Why Enterprise Software Will Always Be Insecure


According to Forbes, enterprise software follows a predictable pattern: every major technology wave, from the internet to cloud to mobile and now AI, starts by optimizing for capability rather than resilience. OpenAI’s recent commitment to build AI that is “resilient, secure, and beneficial for everyone” reflects the same tension that J.P. Morgan highlighted in an April letter urging suppliers to prioritize security. The fundamental problem is that markets reward velocity over caution, so software gets built to work first and is secured only once it becomes too critical to fail. This dynamic is playing out right now with Anthropic’s Model Context Protocol (MCP), an open standard being adopted for its utility rather than its security model. The pattern isn’t new, but with GenAI the cycle is accelerating, because interconnected AI systems magnify risk at machine speed.

The speed vs security dilemma

Here’s the uncomfortable truth: telling companies to prioritize security over innovation is like telling a startup to grow slower. It’s not wrong, but it completely ignores how market incentives actually work. When a platform like OpenAI’s or Anthropic’s is in its breakneck growth phase, the existential risk isn’t a cyberattack—it’s irrelevance. Builders ship what works because that’s how they win adoption. And resilience only becomes a priority once there’s something worth defending.

Think about it from both sides. If you’re a vendor and you delay features to tighten security, someone faster eats your lunch. If you’re a buyer and you delay adoption for perfect risk assessment, your competitor beats you to market. In both cases, speed wins and security loses. It might look broken from the outside, but it’s exactly how the system is designed to operate.

The MCP example

Anthropic’s Model Context Protocol is close to the perfect case study of innovation outpacing security. It is designed to let AI agents interact with tools, data, and applications faster, not necessarily more safely. From a security perspective it is practically a ticking time bomb: permissions are opaque to the enterprise deploying it, interfaces are loosely specified, and the blast radius of a compromised tool or server is unclear. A dream for builders, a nightmare for defenders.

And yet it’s not going away. The productivity upside is too valuable, so enterprises are adopting MCP rapidly because innovation always leads with risk. It has to. The job of security isn’t to stop MCP from being used—it’s to manage the chaos it introduces. Sound familiar? We’ve seen this movie before with SaaS, where buyers don’t own the code, can’t see inside it, and can’t stop production changes.

A realistic security playbook

So if modern software is insecure by nature, what should defenders actually do? First, embrace realism over idealism. The apps your business depends on will have vulnerabilities. They will be misconfigured. They will be breached. Build your strategy on that assumption rather than hoping for perfection.

You can’t control the code, but you can control access. Identity-based policies, anomaly detection, and posture management aren’t optional anymore—they’re table stakes. If you don’t own the app, you better own how it’s used. And stop accepting black boxes from vendors. Push for telemetry, audit trails, and incident response SLAs. Security is a team sport, and you can’t play blindfolded.
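What “own how it’s used” looks like in practice, as an added illustration that is not from the article, Forbes, Anthropic or the MCP project: a small deny-by-default policy gate placed in front of MCP-style tool calls. It enforces a per-identity tool allowlist, checks tool arguments (here, a path constraint that defeats `..` traversal), keeps an append-only audit trail, and flags bursts of attempts as an anomaly. It assumes the JSON-RPC `tools/call` request shape (`params.name`, `params.arguments`) that MCP uses; the principals, tool names, policy format and sample traffic are constructed for the example.

```python
import json
import posixpath
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


def path_under(prefix: str) -> Callable[[dict], bool]:
    """Argument constraint: the tool's 'path' argument must resolve inside prefix.
    Normalising first defeats '..' traversal hidden in the argument."""
    base = prefix.rstrip("/")

    def check(args: dict) -> bool:
        p = posixpath.normpath(str(args.get("path", "")))
        return p == base or p.startswith(base + "/")

    return check


@dataclass
class Policy:
    # principal -> {tool name -> optional argument checker}; anything absent is denied
    allow: dict
    burst_limit: int = 3      # tool-call attempts allowed per principal per window
    window_s: float = 60.0


@dataclass
class Gate:
    policy: Policy
    audit: list = field(default_factory=list)        # append-only decision log
    _attempts: dict = field(default_factory=dict)    # principal -> [timestamps]

    def _log(self, now, principal, req, decision, reason):
        params = req.get("params") or {}
        self.audit.append({
            "ts": now, "principal": principal, "id": req.get("id"),
            "method": req.get("method"), "tool": params.get("name"),
            "decision": decision, "reason": reason,
        })
        return decision == "allow", reason

    def authorize(self, principal: str, req: dict, now: Optional[float] = None):
        """Return (allowed, reason) for one JSON-RPC request from `principal`."""
        now = time.time() if now is None else now
        # Only tool invocations are gated here; other methods are logged and passed.
        if req.get("method") != "tools/call":
            return self._log(now, principal, req, "allow", "not a tool call")

        # Anomaly check: every attempt counts, allowed or not, inside the window.
        recent = [t for t in self._attempts.get(principal, []) if now - t < self.policy.window_s]
        recent.append(now)
        self._attempts[principal] = recent
        if len(recent) > self.policy.burst_limit:
            return self._log(now, principal, req, "deny", "burst limit exceeded")

        params = req.get("params") or {}
        tool, args = params.get("name"), params.get("arguments") or {}
        allowed = self.policy.allow.get(principal, {})   # deny by default
        if tool not in allowed:
            return self._log(now, principal, req, "deny", f"tool {tool!r} not allowlisted")
        check = allowed[tool]
        if check is not None and not check(args):
            return self._log(now, principal, req, "deny", "argument constraint failed")
        return self._log(now, principal, req, "allow", "policy match")


# Hypothetical policy: a reporting service may read under /srv/docs and search;
# an ops service may run a shell tool. Nothing else is permitted to anyone.
POLICY = Policy(allow={
    "svc-reports": {"read_file": path_under("/srv/docs"), "search": None},
    "svc-ops": {"shell": None},
})


def call(rid, name, **args):
    return {"jsonrpc": "2.0", "id": rid, "method": "tools/call",
            "params": {"name": name, "arguments": args}}


# Constructed traffic; timestamps are seconds and all fall inside one window.
SAMPLE = [
    (0.0, "svc-reports", call(1, "read_file", path="/srv/docs/q3.md")),
    (1.0, "svc-reports", call(2, "read_file", path="/srv/docs/../../etc/shadow")),
    (2.0, "svc-reports", call(3, "shell", cmd="id")),
    (3.0, "svc-reports", {"jsonrpc": "2.0", "id": 4, "method": "tools/list"}),
    (4.0, "svc-ops", call(5, "shell", cmd="uptime")),
    (4.1, "svc-ops", call(6, "shell", cmd="uptime")),
    (4.2, "svc-ops", call(7, "shell", cmd="uptime")),
    (4.3, "svc-ops", call(8, "shell", cmd="uptime")),
]


def run_samples():
    """Run the constructed traffic through a fresh gate; return decisions and audit log."""
    gate = Gate(POLICY)
    decisions = [gate.authorize(p, req, now=t)[0] for t, p, req in SAMPLE]
    return decisions, gate.audit


if __name__ == "__main__":
    _, audit = run_samples()
    for entry in audit:
        print(json.dumps(entry))
```

The gate sits between the agent and the tool server, so it works even when the tool code itself is a black box: the enterprise never sees inside the tool, but every invocation is attributed to an identity, checked against policy, and recorded.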

Here’s the thing: you can’t slow the business down upfront, but you can drive progress over time. Tie renewals to patch responsiveness, transparency, and secure configuration. Reward vendors that move fast safely. Penalize those that don’t. Nothing changes behavior like financial incentive, as J.P. Morgan’s supplier letter clearly demonstrates.

The new security reality

If this all sounds grim, it shouldn’t. If you work in security, this is actually your moment. You’re the control plane between a business that has to move fast and a threat landscape that never stops changing. You’re not here to stop things—you’re here to make things possible, safely.

That’s not easy work. But it’s some of the most creative, impactful, and essential work in any organization. The world doesn’t need more security gatekeepers. It needs enablers. Builders. Realists. What we need is a posture that matches how innovation actually happens, not how we wish it did. Because the pattern isn’t changing—we’re just getting better at managing it.