88%. As of June 17, 2026, that is the share of organizations that confirmed or suspected an AI agent security incident in the past twelve months, according to the Gravitee State of AI Agent Security 2026 report. Not a fringe group of experimental pilots—the majority of enterprises running autonomous AI have already had something go wrong. The question has shifted from whether agentic systems get compromised to whether security teams can even see it happening.
Help Net Security first reported the announcement: on June 17, 2026, WitnessAI launched Agentic Control, a platform purpose-built to monitor and govern AI agents, the tools they invoke, and access to Model Context Protocol (MCP) servers—the communication layer that lets agents call external tools, databases, and APIs without direct human mediation for each action.
The Gap That Traditional Security Cannot Cover
The business context matters here. In January 2026, WitnessAI closed a $58 million Series B led by Sound Ventures—the venture firm co-founded by Ashton Kutcher, who framed the enterprise AI problem plainly: "The primary barrier to enterprise AI adoption isn't tech debt; it's tech doubt." The round also drew angel investment from Nicole Perlroth, cybersecurity author and founder of Silver Buckshot Ventures, whose national-security cyber focus signals that Agentic Control is attracting attention beyond the standard enterprise security buyer. Total funding now exceeds $85 million. Since the January close, WitnessAI reports over 500% ARR growth in twelve months and a 5x increase in headcount—growth curves that track a security category that barely had a name two years ago.
The platform already governs usage across 4,000+ AI applications supporting 100+ model types, with production deployments across six major sectors: financial services, utilities, automotive, airlines, retail, and telecommunications. For enterprises in financial services running AI investing tools for portfolio analysis or risk modeling, the agent security problem is especially sharp—agents that can read trade data, query pricing APIs, and draft reports represent precisely the tool-chain that sophisticated attackers now target.
The structural problem is that conventional security tooling was designed to watch humans interact with software. It logs user logins, flags unusual file downloads, and monitors network egress patterns. When an AI agent autonomously calls an MCP server to retrieve sensitive documents and then passes those contents to a downstream tool invocation, that entire transaction is invisible to standard DLP (data loss prevention) and SIEM (security information and event management) systems. As of June 2026, only 21.9% of organizations treat AI agents as independent entities with dedicated access controls, per Gravitee's research—a governance assumption that has not kept pace with the deployment reality.
The threat evidence is already concrete. Security researchers identified 30 critical CVEs in widely-copied MCP reference server implementations in early 2026, primarily path-traversal and argument-injection flaws. The first malicious MCP package, discovered in September 2025, operated undetected for two weeks while exfiltrating email data. The April 21, 2026 Vercel breach made the pivot scenario explicit: attackers moved from a compromised third-party AI tool (Context.ai) into internal systems through exactly the agent-mediated pathway that Agentic Control is designed to block.
The Three-Layer Architecture
WitnessAI CEO Rick Caccia framed the competitive position directly: "Most AI security vendors hand the buyer a choice: govern employees, govern apps, or govern agents. WitnessAI removes that choice." He added: "We are the only AI security vendor that can secure every AI interaction, everywhere, with a unified solution." Agentic Control's design maps three distinct capabilities onto three distinct gaps in agent security.
First, automatic agent discovery with an MCP Catalog that scores every discovered server against OWASP and CVE risk criteria. SiliconANGLE's coverage of the January 2026 funding noted that the platform surfaces agents running inside Claude Desktop, ChatGPT plugins, VS Code extensions, and frameworks like LangChain, LlamaIndex, CrewAI, and AutoGPT—categories that traditional endpoint security tools have no signatures for.
Second, organization-wide approved-tool governance: a policy layer that controls which agents may invoke which capabilities under which conditions, enforced consistently across the enterprise rather than siloed by team or application.
Third, runtime enforcement with prompt injection protection: inline detection of malicious instructions embedded in content the agent processes. SecurityWeek's reporting highlighted a fourth capability that doesn't always lead the product narrative: identity bridging, which connects human identities to the agents acting on their behalf and captures decision context. When an agent exfiltrates data, the audit trail shows not just that a tool call happened, but which human delegated that authority and what task it was supposed to serve.
Chart: Three governance metrics from the Gravitee State of AI Agent Security 2026 report, illustrating how agent deployment has outpaced security controls across the enterprise.
Where This Breaks in Production
The platform's 99.3% true positive rate on employee AI guardrails is a meaningful number. But the harder problem is the denominator. An average organization experiences 223 AI-related data policy violations per month, per WitnessAI's data as of June 2026, and 63% of organizations cannot enforce purpose limitations on agents at all. Many of those violations are invisible events—not surfaced incidents, just unmonitored tool calls that never triggered any alert. Catalog scoring and rule-matching cannot close that gap alone.
Three production failure modes deserve specific attention:
Context window blowups during multi-step tool use. When an agent runs a chained task—read document, summarize, query database, draft email—each step expands the context. Prompt injection attacks exploit this directly: a malicious instruction buried deep in a large document may be followed inconsistently across runs, making detection through static string-matching unreliable. Runtime protection that depends on cataloged attack signatures will miss novel injection patterns by construction. This is the variant of the problem that does not show up in CVE databases until it has already been exploited in the wild.
Tool-call loops and scope creep. Agents in production don't always stop when they should. A poorly scoped MCP server can allow recursive tool invocations—reading data, rewriting it, triggering downstream workflows—that the original human intent never authorized. Identity bridging helps by tethering agent actions to human decision context, but only if the governance layer has a model of what authorized scope looks like per task type. Most enterprises haven't built that model yet, which means the identity bridge has nothing solid to anchor to.
MCP catalog coverage lag. WitnessAI's discovery mechanism scores servers against OWASP and CVE databases—but new MCP packages appear continuously, and malicious packages may operate for weeks before CVE assignment. The September 2025 email exfiltration package ran undetected for two weeks. Catalog scoring is a lagging indicator, and organizations treating it as a primary control are accepting the same exposure window that let that package run for fourteen days unchallenged.
This dynamic echoes a pattern that AI Shield Daily documented in the ShinyHunters education sector breach: attackers now specifically target environments where AI tools are implicitly trusted, because implicit trust creates the gap between what security policies declare and what agents actually execute.
What Security Teams Should Do Now
The foundation isn't a platform purchase—it's knowing what you have. Pull logs from developer workstations, IDE plugins (VS Code extensions are common blind spots), and cloud environments to identify every active MCP server. Even a manual audit using open-source MCP tooling will surface the discovery gap and establish a baseline for any governance deployment. You cannot score servers against OWASP criteria you haven't found yet.
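The manual inventory step above, as an added example that is not WitnessAI's or any MCP client's code: it parses a constructed config in the `mcpServers` layout that Claude Desktop uses (other clients use similar but not identical layouts and would need their own mapping) and flags the signals a baseline audit should capture, such as packages resolved fresh at every launch, which is exactly the window where catalog scoring lags.

```python
import json
import re

# Constructed sample config in the "mcpServers" -> name -> command/args/env or url
# layout. Server names, packages, paths and the URL are sample values only.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/dev"]},
        "pinned-db": {"command": "npx", "args": ["-y", "example-db-server@1.4.2"],
                      "env": {"DB_URL": "postgres://db.internal/prod"}},
        "remote-crm": {"url": "https://mcp.example.invalid/sse"},
        "local-script": {"command": "python", "args": ["/opt/tools/mcp_local.py"]},
    }
})

# A package argument counts as pinned only when it carries "@<version>" (scoped or not).
PINNED = re.compile(r"^(@[\w.-]+/)?[\w.-]+@\d")


def inventory(config_text, key="mcpServers"):
    """Return one record per configured MCP server with the risk signals a reviewer wants."""
    servers = json.loads(config_text).get(key, {})
    records = []
    for name, spec in servers.items():
        signals = []
        args = spec.get("args", [])
        if "url" in spec:
            transport = "remote"
            if not spec["url"].startswith("https://"):
                signals.append("remote-server-not-https")
        else:
            transport = "stdio"
            # npx/uvx without a version pin fetches whatever is published at launch time,
            # so the binary that runs tomorrow may not be the one the catalog scored today.
            if spec.get("command") in ("npx", "uvx") and not any(PINNED.match(a) for a in args):
                signals.append("unpinned-package")
        if spec.get("env"):
            # Env vars are where connection strings and tokens usually live; record the names.
            signals.append("env-secrets:" + ",".join(sorted(spec["env"])))
        records.append({"name": name, "transport": transport,
                        "command": spec.get("command") or spec.get("url"),
                        "args": args, "signals": signals})
    return records
```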
As of June 2026, only 21.9% of organizations give AI agents dedicated access controls. Every agent—whether built on LangChain, CrewAI, a proprietary financial planning automation stack, or a commercial AI investing tool used in regulated workflows—needs a service identity, scoped permissions, and an audit trail tied to the authorizing human. That foundation must exist before any governance platform can enforce policy against it.
Runtime injection protection is only as good as the attack corpus it's tuned against. Security teams should be feeding agent systems adversarial documents—content specifically crafted to redirect agent behavior toward unauthorized tool calls—before relying on vendor-provided detection. This is eval-driven development applied to security: build a test set that reflects real attacker intent, not just CVEs cataloged from six months prior.
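The identity bridge, the per-task scope model from the tool-call-loop discussion, and the service-identity requirement above, combined in one added example that is not WitnessAI's code: a gate that ties every tool call to the delegating human, denies calls outside the task type's authorized scope, and caps calls per task so a recursive invocation chain stops. Task types, tool names and identities are assumptions for the example; the out-of-scope case shows why scope enforcement catches an injected action even when no injection signature matched.

```python
from dataclasses import dataclass, field

# Constructed scope model: which tools each task type may invoke. This is the
# "model of what authorized scope looks like per task type" the article says is missing.
TASK_SCOPES = {
    "quarterly-report": {"read_document", "query_pricing", "draft_report"},
    "inbox-triage": {"read_email", "label_email"},
}
MAX_CALLS_PER_TASK = 10  # call budget per task: bounds recursive tool-call loops


@dataclass
class Delegation:
    """Identity bridge: which human authorised which agent for which task."""
    human: str
    agent: str
    task_type: str
    task_id: str


@dataclass
class Gate:
    audit: list = field(default_factory=list)
    counts: dict = field(default_factory=dict)

    def authorize(self, d: Delegation, tool: str, args: dict) -> bool:
        n = self.counts.get(d.task_id, 0) + 1
        self.counts[d.task_id] = n
        if n > MAX_CALLS_PER_TASK:
            verdict = "deny:call-budget-exceeded"
        elif tool not in TASK_SCOPES.get(d.task_type, set()):
            verdict = "deny:out-of-scope"
        else:
            verdict = "allow"
        # Every decision is recorded with the delegating human and task, not just the agent,
        # so the transaction is no longer invisible to downstream monitoring.
        self.audit.append({"task_id": d.task_id, "human": d.human, "agent": d.agent,
                           "task_type": d.task_type, "tool": tool, "args": args,
                           "verdict": verdict})
        return verdict == "allow"


def run_example():
    gate = Gate()
    d = Delegation("alice@corp.example", "report-bot", "quarterly-report", "t-1")
    ok_read = gate.authorize(d, "read_document", {"path": "q2.pdf"})
    # Suppose content in q2.pdf steers the agent toward sending mail: the call is
    # outside the task's scope, so it is denied and attributed to alice's delegation.
    ok_mail = gate.authorize(d, "send_email", {"to": "external@example.invalid"})
    return ok_read, ok_mail, gate.audit
```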
Frequently Asked Questions
What is agentic AI security and how does it differ from standard AI safety?
Standard AI safety focuses on preventing harmful model outputs—biased text, dangerous instructions, policy violations in conversational sessions. Agentic AI security addresses autonomous systems that act by invoking tools, calling APIs, reading files, and executing workflows without human approval at each step. The threat model shifts from "what did the model say" to "what did the agent do, on whose authority, and with what access." These are security engineering problems, not content moderation problems, and they require a fundamentally different class of tooling.
What is Model Context Protocol (MCP) and why does it create enterprise security risks?
MCP, introduced by Anthropic in November 2024 and officially adopted by OpenAI in March 2025, is an open standard that lets AI agents communicate with external tools and data sources through a standardized broker. The agent requests an action and the MCP server executes it against the underlying system—the agent itself never touches the resource directly. Security researchers identified 30 critical CVEs in widely-copied MCP reference implementations in early 2026, primarily path-traversal and argument-injection flaws. The first malicious MCP package operated undetected for two weeks while exfiltrating email data. MCP traffic is also largely invisible to conventional security monitoring, which compounds the risk considerably.
How do AI agents pose unique security risks compared to traditional software?
Traditional software follows deterministic code paths that security teams can analyze statically. AI agents make autonomous decisions about which tools to invoke, which data to access, and how to chain actions—and those decisions can be manipulated by adversarial content the agent encounters mid-task, a technique called prompt injection. As of June 2026, autonomous agents account for 1 in 8 reported AI breaches, according to the Gravitee State of AI Agent Security 2026 report. The attack surface expands with every new MCP tool connection an agent is granted, with no static analysis able to predict all possible tool-call sequences.
Should enterprises delay AI agent deployments until the agentic security market matures further?
Probably not—but sequencing matters significantly. The agentic AI security market is projected to grow from $1.65 billion in 2026 to $13.52 billion by 2032, reflecting a 42.0% compound annual growth rate, which indicates tooling is maturing at pace with the threat. As of June 2026, 45% of organizations run agents in production, up from just 12% in 2023—deferral is no longer a realistic option for most large enterprises. The pragmatic path is to start with bounded, low-risk agent tasks, implement agent identity controls and MCP inventories early, and layer in runtime enforcement as platforms build production track records across real enterprise deployments.
Bottom line: WitnessAI's Agentic Control addresses a genuine and underserved security problem with a three-layer architecture—discovery, governance, runtime enforcement—anchored by identity bridging that connects agent actions to human authorization chains. The 500%+ ARR growth in twelve months and six-sector production deployment data are credible signals of product-market fit in a category that barely had dedicated tooling eighteen months ago. In my analysis, the identity bridging capability is the most strategically durable piece of this architecture: it is the component that makes compliance arguments legible to regulators and audit teams, not just security engineers, and it is the layer that separates genuine agent security from agent monitoring. The open question is how the platform handles multi-agent orchestration at scale—chains of specialized agents delegating to each other across MCP boundaries in different organizational contexts—which is where the next generation of attacks will almost certainly focus. Enterprises already running agents in production, particularly those using AI investing tools, customer service automation, or complex financial planning workflows across regulated sectors, should treat agent identity infrastructure and MCP server inventories as immediate priorities, independent of which security platform they ultimately choose.
Disclaimer: This article is editorial commentary for informational and educational purposes only and does not constitute financial, legal, or security advice. Research based on publicly available sources current as of June 17, 2026.