I’ve just updated my book, “Human Before the Loop,” to address a massive shift in the AI landscape: the Model Context Protocol (MCP) revolution, which I doscivered while reading an artcile about an interview with Mr. Sebastian Wallkötter https://www.kdnuggets.com/the-mcp-revolution-and-the-search-for-stable-ai-use-cases
The new version of my book: Agentic AI Transformation Book
EN
DE
NL
While MCP is solving the “M×N” integration problem—acting like a universal USB-C port for AI agents to connect to any data source—it is also creating an “unstable equilibrium” for organizations that aren’t prepared.
What changed?
We are moving away from isolated chatbots toward swarms of specialized agents that can actually do things: query databases, manage Slack, or book travel. But as these agents become more autonomous, the threats are becoming more sophisticated.
3 New Threats Every Leader Must Govern:
-
The Prompt Injection “Trojan Horse”: When an agent pulls data from an external MCP server (like a public website or a shared drive), that data can contain hidden instructions. A simple “read file” command can be hijacked to exfiltrate your company’s internal API keys.
-
The “Confused Deputy” Problem: If an agent has broad permissions, an attacker can trick it into using its authority to access resources it shouldn’t, essentially using your own agent against you.
-
Governance Fatigue: As we deploy dozens of specialized agents, the “human in the loop” becomes a bottleneck. We risk “click-wrap” consent where humans blindly approve agent actions just to keep the workflow moving, effectively removing the human safety layer.
The Bottom Line:
Transformation isn’t just about moving faster; it’s about changing how we operate. In an MCP-driven world, governance is not a feature—it is the foundation. We must ensure that our agents aren’t just capable, but verifiable and isolated enough to fail safely.
As I say in the book: The Era of the Agentic Organization has begun. The question is no longer if you will deploy agents, but whether you have the human-centered framework to govern them before they outperform your ability to control them.
Read the updated chapter in “Human Before the Loop” here:
Chapter 8: The Watcher
Security Governance in the Agentic Era
Trustworthy is not the same as safe. And safe is not a destination, it is a practice.
Why This Chapter Exists
You can build a perfect governance architecture. Named Owners. ACP rules. A2H escalation paths. Human Before the Loop at every critical junction. And you can still lose.
Not because your governance was wrong. But because someone entered through a door you did not know existed.
MCP has fundamentally changed the attack surface of every organization that deploys agentic AI. Not gradually. Fundamentally. Every connection you activate is a potential entry point. Every tool you grant to an agent is a lever that someone else might try to pull.
And the threats moving through those entry points are no longer human, slow, and predictable. They are AI-generated. They scale. They mutate. They do not sleep.
An executive who understands Human Before the Loop but ignores security has not built a governed agentic organization. They have built an open loop, with excellent paperwork.
This chapter is not for your IT security team. They have their own tools, their own frameworks, and their own battle to fight. This chapter is for you, the leader who made the governance decisions in the chapters before this one. Because the security decisions that matter at the executive level are not technical. They are architectural.
The Threat Has Changed
Classic security thinking was built for a world where threats were human. A human attacker has limited time. They can write one phishing email, probe one vulnerability, try one approach at a time. Security teams learned to defend against human-scale attacks, detect patterns, block known vectors, patch known vulnerabilities.
AI-generated threats operate on a different scale entirely.
A human attacker writes one phishing email. An AI system writes one million, each personalized, each contextually accurate, each crafted from your company’s LinkedIn data, your public communications, and your known organizational structure. The email your CFO receives looks exactly like it came from your CEO. Because it was trained on exactly how your CEO writes.
A human attacker discovers vulnerability and manually crafts an exploit, a process that takes days. An AI system generates working exploits within minutes of vulnerability being published. The window between discovery and attack has collapsed.
A human attack follows recognizable patterns that security tools can learn to detect. An AI-generated attack mutates automatically. It tests thousands of variations, identifies what works, abandons what doesn’t, and adapts in real time. There is no fixed signature to catch.
In the specific context of MCP and agentic systems, this creates a new class of threat: AI-assisted prompt injection. Attackers use AI to systematically probe your MCP configurations, identify weaknesses in your agent instructions, and craft inputs designed to override your intended governance rules. The attack is not brute force. It is intelligent, adaptive, and targeted at the specific way your systems are configured.
