A developer can ship an MCP server in an afternoon. Getting that same server running in regulated production, with credentials provisioned, access controls enforced, and security sign-off obtained, takes weeks. This post walks through the six challenges teams hit when scaling enterprise MCP deployments from prototype to production, the fix for each, a posture assessment ...
#access control
20 posts
2 Jun
28 May
Often, enterprises end up treating all their APIs roughly the same. They’re authenticated, maybe rate-limited, and hopefully behind a gateway, but ultimately, they’re lumped together as part of a collection of APIs. While that flatness makes sense from a product management perspective, it poses a problem for risk management. A payment processing API and a ...
26 May
AI agents are pieces of software that autonomously perform actions to achieve a goal or objective. They operate in loops where they analyze input, such as prompts, context, tools, and memory. They then plan, take actions, and feed the output back into the loop to decide how to proceed. In this way, agents can dynamically ...
20 May
The application and API security industries are rethinking access control for AI agents. However, the underlying foundations remain the same ones the industry has relied on for years. What’s changing is how and when those foundations are applied. Depending on the use case, a given approach may work best at runtime, with proper contextual signals, ...
18 May
Agentic AI certainly dominated the theme of apidays New York, an event that brought together some of the API industry’s top thinkers and implementers for two days in mid-May 2026. It’s clear that APIs are still as important as ever, but they are now being repositioned as an execution layer for this new paradigm. In ...
12 May
In many existing systems, enterprise data uses only basic security protections. For example, the backend of a web application might call an API and use an API key to secure the request. The solution may seem secure enough, since the web application only calls a subset of API endpoints and the user seems constrained by ...
6 May
Between August 9 and August 17, 2025, malicious actors were able to export data from over 700 organizations. To make matters worse, the breach, referred to as UNC6395, was caused by insecure tokens leaked by a third-party app called Salesloft. As a representative from Google put it in a statement, “After the data was exfiltrated, ...
23 Apr
Since the advent of the internet, software developers have used online assistants, like search engines, to improve their time to market. In the AI era, you can think of AI agents as a new type of user agent that goes beyond the capabilities of search engines to perform concrete tasks and provide further efficiency improvements. ...
14 Apr
New data underscores what many of us have known all along: APIs are now the most common doorway for attackers. But while the reigning API security risks may not look all that new, the new technology around agentic AI, like Model Context Protocol (MCP), seems to be disproportionately exacerbating classic API- and application-level security gaps. ...
25 Mar
When it comes to APIs, security has always been a serious concern. Developers who design and build APIs strive to mitigate vulnerabilities before attackers find them. Consumers want to be reassured that the APIs their applications integrate with won’t compromise data or application integrity. However, the rise of AI has led to new and evolving ...
25 Feb
When it comes to APIs, access control is an incredibly important part of ensuring that your APIs are as secure and properly controlled as possible. In this context, one of the most effective methods that has arisen is role-based access control (RBAC), a security practice that segments access to digital systems based on roles. In ...
17 Feb
In recent months, we’ve been writing extensively about some of the exciting possibilities offered by artificial intelligence and the agentic consumption of APIs, from new routes to monetization via AI through to more efficient workflows. But there are downsides to consider here, too. Large language models (LLMs) have a habit of disregarding the API contract, ...
29 Jan
Agentic AI is an incredibly powerful frontier technology, and it’s actively changing the tech landscape day by day. One of the most significant changes is that APIs are no longer solely called by deterministic code developed and reviewed by humans. Instead, APIs are being actively and frequently called, explored, linked, and even adapted by autonomous ...
8 Jan
In the software field, one of the most commonly referred to and leveraged resources is the Top Ten list from OWASP. This is for good reason — OWASP stands as a platform- and vendor-agnostic voice that can highlight application security risks in a potentially more meaningful way than the litany of whitepapers and reports issued ...
23 Dec 2025
Authorization Exchange, or AuthZEN for short, is a new specification from the OpenID Foundation that aims to bring clarity and standardization to authorization. If OAuth 2.0 and OpenID Connect brought us standardized protocols for authentication and identity, AuthZEN aims to do something similar for fine-grained authorization. It defines a shared, interoperable way for applications to ...
22 Dec 2025
Agentic AI has been one of the hottest buzzwords of 2025, with developers and business owners racing to unlock the vast potential of AI. Agentic AI is a vital link in this technological chain, as it allows AI systems to make decisions and implement actions with little to no human input necessary. If you have ...
27 Nov 2025
Authorization is having a bit of a moment in the tech world right now. Organizations like Apple are investing more heavily in policy-driven access control, signalling a shift towards policy as code. As this approach is solidified, it’s becoming clear that the next big revolution in the authorization space will be focused on a specific ...
26 Nov 2025
A cybersecurity system is only as secure as its weakest link. Consumers and developers likely had no reason to doubt the security of a fintech API used by most of the largest banks in the world, official financial institutions, and the majority of the most widely used financial software and services on the market. Unfortunately, ...
1 Oct 2025
Most teams do at least some sort of injection attack testing. This testing, however, is typically focused on a small subset of particular vulnerabilities. SQL injection is a popular target, as is command injection. Some teams may even do log injection if they’ve been burned before. But when it comes to APIs — and especially ...
23 Mar 2022
Identity and Access Management system deals with “who” should get “what” level of access to an object (entity) or a function. The subsystem that defines “who” is called Authentication (Identity), while the subsystem that defines “what” level of access is called Authorization (Access). Building an IAM system can get very complex quickly. No wonder “Broken…