Congratulations to @nickyt.online for giving a successful talk on Agentic Access at Black Hat USA!
Missed the talk? You can come talk to Nick at Booth #6216, right next to Startup City Theater.
#BlackHat #BlackHatUSA #cybersecurity #agenticai #mcp
06.08.2025 19:25
Secure your stack before autonomous AI agents ship code for you | Netlify
Realize the speed, agility and performance of a scalable, composable web architecture with Netlify. Explore the composable web platform now!
On August 12, our CEO Bobby DeSimone will join other security experts to speak about AI agents at Netlify's virtual event.
Working in security, AI/AX, or trying to stay ahead of the curve? This session is for you.
Join the live or sign up to receive the recording afterwards:
ntl.fyi/4mMLR7l
05.08.2025 17:36
Why the Managed Context Protocol (MCP) Spec Still Leaves Gaping Security Holes
No AuthZ. No identity checks. No context-aware policy.
The MCP spec is missing core security features, meaning teams deploying MCP-compatible tools are exposing internal APIs without realizing it.
It's time to lock down agent access before it becomes a breach vector.
Read more:
bit.ly/4of50QJ
31.07.2025 16:42
How Shadow AI Breaks SOC 2 and HIPAA—and What to Do About It
Shadow AI bypasses critical access and audit controls required by SOC 2 and HIPAA. Learn how per-route policy with Pomerium restores visibility, enforcement, and audit readiness.
"74% of organizations have already experienced data leakage through unsanctioned AI use, yet most lack visibility into when or how it happens."
Shadow AI breaks the control systems that SOC 2 and HIPAA rely on.
Identity-aware, per-route policy enforcement can help.
Read more:
bit.ly/4lpG8mR
31.07.2025 16:28
Shadow AI Risk Playbook: Shadow AI Risk Playbook & Zero-Trust Guide (5-Minute Read) | Pomerium
Shadow AI tools like ChatGPT create hidden data-leak risks. Use this zero-trust playbook to discover, govern, and secure generative AI with Pomerium.
Shadow AI Is Already in Your Organization.
Employees are pasting sensitive code, customer data, and roadmaps into public LLMs—without approval, visibility, or guardrails. Blocking ChatGPT at the firewall? That won't cut it.
ShadowAI and Why Prompt Filters and Regex Fall Short:
bit.ly/4l6dfLX
29.07.2025 17:38
We're heading to Vegas for Black Hat!
Stop by Booth #6216 for live demos, free swag, and more.
Make sure to catch @nickyt.online's talk, "Agentic Access: OAuth Gets You In, Zero Trust Keeps You Safe"
August 6 at 10:45 AM | Startup City Theater
Come say hi! We're so excited to meet you!
25.07.2025 16:31
LIVE NOW!
Come hang out with @nickyt.online and @den.dev.
youtube.com/live/U9rSRnj...
23.07.2025 17:13
Native SSH Access
With v0.30, Pomerium now supports native SSH access.
No agents, no tunnels, no special clients required!
Your SSH connections are:
• Zero Trust-aligned
• OAuth-backed and centrally authorized
• Ephemeral & auditable
• Easy to manage at scale
Full Changelog for Native SSH Access:
bit.ly/4lIInCA
22.07.2025 16:43
Why expose OAuth tokens to every MCP client? @pomerium.io keeps the 'keys to the kingdom' safely locked away while still enabling seamless Google integrations #zerotrust #mcp #security #agenticai
21.07.2025 03:15
Exclusive Hosted Evening: Food, Networking & Raffles with Founders, VCs and Builders ยท Luma
Presented by: GMI Cloud, Pomerium & Singapore Global Network
Date & Time:
Thursday, July 31st
5:30 PM – 9:00 PM PT
Location:
Location will be shared…
@nickyt.online will be speaking about how AI agents need Zero Trust policies that go beyond OAuth's 'what can you do' to answer 'should you be doing this right now' with context-aware, fine-grained controls.
Apply to attend GMI Cloud's AI After Hours—spots are limited:
lu.ma/dr1t68rs
21.07.2025 16:39
And we're live! Come hang as we chat about the 0.30 release with some demos!
16.07.2025 17:03
...And we're live!
Join @nickyt.online's livestream as he explores Pomerium v0.30!
www.youtube.com/live/Iz4fBb-...
16.07.2025 17:03
Explore and deep dive into the features of Pomerium v0.30 with @nickyt.online, Developer Advocate at Pomerium.
Join us TOMORROW, July 16 at 1PM ET!
15.07.2025 16:15
Nick Taylor and Den Delimarsky's profile pictures and description along with the theme of their livestream "MCP security and authorization"
MCP Security & Authorization
@den.dev, Model Context Protocol (MCP) Steering Committee Member - Security, joins @nickyt.online to discuss MCP security and authorization.
Join us on Wednesday, July 23 at 1PM ET:
www.youtube.com/live/U9rSRnj...
