Now in early access, book a 30-minute demo →
Overview

Key Entities in an Agentic Environment

The building blocks of an AI-powered working environment: the endpoint, the agent, MCP servers, skills and rules files, and the local and external resources they can reach.

Developer endpointlaptop / workstation Anomity Endpoint Sensorinventory + hook AI agentIDE + CLI agents MCP serverslocal + remote tools Skills + rules filesSKILL.md / CLAUDE.md Local resourcesfiles, secrets, shell External resourcesSaaS, repos, web runs instructions calls tools reads / executes reaches allow / deny / log
The agentic environment: instructions flow into the agent; the agent's authority flows out to local and external resources.

Before you can reason about how an agentic environment gets attacked, you need a precise picture of what is in it. An AI-powered working environment is more than a chat window: it is a set of entities with real authority on the endpoint, wired together by instructions and tool calls. This page defines the entities the rest of the threat model refers to.

The developer endpoint

The laptop or workstation where agents run is the anchor of the model. It holds the crown jewels an attacker wants: source code, cloud credentials, session tokens, SSH keys, browser cookies, and network position inside the corporate perimeter. Every other entity in this model inherits some slice of what the endpoint can do, which is why agentic security is, first, endpoint security.

The AI agent

The agent is the primary actor: the software that talks to an LLM and acts on its output. In practice that means IDE-based agents (Cursor, VS Code with Copilot, Windsurf) and CLI agents (Claude Code, Gemini CLI, Codex), plus a long tail of desktop and background agents. Agents write code, run shell commands, edit files, and invoke MCP tools. The defining security property is that the agent's actions are driven by natural language, so anything that can put text in front of the agent can, in the worst case, steer what it does with the endpoint's authority.

MCP servers

MCP servers extend agents with typed tools: query a database, read a wiki, call a SaaS API, control a browser. They run locally as processes on the endpoint or remotely as services, and thousands of them circulate publicly with no central vetting. Each server is simultaneously a capability grant (the agent can now do more) and a trust decision (the server's code and the content it fetches now sit inside the agent's loop). See how to build an MCP server registry.

Skills and rules files

Agents are configured by files that behave like software. Skills (SKILL.md packages of instructions plus optional code) and rules files (CLAUDE.md, AGENTS.md, .cursorrules) load into the agent's context and shape its behavior for every task. They are the instruction supply chain of the environment: portable across agents, shared informally, and rarely reviewed. The Agent Skills open standard has made this layer ecosystem-wide.

Local resources

Whatever the agent's process can touch: the filesystem, environment variables, plaintext secrets, the shell, other processes, and the local network. Agents typically run with the developer's full user privileges, so "local resources" is shorthand for everything the human could do at the keyboard, now executable by software that reads instructions from files and web pages.

External resources

The systems the environment reaches out to: git hosting, package registries, SaaS APIs, documentation sites, and the open web. External resources matter twice over. They are targets (an agent with a GitHub token can rewrite CI), and they are input channels, because content fetched from them lands in the agent's context window, where it can carry instructions. That dual role is where most of the risks in this model begin.

Why the map matters

Each threat surface and risk page in this model is a path through this diagram: attacker-controlled input entering through one entity and agent authority exiting through another. Most organizations cannot draw this diagram for their own fleet - they do not know which agents, MCP servers, or skills are installed, let alone what those can reach. That inventory gap is the first finding of the threat model, and the reason the practical work starts with building an AI agent inventory.

See this surface in your own fleet

Anomity's Endpoint Sensor discovers every AI agent, MCP server, skill, and rules file on every endpoint, and governs each tool call at the hook. Book a 30-minute demo.

Ask AI about Anomity
ChatGPT Claude Perplexity Google AI Grok