Photo by selcuk sarikoz on Unsplash
One in twelve. That is the proportion of developers who have a high or critical security vulnerability lurking inside their Model Context Protocol (MCP) servers — the integration layer that lets AI coding agents reach into filesystems, CI pipelines, and external APIs without human sign-off on every step. Snyk surfaced that figure on June 23, 2026, from an analysis of 9,700 real developer environments, publishing it alongside the launch of Evo Agentic Development Security (ADS), a platform built to govern what no existing security tool was designed to watch.
SiliconANGLE carried the exclusive telemetry details; Yahoo Finance covered partnership announcements and Snyk's role as the exclusive security-track sponsor at the AI Engineer World's Fair. The picture that emerges across both sources is not just a product launch — it is an audit of an industry caught running faster than its guardrails.
The Evidence: A Security Blind Spot Built Into Every Dev Machine
The numbers Snyk published deserve to be read slowly. As of June 23, 2026, 43% of developers in the telemetry sample run two or more AI coding environments simultaneously — GitHub Copilot alongside Claude Code, Windsurf next to Codex, or some other combination. More than 50% have MCP servers installed; in one environment, Snyk's scan found more than 80 active MCP servers on a single machine.
Each of those servers is a privileged conduit. MCP is the protocol — popularized by Anthropic and now adopted across the AI tooling ecosystem — that lets agents invoke tools: search the web, write to a database, call an internal API, push to a repository. It is also, as researchers discovered in the first four months of 2026, a rich attack surface. Between January and April 2026, security researchers disclosed over 40 CVEs against MCP implementations. In April 2026, OX Security disclosed systemic remote code execution vulnerabilities affecting all major MCP SDKs — Python, TypeScript, Java, and Rust — across more than 7,000 public servers representing over 150 million downloads.
Against that backdrop, the 1-in-12 figure is alarming rather than surprising. What is surprising is that it was previously unmeasured. As Snyk CTO Manoj Nair stated: "Ask a security leader for a complete inventory of the AI agents, MCP servers and skills running across their developer machines and in most organizations that inventory doesn't exist."
That is not a tooling failure. It is an architectural assumption failure. Traditional application security was built to scan artifacts — code after it was written, containers after they were built, dependencies after they were declared. It was never designed to govern the systems generating the code, vet the tools those systems call, or enforce runtime policies on autonomous agents making decisions faster than any human approval cycle can follow.
What Snyk's 9,700-Environment Scan Actually Turned Up
Beyond the headline figures, the telemetry data reveals a structural pattern worth examining carefully.
Chart: Snyk telemetry across 9,700 developer environments as of June 23, 2026, showing the proportion of developers in each AI agent security exposure category.
Nearly one in four developers have agent skills installed, averaging 18 per developer. That density matters because more than 1 in 10 of those skills reference external dependencies or externally hosted instructions — meaning an agent's behavior can be influenced by content fetched at runtime, not just by what was audited at install time. This is the prompt injection vector that security researchers have flagged repeatedly: an adversarially crafted document, web page, or API response can redirect an agent's next action without touching the underlying model or the developer's source code at all. As security research findings have established, zero agentic AI systems are currently secure against prompt injection attacks — any AI operating in an adversarial environment is vulnerable.
The code those agents produce compounds the exposure. A December 2025 study found that AI-generated code introduces 2.74 times more security vulnerabilities than human-written code. As of 2026, AI coding agents generate an estimated 30 to 40 percent of enterprise code. Agentic AI adoption currently outpaces governance by a ratio of 8 to 1, with enterprises deploying nearly three times more untracked software components per AI model than they were before agents became the default integration pattern. The math is not comfortable.
What It Means for Production AI Workflows
The Forrester Agentic Development Security framework, introduced in 2026, defines ADS as a new AppSec operating model that must function at machine speed rather than human speed. That framing clarifies why existing tools fall short — not from negligence, but from a mismatch in assumptions. A static analysis scanner runs after code is committed. An SBOM (software bill of materials — a structured inventory of software components and their dependencies) tool catalogs declared dependencies. Neither intercepts an agent mid-execution as it selects which tool to call next.
Evo ADS addresses this through three distinct governance layers. First, supply chain security targeting MCP servers and skills — applying the same dependency vetting logic Snyk built its reputation on, now extended to the agentic tool layer rather than npm packages. Second, real-time behavior governance that can enforce policies while agents are running, not after. Third, AI-generated code security applied specifically to the output of coding agents. Snyk had announced general availability of Evo AI-SPM in March 2026, featuring Discovery, Risk Intelligence, and Policy agents for automated governance; Evo ADS is its developer-facing counterpart shipped just three months later.
The urgency is partly explained by adoption velocity. Microsoft reported 4.7 million paid Copilot subscribers as of 2026, up 75% year-over-year. Forrester's 2026 Security Survey found that 49% of security decision-makers named agentic AI as a top concern, specifically citing the risk of agents impersonating each other and escalating privileges — a consequence of what Forrester describes as a nonhuman identity (NHI) problem that enterprise IAM ecosystems have not yet resolved. Gartner, in its top-six cybersecurity trends for 2026, identified IAM adaptation for AI agents as critical, recommending proportional governance scaled to each agent's autonomy level rather than treating agentic AI as either fully trusted or fully locked down — noting that the binary approach is the root cause of governance failure.
