Agent-Security

I do not trust agent demos where the same model context can read a public issue, inspect a private repository, and post back to the internet with one broad token. That is not autonomy. That is a breach waiting for a better prompt injection. Prompt injection is usually framed as a model problem: the model read hostile text and followed it. I think that framing is too small. The real problem is authority. We keep putting hostile text, private data, and privileged tools into the same execution loop, then asking the model to behave. ...

Most teams are still wiring MCP the wrong way. They let every client talk directly to every tool server, bolt on auth late, and discover too late that “agent integration” silently became a new control plane with no owner, no inventory, and no reliable audit trail. Azure is now mature enough to do this properly, but the platform story is split across API Management, App Service or Functions authorization, Microsoft Foundry, and Microsoft Entra. The hard part is not learning each product in isolation. The hard part is deciding where identity, mediation, delegation, and logging must live so a tool call is still explainable after the fifth preview feature lands. [S1] [S2] [S3] [S4] [S5] [S6] ...