AI Access Control

Wiz makes its MCP server generally available and turns security teams into agent builders

Wiz moved Wiz MCP to general availability on July 2, giving security teams a way to build their own AI agents on top of the company's Security Graph, its Red, Blue, and Green Agents, and a library of reusable Skills. The same access that lets an agent investigate and remediate also gives it broad reach into an organization's security data, which turns this launch into a governance decision as much as a productivity one.

Updated on July 02, 2026
Wiz makes its MCP server generally available and turns security teams into agent builders

Wiz announced on July 2 that Wiz MCP, its connector between the Wiz security platform and outside AI tools, is now generally available. The company had run the product in preview since April 2025, and the version it shipped this week does more than answer questions. Wiz now pitches Wiz MCP as the foundation for building AI security agents, the kind that investigate a threat, write a fix, and open a pull request without a person driving each step. Wiz frames the shift around a claim about its customers, arguing that security teams are moving beyond chat-based assistants to agentic workflows.

Three things Wiz already owns hold the release up. The Wiz Security Graph supplies the context, mapping cloud infrastructure, identities, code, data, and runtime so an agent reasons over real findings and attack paths instead of loose data points. The Red, Blue, and Green Agents supply the analysis, letting a customer's own AI borrow reasoning that Wiz already runs rather than rebuild it. Wiz AI Skills supply the playbooks, packaging vulnerability triage, remediation, and investigation into reusable workflows an agent can call in one step.

The move changes what Wiz sells. The preview gave you a way to query your security data in plain language. The general release gives you the parts to assemble agents that act on that data, with Wiz's own agents and playbooks sitting inside the loop.

Conditions driving the event

Wiz did not move MCP to general availability on impulse. A year of preview use and a set of hard market pressures pushed the company from a query tool toward an agent platform, and four forces stand out.

  • The protocol underneath it grew up. Anthropic introduced MCP in November 2024, and by the middle of 2026 the standard reached its largest revision, adding a stateless core, an authorization model that lines up with OAuth and OpenID Connect, and an enterprise-managed authorization extension that Anthropic, Microsoft, and Okta have adopted. The earlier version made enterprise security teams nervous about handing a protocol broad access without central control. A product sold to large buyers needed to sit on a standard those buyers could govern, and MCP finally offered the authorization plumbing to support that pitch.

  • Customers had already proven the pattern in production. Cohere built a security agent on Wiz to handle vulnerability triage, investigation, and remediation, and Grammarly reported cutting its security investigation time by more than 90 percent using workflows built on Wiz MCP. Infosys went further, wiring the remote server into its Cyber Next platform to run weekly posture briefs that reached analysts before they logged on. Wiz had spent the preview year seeding these references through an AWS Marketplace listing and other integrations, so the general release arrived with proof rather than promises.

  • The parent company raised the stakes. Google completed its acquisition of Wiz in March 2026, and at its own conferences Google began selling an Agent Gateway and agent identity controls that inspect MCP traffic and enforce policy on every agent connection. Google also warned, citing its Mandiant M-Trends 2026 research, that attackers now hand off access between each other in 22 seconds rather than eight hours, which is the machine-speed threat agentic defense is meant to answer. A Wiz that stayed a read-only query tool would have looked thin next to the agent-building story its owner was already telling.

  • Rivals moved onto the same ground. Google Security Operations shipped its own remote MCP server for building security agents, and the wider security market spent early 2026 racing to attach agent capabilities to their platforms. Wiz owns the Security Graph, the asset that gives an agent context most competitors cannot match, so the company had every reason to convert that lead into a platform before the category hardened around someone else's stack.

What AI security looked like before

Before this release, wiring an AI assistant into Wiz meant using the preview MCP server to ask questions and read back answers. An analyst could type a request in plain language, and the server would translate it into a real query against the Security Graph and return findings, misconfigurations, or a list of exposed resources. The convenience was real, but the reasoning still lived with whoever wrote the prompt. The server fetched the data, and a person decided what it meant and what to do next.

A team that wanted an agent to run an investigation from start to finish had to string the steps together itself. Someone had to pull the threat, correlate it against the SIEM, build a timeline, weigh the blast radius, decide the next move, and file the ticket, prompt by prompt. Wiz had pushed the preview into tools like Notion Custom Agents across 2025 and early 2026, which widened where the connector could run, yet the customer still owned the orchestration. Each organization rebuilt the same investigation logic on its own, with no way to borrow the reasoning Wiz's analysts had already built.

