CSO Online warns CTEM programs are ignoring MCP, leaving AI agents exposed

- CSO Online said on May 8 that many CTEM programs miss Model Context Protocol traffic, leaving AI agents’ data access and tool use untracked.
- The fix is not another perimeter control — it is MCP inventory, per-call logging, tool allowlists, and human approval gates for risky actions.
- That matters because MCP is becoming standard agent plumbing, so blind spots now turn ordinary AI rollouts into shadow-automation risk.

AI security is getting a new weak point, and it is not the model itself. It is the connector layer that lets agents reach files, apps, databases, and internal tools. CSO Online’s warning on May 8 is basically that a lot of Continuous Threat Exposure Management programs still watch the old estate — endpoints, identities, cloud assets — while ignoring Model Context Protocol, or MCP, which is where agents actually start doing things. (csoonline.com)

### What is MCP, in plain English?

MCP is an open protocol that gives models and agents a standard way to discover tools, pull context, and trigger actions in outside systems. Think of it as the adapter layer between an LLM and the rest of your company. That is useful because it makes integrations easier. But it also means one protocol can become the path to arbitrary data access and code execution if nobody is watching it closely. (modelcontextprotocol.io)

### Why does CTEM miss it?

CTEM programs were built to continuously find and prioritize exposure across known assets. The catch is that MCP often shows up as glue code, local servers, lightweight connectors, or developer-side experiments. Those pieces may never get registered as formal assets, even though they can expose sensitive systems to an agent with (modelcontextprotocol.io) the model is hidden, but because the connective tissue is. (csoonline.com)

### Why is the connector more dangerous than it sounds?

A chatbot that only answers questions is one thing. An agent that can read a CRM, open a ticket, query a database, call a shell tool, or send a message is another. Once MCP is in the middle, the security problem shifts from “can the user reach this app?” to “(csoonline.com) vior and chaining, not one isolated login. (modelcontextprotocol.io)

### What changed this week?

The new push is not just abstract concern. CSO Online argued on May 8 that CTEM teams need to explicitly inventory MCP servers and connections, treat them as first-class assets, and monitor agent interactions the way they would monitor privileged automation. That comes after months of rising attention on MCP-specific weaknesses, (modelcontextprotocol.io) mote code execution. (csoonline.com)

### So what are teams supposed to do?

The practical controls are pretty concrete. Log every MCP call. Correlate requests with an identity, tool, and target system. Restrict agents to approved tools instead of broad discovery. Add human review for high-impact actions like writing data, changing configs, or sending (csoonline.com) is the observability model now taking shape around MCP. (csoonline.com)

### Why are allowlists and approval gates such a big deal?

Because agent failures are usually not one dramatic exploit. They are a chain of small permissions used exactly as configured, just in the wrong context. A tool allowlist limits what the agent can even attempt. A human approval gate breaks the chain before (csoonline.com) intern with root access. (csoonline.com)

### Is this just one publisher’s hot take?

Not really. Microsoft’s current agent-governance guidance says agents must be observable, governed, and secure across the organization, and explicitly names MCP as a protocol to adopt and control. OWASP’s emerging agent observability work is also extending into MCP instru(csoonline.com)or in real time. (learn.microsoft.com)

### Bottom line?

If your security program still treats AI risk as a model problem, you are looking in the wrong place. The real action is in the connectors — who an agent can talk to, what tools it can invoke, and whether anyone can replay the full chain afterward. MCP is becoming standard plumbing. That makes MCP visibility a baseline control, not an advanced one. (csoonline.com)
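The controls named under “So what are teams supposed to do?” and “Why are allowlists and approval gates such a big deal?” (per-call logging correlated to identity, tool and target; a tool allowlist; a human approval gate for high-impact actions; a replayable chain afterward) fit in one small policy gate placed between the agent and its MCP servers. The following is an added illustration, not code from CSO Online, Microsoft, OWASP or the MCP project. It models the request as a JSON-RPC `tools/call` message, which is the shape MCP uses for tool invocation; the tool names, the `target` argument convention, the approval mechanism (a set of request ids a human has signed off on) and the sample calls are all constructed for the example.

```python
"""Policy gate for agent tool calls: allowlist, approval gate, per-call audit log.

Added example (not the page's or any project's code). Tool names, the
"target" argument convention and the approval-set mechanism are hypothetical.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: what the agent may invoke at all, and which of those
# actions are high-impact (write data, change config, send outbound) and
# therefore held until a human approves the specific request.
TOOL_ALLOWLIST = {"crm.read_contact", "db.query_readonly",
                  "tickets.create", "mail.send", "config.update"}
HIGH_IMPACT_TOOLS = {"tickets.create", "mail.send", "config.update"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


@dataclass
class AuditLog:
    """One record per attempted call, whether or not it was allowed."""
    entries: list = field(default_factory=list)

    def record(self, request_id, identity, tool, target, arguments, decision):
        # Hash the arguments so a later replay can be matched against the log
        # without the log itself holding sensitive payloads in cleartext.
        digest = hashlib.sha256(
            json.dumps(arguments, sort_keys=True).encode()).hexdigest()[:16]
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "request_id": request_id,
            "identity": identity,
            "tool": tool,
            "target": target,
            "args_sha256": digest,
            "allowed": decision.allowed,
            "needs_approval": decision.needs_approval,
            "reason": decision.reason,
        })

    def chain_for(self, identity):
        """Replay, in order, every call one identity attempted."""
        return [e for e in self.entries if e["identity"] == identity]


def evaluate_call(request, identity, approvals, log):
    """Gate one MCP-style tools/call request.

    request   - JSON-RPC 2.0 message: method "tools/call",
                params {"name": <tool>, "arguments": {...}}
    identity  - principal the agent is acting for (from your auth layer)
    approvals - request ids a human has already approved (hypothetical)
    log       - AuditLog that receives a record for every call
    """
    request_id = request.get("id")
    if request.get("method") != "tools/call":
        decision = Decision(False, "only tools/call is gated here")
        log.record(request_id, identity, None, None, {}, decision)
        return decision

    params = request.get("params", {})
    tool = params.get("name")
    arguments = params.get("arguments", {})
    # Hypothetical convention: tools name the system they touch in "target".
    target = arguments.get("target", "unspecified")

    if tool not in TOOL_ALLOWLIST:
        # Allowlist first: an unlisted tool is refused before any other check.
        decision = Decision(False, f"tool {tool!r} not on allowlist")
    elif tool in HIGH_IMPACT_TOOLS and request_id not in approvals:
        # Approval gate: the chain stops here until a human signs off.
        decision = Decision(False, "high-impact action held for human approval",
                            needs_approval=True)
    else:
        decision = Decision(True, "allowed")
    log.record(request_id, identity, tool, target, arguments, decision)
    return decision


if __name__ == "__main__":
    log, approvals = AuditLog(), set()
    send = {"jsonrpc": "2.0", "id": 7, "method": "tools/call",
            "params": {"name": "mail.send",
                       "arguments": {"target": "smtp", "to": "cfo@example.test"}}}
    print(evaluate_call(send, "agent-svc@finance", approvals, log))  # held
    approvals.add(7)
    print(evaluate_call(send, "agent-svc@finance", approvals, log))  # allowed
    for entry in log.chain_for("agent-svc@finance"):
        print(json.dumps(entry))
```

The ordering matters: the allowlist is checked before the approval gate, so a human is never asked to approve a tool the agent should not have been able to reach at all, and every attempt, refused or not, lands in the same log keyed by identity, tool and target so the full chain can be replayed afterward.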


Shared from Scout - Be the smartest in the room.