By 2028, 25% of all enterprise generative AI (GenAI) applications will experience at least five minor security incidents per year, according to research and advisory firm Gartner.
As organisations continue to build and integrate agentic AI applications using technologies such as Model Context Protocol (MCP), new attack vectors and immature security practices will significantly elevate risk exposure, Gartner says.
“MCP was built for interoperability, ease of use and flexibility first, so security mistakes can manifest without continuous oversight for agentic AI,” said Aaron Lord, Sr. Director Analyst at Gartner.
“Because of this, the rate of minor security incidents within GenAI applications is set to grow at an increased rate.
“We will eventually see 15% of all enterprise GenAI applications experience at least one major security incident per year by 2029, up from 3% in 2025.”
Gartner says that as enthusiasm for frameworks like MCP grows, software engineering leaders must be prepared for the security realities that follow, ranging from data exposure incidents to vulnerabilities in widely used third-party components.
Protecting against these risks requires establishing rigorous security review processes, prioritising low-risk use cases, mitigating known threat patterns and empowering domain experts to define guardrails that keep agentic AI both powerful and safe.
MCP's design optimises for interoperability and developer speed rather than security enforcement by default, which means missteps can surface through ordinary usage, Gartner says.
Missteps are most likely where an agent can access sensitive data, ingest untrusted content and communicate externally within the same flow.
Software engineering leaders should treat any use case that combines those three factors as a "no-go zone" because of the heightened exfiltration risk, the research firm adds.
“Software engineering leaders should collaborate with data, security and infrastructure teams to create a formal security review for MCP use cases to prioritise low‑risk patterns and explicitly exclude high‑risk combinations,” said Lord.
“They should reinforce this with strong authentication and authorisation practices tailored specifically for AI agents, not inherited from human user roles, to keep permissions tightly scoped.
“Applying well‑known threat‑pattern mitigations, such as guarding against content‑injection and tightening oversight of third‑party MCP components, will help close the most common gaps before they can be exploited.”
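The three-factor "no-go" rule and the agent-scoped permissions described above can be enforced mechanically rather than left to reviewers' memory. The following is an added example, not code from Gartner or from any MCP SDK. It assumes a hypothetical gateway that sees every tool call an agent makes before it is forwarded to an MCP server; the tool names, capability labels and per-agent allowlists are constructed for the illustration. It does two things: a static review check that asks whether an agent's allowlist could ever combine sensitive data, untrusted content and external communication, and a runtime gate that tracks the capabilities already used in a flow and refuses the call that would complete the combination.

```python
"""Capability gate for MCP tool calls.

Added illustration, not Gartner's or any MCP implementation's code. Assumes a
hypothetical gateway between the agent and its MCP servers that sees each tool
call before forwarding it. Tool names, capability labels and allowlists are
constructed for the example.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Cap(Flag):
    """Security-relevant capability a tool exposes, assigned at review time by
    the domain that owns the MCP server, not taken from the tool's self-description."""
    NONE = 0
    SENSITIVE_DATA = auto()     # reads data the domain classifies as sensitive
    UNTRUSTED_CONTENT = auto()  # returns content the enterprise did not author
    EXTERNAL_COMMS = auto()     # can push data outside the trust boundary


# The combination treated as a no-go zone: all three capabilities in one flow.
NO_GO = Cap.SENSITIVE_DATA | Cap.UNTRUSTED_CONTENT | Cap.EXTERNAL_COMMS

# Constructed registry of reviewed tools and their capabilities (hypothetical names).
TOOL_CAPS = {
    "crm.read_customer": Cap.SENSITIVE_DATA,
    "web.fetch": Cap.UNTRUSTED_CONTENT,
    "mail.read_inbox": Cap.UNTRUSTED_CONTENT | Cap.SENSITIVE_DATA,
    "mail.send": Cap.EXTERNAL_COMMS,
    "http.post": Cap.EXTERNAL_COMMS,
    "wiki.search": Cap.NONE,
}

# Per-agent allowlists scoped to the agent's task, not inherited from a human role.
AGENT_ALLOWLIST = {
    "support-summariser": {"crm.read_customer", "wiki.search"},
    "web-researcher": {"web.fetch", "http.post", "wiki.search"},
    # Deliberately over-broad: reading mail is untrusted + sensitive, and
    # mail.send adds external comms, so this agent can reach the no-go combination.
    "ops-assistant": {"crm.read_customer", "mail.read_inbox", "mail.send", "wiki.search"},
}


class Denied(Exception):
    """Raised when a tool call must not be forwarded to the MCP server."""


@dataclass
class Flow:
    """One agent run; `acquired` accumulates the capabilities already used in it."""
    agent: str
    acquired: Cap = Cap.NONE
    calls: list = field(default_factory=list)


def allowlist_is_safe(agent: str) -> bool:
    """Static review check: can this agent's allowlist ever reach NO_GO?"""
    reachable = Cap.NONE
    for tool in AGENT_ALLOWLIST.get(agent, ()):
        reachable |= TOOL_CAPS[tool]
    return (reachable & NO_GO) != NO_GO


def gate(flow: Flow, tool: str) -> Cap:
    """Decide one tool call: return the flow's updated capability set or raise Denied."""
    if tool not in TOOL_CAPS:
        raise Denied(f"{tool}: not in the reviewed registry")
    if tool not in AGENT_ALLOWLIST.get(flow.agent, set()):
        raise Denied(f"{tool}: not allowlisted for agent {flow.agent!r}")
    proposed = flow.acquired | TOOL_CAPS[tool]
    if (proposed & NO_GO) == NO_GO:
        raise Denied(
            f"{tool}: would combine sensitive data, untrusted content and "
            f"external comms in one flow (already used: {flow.calls})"
        )
    flow.acquired = proposed
    flow.calls.append(tool)
    return proposed


def run_flow(agent: str, tools: list) -> list:
    """Drive a sequence of calls through the gate; 'ok' or the denial reason per call."""
    flow = Flow(agent)
    results = []
    for tool in tools:
        try:
            gate(flow, tool)
            results.append("ok")
        except Denied as exc:
            results.append(f"denied: {exc}")
    return results


if __name__ == "__main__":
    for agent in AGENT_ALLOWLIST:
        print(f"{agent}: allowlist {'safe' if allowlist_is_safe(agent) else 'reaches no-go'}")
    # Order matters at runtime: whichever call would add the third capability is blocked.
    print(run_flow("ops-assistant", ["mail.read_inbox", "mail.send"]))
    print(run_flow("ops-assistant", ["mail.send", "wiki.search", "mail.read_inbox"]))
```

The static check is the one to run in the formal review Gartner describes, because it catches an over-broad allowlist before deployment. The runtime gate is the backstop for flows the review did not anticipate; note that it denies the call that would complete the combination, whichever capability arrives third, so an agent that has already read untrusted mail cannot then send externally, and one that has already sent externally cannot then read sensitive data. The capability labels must come from the owning domain's review rather than from the tool's own description, since a malicious or compromised third-party MCP server can describe itself however it likes.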
Gartner adds that successful, proactive mitigations for MCP security require knowledge of antipatterns that can lead to vulnerabilities.
Software engineering leaders will need to focus mitigation on known threat patterns: content injection attacks, supply chain threats, and disclosure of sensitive data or escalation of privileges when an AI agent tries to be helpful but makes a mistake, it says.
“Software engineering leaders will need to establish domain-oriented ownership for MCP servers to drive domain-driven guardrails,” said Lord.
“Growing complexity from agentic AI will eventually lead to complications managing access to data and maintaining compliance.”
To address this at scale, Gartner recommends that software engineering leaders collaborate with domain experts and work backward to ensure secure-by-default interactions for agentic AI.
It will be critical for domain experts to predefine their guardrails before allowing MCP clients to access their data and resources, Gartner says.
It adds that these domain teams should own the MCP servers for their data and define the guardrails for agentic AI usage.