
AI Agent Security Is Doing the Deploy-First Thing Again

ai-security, mcp, enterprise

Anthropic released MCP in November 2024. By 2025, CVE-2025-49596 landed with a CVSS score of 9.4. CrowdStrike, Cisco, Palo Alto, and Salt Security are all building MCP security products.

If you’ve been in this industry longer than fifteen minutes, you recognize the pattern.

We did this with cloud. Spin up EC2 instances, figure out IAM later — after the S3 buckets started leaking. We did it with mobile. Ship the app, add certificate pinning after the man-in-the-middle attacks. We did it with IoT. Connect the thermostats, patch the botnets when they show up. Same story with containers and APIs.

The argument is always the same: move fast, capture the market, security comes once you know what you’re protecting. The industry keeps making this argument because it keeps working. Breaches are costs, and costs can be managed.

Here’s what’s different with AI agents.

When a misconfigured S3 bucket leaks, data walks out the door. When a vulnerable AI agent gets exploited, it can take actions — send emails, modify files, make API calls, touch systems it has legitimate access to. The blast radius goes beyond data exfiltration — a compromised agent can act autonomously in your name.

The security industry will sell you products for this. They’ll be late, expensive, and they’ll mostly work. We know how the movie ends.

The question is whether the cost of “secure it later” is higher this time, or whether enterprise buyers will just absorb it like they always have.

History suggests the latter. I hope I’m wrong.