The Agentic Workspace era: The Shadow AI crisis, MCP vulnerabilities and IBAC
When machines are granted autonomy, cybersecurity risks no longer lie in buggy code, but in the actual intent behind the prompts.
- 70% of enterprises currently fail to achieve secure AI governance, while 68% of employees are quietly using unsanctioned AI tools, creating massive internal data leak risks.
- Prioritizing seamless connectivity over authentication in the Model Context Protocol (MCP) has paved the way for hackers to execute Remote Code Execution (RCE) and launch attacks like CursorJack directly targeting developers.
- Traditional permission systems are easily bypassed by Prompt Injection and Tool Poisoning, turning AI agents into internal saboteurs.
- Intent-Based Access Control (IBAC) continuously evaluates and blocks out-of-context behaviors in real-time, working alongside comprehensive control ecosystems (like Proofpoint Nexus, Satori and the Secure Agent Gateway) to ensure AI Agent integrity.
The way we work is being fundamentally reshaped by Generative AI and Autonomous Agents. We are entering the era of the Agentic Workspace - where AI is no longer a passive tool waiting for commands, but a bona fide collaborator. These systems can reason, make decisions, execute complex tasks via APIs and share human access to a company's raw data. However, with breakthrough technological power comes a new wave of challenges that vastly outpace traditional security methodologies. Today's cybersecurity risks extend far beyond buggy code, zero-days, or standard network intrusions; the threat landscape has expanded into highly complex territory: prompt context, the intent behind operations and machine autonomy.
Based on the "2025 State of AI Security" report by Acuvity (a Proofpoint company) and the latest global research, we now have a comprehensive look at the current state of AI security. Here, Migovi will dive deep into architectural vulnerabilities, how AI is upending traditional authorization structures and why enterprises must pivot from static security perimeters to Intent-Based Security models.
Article content
The evolution of risk
To grasp just how urgent the AI security crisis is, we need to look at how digital threats have evolved. Historically, the digital workspace revolved around email, cloud apps and SaaS. Back then, cybersecurity strategy was simply about building "fortress walls" around the internal network.
However, as remote work took over, email ceased to be just a communication tool; it became an individual's core artifact of identity. That’s exactly why email morphed into the premier attack vector for hackers leveraging social engineering, Business Email Compromise (BEC) and account takeovers.
Previously, using generative AI was like ordering around an intern: you say "write me an email," the intern drafts it and you have to manually copy and send it. But in an Agentic Workspace, the AI is a full-fledged executive assistant. You simply command, "Prepare next week's bidding dossier." The AI autonomously figures out which Google Drive folder to open, pulls data from Excel, drafts the email and automatically sends it to the partner on time. It reasons and makes decisions on your behalf.
Jennifer Chen, VP of Cybersecurity Strategy for APJ at Proofpoint, highlighted this shift: The security focus had to pivot from perimeter defense to human-centric security. The massive expansion of cybersecurity conglomerates is proof of this trend. Since going private in 2021, Proofpoint has grown aggressively, securing nearly 3 million global customers. In the APJ region alone, their expert team has tripled, processing trillions of emails annually. This colossal dataset serves as the training fuel for their Machine Learning models, allowing the system to preemptively neutralize unprecedented threats.
But the explosion of Generative AI and Autonomous Agents changes the rules entirely. Phishing campaigns are now automated by AI, perfectly mimicking the writing style of C-level executives and rendering legacy defense rules useless. The risk isn't just external anymore - it's coming from inside the house, as employees carelessly feed confidential data into unvetted AI tools.
The reality is that "AI colleagues" are now sharing the workspace with humans. They click links, share files and make decisions. Consequently, they are easily victimized by Prompt Injection/Engineering or can accidentally leak internal data. This forces the cybersecurity industry to evolve once again: Securing the Agentic Workspace means not only protecting the humans but also strictly monitoring the behaviors and intents of the machines.
"The State of AI Security 2025" report
The "State of AI Security 2025" report by Acuvity features in-depth surveys of over 275 tech leaders, CIOs and CISOs at enterprises ranging from 500 to over 10,000 employees. The data paints a stark picture of the gap between technology adoption and risk control capabilities. Legacy security systems were designed for static, isolated endpoints, whereas modern AI flows seamlessly across these boundaries, operating simultaneously on local files, internal networks, data lakes and the cloud. The maturity gap in AI governance is broken down into five tiers:
- None (3%): Absolutely no dedicated policies, rules, or control frameworks for AI.
