Forget the Patch. Stop Initial Compromise.
Vulnerabilities are only one way in. Here are five others.
I feel like I’m stating the obvious here, but stay with me.
The industry has spent years building elaborate systems to help organizations figure out which vulnerabilities to patch first. An entire market category worth billions is dedicated to helping teams manage a backlog that only grew faster than they could work through it.
Those tools exist precisely because everyone already knew patch-first defense wasn’t really working. You don’t build sophisticated triage systems for problems you’re keeping up with. The whole architecture of modern vulnerability management is, if you squint at it, an admission that we were always losing the race.
Mythos made that impossible to ignore. I go into depth in my previous article “Cybersecurity in a Post-Mythos World,” if you want more background. The bottom line is, we are never going to patch fast enough. But here’s what I want to talk about now, because I think a lot of the post-Mythos conversation is missing it.
Vulnerability discovery is not how most organizations get breached.
The way attackers get in has been evolving for years, and AI just turned up the dial on every vector simultaneously. So while the industry is busy processing the “vulnpocalypse,” I want to make sure we’re also looking at the five other doors attackers are walking through.
You Were Never Going to Patch Your Way Out of This
Of course we still need to patch and perform routine product updates, but more as an exercise in hygiene; not security. Proactive LLM-assisted discovery of vulnerabilities in your own code is probably the way forward here [1]. But, organizing your entire security posture around reactive patching of externally disclosed CVEs is a strategy that was already struggling before AI entered the picture, and now it’s functionally over.
IBM’s take on the Mythos moment is, “for the first time in the history of this field, response is now the binding constraint, not discovery.” [2] When the window between a vulnerability being disclosed and someone weaponizing it is down to hours, a patch cycle measured in days or weeks is not going to save you.
Stop treating patching as your primary line of defense. The attackers figured out a long time ago they don’t have to wait for you to miss one.
Five Other Doors
1. The Human Layer
The oldest attack surface there is, and it keeps working because humans are still humans.
Phishing. Vishing. Social engineering. Fake websites. Impersonation. AI didn’t invent any of these. What AI did was remove the friction that made them expensive to run at scale.
Before, convincing spear phishing required skilled operators with real time to invest. Deepfakes were nation-state territory. Building a convincing fake site took effort. That’s all gone now.
AI powers over 80% of social engineering activity today [3]. AI-generated phishing emails hit a 54% click-through rate compared to 12% for human-crafted ones. That’s a 4.5x multiplier at 95% lower cost [4]. Voice cloning from three seconds of audio is a commodity. In 2024, an engineering firm called Arup wired $25.6 million after a video call where everyone on screen except the victim was an AI-generated deepfake [5]. These are old tricks, now with super powers.
The fact remains, AI is not yet the root cause of most breaches [6]. The weaknesses AI exploits were already there. It just made the attacks cheaper and more convincing. The doors were already unlocked.
What to do: Phishing-resistant MFA based on FIDO2 or passkeys — not app-based TOTP, which is vulnerable to adversary-in-the-middle attacks. Strong identity verification at the help desk that goes beyond knowledge-based questions. Out-of-band verification for high-value financial transactions, because voice and video are no longer reliable identity signals. The defense exists and is underdeployed.
2. The Web, Content, and Prompt Injection Layer
This one is genuinely new, and the industry has not fully reckoned with it yet.
Your AI agents browse the web, read documents, process emails, and query databases on your behalf. Every piece of external content they touch is a potential injection vector. And they cannot tell the difference between legitimate content and content containing hidden instructions designed to make them do something they shouldn’t. The Five Eyes joint guidance called prompt injection the most persistent and difficult-to-fix threat in agentic AI stemming from a fundamental design constraint of language models [7]. This is just how these systems work.
MCP (Model Context Protocol) is the connective tissue of the agentic ecosystem. It enables agents to connect to tools, data sources, and external services. Anthropic introduced it in late 2024 as the standard for connecting AI agents to external tools and services. Google, Microsoft, and OpenAI adopted it quickly. Gartner projects 75% of API gateway vendors will have MCP features by end of 2026 [18]. It’s becoming the connective tissue of the agentic ecosystem faster than anyone expected.
A few specific flavors worth knowing:
Tool poisoning is when malicious instructions get embedded in a tool’s description, the text an agent reads to understand what to do. The agent follows those instructions because it trusts the description.
