The Half of Agent Security You’re Not Governing
Noma Security's 'Lethal by Design' report exposes a critical asymmetry in AI agent security: while MCP servers produce auditable logs, the 'Skills' that drive agent reasoning leave no forensic trail. Analysis of enterprise deployments found 76% of MCP servers carry high-risk capabilities, and 60% of both MCPs and Skills can cause irreversible state changes. Real-world incidents — including an Amazon Q filesystem wipe via GitHub PR injection and Replit's AI agent destroying a production database — demonstrate that Meta's 'Rule of Two' framework fails to prevent autonomous destruction. Noma proposes the No Excessive CAP framework, focusing on three controllable levers: Capabilities (whitelist only required tools), Autonomy (gate high-blast-radius actions behind human approval), and Permissions (minimum-privilege, expiring credentials). These three dimensions interact multiplicatively, making their combined misconfiguration the highest-risk configuration in enterprise AI deployments.
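The three levers of the No Excessive CAP framework map naturally onto a policy gate in front of an agent's tool calls. The following is an added example, not code from Noma's report or from any product it describes: a small Python policy that enforces a capability allowlist, requires human approval for actions flagged as high-blast-radius, and rejects credentials that are expired or not scoped to the requested tool. Every verdict is appended to an audit log so that Skill-driven actions leave the same forensic trail the summary notes MCP servers already produce. All tool names, credential fields, ticket values and sample calls are constructed for illustration and are assumptions, not identifiers from the report.

```python
"""Added example: a minimal 'No Excessive CAP' policy gate for agent tool calls.

Capabilities: only allowlisted tools may be invoked.
Autonomy: tools flagged as high-blast-radius need a human approval decision.
Permissions: credentials are scoped to specific tools and expire.

Tool names, credential fields and sample calls below are constructed
assumptions for the demo, not identifiers from the report.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List


@dataclass
class Credential:
    subject: str                 # which agent identity holds the credential
    allowed_tools: frozenset     # Permissions lever: tools this credential may use
    expires_at: datetime         # Permissions lever: short-lived, not standing access


@dataclass
class CapPolicy:
    allowed_tools: frozenset                  # Capabilities lever: global allowlist
    high_blast_radius: frozenset              # Autonomy lever: actions that need a human
    approver: Callable[[str, dict], bool]     # hook into a human approval workflow
    audit_log: List[Dict] = field(default_factory=list)

    def _record(self, verdict: str, tool: str, reason: str) -> str:
        # Every decision, allowed or denied, is written to the audit trail.
        self.audit_log.append({"tool": tool, "verdict": verdict, "reason": reason})
        return verdict

    def authorize(self, tool: str, args: dict, cred: Credential, now: datetime) -> str:
        if tool not in self.allowed_tools:
            return self._record("deny", tool, "tool not in capability allowlist")
        if now >= cred.expires_at:
            return self._record("deny", tool, "credential expired")
        if tool not in cred.allowed_tools:
            return self._record("deny", tool, "credential not scoped to this tool")
        if tool in self.high_blast_radius:
            if not self.approver(tool, args):
                return self._record("deny", tool, "human approval withheld")
            return self._record("allow", tool, "human approved high-blast-radius action")
        return self._record("allow", tool, "within policy")


def run_demo() -> List[Dict]:
    """Run constructed sample calls through the gate and return the audit log."""
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
    policy = CapPolicy(
        allowed_tools=frozenset({"fs.read", "db.query", "db.drop_table"}),
        high_blast_radius=frozenset({"db.drop_table"}),
        # Constructed stand-in for a human approval queue: an action is approved
        # only when it references a change ticket a reviewer has signed off on.
        approver=lambda tool, args: args.get("ticket") == "CHG-0001",
    )
    full = Credential("agent-42", frozenset({"fs.read", "db.query", "db.drop_table"}),
                      now + timedelta(hours=1))
    read_only = Credential("agent-42", frozenset({"fs.read"}), now + timedelta(hours=1))

    calls = [
        ("fs.read", {"path": "/srv/app/config.yaml"}, full, now),            # ordinary read
        ("shell.exec", {"cmd": "ls"}, full, now),                             # not allowlisted
        ("db.drop_table", {"table": "orders"}, full, now),                    # no approval
        ("db.drop_table", {"table": "orders_tmp", "ticket": "CHG-0001"}, full, now),
        ("db.query", {"sql": "select 1"}, read_only, now),                    # out of scope
        ("db.query", {"sql": "select 1"}, full, now + timedelta(hours=2)),    # expired
    ]
    for tool, args, cred, when in calls:
        policy.authorize(tool, args, cred, when)
    return policy.audit_log


if __name__ == "__main__":
    for entry in run_demo():
        print(f"{entry['verdict']:5} {entry['tool']:14} {entry['reason']}")
```

The ordering of checks is deliberate: the global allowlist is evaluated before the credential, so a tool that should never be reachable is refused even if a mis-issued credential happens to name it, and the approval hook is consulted last so that humans are only asked about actions that already passed the cheaper capability and permission checks.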
Table of contents
The Fundamental Asymmetry: MCP Servers vs. Skills
The Dominant Risk Framework Has Already Failed in Production
The Scale of the Problem Noma Found in the Wild
Why This Matters