What is an AI Trust Assessment?

An AI Trust Assessment is an independent evaluation of an AI agent, MCP server, or AI platform that produces a structured Trust Score and risk report. The assessment covers security posture, permission scope, data handling practices, abuse resistance, compliance alignment, and governance maturity. Metinc's AI Trust Assessments provide enterprises with independent evidence to approve, monitor, or block AI tools before connecting them to critical business systems.

Why do AI agents require governance?

AI agents operate autonomously and can request access to sensitive systems, data, and APIs on behalf of users and organizations. Without governance, enterprises face risks including unauthorized data access, prompt injection attacks, tool poisoning, supply chain vulnerabilities, and compliance violations. AI agent governance frameworks define who can assess and approve AI tools, what access levels are permitted, how risks are monitored continuously, and how incidents are escalated.

AI Safety refers to the technical and operational practices that prevent AI systems from causing unintended harm to individuals, organizations, or society. In enterprise contexts, AI safety covers prompt injection prevention, jailbreak resistance, output validation, human oversight mechanisms, access controls, and alignment with acceptable use policies. Metinc evaluates AI safety as part of every trust assessment.

What is AI Governance?

AI Governance is the set of policies, processes, roles, and controls an organization uses to manage AI systems responsibly. Enterprise AI governance addresses risk assessment, procurement approval, access management, compliance monitoring, audit logging, and incident response for AI tools and agents. As AI adoption accelerates, robust AI governance frameworks are becoming a regulatory and operational requirement.

What is Agentic AI Risk?

Agentic AI Risk refers to the unique security and governance risks that arise when AI systems operate autonomously — taking sequences of actions, using tools, and accessing systems without step-by-step human approval. Key agentic AI risks include excessive tool permissions, prompt injection via external data sources, uncontrolled multi-agent delegation, data exfiltration, and the execution of unintended or harmful actions at machine speed.

How does Metinc assess AI systems?

Metinc conducts independent, structured assessments of AI agents, MCP servers, and AI platforms. Each assessment evaluates security architecture, permission scope, data handling practices, abuse resistance, compliance alignment, and governance maturity. Assessments produce a quantitative Trust Score (0–100) across multiple risk dimensions, a detailed risk report, and a continuous monitoring plan. Verified systems are listed in the Metinc Trust Directory and receive a Trust Badge that enterprises can reference for procurement decisions.

June 2026 Incident Report

5 Recent AI Agent and MCP Security Incidents Every Enterprise Should Learn From

Q: What is an MCP Server?

An MCP (Model Context Protocol) server is a software component that exposes tools, data sources, and APIs to AI agents and large language models. MCP servers act as structured interfaces that allow AI systems to read files, query databases, call APIs, and interact with enterprise systems. Because MCP servers grant AI agents access to critical business resources, their security, permissions, and data handling practices require independent assessment before enterprise deployment.

A review of notable AI agent, MCP security, and governance incidents reported during June 2026 — and what organizations can learn from them.

Download the PDF report

Incident ReportJune 2026

AgentJacking · MCPHigh

Frontier-model oversightPolicy

Production DB deletionCritical

Exposed MCP serversHigh

MCP vulnerabilitiesHigh

5 incidents · Lessons for enterprise AI

Quick Summary

Five recent incidents show the same pattern: AI capability is outpacing governance. None was caused by malicious AI — each traces back to permissions, visibility, and oversight gaps that trust assessments and governance reviews are designed to close.

Executive summary

AI adoption is accelerating, but so are governance, security, and operational risks. This report highlights five recent incidents that demonstrate why organizations need stronger oversight and trust-assessment frameworks. The goal is not alarm — it is pattern recognition: each incident points to a control that, if in place, would have meaningfully reduced the risk.

Incidents reviewed

Security incidents

Governance incidents

MCP-related

AI agent incidents

Get the full June 2026 report

A share-ready PDF of all five incidents, governance lessons, and the action checklist.

Download the PDF report

Incident #01 — AgentJacking: A New Attack Technique Targets MCP-Connected AI Agents

MCPAI AgentSecurity

What happened. Security researchers described a technique they called “Agentjacking,” in which an attacker plants malicious instructions inside data an AI coding agent later reads through an MCP server — for example, a crafted error event in a monitoring tool. When a developer asks the agent to act on that data, reports indicate the agent could not reliably distinguish the injected content from legitimate input and executed attacker-influenced actions with the developer’s own privileges.

Why it matters. Because every step in the chain is technically authorized, the activity can pass straight through traditional controls like firewalls, EDR, and IAM. The trust boundary is not the network — it is the content the agent reads and acts on.

