The agent does not run the contract. The agent runs the implementation.

This sounds like an obvious distinction. In practice it is the central security failure mode of the entire agent ecosystem in 2026. We have spent twelve months scanning tool surfaces across six protocols, and the same pattern keeps appearing: the contract is a polite story, the implementation is a different story, and an agent that trusts the polite story will eventually take an action it should not.

The most common failure we encounter is what we call annotation drift. A tool is labelled readOnlyHint: true in its MCP descriptor. The implementation is a shell pipe. The annotation was written by a different engineer, in a different sprint, when the tool was a different thing. Now the agent sees "read-only" and does not think twice about routing user-controlled text into a function that will, in fact, execute that text against a shell.

The fix is not "make engineers write better annotations." The fix is to stop trusting annotations as the source of truth. The contract is a hint; the implementation is the ground truth. A scanner that only reads the contract is a linter for politeness. A scanner that exercises the implementation in an isolated environment and watches what actually happens is doing real security work.

This is why our methodology pairs passive schema analysis with active runtime probing inside a controlled chamber. We need both. The passive layer maps the surface - names, parameters, declared capabilities, annotations. The active layer asks the only question that matters: when this tool is invoked, does it behave the way the contract claims it behaves?

When they disagree, the contract loses. Always. The agent is not negotiating with the documentation. The agent is calling code.

There is a deeper architectural point here, which is that the security model for autonomous AI is going to look more like operating-system security than like web application security. The relevant primitives are: capability declaration, capability enforcement, attestation that the enforcement matched the declaration, and audit trails that prove what was reached. We are not going to build this with annotations and policies alone. We are going to build it with measurement and proof.

In the meantime, the practical advice is short. Treat every tool annotation as untrusted user input. Verify the behavior in isolation. Ship the verification artifact alongside the finding. And do not let any agent take an action whose downstream effects you cannot reproduce in under a minute on a laptop.