14.07.2025 16:21
Model Context Protocol (MCP) lets AI agents connect to your tools, but without access control, one prompt can do too much. With @pomerium.io, we set fine-grained policies on servers, all the way down to the tool level. No cooking the books today with zero trust. #mcp #zerotrust #ai
11.07.2025 22:00
Announcing Pomerium v0.30
Just in: Pomerium v0.30!
Pomerium now covers LLM agents, secure SSH, enterprise-grade policy enforcement, and more!
v0.30 features:
• Native SSH Access
• Agentic Access Gateway
• Cross-Origin Auth Fixes
• Scalability + Observability
• Multi-Cluster Control Plane
Full release:
bit.ly/3IkRPx8
10.07.2025 22:09
When AI Has Root: Lessons from the Supabase MCP Data Leak
A Claude-based IDE with root-level database access was tricked into exfiltrating secrets—just by reading a support ticket.
No vulnerability. Just a convincing prompt.
Read what went wrong, why Row-Level Security (RLS) failed, and what defenses can actually work.
bit.ly/406KwPE
08.07.2025 16:49
Your Employees Are Already Dumping Company Data to LLMs (Here's What To Do About It)
Your team is already sharing sensitive internal data with AI. These AI agents must be bounded by proper guardrails.
Our latest post breaks down:
• "Shadow AI," your biggest security blindspot
• How to build a secure, low-friction LLM gateway
• Real-world case studies
Read more:
bit.ly/3Ir3N8h
03.07.2025 16:35
Discuss Event-Driven Architecture for AI Agents!
Abhimanyu Selvan, Head of Developer Advocacy (EMEA/APAC) at DigitalOcean, joins @nickyt.online
to discuss event-driven architecture for AI Agents.
Join us on Wednesday, July 16 at 9AM ET:
www.youtube.com/watch?v=-ai4...
02.07.2025 16:33
June 2025 MCP Content Round-Up: Incidents, Updates, Releases, and more!
It's been a busy month in the world of Model Context Protocol (MCP), so we've compiled June 2025's MCP incidents, industry news, blogs, and other reports for you.
There's a lot to keep up with in the space, but it's clear that MCP is here and needs to be secured.
Find it here:
bit.ly/4exZvIz
01.07.2025 17:15
5 Key Takeaways about ZTA from NIST SP 1800-35
Zero Trust is all about reducing attack surface, enforcing least privilege, and continuously reevaluating risk.
NIST SP 1800-35 is a how-to Zero Trust manual based on real technologies, interoperable open standards, and 19 separate implementation builds.
Read key takeaways:
bit.ly/3TfcpBl
30.06.2025 16:16
Asana's AI Connector Leak Exposed Sensitive Data Across Organizations: What It Means for MCP Security
Stay up to date with Pomerium news and announcements.
Asana's MCP bug exposing cross-tenant data serves as a warning that you need guardrails with AI agents.
Things can go wrong when:
• OAuth is treated as authorization
• Agent access isn't scoped or audited
• No enforcement layer stands between the agent and the system
Read more:
27.06.2025 14:02
MCP Security: Zero Trust Access for Agentic AI and Autonomous Agents
Learn why OAuth alone can't secure the Model Context Protocol (MCP). Discover how Pomerium enforces Zero Trust for agentic AI with per-request authorization, JWT identity, and full audit logging.
Traditional security models weren't built for autonomous agents.
Our latest MCP guide breaks down:
• Why MCP changes the security model
• How Zero Trust protects agent actions in real time
• What you need to do before connecting LLMs to internal tools
Read the security blueprint:
bit.ly/4687OID
24.06.2025 16:43
The Model Context Protocol Security Reality Check
How to close critical gaps and why proxy-enforced OAuth is essential for secure MCP architectures.
OAuth ≠ secure by default.
Proxy-enforced OAuth is mandatory, not optional
Read the breakdown on what the MCP Security Best Practices actually require and where current implementations are falling short on @nickyt.online's latest @thenewstack.io piece:
thenewstack.io/the-model-co...
18.06.2025 17:23
1:15PM ET:
@javasquip.bsky.social, Head of AX Architecture at Netlify discusses AX, MCPs, and using Netlify to ship ideas to production.
www.youtube.com/watch?v=cnPK...
18.06.2025 16:04
11AM ET:
AI Engineer @tej.as shares about the Langflow project, a new, visual framework for building multi-agent and RAG applications. It is open-source, Python-powered, fully customizable, and LLM and vector store agnostic.
www.youtube.com/watch?v=sIoc...
18.06.2025 16:04
Tomorrow, we have an incredible guest speaker lineup for our livestreams hosted by @nickyt.online! Tune in and listen to what @tej.as and @javasquip.bsky.social have to say about building and shipping LLMs and MCPs.
18.06.2025 16:04
"How do we build these microservice architectures and serverless apps?"
@remotesynthesis.com joined @nickyt.online to discuss LocalStack, an open-core tool that lets developers run a complete AWS cloud environment on their laptop for faster, cost-effective development and testing.
17.06.2025 16:27