- Ad hoc (30%): Management is patchwork, reactive and handled on a case-by-case basis when incidents occur.
- Defined (20%): A clear written governance framework exists, but lacks automation and deep telemetry in runtime environments.
- Managed (32%): Basic performance metrics are established, maintaining periodic risk reporting for mid-level management.
- Optimized (16%): Risk assessment is integrated at the board level, with comprehensive automated AI monitoring and continuous, reality-based policy updates.
The study reveals that a staggering 70% of organizations currently fail to achieve secure AI governance. Nearly 40% (the sum of None, Ad hoc and Defined) are operating almost "blind" - completely lacking the infrastructure for measurement and risk adaptation. This leaves enterprises perpetually on the back foot against AI-driven threats. According to Satyam Sinha, CEO of Acuvity, AI is altering the very nature of risk, forcing leaders to confront potential disasters that they openly admit they are unprepared to control.
Shadow AI - The unexpected insider threat
It's not hired hackers; your own employees are your biggest liability. Roughly 50% of enterprises believe their next data breach will stem from AI. The culprit? The naive pursuit of productivity via AI.
Companies deploy secure internal networks, but when an employee finds the process too cumbersome, they copy files to a USB flash drive and go to an internet cafe to print them. Shadow AI is the exact same concept. Employees find company-sanctioned AI tools too slow or restrictive, so they secretly use free, public AI chatbots to quickly summarize reports or debug code. As a result, they unwittingly upload trade secrets and proprietary code to a stranger's server.
The Bring-Your-Own-AI (BYO-AI) trend is fueling the Shadow AI phenomenon. A concerning 68% of employees are quietly using unvetted AI tools. Even scarier, AI features are now stealthily embedded directly into platforms like Figma, Zoom and Salesforce. They silently scrape and push internal data to third-party servers entirely under the IT radar. Take the disaster in New South Wales: a naive employee uploaded a spreadsheet containing the sensitive medical information of 3000 people to ChatGPT just to... format it nicely. The result was a massive data breach. Combined with the rampant habit of granting "public internally" access on Google Drive or OneDrive, AI has morphed into an ultimate data-harvesting machine for any bad actor looking to exploit it.
Proofpoint illustrated this with a hypothetical scenario involving "Emily Davis," a casino employee. The security system caught Emily repeatedly prompting an AI to inquire about the exact cash transit routes inside the casino. By utilizing a timeline interface combined with an AI-integrated visual insight system, the security team connected the dots on Emily's abnormal behavioral loop. From there, they accurately assessed the malicious intent and instantly shut down the meticulously planned data theft scheme.
The fatal flaw of MCP
The beating heart of AI Agents - and the biggest architectural black hole in modern cybersecurity - is the Model Context Protocol (MCP). Developed by Anthropic, MCP is a foundational open-source standard that allows Large Language Models (LLMs) and AI Agents to seamlessly interface with external tools, internal databases and enterprise services.
To get an AI to pull data from various apps (Slack, Jira, Email...), developers previously had to build custom "plugs" (APIs) for each one. MCP acts like a universal power strip: plug any AI into it and it works instantly. But the fatal flaw is that this power strip was designed without a fuse; anyone can plug in and draw power without the system checking if the device is safe. This makes it incredibly easy for hackers to infiltrate and execute malware on internal systems.
Historically, for an AI system to "talk" to external software (like reading emails, creating Jira tickets, or running SQL queries), developers had to write custom API connectors for each specific tool. MCP completely upends this by employing a client-server architecture. A dev only needs to spin up a single MCP server, which exposes the tool's entire feature set via a standardized JSON Schema. The AI Agent (acting as the client) then actively "discovers" the tool's metadata, learns how to use it and utilizes function calling to execute tasks automatically.
This sheer convenience is the catalyst for a booming supply chain, boasting over 150 million downloads and hundreds of thousands of MCP servers running both publicly and privately behind enterprise firewalls. The catch? MCP's design philosophy harbors a critical defect: it prioritizes seamless connectivity above all else, completely side-stepping security. The protocol does not enforce any authentication or authorization mechanisms, shifting the security burden entirely onto the implementing developers.
