In the past two weeks, four publicly-documented events made the AI agent attack surface concrete in a way vendor marketing usually obscures. They share a single structural property: the agent's trust model is wrong, and the consequences are now measurable. The exposure count tripled in nine months Trend Micro's 2026-04-28 update on exposed MCP servers reports the population grew from 492 (July 2025) to 1,467 — a near-tripling over nine months. Seventy-four percent are hosted on AWS, Azure, GCP, or Oracle. Per Trend Micro, exposed MCP servers "have become powerful vectors for cloud attacks, enabling threat actors to not only access sensitive data but also take control of the cloud services themselves." The attack chain is mundane and operationally serious. A command-injection bug in a community-maintained MCP server like aws-mcp-server (CVE-2026-5058, CVSS 9.8) lets an attacker execute as the EC2 instance the MCP process runs on.…