Governance lesson. MCP-connected agents need explicit trust boundaries around untrusted content, plus runtime monitoring of the actions they take. Treat anything an agent ingests as potentially adversarial input, not trusted instruction.

AI AgentAsked to act on data

MCP ServerRetrieves external content

External ContentHidden malicious instructions

Compromised ActionRuns with developer privileges

Every step is technically authorized — so the chain bypasses firewalls, EDR, and IAM.

Key takeaway: Trust boundaries and runtime monitoring matter.

Incident #02 — Frontier-Model Safety Concerns Draw Government Attention

GovernancePolicy

What happened. Frontier-model safety moved squarely into the policy arena. A leading AI lab published a detailed framework calling for mandatory third-party testing of advanced models across cybersecurity, biosecurity, and loss-of-control risks, while U.S. authorities issued export-control directions that restricted access to certain frontier models on national-security grounds.

Why it matters. It is a clear signal that the most capable models are now treated as systems with national-security implications — and that external oversight, not just internal review, is becoming part of the landscape organizations build on.

Governance lesson. AI capabilities often evolve faster than the governance frameworks meant to contain them. Enterprises should track model provenance, assume the regulatory baseline will rise, and design controls that do not depend on any single model remaining available.

AI Capability

Frontier capability advancing rapidly, month over month.

Governance Controls

Oversight frameworks lagging behind capability.

The gap between capability and governance is where most risk accumulates.

Key takeaway: AI capabilities often evolve faster than governance frameworks.

Incident #03 — An AI Coding Agent Reportedly Deletes a Production Database

AI AgentOperational Risk

What happened. Multiple public accounts in 2025 and 2026 described AI coding agents deleting production data using valid credentials and approved APIs. In one widely reported case, an agent removed a company’s production database — and backups within the same blast radius — in seconds after acting on a misread of its environment. The credentials were legitimate; the actions were permitted.

Why it matters. The failure was not a malicious model. It was access control: the agent could reach production and its backups at all, with no approval gate between intent and irreversible action.

Governance lesson. Human-approval workflows and least-privilege permissions remain critical. Separate staging from production, keep backups outside the agent’s reach, and require explicit approval for destructive operations.

SStaging

Read & write
Disposable data
Safe to fail

Production

Approval required
Backups isolated
Destructive ops gated

Key takeaway: Human approval workflows and permission controls remain critical.

Incident #04 — Researchers Find Large Numbers of Publicly Exposed MCP Servers

MCPSecurityExposure

What happened. Internet-wide scans through 2026 catalogued tens of thousands of publicly reachable MCP servers, with a large share running with no authentication at all and many relying on static, long-lived API keys rather than modern OAuth flows. The exposed surface grew month over month as adoption accelerated.

Why it matters. An unauthenticated MCP server is an open door to whatever it connects to. The data shows organizations are deploying MCP faster than they are securing and governing it.

Governance lesson. Maintain an inventory of MCP servers, require authentication and scoped permissions by default, and never expose a server to the public internet without a clear, reviewed reason.

MCP Exposure Snapshot

Publicly reachable MCP serversTens of thousands

Running with no authentication~40%

Relying on static API keys~53%

Using modern OAuth~9%

Directional figures synthesized from 2026 internet-scan research; exact counts grew month over month.

Key takeaway: Organizations are adopting MCP faster than they are governing it.

Incident #05 — Multiple MCP Vulnerabilities Highlight Emerging Ecosystem Risks

MCPSecurityVulnerability

What happened. Researchers disclosed dozens of MCP-related vulnerabilities across the ecosystem, spanning authentication bypasses, broken authorization, remote code execution, and information disclosure. Several carried critical severity scores. Reviewers noted the root causes were rarely exotic — missing input validation, absent authentication, and blind trust in tool descriptions.

Why it matters. MCP is a young, fast-growing ecosystem, and much of the risk traces back to fundamentals rather than novel exploits. That makes it both serious and addressable through disciplined security practice.

Governance lesson. MCP servers require ongoing security review — dependency scanning, authentication and authorization checks, and validation of tool inputs — not a one-time approval at adoption.

Authentication

Missing or bypassable auth on exposed endpoints.

Authorization

Broken scope enforcement and privilege boundaries.

Remote Code Execution

Command and code injection through unvalidated input.

Information Disclosure

Leakage of secrets, tokens, and internal data.

Key takeaway: MCP ecosystems require ongoing security review.

Common themes across all incidents

Read together, the five incidents are not five different problems. The same issues appear again and again: excessive permissions, poor governance, a lack of visibility, missing audit controls, weak authentication, and limited human oversight. Trace each to its root, and they converge on one thing.

