: limit capabilities to only the tools a task requires, gate high-risk actions behind human approval, and enforce minimum-privilege credentials that expire.
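One way those three controls look when enforced on every tool call an agent proposes, as an added example that is not code from the Security Boulevard piece or from Noma Security: a policy gate sits between the model's chosen action and the executor, applying a capability allowlist, a human approval callback for high-risk tools, and a short-lived credential scoped to the single tool being invoked. The tool names, scopes, TTL and the ticket-triage scenario are hypothetical.

```python
"""Tool-call policy gate for an AI agent.

Added example, not code from the Security Boulevard piece or from Noma
Security. It enforces the three controllable amplifiers on every tool call
the model proposes: a capability allowlist, human approval for high-risk
tools, and a short-lived credential scoped to the single tool being invoked.
All tool names, scopes and TTLs below are hypothetical.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopedCredential:
    """Credential minted per call; bound to one tool and its minimum scopes."""
    tool: str
    scopes: frozenset
    issued_at: float
    ttl_seconds: int

    def is_expired(self, now: float) -> bool:
        return now >= self.issued_at + self.ttl_seconds


class ToolGate:
    def __init__(self, allowed_tools, high_risk_tools, tool_scopes,
                 credential_ttl, approver):
        self.allowed_tools = frozenset(allowed_tools)
        self.high_risk_tools = frozenset(high_risk_tools)
        self.tool_scopes = {t: frozenset(s) for t, s in tool_scopes.items()}
        self.credential_ttl = credential_ttl
        self.approver = approver          # callable(tool, args) -> bool
        self.audit = []                   # every decision, including denials

    def _deny(self, tool, args, reason):
        self.audit.append({"tool": tool, "args": args, "decision": "deny",
                           "reason": reason})
        return None, reason

    def authorize(self, tool, args, now=None):
        """Return (credential, reason); credential is None when denied."""
        now = time.time() if now is None else now
        # Amplifier 1: capability. A tool the task does not need is not
        # callable at all, whatever the model's reasoning concluded.
        if tool not in self.allowed_tools:
            return self._deny(tool, args, "tool not in allowlist")
        # Amplifier 2: human gate on high-risk actions. Fail closed: no
        # approval means no call.
        if tool in self.high_risk_tools and not self.approver(tool, args):
            return self._deny(tool, args, "human approval refused")
        # Amplifier 3: mint a credential that carries only this tool's scopes
        # and expires quickly, instead of handing the agent a standing key.
        cred = ScopedCredential(tool, self.tool_scopes.get(tool, frozenset()),
                                now, self.credential_ttl)
        self.audit.append({"tool": tool, "args": args, "decision": "allow",
                           "scopes": sorted(cred.scopes)})
        return cred, "authorized"

    @staticmethod
    def check_credential(cred, tool, now):
        """Executor-side check immediately before the call actually runs."""
        if cred.tool != tool:
            return False, "credential bound to a different tool"
        if cred.is_expired(now):
            return False, "credential expired"
        return True, "ok"


# Constructed configuration and tool requests for a hypothetical ticket-triage agent.
def demo():
    # Stand-in for an interactive approver: approves closing one ticket,
    # refuses anything that would touch production.
    def approver(tool, args):
        return tool == "close_ticket" and args.get("ticket") == "T-42"

    gate = ToolGate(
        allowed_tools={"read_ticket", "close_ticket", "deploy_service"},
        high_risk_tools={"close_ticket", "deploy_service"},
        tool_scopes={"read_ticket": {"tickets:read"},
                     "close_ticket": {"tickets:write"},
                     "deploy_service": {"deploy:prod"}},
        credential_ttl=60,
        approver=approver,
    )
    t0 = 1_000_000.0
    results = {}
    results["read"] = gate.authorize("read_ticket", {"ticket": "T-42"}, now=t0)
    results["close"] = gate.authorize("close_ticket", {"ticket": "T-42"}, now=t0)
    results["deploy"] = gate.authorize("deploy_service", {"env": "prod"}, now=t0)
    results["shell"] = gate.authorize("run_shell", {"cmd": "curl http://example.invalid"}, now=t0)
    # Reusing the read credential after its TTL, or for another tool, fails.
    read_cred = results["read"][0]
    results["late"] = ToolGate.check_credential(read_cred, "read_ticket", t0 + 61)
    results["wrong_tool"] = ToolGate.check_credential(read_cred, "close_ticket", t0)
    return results, gate.audit


if __name__ == "__main__":
    out, audit = demo()
    for name, (value, reason) in out.items():
        print(f"{name:10s} {reason}")
```

The gate never inspects why the model chose an action; it only decides whether that action is reachable, approved and credentialed, which is the point of governing the amplifiers instead of the reasoning. The audit list records denials as well as allows, so a model that repeatedly proposes `run_shell` or production deploys shows up in the log even though none of those calls executed.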
