The Protocol That Makes Enterprise AI Integration Possible Is Also the One That Makes It Dangerous

Most enterprises believe they have around 20 connections linking their AI agents to external tools and data sources. According to Trust3 AI's own enterprise scanning data — which has not published its methodology or allowed third-party audit — the real number is often ten times as high: servers spun up by developers, embedded in productivity tools, running without the security team's knowledge or consent. That visibility gap is the sharp end of a security problem that Trust3 AI, a startup formerly known as Privacera, launched a product to fix on May 20, 2026.

The protocol driving those connections is called the Model Context Protocol, or MCP. Anthropic released MCP in November 2024 as an open standard for connecting AI agents to external tools and data sources. By 2026 it had become the default integration layer for enterprise agent deployments — the connective tissue between AI systems and the databases, CRMs, code repositories, and productivity tools they query. It also has no trust model built in: no tamper-evident audit log, no verified server identity, no content inspection when an agent reaches out to an external service. A malicious server can embed instructions inside tool descriptions that redirect agent behavior or exfiltrate data without the agent knowing anything is wrong. "Security cannot live at the edges anymore," said Don Bosco, co-founder of Trust3 AI, in the launch announcement. "It has to be built into the protocol itself."

The practical consequence is not hypothetical. The Postmark infostealer campaign, documented by security firm Praetorian in February 2026, is the first known in-wild attack to exploit the MCP attack surface — a malicious server was used to steal data from developer environments. Praetorian's research demonstrates that exploiting an MCP server can achieve code execution, data theft, and response manipulation without compromising the agent itself. An academic preprint from researchers at Tsinghua University, Ant Group, Swinburne University, and the University of New South Wales puts a number on the underlying attack's feasibility: file-based injection attacks against MCP-connected agents succeed 83.8 percent of the time, according to the paper posted to arXiv. That research has been public for months. What is new is a product specifically designed to close the gap.

Trust3 AI's product adds content inspection, server identity verification, and audit logging to MCP connections — essentially a TLS layer for the agent-to-server handshake that the protocol itself omits. Whether the product works at scale in production environments is the open question. The launch announcement is not independent proof. No named enterprise customer has gone on record to confirm the product is deployed and functioning. The threat is credible — Praetorian has a track record in offensive security research — but Trust3 AI's specific implementation has not been audited by a third party or validated in a live production environment. Whether enterprises need a purpose-built MCP governance product or can close the gap with existing tooling — cloud access security brokers, endpoint agents, network segmentation — is also an open question. CASB vendors and endpoint security providers have not published specific MCP hardening guides, but the alternative is not empty: mature security stacks already handle trust modeling for other classes of inter-service communication.

Trust3 AI was founded in 2016 by the creators of Apache Ranger and Apache Atlas, the open-source data governance frameworks still used inside hundreds of enterprises. The company rebranded from Privacera to Trust3 AI in March 2026 and has raised $63.5 million in total funding, according to its website. Insight Partners led its most recent round, which included a $50 million Series B raised as Privacera.

There is also a structural risk Anthropic has not addressed. MCP is an Anthropic-created protocol. Anthropic could add a native trust layer to MCP itself — which would make Trust3 AI's add-on product unnecessary for any customer that updates to a new protocol version. Anthropic has not announced plans for MCP trust modeling, and building a robust trust layer into a production protocol used by thousands of deployments is a non-trivial engineering undertaking with backwards-compatibility implications. Whether Anthropic treats a native security layer as an internal roadmap item, a competitive lever against ecosystem partners, or a low priority relative to capability work is the key question hanging over Trust3 AI's market. If Anthropic moves, Trust3 AI's addressable market shrinks to zero for any customer willing to update.

What to watch next is whether the visibility gap forces a procurement response. If enterprises audit their MCP connections and find the real number is higher than expected, MCP governance is likely to become a standard procurement checklist item before new agent deployments are approved. Neeraj S. noted on LinkedIn that MCP security is becoming a live discussion in enterprise procurement conversations — whether Postmark has already moved this into active procurement talks is what the market is watching. Trust3 AI is betting the window stays open long enough for enterprise sales cycles to close.