
Imran Siddique

Posted on • Originally published at Medium on

[Part 4] 20 Hard Questions About AI Agent Governance That Nobody Is Asking

Part 4: The Next SolarWinds Will Be an MCP Server

The agent supply chain is currently in a “pre-SolarWinds” era. While we are seeing an explosion in agentic capabilities, the security infrastructure is lagging behind.

The early telemetry from 2026 is a wake-up call:

  • 492 exposed Model Context Protocol (MCP) servers have been discovered in recent scans.
  • 1,184+ malicious skill packages are already circulating in open repositories.
  • Remote code execution (RCE) via tool metadata is no longer a theoretical risk; it’s a verified vulnerability.

We are currently doing “trust-on-first-use” for many agentic tools. That is the equivalent of running npm packages without checking signatures. It isn’t a matter of if a major supply chain attack happens through an agent tool, but when.

1. Governing the Supply Chain

In building the Agent Governance Toolkit (AGT), I’ve focused on a tiered defense strategy to secure this “negative space”:

  • Shift-Left Governance: We must validate tool definitions and MCP server configurations during the CI/CD process, catching violations before they ever reach production.
  • The MCP Governance Proxy: A deterministic enforcement layer that intercepts every MCP tools/call request. If the call doesn’t match a pre-approved signature or violates a safety constraint, the execution is blocked instantly.
  • Zero-Trust for Tools: Treat every third-party MCP server as untrusted by default. Governance must sit as a kernel-level layer between the reasoning model and the tool execution environment.

2. We Need a “Decision BOM”

Software has SBOMs (Software Bill of Materials) to track dependencies. Autonomous systems need a Decision BOM, a verifiable, immutable record that traces a decision back to its root signals.

A Decision BOM allows you to audit the entire chain of thought:

  • The Model: Which version and reasoning trace was used?
  • The Retrieved Context: What specific data (RAG) grounded the decision?
  • The Tool Outputs: Which external data points influenced the next step?
  • The Policies: Which specific rules were active at the millisecond of execution?

This is the foundation of root cause analysis. When an agent fails, you shouldn’t be guessing why; you should be auditing the Decision BOM.
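One way to make such a record tamper-evident, as an added example that is not part of AGT or the original post: each of the four components is hashed over canonical JSON and the component hashes are chained into a single root hash, so any later edit to the model, context, tool outputs or policies fails verification. The record fields and sample values are constructed for illustration; in a real deployment the root hash would additionally be signed or appended to a write-once log.

```python
import hashlib
import json
from dataclasses import dataclass, field

COMPONENTS = ("model", "retrieved_context", "tool_outputs", "policies")

def _digest(obj) -> str:
    """SHA-256 over canonical JSON, so identical content always hashes identically."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def _chain(component_hashes: dict) -> str:
    """Fold the four component hashes, in fixed order, into one root hash."""
    h = hashlib.sha256()
    for name in COMPONENTS:
        h.update(component_hashes.get(name, "").encode())
    return h.hexdigest()

@dataclass
class DecisionBOM:
    """One decision record: model, retrieved context, tool outputs, active policies."""
    model: dict
    retrieved_context: list
    tool_outputs: list
    policies: list
    component_hashes: dict = field(default_factory=dict)
    root_hash: str = ""

    def seal(self) -> str:
        """Hash each component and chain them; the root hash is what you would sign."""
        self.component_hashes = {n: _digest(getattr(self, n)) for n in COMPONENTS}
        self.root_hash = _chain(self.component_hashes)
        return self.root_hash

def verify(bom: DecisionBOM) -> list:
    """Return the names of components that no longer match their stored hash,
    plus 'root_hash' if the chain over the stored component hashes is broken."""
    bad = [n for n in COMPONENTS if _digest(getattr(bom, n)) != bom.component_hashes.get(n)]
    if _chain(bom.component_hashes) != bom.root_hash:
        bad.append("root_hash")
    return bad

def build_example() -> DecisionBOM:
    """Constructed sample values (hypothetical, not from any real deployment)."""
    bom = DecisionBOM(
        model={"name": "example-model", "version": "2026-01", "trace_id": "trace-0001"},
        retrieved_context=[{"doc_id": "kb-17", "chunk_sha256": "ab" * 32}],
        tool_outputs=[{"tool": "lookup_account", "result": {"status": "active"}}],
        policies=["deny_external_transfer", "require_human_approval_over_10k"])
    bom.seal()
    return bom
```

Editing a sealed record's tool outputs makes verify() report "tool_outputs"; recomputing only that component's hash still leaves the root hash stale, which is the point of chaining.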

3. Debugging Architectures, Not Just Prompts

Today, when an agent makes a mistake, the reflex is to “fix the prompt.” But in a complex supply chain, the failure is often architectural: a poisoned context, a compromised tool, or a logic collision between agents.

By implementing a Decision BOM, we move from reactive prompt engineering to proactive Forensic Engineering. This is the next frontier for AGT: making the “why” behind every agent action transparent, deterministic, and tamper-proof.

What’s Next?

In Part 5, we look at the map: Sovereignty and Jurisdiction. Where does “reasoning” actually happen, and whose laws apply when an agent processes data across digital borders?

Originally published at https://www.linkedin.com.