Rug pull attacks are when a tool behaves legitimately during review, then changes behavior afterward. Most governance processes evaluate tools once at onboarding.
Cross-tool contamination is when one compromised MCP server influences the behavior of other legitimate tools through a shared reasoning context.
None of these are fixable with a patch because none of them are bugs. They’re properties of how agents process trust. The CSA’s MCP Security Crisis report documented a systemic architectural flaw affecting an estimated 200,000 vulnerable instances across a supply chain of 150 million package downloads, a design default in every official MCP SDK [9]. Most downstream developers don’t know it yet.
What to do: You can’t patch it, but you can architect for it. Sandbox your agents. Constrain what they’re architecturally capable of, not just what they’re permitted to do. Implement human review for high-stakes actions before they execute. Treat every external data source your agent touches as untrusted by default.
3. The Identity and Access Layer
AI agents are identities. They authenticate to your cloud environment through service accounts, IAM roles, and API keys, the same as any other non-human identity in your environment. And because an agent that can’t interact with your data and systems isn’t particularly useful, they get access. Often a lot of it.
92% of cloud identities with access to sensitive permissions have not used those permissions in over 90 days [10]. Those identities exist across your environment right now, loaded with access granted at setup and never revisited. AI agents inherit these same overpermissioned patterns because they’re added into environments where over-privilege is already the norm.
AI agents amplify the risk because they’re genuinely good at lateral movement. An agent with broad cloud permissions can enumerate what’s accessible, pivot across connected systems, query data stores, trigger downstream actions, and chain those operations autonomously. The problem is they may not use access paths in the ways you intended, with potentially harmful consequences.
There are documented kill chains from 2025 where the only “exploit” was a valid overprivileged credential combined with an agent that could act on it. No malware required. No sophisticated technique. Just an identity with too much access and a system designed to use it [10].
What to do: Constraining capability at the identity layer, not just the policy layer. Policies can be misconfigured, inherited, or quietly expanded. Architectural constraints on what an identity can structurally do are harder to bypass. Active blocking of permissions that aren’t being used. Just-in-time issuance for anything sensitive instead of standing elevated access. Gartner has named Non-Human Identity security as a foundational control layer for the agentic era [11]. The goal is a smaller blast radius when a credential is inevitably exposed.
4. The Software Supply Chain and Secrets Layer
This one has been around forever. It’s just gotten worse faster.
API keys committed to public repos. Database passwords in config files. AWS credentials that accidentally made it into version control. GitGuardian found 28.65 million new hardcoded secrets in public GitHub commits in 2025, a 34% year-over-year increase and the largest single-year jump they’ve ever recorded [12]. This happens because developers scaffold projects, wire integrations, test API calls, and commit working code before anyone has sorted out where credentials should live, who owns them, or how they rotate.
To make matters worse, AI-assisted commits leak secrets at 3.2% versus a 1.5% baseline, roughly double [12]. And 64% of valid secrets from 2022 are still active and exploitable today [12]. That’s four years of keys sitting in the wild, never rotated.
A leaked credential in 2020 required a human attacker to manually figure out what to do with it. In 2026, that same credential can set off an AI agent that autonomously enumerates access, exfiltrates data, pivots through SaaS integrations, and documents everything for the next phase of the attack, all before anyone notices something is wrong.
What to do: Secrets scanning in CI/CD before commit. Short-lived credentials everywhere that matters. MCP configuration files treated with the same care as production secrets. Git history audited, not just current code. Credential rotation as a standing practice, not an incident response step.
5. The Third-Party Integrations Layer
Most organizations don’t primarily run their own code anymore. They run SaaS. And their AI agents are doing work inside that SaaS, taking actions and moving data across platforms in ways that are genuinely difficult to monitor.
Most third-party AI tools entered organizations the same way SaaS always has, through browser-based apps, OAuth integrations, and user-driven adoption rather than centralized IT approval [13]. The governance infrastructure for SaaS was already stretched. Agents multiplied the connections, automated the actions, and made the data movement harder to track.
Breaches with third-party involvement increased 60% year over year [6]. One in three enterprises experienced a security incident involving AI agents in the past year [14]. 30.8% experienced unauthorized data exfiltration through SaaS-to-AI integrations, and 83.4% say their current tools can’t reliably distinguish between human and non-human behavioral patterns [14].
