CISA has issued guidance on managing risks of integrating AI into operational technology that runs critical public services. With AI’s growing role in infrastructure, vulnerabilities increase as systems connect more via the Internet of Things. While AI can improve efficiency, it also raises risks like data breaches and disruptions. Developed with agencies like Australia’s Cyber Security Centre and the U.K.’s NCSC, the guidelines focus on understanding AI risks, context assessment, governance, and safety practices. CISA warns that without proper cybersecurity, critical infrastructure faces greater threats from malicious attacks.
Recent findings reveal that Microsoft and Anthropic’s most popular Model Context Protocol servers are vulnerable to significant cybersecurity threats, including remote code execution and server-side request forgery. According to researchers, more than 36% of the analyzed MCP servers exhibit these vulnerabilities, which can be exploited by attackers to access sensitive information within cloud environments, such as Amazon Web Services. Notably, the Microsoft MarkItDown server, which has over 85,000 stars on GitHub, lacks proper restrictions on user input, enabling potential SSRF attacks that could compromise internal network resources. Similarly, vulnerabilities in Anthropic’s Git MCP server have been identified, where a combination of flaws could allow malicious actors to execute arbitrary code.
Cybercriminals are exploiting the Windows Blue Screen of Death to install malware, specifically a remote access trojan. Recent research from Securonix reveals that attackers are using fake phishing emails, masquerading as messages from Booking.com, to lure victims into executing malicious code. The campaign, targeting the hospitality industry, employs social engineering tactics that trick users into pasting harmful scripts, leading to the installation of malware capable of remotely accessing and controlling infected computers. Security experts recommend educating employees about these tactics and monitoring for unusual activities involving executable files and PowerShell commands to mitigate risks.
Why do we care?
CISA can warn. It cannot prevent outages. MSPs will still be asked why systems failed safely—or didn’t. It’s implementation that matters.
Then look at the MCP vulnerabilities. These aren’t obscure tools. They’re popular, trusted, and sitting inside cloud environments with meaningful access. The assumption that “open source plus stars equals safety” is actively dangerous in an AI context, where glue code becomes control code.
Vendors are incentivized to ship fast and patch later. MSPs are incentivized to be trusted intermediaries. Those incentives are now misaligned. When AI glue code becomes control code, MSPs must assume that popularity, GitHub stars, and community adoption are no longer proxies for safety. Due diligence is no longer optional—it is the service.
At the human layer, attackers are still winning by asking users to do something “helpful.”
The MSP behavior that causes harm is treating AI adoption as inevitable progress instead of managed risk. That leads to silent expansion of trust, unclear ownership, and fragile environments.
AI is being integrated into systems that cannot fail safely—power, healthcare, transportation, public services. When something breaks, the question won’t be “which vendor caused this?” It will be “who was responsible for integrating it?”
If MSPs don’t assert control—real control, not policy language—they inherit liability without leverage. And that is the worst possible position to be in.