Tools
Qualys TotalAI: MCP Servers Are the New Enterprise Shadow IT — 21% of Deployed Servers Are Unmanaged and Invisible to Security Teams
Qualys published a TotalAI analysis (March 19) framing MCP servers as the 2026 shadow IT vector, reporting that 21% of enterprise-deployed MCP servers are unmanaged and absent from any IT inventory — creating attack surfaces analogous to unsanctioned SaaS sprawl in 2015. The post argues that security teams have no visibility into which MCP servers developers are running, what data scopes are granted, or which external services they phone home to. This follows BlueRock's finding that 36.7% of public MCP servers carry cloud-takeover SSRF exposure, compounding the governance gap.
↳ Follow the thread