The consequences of MCP's lax design were laid bare in a study by OX Security. The team discovered incredibly severe systemic vulnerabilities right inside Anthropic's official SDK, spanning across every popular programming language from Python and TypeScript to Java and Rust. Abysmal standard I/O (STDIO) handling created a gaping hole, allowing hackers to achieve Remote Code Execution (RCE) on any system running the flawed MCP build. Notably, this isn't a standard code bug; it’s a fundamental flaw in design thinking. It hands attackers direct access to internal databases, API keys, chat histories and troves of sensitive user data on a silver platter.
Vulnerabilities like CVE-2025-65720, CVE-2026-30623, CVE-2026-30624, CVE-2026-30615 and CVE-2026-40933 prove that MCP can be compromised from multiple angles. Hackers can inject hidden commands without any user interaction (zero-click prompt injection) or completely poison marketplaces with malicious, spoofed MCP tools.
The CursorJack nightmare
The threat of the MCP protocol isn't confined to the server side; it strikes straight at the local IDEs on developers' machines. A research team from Proofpoint outlined an attack technique dubbed CursorJack. True to its name, it targets Cursor - an IDE currently taking the programming world by storm thanks to its ultra-smooth LLM integration.
This is a scam aimed squarely at developers. While a dev is using their coding software, a hacker sends a bait link (deeplink) that looks identical to a standard plugin installation link. The IDE is far too permissive; instead of flagging the risk, it automatically executes the installer. With one click, the hacker breaches the machine, stealing system keys, passwords and project source code without the developer ever knowing.
CursorJack exploits how Cursor handles cursor:// deeplinks - which were originally designed to help devs quickly install MCP servers. Through social engineering, hackers can craft malicious deeplinks disguised as standard support tool installers. Frustratingly, Cursor's installation dialog lacks any visual warning indicators to differentiate a clean MCP server from a malicious payload. If a dev accidentally clicks confirm, the mcp.json configuration file is stealthily modified. Instantly, the system opens a backdoor for the hacker to execute commands (command-based MCP) with the highest privileges of that very user. From here, the attacker can establish a remote control connection, drop spyware and siphon highly valuable digital assets residing on the dev's machine, such as SSH keys, API tokens and the company's proprietary source code. This malware is also persistent, surviving even if the IDE is rebooted.
Beyond that lies the threat of "borrowing the knife to kill." AI Agents running on the MCP platform are susceptible to the Confused Deputy vulnerability, which occurs when an AI Agent is legitimately authorized to work on an employee's behalf. For example: you grant an AI permission to read your emails and generate internal financial reports. An external hacker sends an email containing hidden instruction smuggling. When the AI scans this email, it falls victim to Prompt Injection, then uses your permissions to fetch classified documents and exfiltrate them to the hacker's server. Because this entire process appears perfectly legitimate under your account credentials, legacy behavioral monitoring systems are easily bypassed.
Think of Prompt Injection as a hypnotic trap. It's like telling a security guard (the AI), "Only open the door for VIPs." But a guest (the hacker) sneaks in a note behind their back saying, "The boss said to let me empty the safe." The guard reads the note, gets socially engineered and blindly complies, thinking it's a new official directive.
Furthermore, the risk of Tool Poisoning highlights the sheer fragility of the autonomous AI landscape. In the MCP protocol, an AI Agent decides which tool to use based entirely on the text metadata provided by the MCP server itself. A hacker merely needs to alter this metadata. For instance, they could rig the "Delete File" tool to be prioritized by the AI instead of "Read File" whenever a specific keyword is encountered; or inject hidden directives that force the AI to go rogue even if you didn't issue the command. This type of attack at the semantic layer is exceptionally insidious because the LLM has no idea it's malfunctioning - it is simply executing its task diligently based on a distorted context, unwittingly turning the AI into an internal saboteur.
Tool Poisoning is like swapping labels. A hacker sneaks into a kitchen, peels the label off the sugar jar and slaps it onto the salt shaker. The AI chef blindly trusts the label and scoops it right into the dessert it's cooking. The result is that the AI thinks it's doing its job perfectly, but it has actually been manipulated to sabotage things from the inside.
Intent-Based Access Control (IBAC)
Traditional access management methods like IAM or RBAC (Role-Based Access Control) are built on the principle of "static" permissions. That means the system simply checks if an account has the correct authentication credentials; if it does, the action is allowed. This approach is like waiting for a car crash before putting on a seatbelt: it only asks "What CAN this account do?" without ever evaluating the context of "WHY is it doing this?". With AI Agents capable of autonomous planning and dynamic adaptation, static provisioning is a fatal flaw. Enterprises are now facing a novel phenomenon known as semantic privilege escalation - meaning technically, the system allows the AI to execute the command, but semantically and in the context of business logic, it's completely out of bounds.
