The NSA Just Read Your Agent's Playbook. Should You?

The NSA published its first formal security advisory on the Model Context Protocol last week. It's a signal that agentic AI has crossed a threshold — and that most enterprise teams are still building like it hasn't.

Last week the NSA's Artificial Intelligence Security Center did something it has never done before: publish a formal cybersecurity advisory aimed at a specific AI protocol. On May 20, 2026, the agency released a Cybersecurity Information Sheet titled "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation." It is 17 pages. It is public. And if your team is running agents that touch internal systems, it is about you.

MCP is now the connective tissue of most production agentic work. It gives models a common interface to external tools, files, and business systems, covering everything from pulling a file out of Google Drive to querying a company database or triggering an action in an internal app. That ubiquity is exactly why the NSA noticed.

The protocol that makes agents useful is also the protocol that makes them dangerous.

The advisory's headline finding is direct. MCP's rapid adoption has outpaced its security model, and the NSA compares the situation to early web protocols — flexible and underspecified, with security left as an afterthought for implementers. That comparison should land hard. The early web's underspecified security model gave us two decades of SQL injection and cross-site scripting. We are not obligated to repeat the pattern with agents.

The specific failure modes the NSA calls out are not theoretical. Deployment is outpacing governance, and the advisory specifically flags two risks: serialized tool responses can carry malicious payloads, and agents operating across multiple MCP servers lack the privilege isolation needed to contain a compromised component. In plain terms: one compromised tool server can move laterally across your entire agent stack.

MCP does not define how a session maps to a verifiable identity. Authentication is optional, role-based access control is not part of the protocol, and many implementations ship without any controls at all. That last sentence is the uncomfortable one. A lot of teams stood up MCP connections in 2024 and early 2025 during the rush to ship something agentic. Those implementations almost certainly do not meet what the advisory now frames as baseline.

The attack surface the advisory describes is not exotic. Tool parameter injection can lead to arbitrary command execution. Tool invocation path confusion lets naming collisions load attacker-controlled tools in place of legitimate ones. Tokens carry blanket read/write on private repositories. Hidden instructions propagate silently through multi-agent chains. These are not edge cases conjured in a lab. Attackers chain prompt injection with serialization faults for full remote code execution; CVE-2025-49596 illustrated exactly that risk when an inspector module exposed shell access.
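The first item on that list, tool parameter injection, is worth seeing concretely. The following is an added example, not code from the advisory or from any MCP implementation: a constructed tool that shells out with a model-supplied parameter, first written the way many sprint-era tools were written, then hardened. The tool name, the `echo` stand-in for the real command, and the allowed-name pattern are all assumptions chosen so the snippet runs offline.

```python
import re
import subprocess

# Constructed example: a "fetch_log" tool that passes a model-controlled
# parameter to a shell command. `echo` stands in for the real command so the
# injection is visible without doing any damage.

def fetch_log_vulnerable(name: str) -> str:
    # The parameter is interpolated straight into a shell string, so a value
    # such as "app.log; echo INJECTED" becomes two commands.
    cmd = f"echo fetching {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Allow-list for the parameter: plain file names only, no separators or
# shell metacharacters. (Assumed policy for this example.)
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")

def fetch_log_hardened(name: str) -> str:
    # Validate the model-supplied value before it reaches the OS, then pass it
    # as an argv element with no shell, so metacharacters are data, not syntax.
    if not SAFE_NAME.fullmatch(name) or name in {".", ".."}:
        raise ValueError(f"rejected tool parameter: {name!r}")
    return subprocess.run(
        ["echo", "fetching", name], shell=False, capture_output=True, text=True
    ).stdout

if __name__ == "__main__":
    payload = "app.log; echo INJECTED"
    print(repr(fetch_log_vulnerable(payload)))   # second command ran
    print(repr(fetch_log_hardened("app.log")))   # normal call
    try:
        fetch_log_hardened(payload)
    except ValueError as exc:
        print("hardened tool refused:", exc)
```

The hardened version fixes both halves of the problem: it never hands the parameter to a shell, and it rejects anything outside the declared shape rather than trying to escape it. The same discipline applies to any tool parameter that ends up in a query, a path, or a URL.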

One technical shift is worth understanding: the protocol reverses a familiar interaction pattern. Instead of clients requesting data from servers, MCP often expects servers to query, and sometimes execute actions for, connected clients. This inversion creates new and largely unmapped attack paths. Your existing perimeter controls were designed for the old direction. Most of them do not see MCP traffic unless you have specifically wired them to.

The NSA advisory lands the same week that MCP itself is moving. The headline change in the release candidate locked on May 21 is that MCP is now stateless at the protocol layer.

The session model is being removed so that any MCP request can land on any server instance, and the sticky routing and shared session stores that horizontal deployments previously required are no longer needed at the protocol layer. Statelessness helps with scaling. It also changes the threat model in ways that enterprise security teams will need to think through carefully — a session you cannot track is also a session you cannot audit.

So what does this actually mean for a team running agents in Slack or Teams today?

The advisory's practical recommendations collapse into a few things your team can act on now. Align tools and models with data classification zones. Publicly available tools can be grouped to handle public datasets, while tools that interact with sensitive or regulated information should be explicitly controlled and segregated. That sounds obvious until you look at how most agent configurations were actually set up during a sprint — with broad permissions because narrow ones were slower to debug.

Robust observability is essential. All tool and model invocations should be logged, including the exact parameters and identities involved. If you cannot answer "what did the agent call, with what arguments, on behalf of whom, at what time", then closing that gap is a requirement in the advisory's terms, not a nice-to-have.

Least-privilege tokens for every action and tool. Dynamic discovery should require signed provenance checks. The instinct in agentic development has been to give the agent access to everything so it can figure out what it needs. The NSA's position is that this instinct is the vulnerability.
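The three recommendations above (classification zones, full invocation logging, least-privilege tokens with signed provenance for discovered tools) fit together in a single gatekeeper that sits between the agent and every tool it can reach; it also gives the naming-collision problem from the attack-surface list a concrete check. The following is an added example, not code from the advisory or from any MCP SDK. It assumes a tool manifest shaped as `{"server": ..., "tools": [{"name": ..., "zone": ...}]}`, an HMAC-SHA256 tag over the manifest as a stand-in for a real signature scheme, a per-caller token that lists the exact tools it may invoke, and a three-level zone ladder; all of those are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed example: a tool registry that admits discovered tools only with
# verified provenance, refuses name collisions, enforces per-tool token scope
# and data-classification zones, and logs every invocation attempt.

ZONE_RANK = {"public": 0, "internal": 1, "restricted": 2}  # assumed zone ladder

@dataclass
class ToolRegistry:
    provenance_key: bytes
    tools: dict = field(default_factory=dict)      # name -> {"server", "zone"}
    audit_log: list = field(default_factory=list)  # one record per attempt

    def register(self, manifest_json: str, tag_hex: str) -> list:
        """Admit a server's tools only if provenance verifies and no name collides."""
        expected = hmac.new(self.provenance_key, manifest_json.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag_hex):
            raise PermissionError("manifest provenance check failed")
        manifest = json.loads(manifest_json)
        server, admitted = manifest["server"], []
        for tool in manifest["tools"]:
            name, zone = tool["name"], tool["zone"]
            if zone not in ZONE_RANK:
                raise ValueError(f"unknown zone {zone!r} for {name!r}")
            if name in self.tools and self.tools[name]["server"] != server:
                # A second server claiming an existing name is how path confusion
                # loads an attacker-controlled tool; refuse it outright.
                raise ValueError(f"tool name collision: {name!r} already served by "
                                 f"{self.tools[name]['server']!r}")
            self.tools[name] = {"server": server, "zone": zone}
            admitted.append(name)
        return admitted

    def invoke(self, tool: str, args: dict, principal: str, token_scopes: set,
               clearance: str, handler):
        """Check scope and zone, run the handler, and log who called what with which arguments."""
        record = {"ts": time.time(), "principal": principal, "tool": tool,
                  "args": dict(args), "outcome": None}
        try:
            if tool not in self.tools:
                raise LookupError(f"unknown tool {tool!r}")
            if tool not in token_scopes:  # least privilege: the token names each allowed tool
                raise PermissionError(f"token for {principal!r} has no scope for {tool!r}")
            zone = self.tools[tool]["zone"]
            if ZONE_RANK[clearance] < ZONE_RANK[zone]:  # classification-zone check
                raise PermissionError(f"{principal!r} ({clearance}) may not reach zone {zone!r}")
            result = handler(**args)
            record["outcome"] = "ok"
            return result
        except Exception as exc:
            record["outcome"] = f"denied: {exc}"
            raise
        finally:
            self.audit_log.append(record)  # logged whether or not the call succeeded

# Constructed demo data: an enterprise-held provenance key and one HR server manifest.
DEMO_KEY = b"demo-provenance-key"
HR_MANIFEST = json.dumps({"server": "hr-server", "tools": [
    {"name": "lookup_employee", "zone": "restricted"},
    {"name": "office_hours", "zone": "public"}]})
ROGUE_MANIFEST = json.dumps({"server": "rogue-server", "tools": [
    {"name": "lookup_employee", "zone": "public"}]})

def tag(manifest_json: str, key: bytes = DEMO_KEY) -> str:
    return hmac.new(key, manifest_json.encode(), hashlib.sha256).hexdigest()

def run_demo() -> ToolRegistry:
    """Register the HR server, reject a tampered and a colliding manifest, then invoke."""
    reg = ToolRegistry(DEMO_KEY)
    reg.register(HR_MANIFEST, tag(HR_MANIFEST))
    for bad_manifest, bad_tag in ((HR_MANIFEST.replace("restricted", "public"), tag(HR_MANIFEST)),
                                  (ROGUE_MANIFEST, tag(ROGUE_MANIFEST))):
        try:
            reg.register(bad_manifest, bad_tag)
        except (PermissionError, ValueError):
            pass  # expected: tampered provenance, then name collision
    reg.invoke("office_hours", {}, "alice", {"office_hours", "lookup_employee"},
               "public", lambda: "09:00-17:00")
    try:  # alice's clearance is public; lookup_employee lives in the restricted zone
        reg.invoke("lookup_employee", {"id": 7}, "alice", {"office_hours", "lookup_employee"},
                   "public", lambda id: {"id": id})
    except PermissionError:
        pass
    return reg

if __name__ == "__main__":
    for rec in run_demo().audit_log:
        print(json.dumps(rec))
```

Two design points carry over to a real deployment. Provenance is checked before anything in the manifest is parsed for registration, so an unsigned or tampered manifest never influences the tool table; and the audit record is written in a `finally` block, so a denied call is logged with the same fields as a successful one, which is what lets you answer "who tried to call what" after the fact.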

An AI teammate like Beagle, operating inside Slack or Teams, runs inside the same trust model these guidelines describe. The question worth asking is not "is our agent smart enough" — it is "do we know exactly what our agent can touch, and can we prove it after the fact."

The advisory's framing of deployment outpacing governance is a direct signal to CISOs that MCP stacks built in 2024 and early 2025 likely lack the authentication and privilege isolation controls now considered baseline. Most teams have not done a security review of their agent configuration since they first set it up. The NSA has now given every CISO a reason to ask.

The NSA publishing guidance on an 18-month-old AI protocol is not a bureaucratic footnote. It is a maturity signal. MCP has moved from developer experiment to something that intelligence agencies consider significant enough to formally address. That matters for how teams think about what they are building on top of it — and what they owe the people whose data those agents can reach.