The governance of AI agents faces a fundamental asymmetry: while MCP servers provide structured logs, the “Skills” that drive agent reasoning remain forensic black holes. As high-risk capabilities, such as arbitrary code execution and state changes, become prevalent in nearly 60% of enterprise deployments, traditional models like the “Rule of Two” are failing to prevent autonomous destruction. To counter this, Noma Security proposes the No Excessive CAP framework, focusing on the three controllable levers of defense: Capabilities, Autonomy, and Permissions.
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2026/05/the-half-of-agent-security-youre-not-governing/