Excessive Permissions

Poor Governance

Lack of Visibility

Missing Audit Controls

Weak Authentication

Limited Human Oversight

Insufficient
Trust & Governance

Different incidents, one shared root: gaps in trust, permissions, and oversight — not malicious AI.

What organizations should do now

The encouraging news is that the controls are well understood. None of these requires exotic technology — they require deciding, on the record, what your AI agents and MCP servers may do, and verifying it. Start here.

Inventory AI agents

Know every agent operating against your systems.

Review MCP integrations

Map each MCP server and what it connects to.

Review permissions

Tighten scopes to least privilege; revoke unused access.

Enable audit logging

Record every action so it can be reviewed later.

Establish governance controls

Require review and approval before connection.

Perform trust assessments

Evaluate servers and agents against a clear framework.

Conduct risk reviews

Reassess on a cadence, not just at adoption.

The emerging need for AI trust assessments

It is worth restating the through-line: most of these incidents were not caused by malicious AI. They were caused by insufficient governance, excessive permissions, poor controls, and weak visibility. That distinction matters, because it tells you where to invest. You do not primarily need to defend against a hostile model — you need to understand and constrain what the systems you have already deployed are allowed to do.

This is what creates the growing need for structured trust assessments: a repeatable way to evaluate an agent or MCP server’s permissions, security, governance, and transparency before it connects, and to reassess it as it changes. The same review that would have flagged an over-permissioned database connection or an unauthenticated MCP server is the review that scales as your AI footprint grows.

Looking ahead

This is the first in a planned series. Metinc intends to publish a monthly AI Trust & Governance Incident Report so teams can track how the landscape is moving without combing through scattered disclosures themselves.

MonthlyReport

AI Agent incidentsMCP Security incidentsGovernance failuresEmerging risksIndustry lessons learned

Each month, Metinc plans to track the incidents and patterns shaping AI trust and governance.

Metinc is exploring methodologies that help organizations better understand trust, governance, transparency, and operational risk across AI agents and MCP ecosystems — so adopting new capabilities does not mean losing visibility or control.

Learn about our approach to trust

Frequently asked questions

What AI incidents occurred in June 2026?

This report reviews five: AgentJacking, an attack technique targeting MCP-connected AI coding agents; frontier-model safety concerns drawing government attention and export-control action; an AI coding agent reportedly deleting a production database using valid credentials; researchers finding large numbers of publicly exposed MCP servers; and the disclosure of multiple MCP vulnerabilities spanning authentication, authorization, remote code execution, and information disclosure.

What is AgentJacking?

AgentJacking is an attack technique in which malicious instructions are hidden inside data that an AI agent later reads through an MCP server — such as a crafted error event in a monitoring tool. When a user asks the agent to act on that data, the agent may not distinguish the injected content from legitimate input and can execute attacker-influenced actions with the user's own privileges. Because every step is technically authorized, it can bypass traditional controls like firewalls, EDR, and IAM.

Are MCP Servers secure?

MCP servers can be secure, but security depends on how each one is built and operated. 2026 research found many publicly exposed servers running with no authentication and relying on static API keys, plus dozens of disclosed vulnerabilities. Most root causes were fundamentals — missing input validation, absent authentication, and blind trust in tool descriptions — which means the risks are serious but addressable through disciplined security practice.

What governance risks do AI agents create?

AI agents can act on real systems using valid credentials, so the main governance risks are excessive permissions, weak authentication, limited human oversight, missing audit logs, and a lack of visibility into what each agent can do. Most reported incidents stem from these gaps rather than from malicious AI behavior.

Why are AI trust assessments important?

Many incidents are caused by insufficient governance, excessive permissions, weak controls, and poor visibility — not by malicious AI. A structured trust assessment evaluates an agent or MCP server's permissions, security, governance, and transparency before it connects, turning ad-hoc judgment into a repeatable, comparable decision.

How can organizations reduce AI governance risk?

Inventory your AI agents, map and review MCP integrations, tighten permissions to least privilege, enable audit logging, require review and approval before connecting, perform trust assessments against a clear framework, and conduct risk reviews on a regular cadence rather than only at adoption.

What lessons can enterprises learn from recent AI incidents?

The recurring lesson is that capability is outpacing governance. Treat data an agent reads as potentially adversarial, separate staging from production, keep backups outside an agent's reach, require human approval for destructive actions, authenticate and scope every MCP server, and review the ecosystem continuously rather than once.

AI Trust & Governance Intelligence

Stay Ahead of AI Trust & Governance Risks

Subscribe to receive monthly AI Trust, Governance, MCP Security, and Incident Intelligence reports — practical lessons from real incidents, no fear-based hype.

Subscribe for Monthly Reports Download June 2026 report

Related Resources

Fundamentals