Harold Byun, CEO of BlueRock – Interview Series
Harold Byun
, CEO of BlueRock, is a veteran enterprise technology executive with deep expertise in cybersecurity, SaaS platforms, cloud security, and enterprise product leadership. Before becoming CEO in April 2026, he served as the company’s Chief Product Officer, where he helped shape BlueRock’s direction around agentic AI security and observability. Prior to joining BlueRock, Byun held senior leadership roles at AppOmni, ServiceNow, Skyhigh Networks, Symantec, and Citrix following its acquisition of Zenprise. Across those roles, he built a reputation for helping enterprises secure increasingly complex cloud and data environments, experience that now directly aligns with the emerging security challenges surrounding autonomous AI agents and Model Context Protocol (MCP) ecosystems.
BlueRock
is focused on securing the execution layer of agentic AI systems, an area becoming increasingly critical as enterprises deploy autonomous AI agents capable of interacting with tools, APIs, codebases, and sensitive enterprise data. The company develops security and observability technologies designed to monitor, sandbox, and enforce guardrails around AI agent behavior, particularly within MCP-based environments. BlueRock’s platform emphasizes runtime visibility and execution-layer protection rather than relying solely on prompt-level safeguards, reflecting a broader industry shift toward securing how AI agents act, not just what they say. As organizations move from AI experimentation toward autonomous workflows in production, companies like BlueRock are positioning themselves at the center of what could become a major new category within enterprise cybersecurity.
You’ve spent years in cloud, SaaS, Data Loss Prevention (DLP), and enterprise security at companies like AppOmni, Symantec, ServiceNow, and Skyhigh Networks. What convinced you that runtime security for AI agents was going to become the next major security category?
What became obvious to me is that AI changes where meaningful operational risk and complexity actually occur. In traditional software, most behavior is defined before deployment. In agentic systems, behavior increasingly emerges during execution through prompts, context, tools, APIs, MCP servers, and downstream interactions.
That creates a very different operational model. Once agents can dynamically make decisions and take actions across systems, organizations lose the clear visibility and operational understanding they relied on for years.
I’ve seen similar platform shifts before in cloud and SaaS security, where infrastructure evolved faster than the systems used to manage it. AI is creating another one of those moments. The long-term challenge is not just model safety. It is enabling organizations to safely operate agentic systems at scale.
The category that ultimately matters will be the one that helps organizations understand what agents are actually doing in production and gives them confidence to scale AI-native operations responsibly.
BlueRock talks about the “Agentic Execution Gap,” where organizations lose visibility once agents begin acting autonomously at runtime. Why do traditional observability and security tools fail in these environments?
Traditional observability and security tools were built for deterministic systems with relatively predictable execution paths. They assume developers largely know how applications are supposed to behave before they run.
Agentic systems break that assumption.
Agents can dynamically discover tools, invoke MCP servers, chain workflows, interact with APIs, and make decisions in real time. The execution path often emerges during runtime.
Most existing tooling captures fragments like logs, traces, telemetry, or model outputs. But organizations increasingly need causal understanding across the full execution path: why an agent selected a tool, what context influenced the decision, what downstream systems were touched, and what actions occurred as a result.
That is the Agentic Execution Gap. Execution has become dynamic, but visibility and control models have not evolved alongside it.
A growing number of enterprises are experimenting with Model Context Protocol (MCP)-based architectures and autonomous AI workflows. What are the biggest security misconceptions organizations still have about MCP servers and agentic systems?
MCP is rapidly becoming foundational infrastructure for how AI agents discover, connect to, and interact with tools, systems, and enterprise data.
What makes MCP important is that it dramatically lowers friction between AI systems and operational environments. It increases developer velocity and unlocks powerful workflows, but it also massively expands the number of execution paths agents can take across enterprise systems.
In many cases, organizations may already have AI tools interacting with MCP-connected services without fully understanding the downstream operational exposure being created.
Another misconception is that controlling prompts or models is sufficient. In practice, the larger risks emerge after the model makes a decision. Once agents can invoke tools, execute workflows, retrieve sensitive data, or interact with infrastructure, the challenge shifts toward runtime behavior and execution control.
The operational surface area is growing much faster than most governance and observability models were designed to handle.
BlueRock’s research found serious vulnerabilities across public MCP servers, including Server-Side Request Forgery (SSRF) and command injection exposure. Are enterprises underestimating how quickly MCP ecosystems could become a new software supply chain attack surface?
Yes. I think the industry is still early in understanding how important the MCP ecosystem could become from a supply chain and operational trust perspective. For example, over 36% of the 11,000 MCP servers we’ve analyzed have unbounded SSRF vulnerabilities. Most people in industry don’t understand that this effectively opens up their entire network from a data access perspective. That would never be knowingly allowed in pretty much every enterprise environment in the world today.
Historically, organizations worried about libraries, containers, and open source dependencies because those components became part of the software stack before deployment. MCP changes that model. Agents can now dynamically discover and interact with external tools and services during runtime itself. And, in many instances, developers and the business have just run forward and deployed MCP without understanding or assessing the risks.
That creates a very different trust problem.
Organizations are no longer just managing static dependencies. They are increasingly managing dynamic execution dependencies that emerge while systems are running. Agents may invoke tools, chain workflows, or access downstream systems in ways operators do not fully anticipate or observe.
Our research around SSRF, command injection, and other vulnerabilities reflects how immature parts of the ecosystem still are. But the larger issue is broader than individual vulnerabilities. As MCP adoption accelerates, organizations will need much deeper visibility into how autonomous systems interact with external services during execution.
