The fake remote IT worker story gets talked about like hiring fraud, sanctions exposure, or payroll diversion.

Your agent kept notes. AI-agent memory is not vibes. It is storage.

AI coding tools are becoming trusted middlemen. That gives defenders a new attack path to understand before it gets ugly.

Known AI agents are becoming trusted traffic. The first defender move is finding claims without proof.

Everyone wants the AI bug hunter.

Fewer people want the patch clock that comes with it.

That’s the part getting buried under the stage fog: if the models are better at finding and understanding real bugs, your org does not get safer by applause. It gets safer if it can move before somebody else does.

Everyone’s hunting “AI attacks.” Meanwhile the ugly money is still in trusted pages, stolen sessions, and users politely pasting the command for them.

Three intrusion sets already excel at getting users to approve tools and auth flows. This assessment is probabilistic: it highlights who is best positioned to adapt that tradecraft to MCP-style environments next..