This is where credentials get used, where prompt injection arrives through documents and emails, where leaked secrets do real damage, and where the blast radius of any initial compromise expands through connected integrations. It connects back to every other layer. And most organizations haven’t extended their security thinking to cover it yet.
What to do: Start with inventory. The Five Eyes recommend enumerating all agentic deployments before anything else [7]. Build an allow-list of approved integrations to include MCP servers, OAuth connections, and SaaS tools, and treat non-listed connections as blocked by default. Use behavioral monitoring to understand what normal looks like for an agent and spot when something is off. The challenge here is applying enforcement. What this layer requires is the ability to intercept agent actions before they complete.
The Point
Stop initial compromise. We’re not going to win this battle by patching faster or scoring CVEs better. We need to stop the attacker from walking through the front door in the first place, as much as reasonably possible.
Patching vulnerabilities is, how do I say, like using mouthwash after brushing your teeth. It’s helpful. It’s good hygiene. It just isn’t the primary line of defense anymore. Admittedly, “defense” in this brave new world is feeling like a lot of spend with little worth. Still, layers. Defense in depth. You know the drill.
The next obvious move is to assume breach. Because, the fact is, vulns will be discovered and exploited. Credentials will be compromised. The question becomes what happens next. How do you reduce blast radius, limit what an attacker or a compromised agent can do once they’re in, and minimize the damage before anyone notices? That’s where I’m headed.
References
[1] Anthropic Red Team, “Mythos Preview: Technical Disclosure,” Anthropic, Apr. 2026. https://red.anthropic.com/2026/mythos-preview/
[2] IBM, “The Mythos Moment When Discovery Outpaces Defense,” IBM Think Insights, Apr. 2026. https://www.ibm.com/think/insights/the-mythos-moment-when-discovery-outpaces-defense
[3] Abnormal Security, cited in StationX, “Social Engineering Statistics 2026,” StationX, May 2026. https://app.stationx.net/articles/social-engineering-statistics
[4] Brightside AI, cited in Vectra AI, “AI Scams in 2026: How They Work and How to Detect Them,” Vectra AI, Mar. 2026. https://www.vectra.ai/topics/ai-scams
[5] Vectra AI, “Social Engineering Attacks: Types, Examples, and Defense,” Vectra AI, 2026. https://www.vectra.ai/topics/social-engineering
[6] Verizon, “2026 Data Breach Investigations Report,” Verizon, 2026. https://www.verizon.com/business/resources/reports/dbir/
[7] CISA, NSA, ASD ACSC, Canadian Centre for Cyber Security, NCSC-NZ, NCSC-UK, “Careful Adoption of Agentic AI Services,” Joint Guidance, Apr. 30, 2026. https://media.defense.gov/2026/Apr/30/2003922823/-1/-1/0/CAREFUL%20ADOPTION%20OF%20AGENTIC%20AI%20SERVICES_FINAL.PDF
[8] CSO Online, “MCP is Fueling Agentic AI -- and Introducing New Security Risks,” CSO Online, Sept. 11, 2025. https://www.csoonline.com/article/4015222/mcp-uses-and-risks.html
[9] Cloud Security Alliance, “MCP Security Crisis: Systemic Design Flaws in AI Agent Infrastructure,” CSA Labs, May 4, 2026. https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-security-crisis-20260504-csa-styled/
[10] Sonrai Security, “Cloud Access Risk Report: Overprivileged and Zombie Identities Data,” Sonrai Security, 2026. https://sonraisecurity.com/cloud-access-data-report/
[11] Gartner, Inc., “Gartner Identifies the Top Cybersecurity Trends for 2026,” Press Release, Feb. 5, 2026. https://www.gartner.com/en/newsroom/press-releases/2026-02-05-gartner-identifies-the-top-cybersecurity-trends-for-2026
[12] GitGuardian, “State of Secrets Sprawl 2026,” GitGuardian, Mar. 17, 2026. https://www.gitguardian.com/state-of-secrets-sprawl-report-2026
[13] Cloud Security Alliance, “Why SaaS and AI Security Will Look Very Different in 2026,” CSA Blog, Jan. 29, 2026. https://cloudsecurityalliance.org/blog/2026/01/29/why-saas-and-ai-security-will-look-very-different-in-2026
[14] K. Huang, “The Agentic Ecosystem Security Gap: What 500 CISOs Just Told Us About the Breach You Haven’t Had Yet,” Agentic AI (Substack), Apr. 14, 2026.
