By: Jake Smiths
There is a structural problem embedded in how enterprise AI security has developed. The platforms built to secure AI workloads were designed around cloud infrastructure. They monitor what happens inside cloud environments with increasing precision. What they were not designed to monitor is what happens before the cloud, on the devices where developers actually build, test, and run AI-powered workflows.
That structural problem now has a name: the AI security gap between endpoint and cloud. And Upwind Security has announced a capability designed to close it.
The company’s new AI Sensor for Endpoints extends Upwind’s cloud and AI security platform to cover developer workstations, giving security teams a unified view of AI activity that spans from individual laptops to cloud infrastructure. The announcement reflects a broader recognition that AI adoption has fundamentally changed where enterprise risk originates.
How the Gap Formed
Security categories have always been somewhat artificial. Endpoint security tools cover devices. Cloud security platforms cover infrastructure. Network security covers what moves between them. For most of enterprise computing history, those categories were close enough to the actual architecture that treating them separately was workable.
AI agents and MCP connections have made that separation untenable. When a developer’s laptop is running an AI agent that connects through MCP to cloud services and SaaS platforms, the laptop is not a device that occasionally touches cloud infrastructure. It is a node in the same system, carrying the same permissions and capable of initiating the same actions.
The gap between endpoint visibility and cloud visibility is no longer a gap between two different domains. It is a gap in the middle of a single threat path.
The Role of MCP
Model Context Protocol has become a central integration layer for AI agents in enterprise environments. It allows agents running on developer workstations to connect to external servers and execute actions across platforms with a level of reach and automation that previous integration patterns did not enable.
That reach is what makes MCP-connected endpoints so consequential from a security perspective. A developer laptop with MCP connections is not holding credentials that an attacker would need to manually exploit. It is holding live connections to systems that can take actions automatically, without additional authentication barriers at each step.
Amiram Shachar, CEO of Upwind Security, put the stakes clearly: “In the new world of AI Agents and MCP servers, the cloud risk extended to the edge, where tokens, permissions, and cloud actions are now taken automatically from the developers’ workstations. To truly protect the cloud, we must help security teams see the journey from the endpoint.”
What Upwind Built
The AI Sensor for Endpoints delivers three capabilities. Security teams can monitor MCP connections initiated from developer endpoints in real time, understand which servers devices are communicating with and what those communications are driving. They can correlate endpoint activity with cloud identity and action data, connecting device-level events to their downstream effects in cloud infrastructure. They can also detect anomalous AI-driven actions across SaaS and cloud platforms, catching behaviors that only become visible when endpoint and cloud data are analyzed in context with each other.
These capabilities feed directly into Upwind’s existing platform, which already covers cloud workloads and runtime behavior. Security teams see endpoints, cloud, identities, actions, and prompts together in a single view rather than working across disconnected tools.
Why Unified Visibility Changes the Investigation
Separate tools for endpoint and cloud security do not just create a management burden. They create an investigation problem. When an unusual cloud event occurs, a security team working with separate systems has to manually correlate that event back to whatever caused it at the device level. That process takes time, requires context that is often missing, and frequently produces conclusions that are incomplete.
When endpoint and cloud data land in the same platform, the correlation is part of the system rather than part of the workload. An action that originates at a developer laptop, passes through an MCP server, and produces an effect in cloud infrastructure is visible as a continuous chain. The investigation starts at the right place, with the right context, automatically.
Timing and Context
The announcement comes as enterprise AI adoption continues its rapid expansion. AI agents have moved from experimental tools to standard components in developer workflows. MCP has emerged as a widely adopted integration standard that is accelerating how broadly those agents can reach.
Security tooling has been slower to adapt. Cloud security platforms developed their capabilities around the assumption that the cloud was where the risk concentrated. As that assumption has become less accurate, the gap between what security tools can see and what is actually happening in enterprise environments has widened.
Upwind’s AI Sensor for Endpoints is a direct response to that widening gap. By pulling endpoint visibility into the same platform that already covers the cloud, Upwind gives security teams coverage that matches the actual architecture of modern AI-driven enterprise environments, rather than the architecture those environments used to have.
