In September 2025, Anthropic detected suspicious activity in its Claude Code tool, which turned out to be a state-sponsored espionage campaign.
By the time the company published its findings that November, the numbers were stark: a Chinese state-sponsored group had used Claude Code, orchestrated via the Model Context Protocol (MCP), to attempt to infiltrate roughly 30 organizations spanning large tech companies, financial institutions, chemical manufacturers, and government agencies.
AI executed an estimated 80% to 90% of the tactical work. Human operators stepped in only at four to six decision points per campaign. At peak, the operation generated thousands of requests, often multiple per second — a tempo no human team could sustain.
Anthropic called it the first documented large-scale cyberattack carried out with minimal human intervention. It should also be read as a preview of the governance problem every enterprise adopting AI agents is about to inherit.
The same pattern, pointed in two directions
The uncomfortable part isn’t that attackers used AI. It’s that they used the exact same integration pattern enterprises are racing to adopt for legitimate work. MCP exists to let AI models reach outside their own context: read a file, query a database, call an API.
That’s precisely what makes it useful for a finance team automating reconciliation, and precisely what made it useful for attackers wiring Claude Code into reconnaissance and exploitation tools.
Enterprise adoption of agentic AI is accelerating at a pace that outstrips most organizations’ ability to govern it. CrowdStrike’s 2026 Global Threat Report recorded an 89% year-over-year increase in operations by AI-enabled adversaries, alongside an average eCrime breakout time — the gap between initial access and lateral movement — of just 29 minutes, with the fastest observed breakout at 27 seconds.
Attackers aren’t simply using AI; they’re moving at a speed defenders built their processes around not having to match.
The risk isn’t confined to hostile actors, either. The DTEX/Ponemon 2026 Cost of Insider Risks report found that shadow AI is now a leading driver of negligent insider incidents, contributing to an average annual insider risk cost of $19.5 million per organization, up from $17.4 million in 2024.
Ninety-two percent of organizations surveyed said generative AI had fundamentally changed how employees access and share information, often faster than policy could adjust.
Why vetting the model isn’t enough
Most enterprises still evaluate AI integrations the way they evaluate a new SaaS app: a security questionnaire, a contract review, an approval, then months or years of largely unmonitored use. That model assumes risk is static once approved.
Agentic AI breaks that assumption because an agent’s behavior isn’t fixed at approval time — it’s determined by whatever instructions and data it encounters in production.
Research published in February 2026 by a Northeastern University-led team, Agents of Chaos, documented this as a structural problem rather than a fixable bug. Studying AI agents in a live, non-sandboxed environment, the researchers found that current agent architectures have no reliable way to distinguish instructions from data, a deficit they term “no stakeholder model.”
Because everything an agent sees arrives as tokens in the same context window, prompt injection isn’t an edge case to patch. It’s a structural feature of how these systems process information, and it was the most commonly exploited weakness across the study’s case examples.
That structural gap is exactly what the Anthropic campaign exploited at scale. The attackers didn’t need to break Claude’s safety training; they needed only to fragment malicious tasks into steps innocuous enough that context, not content, hid the intent. Vetting the model doesn’t close that gap. Neither does vetting the vendor once, at signature.
Must-read security coverage
- UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
- Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
- How GitHub Is Securing the Software Supply Chain
- 8 Best Enterprise Password Managers
What has to change
The fix isn’t a smarter model or a stricter usage policy. It’s putting a governed server between every AI agent and the data it touches, one that authenticates the request, evaluates it against the same access policy a human employee would face, encrypts it in transit, and logs it in sufficient detail that an auditor can later reconstruct exactly what happened.
Call it a governed MCP gateway, a secure MCP server, or a policy-enforcement layer; the label matters less than the requirement it satisfies: no operation reaches production data without passing through a control point that doesn’t simply trust the agent’s own judgment about what it should be allowed to do.
That’s a materially different architecture than what most enterprises run today, where an AI client connects to a data source directly, often reusing the same broad credentials a person would use to log into email or a network drive, and where “governance” exists mainly as a policy document rather than something enforced at the moment of the request.
Regulatory frameworks like GDPR, HIPAA, and CMMC 2.0 were built around the assumption that a named, accountable party approved each access to regulated data. An autonomous agent that decides, mid-session, to open a file or call an API nobody explicitly reviewed breaks that assumption and leaves exactly the kind of gap regulators are starting to ask about directly.
Closing it requires identity verification tied to a real user or service account, policy enforcement evaluated per action rather than per session, and an audit trail detailed enough to reconstruct exactly what an agent did and why, after the fact — which is precisely what a governed server sitting at the data layer is built to do and a model-level safeguard cannot.
It also means enterprises can no longer treat AI vendor vetting as a one-time procurement exercise they run alone.
The Black Kite 2026 Third-Party Breach Report found 136 verified third-party breach events in 2025 affecting 719 named companies, with a median public disclosure lag of 73 days after detection. Individual security teams cannot re-litigate the trustworthiness of every AI connector fast enough to keep pace with adoption running on a 29-minute attack clock.
That is why marketplace-level vetting, the kind Anthropic now applies to connectors listed in its own marketplace, matters more than it sounds like it should: it shifts trust verification from a bespoke, per-vendor negotiation into a standing, continuously reviewed gate, which is the only model that scales at the rate enterprises are adopting Claude and similar tools.
Data-layer governance platforms that have already cleared that vetting bar — Kiteworks among them — are setting the reference point against which the rest of the category will be measured — precisely because point-to-point, unvetted AI-data integrations are the exact failure pattern described in the Anthropic disclosure.
What should IT and security teams do?
Start with the basics:
- Find every active AI agent. Include approved tools, employee experiments, coding assistants, browser agents, workflow automations, and personal AI accounts connected to company systems.
- Identify who owns each one. Every production agent should have a business owner, a technical owner, and a security contact.
- Review the riskiest use cases first. Prioritize agents that can modify code, send external messages, move files, change permissions, or access regulated data.
- Check for shadow AI. Formal inventories often miss tools employees connect to without going through procurement or security review.
- Create a shutdown process. Teams should know how to disable connectors, revoke credentials, preserve logs, and determine what data an agent accessed.
- Test the response plan. Do not wait for an incident to discover that nobody knows how to stop an agent or investigate its actions.
The goal is not to slow AI adoption. It is to replace invisible experimentation with clear ownership, risk-based oversight, and a response plan that can move as quickly as the agent does.
The uncomfortable takeaway
The next AI-orchestrated campaign won’t announce itself as an attack. It will look, at every step, like an agent doing exactly the job it was configured to do, which is precisely the point.
Also read: China’s Claude Code warning shows how AI coding assistants can become a governance problem when source code, regional rules, and vendor trust collide.