CoSAI Secure-by-Design Agentic Systems: 12-Threat MCP Framework + Confused Deputy Defense Pattern
The Coalition for Secure AI released a MCP Security whitepaper mapping 12 core threat categories and nearly 40 distinct threats, with the 'confused deputy problem' — where an MCP server executes actions using its own elevated privileges rather than the requesting user's — identified as the highest-impact architectural flaw in current implementations. The countermeasure is capability-scoped identity chains where each agent action is executed under the requesting identity's permission set rather than the server's, enforced via OAuth 2.1 delegation tokens. Principles for Secure-by-Design Agentic Systems require human governance, resilience, transparency, and auditability as design constraints, not post-deployment additions.
↳ Follow the thread