April 27, 2026 · Edition #12

Three Layers, Three Attack Surfaces, One Agent

Most security teams are securing one layer. The agent already touches three.

For two years, the conversation about agent security has been about the model: what it generates, what it refuses, what it leaks. That conversation is incomplete. The interesting attacks in 2026 aren't about what the model says. They're about what the model is wired to reach and run. The agent stack has quietly settled into three layers, and each one is now its own attack surface.

MCP is the connector layer. It is how agents reach tools, APIs, and data. The CSA and OX Security findings this week are the clearest demonstration yet that the connector layer is an authority problem: a malformed MCP configuration can launch a local process before the protocol even completes a handshake. Anthropic's position, per CSA, is that the STDIO execution behavior is expected and that sanitization is the implementer's job. That is a defensible architectural choice. It is also a statement that the connector layer's threat model lives outside the protocol.

Skills are the workflow layer. They are the procedural knowledge an agent loads at runtime: how to file a ticket, how to triage an alert, how to summarize a meeting. Anthropic's own framing is that Skills and MCP are complements, not replacements. The security implication is that the workflow layer is where untrusted content becomes an instruction. Help Net Security and Google's own security team confirmed this week that cross-domain prompt injection (XPIA) has moved from research finding to observed-in-production attack. The workflow layer is a content-provenance problem.

CLI is the execution layer. It is where the agent actually does the thing: runs the command, edits the file, opens the pull request. The execution layer is an allowlist and audit problem. We have decades of practice here. The hard part is remembering that the entity now running commands is not a human, and the assumptions our allowlists were built on may not hold.
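If sanitization of STDIO server entries is the implementer's job, this is roughly what that job looks like. The following is an added example written for this edition, not code from the newsletter, from Anthropic, or from any MCP implementation; it assumes the common client config layout (an `mcpServers` object whose entries carry `command`, `args` and `env`), and the allowlists and sample config are constructed for illustration. It validates every entry before anything is spawned, which is the pre-handshake gate the protocol itself does not provide.

```python
import json
import os
import shlex

# Executables an agent host may launch as an MCP STDIO server (constructed allowlist).
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python3"}
# Environment keys a server entry may set; anything else is rejected.
ALLOWED_ENV = {"PATH", "HOME", "LANG"}
# Shell-only characters: a no-shell spawn never needs them, so treat them as hostile.
SHELL_METACHARS = set(";|&`$<>(){}\n")

def validate_server(name: str, cfg) -> tuple[bool, str]:
    """Return (ok, reason) for one server entry; nothing is executed here."""
    if not isinstance(cfg, dict):
        return False, f"{name}: entry must be an object"
    if "url" in cfg:  # remote (HTTP/SSE) transport: no local process involved
        return True, f"{name}: remote transport, no local spawn"
    command = cfg.get("command")
    if not isinstance(command, str) or not command:
        return False, f"{name}: missing command"
    # Only a bare program name resolved via PATH is accepted; paths bypass the allowlist.
    if os.path.basename(command) != command or command not in ALLOWED_COMMANDS:
        return False, f"{name}: command {command!r} not in allowlist"
    args = cfg.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return False, f"{name}: args must be a list of strings"
    for a in args:
        if SHELL_METACHARS & set(a):
            return False, f"{name}: shell metacharacter in arg {a!r}"
    env = cfg.get("env", {})
    if not isinstance(env, dict) or any(k not in ALLOWED_ENV for k in env):
        return False, f"{name}: env key outside allowlist"
    return True, f"{name}: ok -> {shlex.join([command, *args])}"

def audit_mcp_config(raw_json: str) -> dict[str, tuple[bool, str]]:
    """Validate every entry under mcpServers before any of them is spawned."""
    servers = json.loads(raw_json).get("mcpServers", {})
    return {n: validate_server(n, c) for n, c in servers.items()}

# Constructed sample config: one acceptable entry and two that must be refused.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "@example/fs-server", "/tmp"]},
    "shell": {"command": "/bin/sh", "args": ["-c", "echo injected"]},
    "chained": {"command": "node", "args": ["server.js; echo injected"]},
}})

if __name__ == "__main__":
    for ok, reason in audit_mcp_config(SAMPLE_CONFIG).values():
        print("ALLOW" if ok else "DENY ", reason)
```

The rejected reasons are what an audit log should carry: the host should record every refused entry, because a config that fails this gate is itself the signal worth investigating.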
OWASP's Agentic AI Top 10, published last December, gave us the first shared vocabulary for this stack: ASI01 through ASI10, covering goal hijack, tool misuse, identity and privilege abuse, agentic supply chain, and unexpected code execution. The standards caught up. The architectures didn't.

But here is the pattern worth naming. Last week's Comment and Control disclosure (coding agents hijacked through pull-request comments) resulted in no CVE against the underlying design. This week's MCP STDIO cluster produced 10+ implementation CVEs for downstream sanitization bugs, but no CVE against the protocol design itself; Anthropic characterized that behavior as expected. The implementation flaws got tracking numbers. The architectural flaw didn't.

AI is closing old vulnerabilities faster than anything we've seen (Mythos finding bugs that sat unpatched for twenty-seven years), but it is creating entirely new design-level exposures that no scanner, patch advisory, or compliance framework captures. The security toolchain we've spent two decades building is blind to architectural risk.

If you're building agent security, the question isn't which layer to secure first. It's how to govern the stack, and how to track the threats the CVE system was never designed to see. Map what your agents can reach, read, and run. That's your new perimeter. If nobody owns that map, nobody's defending it.