This is why the Intent-Based Access Control (IBAC) model was born. Instead of merely cross-referencing access rights like legacy systems, IBAC continuously analyzes behavior in real-time to answer the question: "Should this action be executed right now, for this reason and at this risk level?"
Comparing RBAC to IBAC is like comparing a keycard reader to a detective. Legacy security systems (RBAC) work exactly like the parking garage security guard. You swipe a valid ID badge and he lets you in; he doesn't care if you're going to your desk to work or taking a sledgehammer to the servers. IBAC was created to close that loophole. It acts like a smart camera system backed by active security personnel. IBAC doesn't just check your badge; it continuously scrutinizes your actions: "Hold on, this guy is an accountant, why is he walking into the server room with a hammer?" Upon detecting anomalous behavior (deviating from original intent), IBAC immediately slaps the cuffs on (revokes access) before things go south.
To put it simply: An AI Agent is tasked with analyzing cloud spend and is granted API access to the platform. Suddenly, this AI shifts its behavior, leveraging those permissions to spin up new servers or alter network configurations (because it fell victim to a Prompt Injection trap). If using traditional RBAC, the system lets it slide because the API token is still valid. But with IBAC, it instantly cross-references the "create server" action against the original intent of "analyze costs." Detecting a scope violation, IBAC immediately revokes permissions and halts the task before any damage occurs.
Agent Integrity Framework
To formalize this new approach and provide a clear roadmap for CISOs, Proofpoint and industry experts designed the Agent Integrity Framework. This framework ensures that every AI Agent always operates strictly within its designated scope, utilizes correct permissions and exhibits proper behavior during all interactions, tool calls, or data extractions. The integrity of an AI Agent is rigorously measured across three axes: what the AI can do (granted permissions), what it should do (original intent) and what it is actually doing (real-time behavior).
The Agent Integrity Framework relies on five core pillars:
- Intent Alignment: Ensures every AI action, no matter how minute - whether autonomous or user-prompted - is tightly coupled with the original intent and complies with corporate policy. It absolutely blocks semantic overreach.
- Identity and Attribution: Strictly ties the AI's actions to the identity of the individual or system that authorized it. This completely eradicates anonymity and plausible deniability in automated task chains.
- Behavioral Consistency: Establishes normal operational baselines for each type of AI Agent. It then continuously monitors for anomalies or behavioral drift over time. Full Agent Audit Trails: Provides a hard, immutable logging system. This allows administrators to pull the entire transaction history of the AI - from the raw prompt and its reasoning process to the specific tool calls - serving as irrefutable evidence during incident investigations.
- Operational Transparency: Integrates visual dashboards so leadership can grasp the real-time risk landscape and the impact of the AI ecosystem at a glance.
To put these five pillars into practice, Proofpoint laid out a five-phase maturity model, guiding enterprises from a state of chaos to complete technological mastery. The roadmap kicks off with Phase 1: Discovery - focusing on scanning and cataloging all AI apps, MCP servers and shadow AI Agents operating under the radar. This progresses through governance and detection phases, culminating in Phase 5: Runtime Enforcement. At this zenith, the system automatically scans and intervenes at machine speed on every single query. Every action must clear an intent-verification hurdle before execution. This maturity model serves as a blueprint, helping CISOs overcome operational overload and step-by-step "tame" AI into a reliable, tightly controlled digital workforce.
Founded in 2002 by former Netscape CTO Eric Hahn, Proofpoint initially launched with a focus on enterprise spam filtering and email security. Today, Proofpoint is one of the world's premier cybersecurity conglomerates, renowned for its human-centric security philosophy. Nine years post-IPO, in 2021, Proofpoint was taken private by Thoma Bravo (in a $12.3 billion deal) and currently secures data for nearly 3 million global customers, ranging from massive enterprises to government agencies.
Real-time data intervention demo
IBAC sounds great in theory, but how does it fare in practice? Richard Holmes ran a live demo using a common scenario: A developer accidentally copies a block of source code containing an internal password and pastes it into an AI tool for debugging. Here are three distinct outcomes:
- Scenario 1 - Sanctioned but restricted tool (Google Gemini): The moment the code is pasted, the system detects classified data and instantly blocks the transmission. Simultaneously, it triggers an on-screen alert, reminding the dev of corporate security policies.
