A stat from 2026 that should stop you cold: 88% of organizations reported a confirmed or suspected AI agent security incident in the past year (92.7% in healthcare). And more than half of all agents run with no security oversight and no logging — naked.
The problem isn't that the AI isn't smart enough. It's that almost nobody welded boundaries around it. And boundaries are exactly where rigor lives.
The incident list: speed flooring it, boundaries naked
The last couple of weeks of security signals line up scarily well:
- 88% of orgs reported confirmed/suspected AI agent incidents in the past year; healthcare 92.7%; over half of agents have no security oversight or logging.
- Supply chain is the front door. A plugin-ecosystem supply-chain attack harvested agent credentials from 47 enterprise deployments; attackers used them to reach customer data, financial records, and proprietary code — undetected for six months. A public skills marketplace at one point hosted 824 of 10,700 malicious "skills."
- Config is an attack surface. Check Point disclosed remote code execution in a popular coding agent via poisoned repository config files; MCP (Model Context Protocol) is the connective tissue across nearly every incident this year — poisoned configs, malicious marketplace skills, unauthenticated exposed MCP servers.
- By early 2026, at least ten public incidents across six major AI coding tools were attributed to "agents acting with insufficient boundaries."
The industry's own summary: AI agent security in 2026 is a supply chain problem first, a prompt-injection problem second. And every one of these shares a single root cause — the agent can act, but there's no architectural boundary on what it can touch, change, or call.
Why "naked" is inevitable: bolt-on boundaries always leak
Why do half the agents run with no oversight? Because in the mainstream approach, boundaries are bolt-ons: an allow-list here, a gateway there, logs you read after the fact. The trouble:
- The tools an agent can call, the data it can read/write, the systems it can reach are scattered across config and code — no single, enforced boundary.
- One poisoned config file or one malicious skill walks straight past the boundary you assumed existed.
- When something goes wrong, with no structured audit, it hides for months (those six months are the proof).
Bolt-on boundaries are forever racing the agent's capabilities and attack surface. The real question: can you make the agent unable to cross the line — where the boundary isn't config, it's part of the architecture?
Welding boundaries into the architecture
This is the core idea behind Oinone — let AI own the speed, but enforce boundaries, permissions, and audit in the framework:
- The AI emits metadata — not code, and not opaque "skills." "Add a 3-level approval to the quote object" produces a structured metadata diff of model/view/flow/permission — a few dozen readable, auditable, rollbackable lines. No hidden attack surface buried in config or plugins.
- Permissions and boundaries are framework-enforced, not bolt-on allow-lists. Who can read / edit / approve is a first-class, enforced part of the metadata; the agent can't move it or route around it. A poisoned config file can't get past the framework's permission model.
- Auditable and governable by construction. Where others have "half their agents with no logs," metadata-driven means every change is a structured, traceable, rollbackable diff — audit isn't a bolt-on, it's native. That "undetected for six months" incident would be visible at commit time.
- Self-hosted; data and context never leave your environment. No dependence on public marketplace skills, no feeding enterprise context to an uncontrolled cloud MCP server — the supply-chain attack surface shrinks at the source.
One line: Speed by AI, rigor by Oinone. The 88% number proves capability without boundaries always blows up; Oinone welds boundaries, permissions, and audit into the architecture, so the agent runs fast inside the safe zone instead of running naked.
Three questions for anyone evaluating tools
- Where do your agent's boundaries live? A bolt-on allow-list/gateway (racing the attack surface), or framework-enforced so the agent can't cross the line?
- How fast would you detect a breach? Reading logs after the fact (if they exist), or every change is a structured, auditable, rollbackable diff?
- Who are you feeding enterprise context to? Public marketplace skills / cloud MCP (a supply-chain minefield), or self-hosted, data-stays-put, output constrained to framework metadata?
FAQ
Q: Where do these security numbers come from?
A: Multiple 2026 AI agent security reports — 88% of orgs reported confirmed/suspected agent incidents in the past year (healthcare 92.7%), over half of agents run with no oversight or logging, a supply-chain attack harvested credentials from 47 enterprises undetected for six months, Check Point's poisoned-config RCE in a major coding agent, malicious marketplace skills, and ten+ incidents across six tools attributed to "insufficient boundaries" (2026-06).
Q: Is Oinone competing with Claude Code / Cursor?
A: No — complementary. Those are general coding agents; Oinone is an AI-native low-code framework that makes the AI emit architecture-constrained, boundary-enforced, auditable metadata for enterprise apps. Use a general agent for low-level extensions, Oinone/Aino for a governed business app.
Q: Is it open source?
A: Yes (AGPL-3.0). One docker compose and it's up in ~5 minutes; self-hosted, data never leaves your environment. It runs in the core systems of billion-scale enterprises.
If this framing helped, the project is open source (AGPL-3.0) — a ⭐ supports the maintainers:
(Disclosure: I work with Oinone.)
Top comments (1)
The missing piece is usually not another security checklist, it is a runtime boundary. If an agent can reach every credential and every API from day one, the incident is already designed into the architecture.