Risk
Insufficient Understanding of Agent Reachable Graph
Description
Failure to clearly map an agent's complete reachable graph โ all tools it can invoke, data stores it can query, downstream agents it can call, and external systems it can affect.
Example
An agent built for invoice processing is found to have transitive access via a shared MCP server to the HR database that nobody mapped at build time.
Assets Affected
AI Agent
AI App
Model Inference Endpoint
Tool
MCP Server
3rd-Party AI Integration
Agent Communication Protocol (ACP)
Mitigation
- Map each agent's reachable graph during build
- document tools, scopes, MCP servers, and downstream agents
- review the graph for over-reach
- restrict transitive access through MCP gateways.
Standards Mapping
- ISO: A.6.2.3, A.4.2
- OWASP agentic: ASI02, ASI03
- OWASP LLM: LLM06:2025
- EU AI Act: Art. 11, Art. 9
- DASF: Agents-Core 13.2, Agents-MCP Server 13.22
- AIUC-1: E004, B006