December 2025 brought us the OWASP Top 10 For Agentic Applications 2026—a well-intentioned roadmap for securing AI agents as they escape the lab and infiltrate finance, healthcare, and every critical system in between. The security community nodded approvingly. Industry leaders circulated the PDF. Everyone agreed: we finally have guidance.

They’re all missing the point.

OWASP handed us a carefully worded warning about a house fire while the foundation crumbles beneath our feet. Buried in the measured language of ASI03: Identity and Privilege Abuse lies an admission so damning it should stop every agent deployment cold: “This risk arises from the architectural mismatch between user-centric identity systems and agentic design.”

Mismatch? Try catastrophic incompatibility.

The Foundation Built on Quicksand

Strip away the diplomatic phrasing and here’s what OWASP actually documented: we’re building autonomous systems that make consequential decisions on a protocol that treats security as a suggestion, not a requirement.

That protocol is MCP: the Model Context Protocol. It’s the open-source standard connecting today’s agentic AI systems to external tools, data sources, and workflows. It’s also the architectural equivalent of building a maximum-security prison with optional locks.

MCP makes authorization optional. Read that again. The protocol underlying your financial agents, your healthcare decision-makers, your autonomous business processes—it lets servers expose critical APIs without verifying who or what calls them.

The documentation “strongly recommends” defining distinct agent identities for auditability. Strongly recommends. As if traceable identity for autonomous actors with escalating privileges were a nice-to-have feature rather than the bare minimum for deployment.

The Attribution Black Hole

OWASP correctly identifies what they politely call an “attribution gap”—the void where accountability goes to die. Without distinct, governed identity, your logs show “something did something.” Good luck explaining that to regulators after a breach. Good luck reconstructing the attack chain when your agent’s hijacked credentials drain accounts or exfiltrate patient records.

This isn’t theoretical. When an agent operates without clear identity, every action it takes becomes forensically ambiguous. Was it the agent following its programming? A compromised token? An attacker exploiting the delegation chain? You’ll never know because the architecture makes knowing impossible.

Zero Trust security demands that every entity—human or machine—proves its identity for every request. It requires short-lived, traceable credentials and continuous verification. MCP’s optional authorization doesn’t just fail this model. It mocks it.

The Token Passthrough Time Bomb

MCP relies on OAuth 2.1 conventions to establish trust between clients and servers. Secure implementations validate tokens by checking the audience claim to prevent “Token Passthrough” attacks. But here’s the punchline: these checks mean nothing when the entire authorization flow is optional.

Imagine a protocol where servers can skip verification entirely, where agents can operate with borrowed human credentials, where the identity chain becomes so convoluted that privilege escalation isn’t a vulnerability—it’s a feature. You don’t have to imagine it. You’re running it in production.

Why Patching Won’t Save Us

The OWASP Top 10 for Agentic Applications covers real risks: goal hijacking, tool misuse, privilege abuse. It’s valuable guidance for securing systems within the current paradigm. That’s the problem. It accepts the paradigm.

You cannot patch fundamental architectural insecurity. You cannot bolt Zero Trust onto a protocol designed around trust-by-default. You cannot add mandatory security to a system where security is optional without breaking every deployment that relied on that optionality.

We don’t need better implementation guides for MCP. We need to stop using MCP.

The Path Forward: Burn It Down and Build It Right

The industry needs a new standard—one where security isn’t an afterthought or a “strong recommendation” but a co-primary goal with functionality. This foundation must mandate:

• Non-negotiable, cryptographically verifiable identities for every agent and resource server. No anonymous actors. No borrowed credentials. No attribution gaps.
• Mandatory authorization and policy enforcement for every transaction. Not optional. Not recommended. Required.
• Strict separation between agent identity and user identity. Agents are not users. They require their own authentication model designed for autonomous, non-deterministic actors.
• Built-in auditability that makes privilege escalation visible and traceable, not forensically invisible.

We’re deploying autonomous systems into critical infrastructure on a protocol that makes security optional. That’s not an implementation problem. That’s not a configuration oversight. That’s an architectural failure that legitimizes insecurity by design.

The Uncomfortable Truth

OWASP’s careful language about “mismatches” and “gaps” obscures a hard reality: we’re trying to secure advanced autonomous systems using mechanisms designed for predictable web applications. It’s like installing a child’s toy lock on a self-driving car and wondering why it keeps getting stolen.

The current state isn’t sustainable. Every agent deployed on MCP expands the attack surface. Every system that treats authorization as optional creates another vector for privilege escalation. Every production deployment that accepts the “attribution gap” as inevitable chooses convenience over accountability.

We know better. We have the expertise to build secure protocols for autonomous actors. We understand Zero Trust, cryptographic identity, and mandatory access control.

What we lack is the will to admit that MCP fundamentally fails the security requirements of the systems we’re building on it.

The time for diplomatic warnings has passed. Stop deploying agents on optional security. Stop patching architectural failures. Stop accepting that non-deterministic autonomous systems can operate safely without deterministic identity and authorization.

Throw out MCP. Build it right. Demand security as a requirement, not a recommendation.

The architectural quicksand won’t get firmer the longer we stand on it.