Your platform emphasizes “agentic observability” rather than just monitoring prompts or outputs. What does meaningful runtime visibility actually look like once agents are making dynamic decisions across tools, APIs, and infrastructure?
Meaningful runtime visibility requires understanding the full execution path, not just isolated events.
Organizations need to see how a model decision turns into actions across tools, MCP servers, APIs, infrastructure, and downstream systems. That means understanding why an agent selected a tool, what context influenced the decision, what permissions were used, what downstream actions were triggered, and what operational outcome was ultimately created.
That becomes especially important as agents operate across distributed and ephemeral environments where traditional monitoring quickly fragments.
Prompt monitoring alone is not enough because prompts do not explain operational behavior. Outputs are not enough because they do not reveal what systems were impacted downstream.
The future of observability in agentic systems is execution-aware. It is about understanding behavior from decision to action to outcome in real time.
BlueRock’s Trust Context Engine appears to attach identity, trust, and capability data directly to execution flows in real time. How important will contextual trust become as AI agents increasingly interact with external tools and systems autonomously?
Contextual trust becomes foundational in agentic systems because agents make decisions dynamically at runtime.
Traditional systems relied heavily on static trust assumptions. But agents increasingly operate across changing contexts, external tools, APIs, MCP servers, identities, and permissions.
Organizations need to evaluate trust continuously during execution itself. Not just whether a model is safe, but whether the tool being invoked is trusted, whether the requested action matches expected behavior, and what operational risk the action introduces.
That is why we believe trust context becomes critical infrastructure for the next generation of AI systems.
We’re seeing rapid adoption of AI coding agents and autonomous developer workflows. What are the most concerning risks when agents gain the ability to modify infrastructure, deploy code, or interact with production systems without human review?
The biggest shift is that organizations are trying to dramatically increase development velocity by enabling far more people to build with AI, not just traditional software engineers.
AI coding agents can already generate code, modify infrastructure, interact with CI/CD pipelines, invoke cloud services, and access sensitive systems. The productivity upside is enormous because enterprises can now unlock both experienced developers and a new generation of AI-native and citizen developers.
The challenge is that operational complexity grows just as quickly. The concern is not only malicious behavior. It is the adverse impact an agent can take which causes product outages and affects the availability of data and infrastructure for an organization. This type of off-the-rails behavior is akin to the public S3 bucket problem of a decade ago. We expect agents to behave. We expect guardrails and checks to be put in place. But, there are pathways to unintended behavior, excessive permissions, hidden dependencies, unsafe tool usage, or execution paths nobody anticipated. And that will result in more outages or sub-optimized deployments where people become button pushers and ROI doesn’t get fully realized.
Organizations need operational visibility and execution-aware controls that move with the workload so they can safely scale AI-native development without slowing innovation down.
Many organizations still think about AI security primarily through the lens of model safety and prompt injection. Why do you believe the industry now needs to shift toward securing actions and execution paths instead?
Model safety and prompt injection absolutely matter, but they represent only part of the challenge.
The industry is moving from systems that generate answers to systems that take actions. Once agents can invoke tools, modify systems, retrieve sensitive data, execute workflows, or interact with infrastructure, the operational risk shifts toward execution behavior itself.
A perfectly aligned model can still create risk if it invokes the wrong tool, accesses the wrong system, or triggers unintended downstream actions. That is why securing prompts alone is insufficient. And there will always be novel approaches to bypass these types of prompt guardrails. That will be a constant game of cat-and-mouse.
Organizations need to recognize that those guardrails will get bypassed, and when they do, the potential adverse impact is highest later in the execution path. As a result, they increasingly need visibility and control across the full execution path and operational impact of agent behavior in real time.
Some researchers have compared MCP adoption to giving AI systems a “universal USB port” into enterprise infrastructure. How should companies balance the enormous productivity upside of connected agents with the operational risks they introduce?
The productivity upside is real. MCP dramatically simplifies how agents connect to tools, systems, and workflows, which is one reason adoption is accelerating so quickly.
But organizations should avoid thinking about MCP purely as a connectivity layer. It effectively becomes part of the operational fabric of the enterprise.
The balance comes from enabling developers and AI-native builders to move quickly while maintaining execution-aware visibility and control.
That means understanding the security of the MCP server implementation itself, which is why we built the
registry. And it means understanding which MCP servers agents are interacting with, the types of tools those servers expose, what permissions are granted, and how actions propagate during runtime.
The organizations that succeed will be the ones that build operational trust around autonomous execution.
Looking ahead, what does a mature enterprise AI security stack eventually look like in a world where autonomous agents routinely collaborate, make decisions, and execute tasks across multiple systems in production?
I think the mature enterprise AI stack becomes much more execution-centric.
Organizations will still need model security, identity, data protection, and infrastructure security. But the larger shift is that enterprises will need operational systems designed for autonomous and non-deterministic software.
As agents increasingly collaborate, make decisions, and take actions across tools, infrastructure, and business workflows, organizations will need continuous visibility into how AI systems actually behave during execution.
The future stack will combine observability, trust context, operational governance, execution-aware policy enforcement, identity, and runtime security into a unified operational layer for agentic systems.
The organizations that succeed will be the ones that can continuously understand and operationalize autonomous execution without slowing innovation down.
Thank you for the great interview, readers who wish to learn more should visit
BlueRock
.
