AI in Cybersecurity

CT10 When AI Tools Go Rogue: Securing Agents, MCP, and Dev Assistants

August 4th, 2026

9:30am - 10:45am

Level: Introductory / Intermediate

Pavan Reddy

AI Researcher and Engineer

Adversarial Lab

Agents and MCP tools are where AI stops being a helpful assistant and starts modifying real systems. This is also where we’re already seeing command injection, SSRF, data exfiltration, and full developer workstation compromise via “helpful” IDE assistants and internal agent frameworks.

This session turns those incidents into concrete design rules for safe agent/tool ecosystems across IDEs, MCP servers, and internal automations. It will start with a realistic story of a developer who enables an AI assistant in a trusted IDE and ends up with a compromised laptop and stolen secrets, then deconstruct how the attack actually flowed through agents, tools, and MCP, and finish with practical identity, permission, egress, and policy patterns you can apply to your own environment.

You will learn:

  • How to recognize attack paths in AI agent tooling
  • How to apply least-privilege patterns to AI tools
  • How to define approval policies for agents and extensions