The AI security landscape is changing rapidly. While early security efforts focused primarily on large language models (LLMs), today's AI deployments increasingly rely on agents, tools, and Model Context Protocol (MCP) servers that connect AI systems directly to enterprise applications, data sources, and business workflows.
These new architectures unlock tremendous value, but they also introduce entirely new categories of risk.
That is why PointGuard AI is proud to be collaborating with the Cloud Security Alliance (CSA) on RiskRubric v2, an expanded framework for evaluating risk across AI models, MCP servers, and AI agents. The initiative represents an important step toward creating a common, evidence-based standard for assessing the security, reliability, transparency, and operational safety of modern AI systems.
The Growing Security Challenge of MCP Servers
MCP servers have quickly become a critical component of agentic AI architectures. They provide the tools, resources, and integrations that allow AI systems to interact with external applications and data sources.
However, this capability comes with significant security implications.
Unlike AI models that primarily process prompts and generate responses, MCP servers sit between AI systems and enterprise resources. They can provide access to sensitive data, business applications, infrastructure, and automated workflows. A vulnerable MCP server can introduce supply chain risks, expose sensitive information, enable unauthorized actions, or create pathways into critical systems.
Recognizing this challenge, RiskRubric v2 expands beyond model security to include MCP-specific risks such as tool-call abuse, command injection through tool arguments, supply chain vulnerabilities, transitive trust issues, and data exposure through tool responses.
The framework also expands to address AI agents, whose autonomous behavior introduces additional concerns including goal hijacking, privilege escalation, memory poisoning, capability abuse, and excessive agency.
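One of the MCP-specific risks named above, command injection through tool arguments, is easiest to see side by side with its mitigation. The following Python is an added example (not PointGuard AI's code and not something RiskRubric prescribes): a tool handler that splices a client-supplied argument into a shell string, next to the hardened form that validates the argument against an allowlist and passes it as a separate argv element so no shell ever parses it. The hostile argument value, the `wc -l` tool and the allowlist pattern are constructed for the illustration.

```python
import re
import subprocess

# Constructed tool argument as an MCP client might forward it; the text after ';'
# would run as a second command if the value were ever spliced into a shell string.
HOSTILE_ARG = "report.txt; cat /etc/passwd"

SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n]")

def build_command_unsafe(filename: str) -> str:
    # 'Before': the argument is interpolated into a command string intended for
    # shell=True. Nothing stops metacharacters in the argument from becoming new commands.
    return f"wc -l {filename}"

def injects_shell_syntax(command: str) -> bool:
    # Review/detection aid: a command string assembled from tool input that carries
    # shell metacharacters is the signature of this weakness, in code or in invocation logs.
    return SHELL_METACHARS.search(command) is not None

# Allowlist (assumption for this example): alphanumeric first character so the value
# cannot be parsed as an option, no path separators, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def validate_filename(filename: str) -> str:
    # Reject anything outside the allowlist rather than trying to sanitise it.
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected tool argument: {filename!r}")
    return filename

def build_command_safe(filename: str) -> list[str]:
    # 'After': the validated value is one argv element; the shell is never involved.
    return ["wc", "-l", validate_filename(filename)]

def is_rejected(filename: str) -> bool:
    # Convenience for callers and tests: does the hardened path refuse this value?
    try:
        build_command_safe(filename)
    except ValueError:
        return True
    return False

def run_tool(argv: list[str]) -> str:
    # Executes the argv form without a shell. The unsafe string form is never executed here.
    result = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=5)
    return result.stdout

if __name__ == "__main__":
    unsafe = build_command_unsafe(HOSTILE_ARG)
    print(f"unsafe string: {unsafe!r} -> shell syntax present: {injects_shell_syntax(unsafe)}")
    print("safe argv:", build_command_safe("report.txt"))
    print("hostile value rejected:", is_rejected(HOSTILE_ARG))
```

The point for an assessor is the shape of the code, not the specific tool: any MCP tool whose handler turns a string argument into a shell string, SQL string or file path without validation has this class of weakness, and the fix is the same in each case (validate against an allowlist, then pass the value through an API that does not re-parse it).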
PointGuard AI's Contribution
To help address these emerging risks, PointGuard AI has undertaken one of the industry's largest ongoing MCP security assessment efforts.
As a service to our customers and the broader security community, we have been directly testing and evaluating more than 20,000 publicly available MCP servers. Many of these servers are readily available through open-source repositories and developer communities, making adoption easy for organizations seeking to accelerate AI deployments.
Unfortunately, security and transparency often lag behind availability.
Our research has identified numerous MCP servers with security weaknesses, poor governance practices, inadequate maintenance, questionable provenance, or insufficient transparency around ownership and operation. In many cases, organizations have little objective information available to evaluate the risks associated with deploying these services.
This growing ecosystem requires a consistent, industry-wide approach to evaluating MCP security. That need is a key driver behind our participation in the RiskRubric v2 initiative.

Expanding RiskRubric for the Agentic Era
RiskRubric v1 established a framework for evaluating AI models across six pillars of trustworthiness and operational integrity. Version 2 significantly expands that vision by incorporating MCP servers and AI agents as distinct service types requiring specialized evaluation methodologies.
The framework evaluates systems across six core pillars:
- Transparency
- Reliability
- Security
- Privacy
- Safety and Societal Impacts
- Excessive Agency
The new Excessive Agency pillar addresses risks unique to autonomous systems, including privilege abuse, delegated trust exploitation, goal drift, authorization failures, and other behaviors that could cause AI systems to exceed their intended scope.
As part of the initiative, PointGuard AI worked with the CSA and other contributors to help define how MCP security should be evaluated within these pillars. Our focus was on expanding RiskRubric's definitions to address the realities of MCP architectures while maintaining consistency with the broader framework.
These contributions are reflected in Appendix A of the RiskRubric v2 Concept Paper, which introduces MCP-specific indicators covering transparency, reliability, security, privacy, and excessive agency. Examples include:
- Tool description fidelity
- Provider identity and provenance
- Tool execution reliability
- Supply chain integrity
- Vulnerability identification
- Hardcoded secret detection
- Data exposure risks
Together, these metrics provide a practical foundation for evaluating MCP servers and the risks they introduce into agentic AI environments.
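To make the indicators above concrete, here is an added Python example (not PointGuard AI's scanner and not an implementation of anything the RiskRubric v2 paper specifies) that applies three of them to a constructed MCP server: tool description fidelity (does each tool's description agree with its declared `inputSchema`?), hardcoded secret detection (are credentials present in the server's launch environment?), and data exposure risk (do captured tool responses carry secret-shaped strings?). The sample `tools/list` manifest, environment, tool response, secret regexes and the "injection-prone argument name" heuristic are all assumptions made for this illustration.

```python
import re
from typing import Any

# Constructed sample of what an MCP server advertises via tools/list, the environment it was
# launched with, and one captured tool response. Every value here is made up.
SAMPLE_TOOLS: list[dict[str, Any]] = [
    {
        "name": "query_orders",
        "description": "Look up orders for a customer_id within a date range (start_date, end_date).",
        "inputSchema": {
            "type": "object",
            "properties": {"customer_id": {"type": "string"}, "start_date": {"type": "string"}},
            "required": ["customer_id", "start_date"],
        },
    },
    {
        "name": "run_report",
        "description": "Generate the nightly report.",
        "inputSchema": {
            "type": "object",
            "properties": {"template": {"type": "string"}, "shell_cmd": {"type": "string"}},
            "required": ["template"],
        },
    },
]
SAMPLE_ENV = {
    "DB_URL": "postgres://app:Sup3rSecret@db.internal/orders",     # constructed
    "AWS_ACCESS_KEY_ID": "AKIA" + "EXAMPLEEXAMPLE00",                # constructed, not a real key
}
SAMPLE_RESPONSE = {
    "content": [{"type": "text", "text": "order 42 shipped; api token " + "ghp_" + "EXAMPLE" + "0" * 29}]
}

# Secret-shaped patterns (assumed set for the example; a real scanner would carry many more).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "url_embedded_password": re.compile(r"://[^/\s:]+:[^@\s]+@"),
}
# Argument names that usually reach an interpreter; flagged for validation review (heuristic).
RISKY_ARG_NAME = re.compile(r"(cmd|command|shell|exec)", re.IGNORECASE)

def find_secrets(text: str) -> list[str]:
    """Return the names of the secret patterns that match anywhere in text."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]

def check_description_fidelity(tool: dict[str, Any]) -> list[str]:
    """Compare snake_case names in the description with the declared input schema."""
    props = set(tool.get("inputSchema", {}).get("properties", {}))
    mentioned = {t.lower() for t in re.findall(r"[A-Za-z][A-Za-z0-9_]*", tool.get("description", ""))}
    findings = []
    for name in sorted({t for t in mentioned if "_" in t} - props):
        findings.append(f"{tool['name']}: description mentions '{name}' that is not in inputSchema")
    for name in sorted(props - mentioned):
        findings.append(f"{tool['name']}: declared argument '{name}' is never explained in description")
    return findings

def check_injection_prone_arguments(tool: dict[str, Any]) -> list[str]:
    """Flag free-form string arguments whose names suggest they reach a shell or interpreter."""
    props = tool.get("inputSchema", {}).get("properties", {})
    return [
        f"{tool['name']}: string argument '{name}' looks interpreter-bound; confirm allowlist validation"
        for name, spec in props.items()
        if spec.get("type") == "string" and RISKY_ARG_NAME.search(name)
    ]

def assess_server(tools: list[dict[str, Any]], env: dict[str, str], response: dict[str, Any]) -> dict[str, list[str]]:
    """Run the three indicator checks and group findings by indicator name."""
    findings: dict[str, list[str]] = {
        "tool_description_fidelity": [],
        "injection_prone_argument": [],
        "hardcoded_secret_detection": [],
        "data_exposure_risk": [],
    }
    for tool in tools:
        findings["tool_description_fidelity"] += check_description_fidelity(tool)
        findings["injection_prone_argument"] += check_injection_prone_arguments(tool)
    for var, value in env.items():
        findings["hardcoded_secret_detection"] += [f"{var}: {kind}" for kind in find_secrets(value)]
    response_text = " ".join(c.get("text", "") for c in response.get("content", []) if c.get("type") == "text")
    findings["data_exposure_risk"] += [f"tool response contains {kind}" for kind in find_secrets(response_text)]
    return findings

if __name__ == "__main__":
    for indicator, items in assess_server(SAMPLE_TOOLS, SAMPLE_ENV, SAMPLE_RESPONSE).items():
        print(f"{indicator}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Run against the constructed inputs, the description check flags `end_date` (described but not accepted) and the two `run_report` arguments that the description never explains, the environment check catches the embedded database password and the AWS-style key id, and the response check catches the token-shaped string in the tool output. Each of these is the kind of objective, reproducible evidence that a multi-scanner ecosystem can aggregate; what the example does not do is decide how severe any finding is, which is where the framework's pillar definitions come in.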
A Commitment to Industry Collaboration
One of the most important aspects of RiskRubric v2 is its transition to a multi-scanner ecosystem.
Rather than relying on a single evaluation engine, the framework allows independent organizations to contribute evidence and assessments using RiskRubric-compliant methodologies. These assessments can then be aggregated to provide broader coverage and increased confidence in risk evaluations.
This approach aligns closely with PointGuard AI's commitment to transparency and information sharing.
AI security challenges are evolving too quickly for any single organization to address alone. Effective security requires shared standards, independent validation, and collaboration across vendors, researchers, enterprises, and industry groups.
By contributing both expertise and real-world assessment data, PointGuard AI is helping build a stronger foundation for evaluating AI systems and advancing security across the broader ecosystem.
Looking Ahead
Our work with the CSA is only the beginning.
In the coming months, PointGuard AI plans to contribute MCP security assessment data directly into the RiskRubric knowledge base, helping provide a consistent source of evidence for MCP server evaluations.
We also plan to launch public access to our MCP security research, enabling developers, enterprises, and security teams to explore security findings and risk assessments for thousands of publicly available MCP servers.
In addition, we intend to offer on-demand testing capabilities that allow the community to submit new MCP servers for evaluation, helping improve visibility and security across the rapidly expanding ecosystem.
As AI systems become increasingly agentic, organizations need objective ways to understand and manage the risks associated with the tools and services those systems rely on.
RiskRubric v2 represents an important milestone in that journey. By helping define MCP security standards, evaluating more than 20,000 public MCP servers, and sharing our findings with the broader community, PointGuard AI is committed to helping organizations adopt AI safely while advancing security across the entire AI ecosystem.