Application security , AI/ML , AI benefits/risks After the identity fix: MCP’s confused deputy problem May 6, 2026 Share By Nik Kale (Adobe Stock) COMMENTARY: Picture this. A user asks an AI agent to summarize a PDF. The document contains hidden instructions. Within the same session, the agent updates a customer's email address to one the attacker controls and triggers a password reset. Every tool call passes validation. Every credential is scoped and short-lived. The delegation chain is intact. Nobody asked for any of it. My previous piece with SC Media stated that MCP has an identity issue. This one states that even with a resolved identity issue, agents can still act as confused deputies because the tools validate credentials, not the intent of the person. The pattern is not theoretical. Microsoft assigned CVE-2026-21520 to an indirect prompt injection in Copilot Studio, disclosed in mid-April 2026. VentureBeat reported that Capsule Security, which coordinated the disclosure, called assigning a CVE to a prompt injection in an agentic platform highly unusual. The patch closed a specific data-exfiltration path. The underlying problem is 38 years old, and the patch does not touch it. Norm Hardy described this in 1988 . A legitimate program gets tricked into misuse of its own authority. His example was a compiler with billing directory write access. A user redirected the compiler's output to overwrite billing files. The compiler complied because it had the permissions. It was not broken. It was simply confused about whose authority it was exercising. The confused deputy is no longer a compiler. It's an LLM that has access to your production database, your email service, and your payment gateway. OWASP's December 2025 Top 10 for Agentic Applications categorized this class of attack as ASI01: Agent Goal Hijack. The attack your identity layer can't catch Figure 1. The confused deputy at the MCP tool boundary. Identity verification answers "who is making this request?" - not "did anyone ask for this?" Three frameworks released this year solve the identity problem well. The CoSAI MCP Security white paper describes almost 40 threats in 12 categories. The IETF Internet-Draft on Cross-Domain AuthZ Information Sharing for Agents defines a threat model for agents operating across trust boundaries. The CoSAI Agentic Identity and Access Management Framework published on April 17 describes the use of signed agent manifests, continuous authorization, and on-behalf-of tokens that maintain auditability of the delegation chain. Each of these controls answers the same question: who is making this request? None of them answer: did anyone ask for this request? Control layer What it verifies Where it lives Authentication Who the agent is Identity provider Authorization What the agent can access Token scope Delegation Whose authority is exercised OBO token chain Continuous context What has changed since login Policy engine Intent Whether the user asked for this action Tool boundary (gap) Binding tool calls to user intent A pattern to fill that gap is converging across industry and academia. This year, Lin et al. introduced the VIGIL framework , which shows a verify-before-commit protocol cuts attack success rates by more than 22% relative to state-of-the-art dynamic defenses. Oasis Security ships similar intent inference in its Agentic Access Management product. The pattern worth adopting in practice is a signed intent digest. When a user makes a request, the orchestration layer (not the LLM) generates a hash of the original request combined with the declared operation and binds it to the session. It looks like this: {intent_hash, operation, session_id, signature}. This digest travels with every tool call. The tool checks the following three conditions: the digest is there, the signature is valid, and the declared operation is the same as the action that the tool is about to perform. If the LLM was tricked into calling a tool that was not in line with the original intent, the digest will be mismatched. The tool will block the call regardless of how pristine the credentials are. Draft first, commit second Do not perform a single tool call for high-impact operations. Write operations must be done in two steps. The agent can create an email-change draft, but executing it requires a separate confirmation tool that checks session state, validates the draft was recently created, and optionally requires human approval. A prompt injection can trigger the draft. The commit step detects the mismatch. This works because the checkpoint is structural. The commit tool checks the session state, not the model's reasoning. The model can be confused, manipulated, or wrong. The session state cannot be. What to do this quarter Every MCP deployment should take these three steps this quarter. Audit your tool boundary. List every write operation your agents can execute. For each one, answer: does the tool verify that the user actually requested this action, or only that the agent is authorized to call it? Anything that falls into the second category is a confused deputy incident waiting to happen. Implement signed intent digests on your write operations, starting with the highest risk. Email changes, payment initiation, access grants, credential resets. Start where the blast radius is largest. Split high-impact actions into draft-then-commit. Pair structural checkpoints with the scoped credentials and enforcement-at-every-hop from the CoSAI Agentic IAM framework. Identity controls and intent controls compose. Neither is sufficient by itself. Hardy described this 38 years ago. The solution hasn't changed: the entity exercising authority needs to prove it's acting on behalf of the right principal for the right reason. When that entity is a non-deterministic language model processing untrusted content, identity alone isn't proof enough. Nik Kale Nik Kale is a Principal Engineer specializing in AI-driven platforms serving over 200,000 users. He is a member of the Coalition for Secure AI (CoSAI) and contributes to IETF working groups on AI agent identity and authorization. His perspectives on AI agent security have been featured in CSO Online and CIO.com . Related Data Security Internal threats now pose the biggest risk to companies SC Staff May 5, 2026 New data from Orange Cyberdefense reveals that internal threats have escalated to 57%, surpassing external threats for the first time. Phishing Telegram mini apps used in large-scale crypto scams and malware distribution SC Staff May 4, 2026 The FEMITBOT platform facilitates various scams, including fake cryptocurrency, financial services, AI tools, and streaming sites. AI/ML Cisco releases open-source ‘DNA test for AI models’ Laura French May 1, 2026 The Model Provenance Kit allows organizations to trace model origin and similarity. Related Events Cybercast CISO Stories: AI Security (Blackhat Preview) – Arctic Wolf Thu Jul 9 Cybercast Protecting Application User Data for Better Privacy, Governance, and Compliance On-Demand Event Cybercast The Next Evolution of Application Security: AI- Accelerated DevSecOps On-Demand Event Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Banner Browser Cache Cramming Common Gateway Interface (CGI) Client Cookie DLL Injection Dynamic Link Library You can skip this ad in 5 seconds