April 27, 2026 · Edition #12
Three Layers, Three Attack Surfaces, One Agent
Most security teams are securing one layer. The agent already touches three.

For two years, the conversation about agent security has been about the model — what it generates, what it refuses, what it leaks. That conversation is incomplete. The interesting attacks in 2026 aren't about what the model says. They're about what the model is wired to reach and run. The agent stack has quietly settled into three layers, and each one is now its own attack surface.

OWASP's Agentic AI Top 10, published last December, gave us the first shared vocabulary for this stack — ASI01 through ASI10, covering goal hijack, tool misuse, identity and privilege abuse, agentic supply chain, and unexpected code execution. The standards caught up. The architectures didn't.

But here is the pattern worth naming. Last week's Comment and Control disclosure — coding agents hijacked through pull-request comments — resulted in no CVE against the underlying design. This week's MCP STDIO cluster produced 10+ implementation CVEs for downstream sanitization bugs — but no CVE against the protocol design itself; Anthropic characterized that behavior as expected. The implementation flaws got tracking numbers. The architectural flaw didn't.

AI is closing old vulnerabilities faster than anything we've seen (Mythos finding bugs that sat unpatched for twenty-seven years), but it is creating entirely new design-level exposures that no scanner, patch advisory, or compliance framework captures. The security toolchain we've spent two decades building is blind to architectural risk.

If you're building agent security, the question isn't which layer to secure first. It's how to govern the stack — and how to track the threats the CVE system was never designed to see. Map what your agents can reach, read, and run. That's your new perimeter. If nobody owns that map, nobody's defending it.