Agentjacking, Runtime Security and the AI ROI Debate: From Sentry Exposure to the AI Chip Boom

In 2026 the AI security conversation shifted from theoretical risk to a tangible class of threats that blend legitimate data with malicious intent. Tenet Security’s disclosure on agentjacking shows how a single crafted Sentry error event, delivered through a public DSN, can cause an intelligence-driven stack to execute attacker instructions with the developer’s own privileges. What makes this alarming isn’t a credential theft or a perimeter breach; it’s that every step in the chain—Sentry, MCP servers, and the client agents—can be treated as legitimate, authorized activity. Claude Code, Cursor, and Codex environments reportedly ran the attacker’s shell commands as if they were ordinary diagnostic outputs. The lesson is clear: the exposure isn’t isolated to one tool, but to the architecture that makes DSN-based error reporting public-facing and, in practice, trust-enabled. The Cloud Security Alliance promptly classified agentjacking as a systemic MCP vulnerability class, underscoring the need for runtime-aware protections that go beyond revoking credentials or tightening perimeters.

Even more ominous is the scale of exposure Tenet identified: nearly 2,400 organizations with publicly accessible Sentry credentials could be leveraged to inject malicious events at scale. Tenet stressed that this research remains proof-of-concept rather than confirmed exploitation across all targets, but the pattern is hard to ignore. If your AI coding agents rely on Sentry, Datadog, PagerDuty, Jira, or any MCP-connected data source, and those agents can execute commands, then your stack shares the same blind spot. This isn’t about a single vulnerability; it’s about a design choice: error and telemetry data, when treated as trusted inputs, can become a conduit for unauthorized behavior that operates without triggering traditional alarms. The takeaway is practical and urgent: audit publicly exposed credentials and reexamine what data your agents actually trust to return, and what they are allowed to do with it.

The discourse around agentjacking dovetails with a broader governance challenge: five independent surveys in early 2026 reported a worrying disconnect between policy and practice. Only about a third of organizations apply the same security controls to AI agents as they do to humans, while over half of employees admitted to using unapproved AI tools. Executives reported AI-related incidents at a non-trivial rate, and PCI-like concerns around data, access, and scope creep began to surface in analyst reports. The results paint a governance posture that is lagging behind the rapid adoption of AI agents. The message from these studies is consistent: if you cannot inventory agents, you cannot govern them; if you cannot govern agents, you cannot contain them. The call to action is blunt—an organization-wide census of agents and their connections is a procurement gate for any Q3 vendor evaluation, and shadow AI must be brought into the light with formal reviews and controls.

Runtime security, a term gaining momentum in 2026, is no longer optional. As Elia Zaitsev, CTO of CrowdStrike, warned, securing AI agents at runtime is the new frontier: these agents have identities, they access resources, and they take action based on what they perceive. The industry has historically focused on patching vulnerabilities and locking down permissions, but the runtime layer is where the last mile of protection sits. CrowdStrike’s introduction of Continuous Identity for AI Agents signals a shift from static policies to dynamic, real-time authorization of every agent action. In practice, that means an agent’s action is only valid if it’s verifiably associated with a trusted identity and an approved scope, and it must be auditable in near real time. The emphasis on runtime enforcement is not an abstract ideal; it’s a procurement criterion now, shaping how organizations evaluate vendors and how they design their security architectures.

Beyond governance and runtime, the industry is grappling with how to value AI investments. A sharp counterpoint to the ROI conversation comes from Martin Reynolds, who argues that token counting—simply tallying spend—fails to reveal which AI-enabled efforts actually move the needle. A true cost model should expose which work drives impact, not just how money is allocated. This reframing matters because the security investments needed to defend AI ecosystems—runtime controls, agent inventories, access reviews, and policy alignments—must be justified not only in terms of risk reduction but also in terms of organizational effectiveness and measurable outcomes. In other words, the ROI debate should include the cost of governance and runtime protections as enablers of productive AI work, not as friction to be avoided. The real ROI comes from knowing what your agents are doing, where they’re doing it, and ensuring those actions align with business objectives without exposing sensitive data or cloud credentials.

To place these threads in a wider context, recent momentum in AI hardware and policy demonstrates how deeply intertwined the technology stack has become with national and economic strategy. South Korea’s substantial AI chip push—backed by major players like Samsung and SK Hynix—reflects the understanding that AI capability hinges on robust hardware foundations. Chipmakers’ stock activity in the first half of 2026 underscored the market’s belief that AI infrastructure, not just software, will drive future growth. The industry’s broader conversation—around how AI models are deployed, who owns the data, and how governance keeps pace with capability—echoes in prominent analyses from Bruce Schneier and Erin Brockovich. Schneier warns that AI’s power to assist or enable wrongdoing demands defense-oriented research and policy, while Brockovich’s reflections on AI datacenters highlight the societal and environmental dimensions of our acceleration toward large-scale AI systems. Taken together, these signals remind us that AI’s promise comes with a spectrum of risks that require coordinated technical, governance, and societal responses.

As organizations navigate this landscape, a practical synthesis emerges: treat every agent as a potential insider, run the five-question gap test before any Q3 vendor evaluation, and insist on agent-specific runtime detection as a procurement prerequisite. The five questions map to gaps in agent inventory, controls parity, scope, governance perception, and breach detection certainty. The data from the Okta/Apprize360 and related surveys is not just trivia; it’s a blueprint for what to test before you buy. If you can’t distinguish agent-initiated actions from human-initiated ones in production telemetry, you’re already at risk of silent breaches. The moral is simple: the first line of defense is a complete, trusted inventory of agents and their MCP connections; everything else flows from that clarity. When you can see what an agent did, you can determine whether the action was legitimate or malicious, and you can respond in minutes rather than days. In the end, the security architecture that matters most is the one that sees agents not as abstract tools, but as privileged insiders with a real-time, auditable footprint.

1. Vulnerability and exposure context: Tenet Security and CSA findings on agentjacking (Sentry, Datadog, PagerDuty, Jira) – source materials summarized from venturebeat.com.
2. Governance and risk surveys: Okta/Apprize360, Gravitee, HiddenLayer, CSA and related reports (2026).
3. Runtime security and policy: CrowdStrike Continuous Identity for AI Agents announcements and executive discussions.
4. ROI and cost modeling: Martin Reynolds on token counting vs. real impact in AI investments.
5. AI hardware and societal context: Korea’s AI chip push; chipmaker market trends; Bruce Schneier and Erin Brockovich commentaries on AI and datacenters.

Sources:

1. The attack that hijacked Claude Code came through Sentry, Datadog, PagerDuty and Jira have the same exposure
2. Opinion: Why Token Counting Obscures ROI on AI Investments
3. South Korea Unveils $576B AI Chip Push With Samsung and SK Hynix
4. Shares in chipmakers underpinning AI boom rocket in first half of 2026
5. Once, cyber-attacks required great skill. AI is changing that | Bruce Schneier
6. ‘We’re up against forces that have all the money in the world’: Erin Brockovich on her battle against AI datacentres