
AI Agent and MCP Security Audits: What Teams Should Validate

AI agents and MCP servers introduce a new attack surface: tools, permissions, data access, and workflow execution. Telhawk helps review AI-agent workflows and MCP servers with proof-backed risk evidence.

Risk surface

What an AI agent and MCP security audit should cover

An AI agent is a system, not a model. The security questions are about what the agent can touch, on whose behalf, and under what controls — not just about the prompt.

Tool access

Which tools the agent can invoke, under what conditions, and whether each tool's blast radius matches the agent's intended scope.

Data access

What customer, tenant, or internal data the agent (and its tools) can read or write — and whether those reads respect existing application boundaries.

Permission boundaries

Whether the agent operates with a single privileged identity or correctly impersonates the calling user, and how that decision shows up in downstream APIs.

Agent actions

What state-changing actions the agent can take autonomously, and whether sensitive actions require human confirmation or stronger authorization.

Prompt and tool misuse

How the agent behaves under prompt injection in retrieved content, tool output, or user input — and what the worst-case path actually reaches.

Sensitive workflow execution

Whether long-running or multi-step workflows preserve authorization checks at every step, not just at the entry point.

API calls

Whether the underlying APIs the agent calls enforce the same authorization the human-facing UI does, including object-level and field-level controls.

Customer data exposure

Whether RAG indexes, tool responses, or logs leak data across tenants, customers, or trust boundaries.

Privileged actions

Whether the agent can reach admin-style operations — account changes, exports, escalations — and what proves that authorization holds.

Missing authorization checks

The most common AI-agent vulnerability: a tool or endpoint authenticates the caller but never confirms the caller is allowed to touch the requested record.
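The three audit items above that are easiest to misread on a diagram are permission boundaries (a single privileged identity versus impersonating the caller), human confirmation for state-changing actions, and the missing object-level authorization check. The following is an added example, not Telhawk's code or any real MCP SDK: a minimal MCP-style tool layer in which the vulnerable read path sits beside its hardened form, and a dispatcher gates a sensitive tool behind explicit confirmation. Every tenant, user, token, record id and tool name is constructed for the example.

```python
"""
Added example, not Telhawk's code: a minimal MCP-style tool layer that
contrasts an authenticated-but-unauthorized tool with its hardened form.
Tenants, users, tokens, records and tool names are all constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str


# Constructed data: two tenants, one record each.
RECORDS = {
    "rec-100": {"tenant": "acme", "body": "acme invoice"},
    "rec-200": {"tenant": "globex", "body": "globex payroll"},
}
# Constructed bearer tokens -> authenticated principal.
TOKENS = {
    "tok-alice": Principal("alice", "acme"),
    "tok-bob": Principal("bob", "globex"),
}
# One privileged identity the agent could run under (the anti-pattern).
SERVICE_ACCOUNT = Principal("mcp-service", "*")
# Tools that change state and therefore require explicit human confirmation.
SENSITIVE_TOOLS = {"delete_record"}


def authenticate(token: str) -> Principal:
    """Authentication only: establishes who is calling, nothing about what
    they may touch."""
    if token not in TOKENS:
        raise PermissionError("unauthenticated")
    return TOKENS[token]


def downstream_read(principal: Principal, record_id: str) -> str:
    """Stand-in for the downstream API. It enforces the tenant boundary
    itself rather than trusting the agent. The "*" tenant models a service
    account the API treats as all-tenant, which is what hides misuse."""
    record = RECORDS[record_id]
    if principal.tenant != "*" and record["tenant"] != principal.tenant:
        raise PermissionError(f"{principal.user} may not read {record_id}")
    return record["body"]


# --- Vulnerable pattern: caller authenticated, object access unchecked ---
def get_record_unsafe(token: str, record_id: str) -> str:
    """Validates the token, then fetches as the service account. Any
    logged-in user can read any tenant's record, and the downstream audit
    trail shows only 'mcp-service', never the user who actually asked."""
    authenticate(token)
    return downstream_read(SERVICE_ACCOUNT, record_id)


# --- Hardened pattern: propagate the caller, check the object -----------
def get_record(token: str, record_id: str) -> str:
    """Calls downstream as the authenticated user, so the existing
    object-level authorization applies and logs name the real caller."""
    principal = authenticate(token)
    return downstream_read(principal, record_id)


def delete_record(token: str, record_id: str) -> str:
    """State-changing tool: authorization is re-checked at this step,
    not only at the agent's entry point."""
    principal = authenticate(token)
    downstream_read(principal, record_id)  # same tenant check before mutating
    RECORDS.pop(record_id)
    return f"deleted {record_id}"


TOOLS = {"get_record": get_record, "delete_record": delete_record}


def dispatch(tool: str, token: str, record_id: str, confirmed: bool = False) -> dict:
    """Tool dispatcher with a confirmation gate for sensitive actions.
    Returns a dict so the caller can see which path was taken."""
    try:
        principal = authenticate(token)  # fail closed before anything else
        if tool not in TOOLS:
            return {"status": "unknown_tool", "tool": tool}
        if tool in SENSITIVE_TOOLS and not confirmed:
            return {"status": "needs_confirmation", "tool": tool, "user": principal.user}
        return {"status": "ok", "result": TOOLS[tool](token, record_id)}
    except PermissionError as exc:
        return {"status": "denied", "reason": str(exc)}
```

The contrast an auditor wants to see is in the two `get_record` variants: both authenticate, but only the hardened one carries the caller's identity into the downstream call, so the tenant check there can do its job and the logs name the user rather than the agent. The `delete_record` path shows the other two items: the authorization check is repeated at the step that mutates state, and the dispatcher refuses to run it until a human has confirmed.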

Lack of validation after changes

Agent behavior can drift as prompts, models, tools, or data sources change. Without re-validation, prior assurances no longer hold.

How Telhawk approaches AI-agent and MCP review

Map the agent's real reach

Tools, MCP servers, connectors, data sources, and downstream APIs — documented as an actual graph rather than a marketing diagram.

Test the underlying APIs

Most AI-agent risk lands in the APIs the agent calls. Telhawk reviews authorization, tenant isolation, and sensitive-action controls at that layer.

Produce proof-backed evidence

Findings name the affected path, the missing control, and the practical impact, with validation status after correction where applicable.

Audit your AI agents and MCP servers

Talk to Telhawk about reviewing tool access, data boundaries, and underlying API authorization with proof-backed evidence.

Talk to an expert