Look back at the security disclosures from just the last two weeks, and a pattern shows up that's easy to miss when you read about each one separately.
An AI agent ran a ransomware attack from start to finish, using credentials it found lying around in plain text. A mass credential-harvesting campaign against firewall devices fed directly into a dozen ransomware deployments. A single public GitHub issue tricked an AI coding assistant into leaking private repository data. A picture file, nothing more than a PNG, carried hidden instructions that talked a coding agent into exfiltrating a company's secrets. A supply-chain compromise turned one trusted developer's ordinary GitHub access into a pipeline for stealing cryptocurrency wallet keys. And the industry's own protocol for connecting AI agents to tools is about to ship its biggest update ever — tightening how agents prove who they are, while leaving completely untouched the question of what they're allowed to hand over once they're in.
Six different stories. Six different vendors, researchers, and news cycles. And one identical root cause: a real, usable credential existed somewhere it didn't need to, and something eventually found it.
The pattern nobody's naming
Application security tools, API gateways, and AI agent detection platforms have all matured at a genuinely impressive pace this year. OWASP now has a dedicated Top 10 for agentic applications. Detection vendors have built taxonomies of hundreds of named attack techniques. Governance frameworks are being drafted at the pace of a full-time legislative session. All of this work is good, necessary, and overdue.
None of it asks one question: did the credential involved need to be a real, usable secret in the first place?
Every layer of the current security stack is built to notice what happens after that credential already exists somewhere reachable. Application security tools scan for it. API gateways watch how it's used. Agent detection platforms flag when it's abused. Governance policies document who's supposed to have it. All of that is downstream of the one decision nobody revisited: putting a real credential into an execution context at all.
When that credential is real, everything downstream is a race between the defender's tooling and the attacker's patience. When there is no real credential sitting in that context to begin with, the race doesn't need to happen.
What this actually looks like in practice
An agent given standing, real access will eventually be found by someone who wasn't supposed to have it — whether that someone is a ransomware operator, a research team demonstrating a proof of concept, or a single compromised developer account with an otherwise ordinary history.
A safety or review layer built to catch one kind of input reliably misses another. A code reviewer that checks text won't catch instructions hidden in an image. A workflow that trusts issue text as data will treat it as an instruction the moment an attacker asks nicely enough. The specific blind spot changes from incident to incident; the shape of the problem — a boundary built for one channel, bypassed through another — does not.
Tightening how a caller proves their identity is not the same as deciding what they're allowed to be handed. The Model Context Protocol, the industry's de facto standard for connecting AI agents to tools, is about to prove this at scale: its biggest-ever revision meaningfully strengthens authentication, and the researchers who studied it in advance are direct that the resulting security posture now depends entirely on implementation choices made after that point — not on the protocol itself. That's the same gap, one layer further down the stack.
Where this leaves security teams
None of the tools built to sit on top of this problem are wrong to exist. Detection, governance, and access management all matter, and none of them are going away, nor should they. But they are all, structurally, playing defense on a field where the other side gets to choose when to show up.
The design-layer question is simpler, and it's the one this month's incidents keep answering the same way whether anyone asks it or not: does a real, usable credential need to exist in the place an application, an API integration, or an AI agent — or anything reachable through it — can find it?
We think the answer is no, and we've written more about why on the DevFortress blog: devfortress.net
Resources
Platform: devfortress.net
Open-core: https://github.com/duncan982/devfortress-core
SDK: npm install devfortress-sdk
Textbook: DevFortress Master Edition — https://devfortress.gumroad.com/l/master-edition
Newsletter: https://devfortress.substack.com
DevFortress · Patent Pending — KIPI KE/P/2026/005970–005973
Top comments (0)