Tenet says 2,388 orgs exposed Sentry DSNs that can hijack AI coding agents
A fake error report can run attacker code with developer privileges, and not one alert fired in Tenet’s tests.

Tenet Security disclosed in June that a crafted Sentry error event can inject attacker instructions into error data that Claude Code, Cursor, and Codex execute as trusted diagnostic output. The consequence for decision-makers is clear: if your stack includes publicly exposed Sentry DSNs, your AI coding agents share the same blind spot.
Tenet Security’s June disclosure has a single, unnerving through-line: one crafted Sentry error event, sent via a public credential, hijacked Claude Code in controlled testing. The agent ran the attacker’s code with the developer’s full privileges, and not one alert fired. Tenet tested 100-plus targets, achieved an 85% success rate, and called out that EDR, WAF, IAM, and the firewall all missed it completely.
Here is the part that turns a “cool research demo” into an executive problem. Tenet identified 2,388 organizations with publicly exposed Sentry credentials that could be used to inject malicious events at scale. Tenet also shows a concrete scope test: a captured Claude Code environment included a live AWS secret access key and private repository URLs. The research is proof-of-concept, not confirmed exploitation across all 2,388 organizations, but the blast radius is the point. If your AI coding agents connect to Sentry (or other MCP-connected data sources your developers trust), and those agents can execute shell commands, your stack likely has the same blind spot.
So what makes this different from the usual “someone leaked a token” story? The core mechanism is agentjacking’s authorized-by-design chain. An attacker sends a valid Sentry API call using a public DSN, the MCP server returns the injected event as authentic output, and the agent executes the instruction using the developer’s privileges. No signature fired, because every step is technically “allowed.” The victim sees only what looks like benign diagnostics while the agent silently exposes cloud credentials and source-control tokens.
This is why the Cloud Security Alliance classified agentjacking as a systemic MCP vulnerability class within days of the disclosure. No perimeter was breached. No credentials were stolen. No policy was violated. Every step was authorized. That phrasing matters for boardrooms, because it reframes “security failure” from a single broken control into a category problem: SOC teams have not historically needed to distinguish between a developer running an npm install and an agent running a command in response to a malicious error event. That distinction did not exist until AI coding agents became production tools.
The Sentry piece also lands in a market where enforcement is lagging adoption. Five independent surveys from the first half of 2026 found that enterprises trust their AI agents far more than their enforcement justifies. Only 34% of organizations apply the same security controls to AI agents as they do humans, according to an Okta/Apprize360 survey of 292 executives and 492 knowledge workers. In the same survey, 52% of employees use unapproved AI tools, and 58% of executives reported an AI-related incident or close call in the prior year. HiddenLayer’s 2026 AI Threat Landscape Report surveyed 250 IT and security leaders: 33% reported agents had already exceeded intended scope, and 31% could not confirm whether they had experienced an AI breach. One in eight AI breaches was linked to agentic systems.
If that sounds like a measurement problem, it is. The Tenet findings basically weaponize the measurement gap. Tenet identified 2,388 organizations with publicly exposed Sentry credentials, and explicitly notes that organizations should audit publicly exposed DSNs immediately if agents are connected to Sentry. Sentry’s architecture intentionally makes DSN credentials public for frontend error reporting, so the mitigation is not revoking the DSN. It is restricting what agents can do with the data those DSNs return. In other words: the fix is about runtime behavior and least privilege for agent actions, not just perimeter hygiene.
That maps directly onto what CrowdStrike is now selling as a “safety net” approach for runtime. Elia Zaitsev, CTO of CrowdStrike, told VentureBeat that “no one has been talking about securing agents at runtime” and framed the question as: if controls fail, how do you prevent silent failure? CrowdStrike’s fleet data quantifies the operational reality: more than 1,800 agentic applications on enterprise endpoints, approximately 160 million instances under monitoring. On June 15, CrowdStrike shipped Continuous Identity for AI Agents at Identiverse, replacing static policies with continuous enforcement that authorizes every agent action in real time. Zaitsev also pushed back on sandbox-only thinking, saying that an agent that starts in a sandbox with no ability to touch anything is “worthless,” and that you quickly end up in a capability race that undermines the point of the sandbox.
Underneath all of this is a budget and governance gap. Kayne McGladrey, an IEEE Senior Member, described the structural challenge: “The CISO doesn’t have the budget. The CISO doesn’t have the staff.” When agent governance spans six departmental budgets, no single executive can confirm whether agents get the same access reviews as humans. The Okta survey supports the disconnect: only 43% of workers say agent policies are clear, compared to 65% of executives, and nearly two-thirds apply weaker controls to agents than to humans. Assaf Keren, chief security officer at Qualtrics and former CISO at PayPal, warned that the real risk starts when baseline architecture is not well established, and that putting AI on top of something not architected well accelerates fractures. Runtime behavior analytics is described as “an unsolved problem right now.”
For executives, the strategic stake is simple. This is not about whether a single tool missed a threat. It is about whether your organization can prevent “authorized” malicious runtime instructions from turning into credential and data exposure through AI coding agents. If you share the pattern Tenet uncovered, your timeline is not “someday.” It is now: inventory agent and MCP connections, audit publicly exposed DSNs, and treat agent execution as a privileged runtime identity that needs continuous, action-level authorization. Otherwise, you are not just accepting risk. You are accepting silent risk.
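
One way to express action-level authorization for an agent, as an added example that is not from Tenet, Sentry, CrowdStrike, or any agent product: a session is marked tainted once output from an externally writable source enters its context, and privileged actions are then denied unless a human approves. The tool names (`sentry_mcp`, `shell_exec`), the `AgentSession` class, and the sample sequence are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical names: none of these come from Sentry, MCP, or an agent product.
UNTRUSTED_SOURCES = {"sentry_mcp"}   # tools whose output outsiders can write to
PRIVILEGED_ACTIONS = {"shell_exec", "file_write", "http_request"}


@dataclass
class AgentSession:
    tainted_by: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def record_tool_result(self, tool: str) -> None:
        """Taint the session once externally writable data enters the context."""
        if tool in UNTRUSTED_SOURCES:
            self.tainted_by.add(tool)

    def authorize(self, action: str, detail: str, approved: bool = False) -> bool:
        """Authorize one action at a time and log the decision with its reason."""
        if action not in PRIVILEGED_ACTIONS:
            allowed, reason = True, "non-privileged action"
        elif not self.tainted_by:
            allowed, reason = True, "no untrusted input in context"
        elif approved:
            allowed, reason = True, "tainted context, human approved"
        else:
            allowed, reason = False, "tainted by " + ",".join(sorted(self.tainted_by))
        self.audit_log.append(
            {"action": action, "detail": detail, "allowed": allowed, "reason": reason}
        )
        return allowed


def demo():
    """Constructed sequence: the same command before and after reading Sentry data."""
    s = AgentSession()
    decisions = [s.authorize("shell_exec", "npm test")]            # clean context
    s.record_tool_result("sentry_mcp")                              # error event fetched
    decisions.append(s.authorize("shell_exec", "npm test"))        # now denied
    decisions.append(s.authorize("read_file", "src/app.js"))       # still allowed
    decisions.append(s.authorize("shell_exec", "npm test", approved=True))
    return decisions, s.audit_log


if __name__ == "__main__":
    results, log = demo()
    for entry in log:
        print(entry)
```

The audit log records, for every privileged action, whether it followed ingestion of externally writable data, which is the developer-versus-agent distinction the article says SOC teams have not historically had to draw.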
