Share with your CISO
A Chinese state-linked group used Anthropic’s Claude Code to run an automated cyberattack against roughly 30 organizations, including banks and government agencies, with AI handling 80 to 90 percent of the operation unassisted. The attack didn’t exploit a flaw in Claude. It broke work into small, ordinary-looking requests and rode the tool’s own MCP connections to execute them. That’s the same architecture Australian enterprises are deploying at scale: 69 percent run autonomous AI agents in production, yet only 22 percent have a mature governance model, according to Deloitte’s 2026 State of AI in the Enterprise report.
What this means for your business
The attack model here isn’t novel hacking. It’s task decomposition, the same technique your own agents use to complete overnight reconciliation work. An attacker who understands that your AI agent has standing credentials to a file store, an API, and an SSH key doesn’t need to breach your perimeter. They need to feed the agent requests that look like work. The threat surface is your own automation stack, not a vulnerability in Claude’s training.
The identity governance numbers are the sharpest part of this story. Only 52 percent of Australian organizations have AI agent identities fully registered and authorized in a formal system, against 65 percent globally. Twenty-one percent said they were confident they could regain control if an agent’s credentials were exposed. That’s the practical consequence of provisioning agents for tasks with no revocation process attached. Agents accumulate standing permissions the way service accounts always have, except they act on those permissions at machine speed, without the human pause that once made credential sprawl merely annoying rather than catastrophic.
Eighty-four percent of Australian enterprises have already rolled back a customer-facing AI agent over a governance failure. That’s not a leading indicator. It’s a dataset. The signal worth watching is whether the industry responds by building agent identity into the provisioning workflow from day one, or continues treating it as a cleanup task for after the first serious incident.
Concept deep-dive: MCP (Model Context Protocol)
MCP is a standardized interface that lets an AI agent call external tools, open files, query databases, or hit APIs, without a human manually authorizing each individual action. It exists because agents need persistent, extensible connections to be useful at scale. Think of it as a universal adapter between the AI and your enterprise systems. The security implication is direct: MCP connections inherit whatever credentials the agent was provisioned with, and those credentials rarely expire when the original task does. That’s the access vector the Claude Code attackers used, and it’s live in most agentic deployments today.
Based on reporting from Could Using Claude Code Put Australian Enterprises At Risk?, originally published 2026-07-14 03:00:00.