Sebastian Wallkötter, an AI researcher who has studied MCP security extensively, draws the parallel precisely: prompt injection in agentic systems is the SQL injection of this era. In the early days of the web, developers concatenated user input directly into database queries, and attackers exploited that gap to insert malicious commands. The same structural vulnerability exists in MCP implementations today, and the industry has not yet developed a standardized solution.
The honest assessment is this: organizations deploying agentic AI without a deliberate security governance layer are more exposed than organizations that do not deploy agentic AI at all. The capability that makes MCP powerful, its ability to connect AI agents to enterprise systems and act on behalf of users, is the same capability that makes it a target.
Three Layers of Security Governance
No system is completely secure. Anyone who tells you otherwise is selling something. The goal is not invulnerability, it is awareness. A system that knows when it is becoming unsafe is better than one that never notices.
What follows is a governance architecture with three layers, each addressing a different class of threat. Together, they provide not a guarantee, but a structured defense with clear escalation paths back to the humans who must make the decisions that matter.
Layer One: The Whitelist | What Is Permitted
The most powerful security principle in an agentic environment is also the simplest: what is not explicitly permitted is blocked.
This is the role of ACP, the Agentic Control Protocol, in the security context. ACP is not merely a governance tool. It is your proactive security layer. Before any agent takes any action through any MCP connection, the question must be answered: is this action explicitly authorized?
This approach is called a whitelist model. It is fundamentally different from the blacklist model that most traditional security thinking employs. A blacklist asks: do I recognize this as a threat? A whitelist asks: do I recognize this as permitted?
The difference matters enormously when facing AI-generated attacks that are designed to be unrecognizable. A blacklist fails against a novel attack, by definition, it has never seen it before. A whitelist succeeds, because the novel attack is not on the approved list.
The executive questions that define Layer One are not technical:
Which actions are fundamentally permitted for each agent in each context? Which actions are never permitted, regardless of instruction? Who defined these boundaries, and when were they last reviewed? What happens when an agent attempts an action that is not on the whitelist?
These are governance decisions. The technical implementation follows from them. The human must make them before the loop begins.
Layer Two: The Watcher, Known Threats, Automated Response
Every known vulnerability in the technology world receives a unique identifier: a CVE number, Common Vulnerability and Exposure. This global registry of documented weaknesses is updated continuously by security researchers, vendors, and government agencies including BSI, CERT, and ENISA.
A human security team cannot realistically monitor this registry in real time, cross-reference every new entry against the organization’s deployed MCP configurations, and assess relevance within hours of publication. There are too many entries, updated too frequently.
This is exactly the task an agent is built for.
The Watcher is a dedicated security agent with a narrow, focused mandate: monitor threat intelligence feeds, compare new vulnerabilities against deployed configurations, and generate a concise daily report with a clear escalation status. Not fifty pages. Three points. What is new. What affects us. What requires a human decision.
The Watcher does not make security decisions. It does not patch vulnerabilities, reconfigure systems, or block access autonomously. Its role is information processing at machine speed, delivered to human decision-makers in a format that enables fast, informed action.
This is Human Before the Loop in the security dimension. The agent handles the speed. The human handles the judgment.
Layer Three: Anomaly Detection | What Has No Name Yet
CVE tracking covers known vulnerabilities, threats that have been discovered, documented, and catalogued. But the most dangerous attacks are the ones that have no catalogue entry yet.
A zero-day vulnerability is, by definition, invisible to any database. It has never been seen before. No patch exists. No CVE number has been assigned. The attack exploits a gap that the defender does not know is open.
Layer Three addresses this gap through behavioral monitoring. Rather than asking what threats do I recognize, it asks what behavior is outside the pattern I expect?
An agent that suddenly begins accessing data it has never touched before. A sequence of MCP calls that differs structurally from established patterns. A volume of requests that exceeds normal operational parameters. These deviations may not match any known attack signature, but they are signals that something has changed.