The deeper limit sat one layer down. Wiz ran its in-product assistant, Mika AI, inside the platform, and the security judgment encoded in Wiz stayed inside Wiz. A customer could reach the data through MCP, but the playbooks, the exposure validation, and the remediation guidance that made the platform useful did not travel with it. Buyers got a faster way to ask questions, while the expertise behind the answers stayed on Wiz's side of the line.

What AI security looks like now

With Wiz MCP generally available, a customer's own agent can borrow the parts that used to stay inside Wiz. It reads the full Security Graph, calls on the Red, Blue, and Green Agents for analysis Wiz already runs, and executes a verified Skill instead of assembling a workflow by hand. The Skills package Wiz's own procedures, so an agent runs the remediation playbook or the compliance-mapping playbook as one reusable step rather than a stack of individual tool calls.

The general-availability post walks through five jobs teams are handing to agents today. A developer can point an agent at a repository, have it trace a production issue to the code that caused it, pull Green Agent remediation guidance, apply and test the fix, and open a pull request for review. A vulnerability team can ask an agent to surface only the flaws an attacker could realistically chain to reach sensitive data, rank them by exploitability rather than raw severity, and explain each attack path using the Security Graph.

The pattern continues across the security lifecycle. A SOC analyst can hand an agent a live threat and get back a documented investigation, a SIEM correlation, a full timeline, and a ticket with recommended next steps. A red team can import an outside penetration-test report, map its findings to real cloud resources, and create tracked Penetration Test Findings inside Wiz instead of leaving a static PDF to sit unread. A security leader can compare an internal framework against existing Wiz policy coverage, flag the gaps, and generate an auditable coverage summary before an audit.

The intelligence behind all of it now comes from Wiz rather than from each team's prompt engineering. Infosys built a reference architecture on the same remote server, coordinating specialized agents across the security lifecycle while keeping a person in the loop and logging every action. The work that used to run through a chain of manual steps runs as a playbook, and the playbook carries Wiz's expertise inside it.

Our Take

AI Security Take

I keep comparing this to last year's version, and the difference bothers me. When Wiz shipped the MCP server in preview, it published the announcement next to its own research warning and told buyers to treat the connector as a privileged path into their data. Wiz Research put it plainly, advising teams to "treat MCP with the same discipline you'd apply to any privileged integration surface." The general-availability post drops that caution almost entirely.

The risk did not shrink when the product left preview. It grew, because an agent that writes code, files tickets, and opens pull requests can cause far more damage when someone turns it against you than a read-only assistant ever could. Wiz Research had already documented the ways an MCP deployment goes wrong, including prompt injection, supply-chain compromise, and exposed remote servers, and none of those failure modes vanished when the label changed to general availability. The GA post runs pages of capability and customer proof without naming a single one of them.

The governance questions are specific, and they land on the accountability layer most programs skip. An enterprise needs to know which identity can invoke a Skill that changes production, and whether that identity is scoped or shared across teams. It has to define what a borrowed Blue Agent investigation is allowed to reach, and enforce that boundary somewhere real. Ownership of the audit trail is the hardest question, because that record is what answers a regulator asking who approved the change once an agent remediates on its own.

An agent without a named owner and a logged decision path is the same governance gap the Workday case exposed, now moved onto a security agent. The controls to close it already exist, which makes the omission stranger. Wiz's own parent, Google, spent the spring selling an Agent Gateway, agent identities, and a Model Armor layer built to inspect MCP traffic and catch prompt injection, and Wiz's reference architecture with Infosys keeps a human in the loop for the same reason. Wiz built something useful here, and the demonstrations are real.

Buyers should bring back the caution Wiz itself printed in 2025 and answer the ownership questions before they let an agent touch production. The general-availability pitch left that part out, and the teams deploying these agents are the ones who inherit the gap.

Related Articles

ServiceNow Launches Autonomous Workforce and Integrates Moveworks Into Its AI Platform AI Governance Platforms

Feb 27, 2026

ServiceNow Launches Autonomous Workforce and Integrates Moveworks Into Its AI Platform

Read More
Arize vs Fiddler vs Arthur: Which AI Monitoring Platform Actually Fits Your Enterprise? Model Observability

Mar 1, 2026

Arize vs Fiddler vs Arthur: Which AI Monitoring Platform Actually Fits Your Enterprise?

Read More
ServiceNow Introduces the Enterprise Identity Control Plane Following Its Acquisition of Veza AI Access Control

Mar 2, 2026

ServiceNow Introduces the Enterprise Identity Control Plane Following Its Acquisition of Veza

Read More

Stay ahead of Industry Trends with our Newsletter

Get expert insights, regulatory updates, and best practices delivered to your inbox