- Scenario 2 - Unsanctioned tool (DeepSeek): The dev switches to DeepSeek (an unapproved tool). Before the content is even pasted, the system intervenes, demanding the dev input a justification: "Why are you using this tool?" This reason is logged and routed straight to the SOC for future insider threat investigations.
- Scenario 3 - Intervention with a paid tool (ChatGPT): The dev pastes the code containing the plain-text password into ChatGPT (a corporate-licensed tool). Instead of a frustrating hard block, the system silently scans and automatically redacts only the password, then forwards the sanitized code to OpenAI's servers. The result: the dev still gets top-tier AI debugging and the company doesn't sweat a password leak.
In short, a robust IBAC system must understand what type of data is being processed and the destination platform, subsequently applying flexible remediation (ranging from hard blocks to automated redaction). This keeps developers productive while remaining highly secure.
The Proofpoint ecosystem: Satori, Nexus and Secure Agent Gateway
Proofpoint recently acquired Acuvity (a pioneering AI security startup founded by a former Palo Alto Networks executive). This move allowed Proofpoint to unify its architecture, bringing the protection of humans, data and machines under a single cohesive ecosystem.
- Proofpoint Nexus (The Brain): Processes billions of signals daily using Machine Learning and computer vision. It continuously assesses risk and uncovers anomalous intent from even the quietest data streams.
- Proofpoint Zen (The Endpoint Guard): Interacts directly on the employee's machine. It analyzes network traffic, issues real-time alerts and blocks hazardous operations whether you are using a cloud app or a local desktop client.
- Proofpoint Satori (The AI Special Ops): Technology purpose-built for AI Agent security. Satori automates data leak analysis and the detection of highly sophisticated phishing scams, serving as a massive force multiplier for the SOC team.
Meanwhile, the Secure Agent Gateway is the escape hatch for the MCP architectural nightmare. Recognizing that outright banning devs from using MCP is a pipe dream, Proofpoint erected a central checkpoint. Every single stream of MCP data must flow through this gateway and face rigorous OAuth 2.0 authentication. The system scans content in real-time to outright block Prompt Injection and Tool Poisoning, while automatically obfuscating Personally Identifiable Information (PII) before it hits external LLMs.
Furthermore, this gateway actively scans and hunts down rogue MCP servers (Shadow MCP) operating stealthily within the corporate network. To ensure developers can innovate safely without friction, Proofpoint provides an internal repository containing over 800 heavily vetted, clean open-source MCP servers, ready to be containerized and deployed in under 15 minutes.
Finally, every single action generates a pristine audit trail. This data stream is exported via the OpenTelemetry standard directly to familiar SIEM platforms like Microsoft Sentinel, Defender, or CrowdStrike. Because of this, SOC teams can utilize their existing toolkit to gain total visibility over the network without ripping and replacing expensive infrastructure.
Conclusion
The "2025 State of AI Security" report reveals a harsh truth: The explosive rise of Generative AI and the Agentic Workspace is upending the entire enterprise defense paradigm. When AI Agents can autonomously make decisions and interface directly with infrastructure via the MCP protocol, legacy security measures like firewalls and identity access management are officially obsolete. An ecosystem where machines continuously communicate with one another demands a much smarter shield: one that grasps context and cross-references actual behavior against original intent.
The time has come for organizations to pivot from theory to execution. Adopting the Agent Integrity Framework and an Intent-Based Access Control (IBAC) strategy must become the foundational baseline. This roadmap has already been proven viable by Proofpoint via heavy-hitting tools like the Secure Agent Gateway and Satori. Enterprises can finally allow their employees to leverage AI freely without sacrificing data security.
In the fierce arms race of the digital era, the victor won't be the one who buys the flashiest LLM. True power belongs to the organization capable of governing, monitoring and maintaining the integrity of autonomous AI in the most transparent way possible. Re-architecting security to protect the humans, protect the data and now, protect the intent of the AI - that is the strategic imperative to mastering the future of work.
If you are using AI-integrated IDEs like Cursor, exercise extreme caution regarding deeplinks formatted as cursor://. A CursorJack attack can completely siphon your SSH keys, API tokens and source code with just one click on a spoofed installer. Furthermore, absolutely break the habit of copy/pasting raw source code into AI tools (like ChatGPT or DeepSeek) for debugging. Carelessly pasting plain-text passwords without redaction can easily turn you into the "villain" responsible for leaking sensitive corporate data to external servers.
