Two AI agent security startups raised $98 million in 72 hours last week. Arcade.dev closed a $60 million Series A on June 15; Convey followed with $38 million on June 17. Back-to-back rounds from two companies solving overlapping problems is not a funding coincidence — it is a market signal. AI agents are flooding production environments, and almost nobody has built the authorization and security layer that makes them safe to run there.
The Numbers Are Bad #
According to the State of AI Agent Security 2026 report, 80.9% of technical teams have AI agents in active testing or production. Only 14.4% of teams say those agents went live with full security and IT approval. The remaining 66.5% of all teams surveyed are running agents in production with nobody formally accountable for what those agents can access.
The incident rate confirms the problem: 88% of organizations confirmed or suspected an AI agent security incident in the past 12 months. Healthcare sits at 92.7%. The average cost of an AI-related data breach is $4.8 million.
The root cause is mostly embarrassing in its simplicity. Only 21.9% of teams treat AI agents as independent, identity-bearing entities — the baseline you would apply to any human employee or service account. The rest are running agents under shared API keys (45.6%), hardcoded credentials (27.2%), or service accounts with far more access than the task requires. Seventy percent of surveyed enterprises confirmed their AI systems have more access than equivalent human roles performing the same work. Teams that apply least-privilege controls see a 4.5x lower incident rate than those that do not. That gap is not subtle.
There is also a confidence gap that makes this worse. Eighty-two percent of executives believe their existing policies protect against unauthorized agent actions. The data says they are wrong.
The MCP-Specific Problem #
If you are building agents with the Model Context Protocol, the authorization problem is even more specific — and a deadline is approaching. There are now over 9,400 registered MCP servers, up from roughly 1,200 in Q1 2025. Only 8.5% of them implement OAuth 2.1, which is the protocol’s own mandatory security standard for remote deployments. The other 91.5% are running unauthenticated or with basic API keys in an ecosystem that was always designed to be OAuth-first.
The MCP 2026-07-28 specification update — described by maintainers as the largest revision since launch — makes OAuth 2.1 formally required. Sessions are eliminated entirely, and the Mcp-Session-Id header is gone. Servers must implement RFC 9728 Protected Resource Metadata so clients can auto-discover the correct authorization server from a 401 response. Clients must include Resource Indicators (RFC 8707) on every token request, which closes the confused deputy vulnerability: a token obtained for one MCP server being accepted by, or passed through to, a different one. Because each token is bound to the server it was requested for, a server can reject any token whose audience is not itself.
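The flow the paragraph above describes, as an added, runnable simulation (this is example code written for this page, not from the MCP specification or any vendor). Both sides are modelled in-process: an MCP server that answers an unauthenticated request with a 401 pointing at its RFC 9728 metadata, a client that follows that pointer and puts an RFC 8707 resource indicator in its token request, and an authorization server that writes the indicator into the token's audience. The host names, the HMAC-based token format (a stand-in for a JWT) and the shared signing key are assumptions for the example. The last function shows the case the resource indicator exists to stop: a token minted for server A presented to server B.

```python
import base64
import hashlib
import hmac
import json
import re
import secrets
import time

ISSUER = "https://auth.example.com"      # assumed authorization server; not a real host
SIGNING_KEY = secrets.token_bytes(32)    # assumed key shared by the AS and the MCP servers

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims):
    """Stand-in for a JWT: base64url(JSON claims) plus an HMAC-SHA256 tag."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def verify_token(token):
    """Claims if the tag is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    expected = _b64(hmac.new(SIGNING_KEY, parts[0].encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(parts[1], expected):
        return None
    claims = json.loads(_unb64(parts[0]))
    return claims if claims["exp"] > time.time() else None

def token_endpoint(request):
    """Authorization server. RFC 8707: the 'resource' indicator is required and becomes the
    token's audience, so the token is valid only at the MCP server it was requested for."""
    resource = request.get("resource")
    if not resource or not resource.startswith("https://") or "#" in resource:
        return {"error": "invalid_target"}
    claims = {"iss": ISSUER, "sub": request["sub"], "aud": resource,
              "scope": request.get("scope", ""), "exp": time.time() + 300}
    return {"access_token": mint_token(claims), "token_type": "Bearer"}

class McpServer:
    """Resource-server side of the flow."""

    def __init__(self, url):
        self.url = url

    def metadata_url(self):
        # RFC 9728 well-known location for a resource identified by its origin
        return self.url + "/.well-known/oauth-protected-resource"

    def metadata(self):
        """Protected Resource Metadata document (what a GET on metadata_url() returns)."""
        return {"resource": self.url, "authorization_servers": [ISSUER],
                "scopes_supported": ["mcp:tools"], "bearer_methods_supported": ["header"]}

    def handle(self, authorization):
        """Return (status, headers_or_body) for a request with the given Authorization header."""
        if not authorization or not authorization.startswith("Bearer "):
            # RFC 9728 section 5.1: the 401 tells the client where the metadata lives
            return 401, {"WWW-Authenticate": f'Bearer resource_metadata="{self.metadata_url()}"'}
        claims = verify_token(authorization[len("Bearer "):])
        if claims is None:
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
        if claims["aud"] != self.url:
            # Audience check: a token minted for another MCP server is refused here
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token", error_description="audience mismatch"'}
        return 200, {"tools": ["search"]}

def client_connect(server, user="alice"):
    """Client side: probe the server, follow the 401 to the metadata, request a token bound
    to this server with a resource indicator, retry. Returns (access_token, final_status)."""
    status, headers = server.handle(None)
    match = re.search(r'resource_metadata="([^"]+)"', headers.get("WWW-Authenticate", ""))
    if status != 401 or not match or match.group(1) != server.metadata_url():
        raise RuntimeError("server did not advertise RFC 9728 metadata")
    meta = server.metadata()                   # stands in for an HTTP GET of match.group(1)
    if meta["resource"] != server.url:         # RFC 9728 section 3.3: metadata must name this resource
        raise RuntimeError("metadata 'resource' does not match the server being contacted")
    tok = token_endpoint({"grant_type": "authorization_code", "sub": user,
                          "scope": "mcp:tools", "resource": meta["resource"]})
    status, _ = server.handle("Bearer " + tok["access_token"])
    return tok["access_token"], status

def confused_deputy_attempt(token_for_other_server, server):
    """Present a token issued for a different MCP server; the expected status is 401."""
    return server.handle("Bearer " + token_for_other_server)[0]
```

Two checks in this code carry the weight. On the client, the metadata's `resource` value must equal the server the client is actually talking to, otherwise a hostile server could point the client at metadata for some other resource. On the server, the token's `aud` must equal the server's own URL; without that comparison the resource indicator changes nothing, because a token for server A would still be honoured by server B.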
July 28 is approximately five weeks away. If you are running MCP servers in production today, the migration window is already open.
What Arcade and Convey Are Actually Selling #
Arcade and Convey are solving adjacent pieces of the same gap, which explains why both got funded in the same week.
Arcade operates as an MCP runtime — the authorization layer between your agents and every system they touch. Its model is user-centric: agents act on behalf of real users through existing OAuth flows, with dual-constraint enforcement (what the user can do AND what the agent is scoped to do, both conditions required). It ships 8,000+ pre-built MCP tools designed around how agents actually call APIs — not mirroring REST API wrappers — which reduces parameter hallucination and failed tool calls. It produces a unified audit trail that answers “which agent, on behalf of which user, in which system, did what.” Tool call volume on the platform is up 25x in six months.
Convey’s angle is different. Instead of a runtime layer, it sells “AI teammates” — agents that own business outcomes rather than assist with individual tasks. Non-technical workers set them up in about three hours; IT controls identity, permissions, and guardrails. Faire used one to automate invoice processing that had consumed hundreds of manual hours. An unnamed streaming service reclaimed 23,000 annual hours of reporting and advertising work. The framing matters: this is the approach for getting entire organizations into safe agent usage, not just the engineers already writing agent code.
Four Things to Do Before You Ship #
The gap between “it works in the demo” and “it is safe in production” is an engineering problem, not a compliance problem. Here is what fixing it looks like:
1. Give every agent its own identity. No shared API keys, no shared service accounts. Individual credentials mean individual accountability, individual scoping, and individual revocation when something goes wrong.
2. Scope permissions to the task, not the role. Grant access at task initiation and revoke it at completion. An agent that processes invoices should not hold standing access to your CRM. Temporary credentials with narrow OAuth 2.0 scopes are the baseline.
3. Log at machine speed. Structured logs for every API call, data access, inter-agent communication, and external action. Over 50% of production agents currently generate zero audit trail. That makes post-incident investigation nearly impossible.
4. If you are running MCP servers: start the July 28 migration now. Remove session dependencies, implement OAuth 2.1, add the .well-known/oauth-protected-resource metadata endpoint, and include Resource Indicators in all token requests. Five weeks is enough time, but not enough time to procrastinate.
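The first three items above, plus the dual-constraint model described in the Arcade section (the user must be allowed to do it AND the agent's grant must cover it), as one added example. This is illustrative code written for this page, not Arcade's, Convey's or any product's implementation. The users, systems, permission table and action names are constructed sample data; the grant is a plain in-memory object standing in for a short-lived scoped credential, and the clock is fixed so the run is deterministic.

```python
import json
import time
import uuid
from dataclasses import dataclass

# Constructed sample data: what each human principal may do in each system.
USER_PERMISSIONS = {
    "alice": {"erp": {"invoice:read", "invoice:approve", "invoice:void"}, "crm": {"contact:read"}},
    "bob": {"erp": {"invoice:read"}},
}

AUDIT_LOG = []   # one JSON line per decision, appended by authorize()

@dataclass
class TaskGrant:
    """A short-lived credential issued to one agent for one task."""
    agent_id: str        # the agent's own identity, never a shared key or service account
    on_behalf_of: str    # the human whose authority the agent is borrowing
    system: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False

def issue_task_grant(agent_id, user, system, scopes, ttl_seconds=900, now=None):
    """Grant at task initiation: scopes narrowed to the task, with a hard expiry."""
    now = time.time() if now is None else now
    return TaskGrant(agent_id, user, system, frozenset(scopes), now + ttl_seconds)

def revoke(grant):
    """Revoke at task completion so no standing access survives the task."""
    grant.revoked = True

def authorize(grant, action, now=None):
    """Dual-constraint check: allow only if the user may do this AND the agent's grant covers it.
    Every decision, allowed or denied, is written to AUDIT_LOG as a structured record."""
    now = time.time() if now is None else now
    reasons = []
    if action not in USER_PERMISSIONS.get(grant.on_behalf_of, {}).get(grant.system, set()):
        reasons.append("user_lacks_permission")
    if action not in grant.scopes:
        reasons.append("outside_agent_scope")
    if grant.revoked:
        reasons.append("grant_revoked")
    if now >= grant.expires_at:
        reasons.append("grant_expired")
    decision = "allow" if not reasons else "deny"
    AUDIT_LOG.append(json.dumps({
        "ts": now, "event_id": str(uuid.uuid4()), "agent": grant.agent_id,
        "user": grant.on_behalf_of, "system": grant.system, "action": action,
        "decision": decision, "reasons": reasons}, sort_keys=True))
    return decision == "allow"

def run_invoice_task():
    """Walk one invoice-processing task through its lifecycle; returns the decisions."""
    t0 = 1_700_000_000.0   # fixed clock so the run is deterministic
    g = issue_task_grant("agent-invoices-01", "alice", "erp",
                         {"invoice:read", "invoice:approve"}, now=t0)
    results = {
        "approve_in_scope": authorize(g, "invoice:approve", now=t0 + 10),
        # alice may void invoices, but this task's grant was never scoped to it
        "void_outside_task_scope": authorize(g, "invoice:void", now=t0 + 20),
        "read_after_expiry": authorize(g, "invoice:read", now=t0 + 1000),
    }
    revoke(g)   # task complete
    results["read_after_revoke"] = authorize(g, "invoice:read", now=t0 + 30)
    # Same agent, same scopes, but bob lacks the approve permission: the user constraint blocks it
    g2 = issue_task_grant("agent-invoices-01", "bob", "erp",
                          {"invoice:read", "invoice:approve"}, now=t0)
    results["approve_without_user_permission"] = authorize(g2, "invoice:approve", now=t0 + 10)
    return results

def denied_events(agent_id):
    """The post-incident query the log exists to answer: which agent, for which user,
    in which system, tried what, and why it was refused."""
    return [e for e in map(json.loads, AUDIT_LOG)
            if e["agent"] == agent_id and e["decision"] == "deny"]
```

The point of recording `reasons` rather than a bare allow/deny is that the two constraints fail independently: the `invoice:void` denial is the agent being held to its task scope even though the user could do it, while the `bob` denial is the user constraint firing even though the agent was scoped for the action. An audit record that names the agent, the user and the cause is what lets an investigator tell those apart after the fact.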
Ev Kontsevoy, CEO of Teleport, put the diagnosis plainly: “It’s not the AI that’s unsafe. It’s the access we’re giving it.”
The $98 million says investors agree. The 88% incident rate says the problem is already here. The July 28 deadline says the window for doing this proactively is narrowing fast.