Early adopters reinforce the enterprise appetite. Relay Network LLC, which runs GitHub Copilot, Codex, Windsurf, and Claude Code simultaneously, is among the organizations piloting Evo ADS. Accenture's cybersecurity practice has publicly endorsed the product. Enterprises with heterogeneous agent stacks — the norm, not the exception — are the natural first movers, since they are already living with the inventory gap Nair described and have the most to gain from a unified governance layer.
This pattern of security infrastructure lagging an emerging attack surface is well-documented, as examined in a related analysis on AI vulnerability scanning at cyber.newslens.me. What differs with AI agents is the speed of that lag — measured in months, not years.
Photo by Bernd 📷 Dittrich on Unsplash
Where Agentic Security Breaks in Production
Three failure modes are worth naming plainly, because no vendor demo will volunteer them.
Context window poisoning at the skill layer. When a developer installs 18 agent skills — the average in Snyk's telemetry — each skill description contributes tokens to the agent's context. Adversarially crafted skill descriptions can redirect agent behavior before any code runs. Snyk's supply chain layer vets skills at install time, but cannot fully govern skills that fetch their instructions dynamically at runtime from external sources. This is an architectural constraint, not a product gap. It is also the attack surface that 1-in-10 skills in Snyk's data are directly exposed to.
Policy enforcement latency versus agent execution speed. Real-time behavior governance sounds straightforward but runs into a hard latency problem: agents executing at machine speed will complete multiple sub-actions in the time a policy check round-trips to a central enforcement point. Production agentic pipelines will almost certainly need to pre-compute allowlists for common tool-call sequences rather than evaluating every call inline. What that looks like in practice is closer to a firewall ruleset than a traditional security review — and it requires the same careful maintenance that firewall rules require.
The identity problem won't wait for a governance platform. Forrester's observation about nonhuman identities is not peripheral to this story — it is central. An agent that can inherit a developer's OAuth token without scoped constraints, or that can impersonate another agent in a multi-agent pipeline, turns every security boundary into a suggestion. Evo ADS governs behavior within a session, but the IAM layer that determines what credentials an agent can acquire in the first place sits outside what any single security vendor controls unilaterally. Until IAM platforms ship first-class NHI support, this gap persists regardless of which governance tool is deployed on top of it.
How to Act on This
Snyk's telemetry demonstrated that most organizations lack a complete picture of which AI agents, MCP servers, and skills are running across developer machines. Before committing budget to any governance platform, document every AI coding environment in use, every MCP server installed, and every external service those servers can reach. This is baseline attack surface mapping — and it is a prerequisite for any governance tool to function, not a step to skip in favor of faster deployment.
Each AI coding agent running in your environment likely inherits some portion of a developer's credentials — OAuth tokens, API keys, repository access. Audit what those credentials can do and constrain them. An agent scoped to read from a specific repository and push to a feature branch carries a fundamentally different risk profile than one holding a full organizational token. This is implementable today without any dedicated ADS platform, and it reduces the blast radius of the NHI problem that Forrester and Gartner both identified as unsolved.
Given the 2.74x vulnerability multiplier documented in the December 2025 research, code review processes for AI-generated output need a higher bar — not because the agent is malicious, but because its training data reflects decades of human-written insecure patterns. Add static analysis gates specifically flagged for AI-committed code, track defect rates by code origin, and build feedback loops that surface which agent configurations produce cleaner output. Security posture for AI-generated code should be measured and iterated the same way model performance is.
Bottom Line
Snyk's Evo ADS, with general availability scheduled for June 29, 2026, is the most fully-specified attempt to date to build governance infrastructure for autonomous AI development workflows at the supply chain, runtime, and code output layers simultaneously. The telemetry it published is independently valuable regardless of product adoption — it is the first systematic measurement of MCP exposure across a large real-world developer sample, and it puts concrete numbers on a risk that most enterprises had only estimated informally.
Information security spending reached $244.2 billion in 2026, up 13.3% year-over-year, according to the research data. Yet enterprises spend an estimated 17 times more on AI tools than on securing those tools. The global AI coding assistant market was estimated at between $8.5 billion and $9.46 billion in 2026, growing at a compound annual rate of 23.7% to 26.23%. In my analysis, the 17x spending imbalance is the most actionable data point in this entire story — not as an indictment of any specific vendor or organization, but as a structural signal that security investment has not been proportionally allocated as AI development tools moved from assistants to autonomous agents. Evo ADS is a credible architectural response to a real and measurable gap. It is not, by itself, the gap closed.
Disclaimer: This article provides editorial commentary on publicly reported events and is intended for informational purposes only. It does not constitute security, legal, or financial advice, nor does it represent an endorsement of any product or service. Research based on publicly available sources current as of June 23, 2026.