When Layer Three detects a behavioral anomaly, it does not attempt to resolve it. It triggers A2H, Agent to Human escalation, immediately. The Named Owner receives a notification. A human evaluates whether the deviation represents a threat, a legitimate new use case, or a false positive.
Layer Three does not eliminate zero-day risk. No system can. What it does is reduce the window between an attack beginning and a human becoming aware of it. In a world where AI-generated attacks can escalate within minutes, that window is everything.
The Traffic Light | A Governance Interface
Three layers of security monitoring produce information continuously. The executive challenge is not generating that information, it is making it actionable without creating noise that leads to alert fatigue.
The Watcher uses a traffic light system to communicate urgency. Not as a metaphor. As a governance interface with defined response protocols.
🔴 Red: Immediate Action Required
An active threat directly affecting a deployed MCP configuration has been identified. A2H is triggered automatically. The Named Owner is notified immediately. This is not a scheduled review item, it is an interruption, by design. Humans must respond.
🟡 Yellow: Action Required Within 48 Hours
A new threat has been identified that is potentially relevant to the organization’s configuration, but no active exploitation has been detected. The Named Owner reviews at the next scheduled checkpoint. A decision must be made within 48 hours: adjust the ACP rules, monitor them more closely, or dismiss as non-applicable.
🟢 Green: For Awareness
A new development in the threat landscape has been noted. It does not currently affect deployed systems. It is logged, tracked, and incorporated into the next Tabletop exercise scenario. No immediate action is required.
The elegance of this system is in what the agent decides and what it does not decide. The agent determines urgency. It does not determine the response. That judgment, what to do when a red alert fires, belongs to the Named Owner, informed by the governance framework that was designed before the loop began.
This is not a limitation of the system. This is the system working correctly.
The Limits of Tabletop Exercises
A Tabletop Exercise is a structured simulation in which key stakeholders walk through a fictional crisis scenario together, a data breach, a system compromise, an agent acting outside its defined boundaries. No systems are actually touched. The value is in the conversation: who does what, who decides what, and where the gaps in the response plan become visible. Think of it as a fire drill for your governance architecture.
Tabletop exercises remain valuable. They test governance structures, reveal gaps in escalation paths, and build organizational muscle memory for crisis response. If you have them, keep running them. But be honest about what they were designed for: human-speed threats. A tabletop scenario unfolds over hours or days. Participants consider options, discuss responses, evaluate consequences. The cadence assumes time to think.
AI-generated threats do not grant that time. A novel attack can emerge, mutate, and escalate within the span of a coffee break. A threat landscape that was current in January may be partially obsolete by March. Tabletop exercises conducted against last quarter’s threat scenarios may be preparing your team for a fight that has already moved on.
The shift required is from reactive security, defending against known threats, to resilient security, designing systems that recognize when something outside the known is happening, and escalate immediately.
The three-layer architecture described in this chapter is not a replacement for your security team’s work. It is the governance layer that connects their technical expertise to the executive decision-making structure you have built through HBL, ACP, and the Named Owner framework. When the Watcher fires a red alert, someone needs to be ready to act. That readiness is the product of governance preparation, the hardest job that has already been done.
Go Deeper, The author has written extensively on designing and evolving Tabletop Exercises for the agentic era. A practical starting point: “The Limits of Traditional Tabletops” at robvanlinda.digital
What This Means for You
You do not need to become a security expert to lead a secure agentic organization. You need to ask the right questions before the loop begins, and ensure the right people are in position to respond when the loop signals for help.
The whitelist defines the boundaries of what is permitted. The Watcher monitors what is known. Anomaly detection catches what has no name yet. The traffic light connects the loop to the humans who govern it.
None of this makes your organization invulnerable. Security is not a destination. It is a practice, continuous, iterative, and honest about its own limits.
What it does is ensure that when something goes wrong, and something always eventually does, you will know. You will know before the damage is catastrophic. You will have a Named Owner who receives the alert, a governance framework that defines the response, and a human in the loop who makes the call.
No system is secure. But a system that knows when it is becoming unsafe is better than one that never notices.
The loop is governed. The boundaries are defined. The Watcher is awake.
#AgenticAI #MCP #AIGovernance #DigitalTransformation #HumanBeforeTheLoop #AIStrategy
