AI Workflows - Sysdig: MCP & the rise of 'toxic flows'

This is a guest post for the Computer Weekly Developer Network written by Conor Sherman, CISO in residence at Sysdig.

Sherman writes in full as follows…

Executives are betting heavily on agentic AI as a new engine of efficiency.

But as businesses accelerate these deployments and introduce Model Context Protocol (MCP) to connect large language models (LLMs) with enterprise systems to create workflows, they can also create new fault lines for security.

The most pressing of these are called toxic flows.

What are toxic AI flows?

Toxic flows describe dangerous chains of interaction between AI agents, enterprise tools and external data. They combine exposure to untrusted inputs, over-privileged identities, access to sensitive information and open connections to outside services.

When those elements converge, attackers can ride the flow to exfiltrate data, corrupt systems, or push changes into production. MCP therefore risks becoming the equivalent of an insecure application programming interface (API), yet standardised at a global scale.

Why MCP changes the stakes

In less than a year, MCP has gone from experiment to default integration layer for agentic systems. Anthropic launched the protocol in late 2024, positioning it as a universal connector for AI tools. Gartner predicts that by 2028, a third of enterprise software will include agentic AI capabilities. If Gartner is correct, MCP will move from experiment to mainstream infrastructure in less than three years.

Independent scans have already identified nearly 1,900 MCP servers exposed to the Internet, with every tested instance leaking tool listings without authentication.

This rapid MCP adoption mirrors the rise of APIs two decades ago. The difference is that APIs were secured and standardised over time. MCP has arrived without mature guardrails, even as it is being wired into financial systems, development environments and customer data stores. This sets the stage for toxic flows.

Incidents that show the risk

These risks are not theoretical. In July 2025, Replit disclosed that its AI agent deleted a live production database during a code freeze. The agent not only executed the destructive command but also misrepresented its actions to engineers. Similar weaknesses surfaced in a GitHub MCP server exploit analysed by Invariant Labs. By combining untrusted inputs with excessive permissions, researchers showed that even well-established connectors could become conduits for toxic flows.

A recent discovery by the Sysdig Threat Research Team documented how attackers exploited a misconfigured AI tool to deliver an AI-generated payload, further underscoring how fragile agentic integrations can become when guardrails are absent.

Toxic flows do not arise from a single coding flaw; they emerge when unpredictable model behaviour, broad entitlements and connective protocols like MCP align without guardrails. What looks like a benign automation chain can quickly become a high-impact exploit path.

Traditional enterprise controls were built for humans and static applications rather than agentic workflows. Audit logs show what happened, but not why the agent acted. Monitoring tools are tuned to spot malicious code or anomalous packets, not poisoned instructions hidden in plain language prompts. Governance frameworks still assume a human is in the loop for high-risk changes, relying on ticketing systems and approval workflows that agents can simply bypass.

Guardrails in code to scale

One approach gaining traction is Policy as Code (PaC). By expressing guardrails in code, enterprises can make policies testable, reviewable and enforceable at runtime. PaC maps directly to NIST’s AI Risk Management Framework principles of traceability and accountability: every action is tied to a policy decision and every policy is transparent.

The open-source ecosystem provides credible starting points. Open Policy Agent (OPA) brings a reviewable, declarative policy engine; Gatekeeper and Kyverno enforce those policies at admission. SPIFFE/SPIRE supplies workload identity, issuing short-lived credentials bound to a specific task. And that identity layer isn’t optional – it’s proportional to the scale of the problem. CyberArk’s 2025 research finds machine identities now outnumber humans by 82:1, with many holding privileged access. Additionally, the 2025 Sysdig Cloud-Native Security and Usage Report found that non-human accounts are 7.5x more risky than human identities. In that environment, task-scoped, short-lived credentials and policy-gated approvals become the only practical way to keep agentic workflows governable and to prevent toxic flows from propagating.


Together, these tools enable the tight scoping of credentials, require human approval for destructive actions and facilitate correlation of identity, task and traffic at the connector level. Instead of relying on audit logs after the fact, enterprises can enforce policy decisions in real time and keep workflows explainable.
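The gate described above, as an added example that is not Sysdig's code or part of the original post: a small Policy-as-Code evaluator for MCP tool calls that enforces task-scoped credentials, requires human approval for destructive tools, and refuses an external call once the session has combined untrusted input with sensitive data (the toxic-flow convergence from the definition earlier). The tool catalogue, the SPIFFE-style identity string and the property labels are constructed assumptions, not MCP or OPA APIs.

```python
"""Policy-as-code gate for MCP tool calls (added example, hypothetical tool catalogue)."""
from dataclasses import dataclass, field

# Constructed catalogue: each tool is labelled with the toxic-flow ingredients
# named in the post (untrusted input, sensitive data, external egress) plus
# whether it is destructive. A real deployment would load these from policy.
TOOLS = {
    "read_issue":   {"untrusted_input": True,  "sensitive": False, "egress": False, "destructive": False},
    "read_secrets": {"untrusted_input": False, "sensitive": True,  "egress": False, "destructive": False},
    "http_post":    {"untrusted_input": False, "sensitive": False, "egress": True,  "destructive": False},
    "drop_table":   {"untrusted_input": False, "sensitive": False, "egress": False, "destructive": True},
}

@dataclass(frozen=True)
class ToolCall:
    identity: str          # SPIFFE-style workload ID issued to the agent (hypothetical value)
    task_scope: frozenset  # tools the short-lived, task-bound credential may invoke
    tool: str
    approved: bool = False # set only by an out-of-band human approval step

@dataclass
class Session:
    """State of one agent workflow; taint persists across the whole chain."""
    decisions: list = field(default_factory=list)
    tainted: bool = False            # an untrusted input has entered the chain
    touched_sensitive: bool = False  # sensitive data has been read in the chain

def evaluate(session: Session, call: ToolCall):
    """Return (allow, reason) and record the decision so every action is tied to a policy."""
    props = TOOLS.get(call.tool)
    if props is None:
        verdict = (False, "unknown tool")
    elif call.tool not in call.task_scope:
        verdict = (False, "tool outside task-scoped credential")
    elif props["destructive"] and not call.approved:
        verdict = (False, "destructive action requires human approval")
    elif props["egress"] and session.tainted and session.touched_sensitive:
        verdict = (False, "toxic flow: untrusted input + sensitive data + external egress")
    else:
        verdict = (True, "ok")
        # Only allowed calls change the chain's taint state.
        session.tainted |= props["untrusted_input"]
        session.touched_sensitive |= props["sensitive"]
    # Decision log carries identity, tool and reason: the "why", not just the "what".
    session.decisions.append((call.identity, call.tool, verdict[0], verdict[1]))
    return verdict
```

The same session object must be threaded through every call in a workflow; evaluating each call against a fresh session loses the taint and lets the flow through.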

Where leaders should focus

The path forward is not to slow adoption but to build guardrails into the fabric of these systems. As MCP cements itself as the standard interface between agents and enterprise systems, its very success raises the likelihood of toxic flows.

That is why the control point has to shift: PaC makes those flows visible, enforceable and explainable. Enterprises that adopt it early will harness MCP’s promise; those that don’t risk watching their automation layer turn into the next great attack surface.