As AI agents gain real privileges, Tray.ai CEO Rich Waldron explains why governance must evolve faster than the technology driving them.
In the span of a year, a quiet protocol began reshaping how enterprises wire AI into the real world. The Model Context Protocol (MCP) makes it shockingly simple to connect large language models to tools, data, and systems: no heavy middleware, no months-long integration cycles, no central gatekeepers. That convenience is exactly why CISOs are uneasy.
To make sense of the opportunity and the risk, we sat down with Rich Waldron, CEO of Tray.ai, whose platform powers composable automation and agentic workflows at scale. Waldron is bullish on what agents can unlock yet blunt about what goes wrong when non-deterministic models gain real privileges faster than governance can keep up. In this candid conversation, he lays out why MCP fundamentally expands the attack surface, why prompt injection is already an operational problem, and what security leaders must fix first.
“MCP fundamentally expands the enterprise attack surface.” Why?
Waldron doesn’t hesitate. “It comes down to trust, scale, and stochastic behavior. MCP has lowered the barrier to wiring LLMs into real systems. You no longer need deep engineering expertise to expose tools and data to a model, so adoption happens across roles and at a velocity enterprises aren’t used to managing.”
He explains that the sheer volume of MCP servers, tools, and connections creates more access paths than traditional integration patterns. “A lot of these servers are community-built, locally run, and outside formal IT review. You might trust the person experimenting, but you can’t automatically trust the code they’ve pulled from GitHub yesterday.”
The observability gap is just as worrying. “There’s typically little visibility into what those servers are doing, limited monitoring, and uneven security validation. In traditional software, we review libraries, scan them, audit them before giving access to critical systems. With MCP experimentation, it’s often rapid ‘vibe coding’ on a laptop.”
Layer on model non-determinism and the risk rises. “LLMs are sensitive to whatever lands in their context window. Intentional or not, that context can push behavior in unsafe directions. As usage spreads beyond seasoned engineers, the odds of risky context entering the system increase, and so does the effective attack surface.”
“Agents don’t fail loudly; they drift quietly. Security has to catch the drift before it becomes a detour.”
Rich Waldron, CEO, Tray.ai
Prompt injection sounds academic. Is it really a real-world threat today?
“Very much so,” Waldron says. “Prompt injection becomes consequential the moment models can take actions, and MCP is connecting them to action-oriented tools every day.”
He points to two compounding realities. “First, MCP often exposes read and write capabilities together. Fine-grained administrative controls are still maturing, and many users turning on tools don’t fully appreciate the blast radius. Second, LLMs are persuadable by design. The risk isn’t a single nasty prompt; it’s context injection: instructions embedded in emails, documents, tickets, or even the tool output itself.”
Because the attack surface evolves with models and usage patterns, Waldron calls prompt/context injection “an operational risk, not a theoretical one.” The takeaway: “If a model can do things, then influencing its context can make it do the wrong things.”
Why are MCP-based attacks hard for traditional security tools to detect?
“Most security controls are built for deterministic systems: APIs, services, identity providers,” Waldron notes. “Agentic workflows run on probabilistic behavior. A manipulated action can look perfectly valid on the wire: the credentials are right, the schema is correct, the API call succeeds. What’s wrong is the intent.”
Without deeper observability into the agent’s reasoning and the context that steered it, anomalous actions are indistinguishable from normal use. “And remember,” he adds, “context itself is dynamic. As models evolve, the same input can produce different behavior. So your detection logic goes stale faster.”
There’s also a structural blind spot: shadow adoption. “A lot of MCP usage starts locally, outside formal IT control. Traditional tools aren’t even in the loop, so there’s nothing to alert on in the first place. That’s how you both miss attacks and struggle to reconstruct what happened after the fact.”
Could a single compromised prompt really trigger actions across finance, HR, and production?
“It’s not about a single prompt; it’s about a compromised context window,” Waldron clarifies. “LLMs don’t truly separate instructions from data. Everything they consume becomes one shared context.”
As MCP agents pull from emails, CRMs, HRIS records, or tickets, a hidden instruction can ride along. “Imagine an email with embedded directions that look like data but nudge the model to exfiltrate sensitive records. If the agent has tools spanning finance or HR, that corrupted context can cascade across systems. Without strict scoping and approvals, the blast radius grows quickly.”
How do high-privilege service accounts amplify MCP risk?
“Fine-grained permissioning is still catching up,” Waldron says. “In the meantime, teams often reach for broad service accounts. When an agent authenticates with a high-privilege identity, every tool it touches inherits that power.”
If the agent is misled or misconfigured, the impact can span multiple systems at once. “And because the MCP ecosystem is evolving quickly, security and authorization models are uneven across servers and clients. Coarse permissions last longer than intended, with inconsistent enforcement and limited visibility. That’s a bad combination.”
What makes non-deterministic models especially dangerous in MCP environments?
“Non-determinism is part of it,” Waldron says, “but the deeper issue is that LLMs are optimized to produce an output. They predict the most likely continuation; they don’t decide whether the action should happen at all.”
As MCP tools feed the model more external data, the context shifts constantly, and so does behavior. “These models are trained on the full spectrum of human patterns, including deception and misuse. Pair that with tool access, and you get a system that can confidently take actions that look reasonable ‘in context’ but are wrong in practice.”
His conclusion: “You can’t rely on the model to ‘do the right thing.’ You have to surround it with guardrails that constrain what ‘right’ is allowed to look like.”
“Zero trust for AI agents” sounds catchy. What does it mean in practice?
“It means trust nothing by default: not the agent, not the tools, not the context,” Waldron says. “Every action should be authenticated, authorized, logged, and tightly scoped.”
He outlines the pillars in plain language: “Separate read and write. Require approvals for high-risk actions. Keep identities least-privileged and workload-specific. Continuously observe behavior with enough context to understand why an action happened, not just that it did. If an agent can change data, it deserves the same discipline as any system of record.”
Where do composable agent platforms fit in?
“They act as the enforcement plane between agents and enterprise systems,” Waldron explains. “Instead of every MCP server rolling its own security, this layer decides which tools are exposed, which identities they run as, and what scopes are allowed per interaction.”
Because all tool calls and data flows pass through the platform, it gains the vantage point you need for both control and detection. “You can inspect inputs and outputs, apply policy, catch unsafe patterns, and block potentially malicious actions before they hit real systems. You move from hoping each server gets security right to centralizing the guarantees.”
Why do audit trails break down in MCP-driven workflows?
“Fragmentation and speed,” Waldron says. “Some activity gets logged locally, some inside individual services, and some not at all. Reconstructing who initiated an action, what context influenced the model, which tools were called, and what happened next becomes a forensic puzzle.”
Even when logs exist, they’re reactive. “By the time someone reviews them, a compromised context may have already triggered downstream actions. Audit is essential, but it’s not sufficient. You need proactive controls upstream of the action and real-time observability around agent behavior.”
If you’re a CISO, what do you fix first?
“Start with visibility,” Waldron answers. “Inventory MCP servers, who owns them, and every system they can touch. From there, tighten identity and scopes: kill broad service accounts and replace them with least-privilege, task-specific credentials.”
Next, set a clear path from experimentation to governed use. “You don’t want to kill innovation. You want a runway. Define the maturity stages: local experiments, sandboxed pilots with approvals, production with enforced policy. Make it easy to graduate and impossible to bypass.”
Finally, put an enforcement layer in the middle. “Centralize authentication, authorization, and observability for agent-tool interactions. Separate read/write, require approvals for sensitive operations, and log with full causal context so you can explain why an action happened, not just that it did.”
He smiles, but the warning is serious. “MCP is a force multiplier. That cuts both ways. If you don’t design for safety from the start, your agents will move faster than your controls, and you’ll be securing yesterday’s incident while tomorrow’s is already in flight.”
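As an added illustration of the enforcement-plane pattern described in the answers above (workload-specific identities with least-privilege scopes, read/write separation with approvals on writes, and an audit entry that records the context that steered each action), here is a small Python gate. It is example code written for this page, not Tray.ai's or any MCP server's code; the tool names, identities and context-source ids are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed catalogue of MCP-style tools, each classified read or write
# (hypothetical names, not any real MCP server's tools).
TOOLS = {
    "crm.search_contacts": "read",
    "hr.export_records": "write",
    "finance.create_payment": "write",
}

# Constructed per-identity scopes: one workload-specific identity per agent,
# granted only the tools its task needs (no broad service account).
SCOPES = {
    "support-agent": {"crm.search_contacts"},
    "payroll-agent": {"crm.search_contacts", "hr.export_records"},
}

AUDIT_LOG: list[dict] = []  # every decision, allowed or denied, with causal context


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def authorize_tool_call(identity, tool, args, initiator, context_sources, approved_by=None):
    """Gate one agent tool call: scope check, approval on writes, causal audit entry.
    context_sources lists what fed the model's context window before it chose this
    action (e.g. an email or ticket id), so an investigator can see what steered it."""
    if tool not in TOOLS:
        decision = Decision(False, "unknown tool: not exposed by the enforcement plane")
    elif tool not in SCOPES.get(identity, set()):
        decision = Decision(False, f"{identity} is not scoped for {tool}")
    elif TOOLS[tool] == "write" and not approved_by:
        decision = Decision(False, "write action requires a human approval")
    else:
        decision = Decision(True, "allowed")
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "identity": identity, "tool": tool, "args": args, "initiator": initiator,
        "context_sources": list(context_sources), "approved_by": approved_by,
        "allowed": decision.allowed, "reason": decision.reason,
    }
    AUDIT_LOG.append(entry)  # denied calls are logged too; that is the forensic trail
    decision.audit = entry
    return decision
```

Because every call, including a denied one, lands in AUDIT_LOG with its context sources, reconstructing which input influenced a write is a lookup rather than a forensic puzzle.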
