Long sessions become harder to manage because schema payloads and accumulated context consume tokens and reduce the model’s ability to track earlier steps. The result is more repetition, more mistakes, and less reliable completion on longer tasks. That is a reliability and cost problem, not just a model-performance issue.
Why This Matters for Security Teams
Large MCP tool schemas are not just a usability issue. They reshape how autonomous systems spend context, which means the model has less room for task state, prior decisions, and guardrail instructions. That makes long-running agent workflows more brittle, especially when tools are numerous, nested, or poorly scoped. Current guidance suggests treating schema size as part of the attack and reliability surface, not as documentation overhead. The OWASP Agentic Applications Top 10 and the OWASP Agentic AI Top 10 both frame excessive tool exposure and weak control boundaries as core agent risks, because the agent can only reason safely about what it can still see.
For security teams, the practical issue is that broad tool schemas encourage over-selection, accidental calls, and repeated retries when the model loses the thread of the workflow. In practice, many security teams encounter the failure as a business outage or data handling mistake only after a long agent run has already consumed tokens and triggered the wrong tool path, rather than through intentional testing.
How It Works in Practice
In agentic systems, each MCP tool schema is effectively part of the prompt budget. When schemas are large, the model spends more tokens parsing available actions and less capacity holding the active plan, intermediate outputs, and authorization context. That is why long sessions degrade first: the agent begins to forget which step it is on, re-asks for data, or calls tools it no longer needs. This is especially problematic when the workflow depends on intent-based authorisation, because the authorisation decision must remain understandable at runtime, not buried inside a huge tool catalog.
A better pattern is to minimise schema surface and issue access just in time. In practice that means:
- Split broad MCP servers into smaller, task-specific tool sets.
- Use short-lived credentials and ephemeral secrets instead of static access that persists across many steps.
- Bind tool access to workload identity, so the system knows what the agent is and what task it is executing.
- Evaluate policy at request time with runtime context, rather than relying only on static RBAC.
This aligns with the direction reflected in Analysis of Claude Code Security and the broader control thinking in OWASP Top 10 for Agentic Applications 2026, where tool sprawl and uncontrolled action paths are treated as security concerns, not just architecture preferences. In environments where the agent must chain many tools across multiple systems, large schemas break down because the model cannot reliably preserve intent, state, and least-privilege boundaries at the same time.
Common Variations and Edge Cases
Tighter tool schemas often increase operational overhead, requiring organisations to balance reliability gains against maintenance cost. Best practice is evolving, but there is no universal standard for how small an MCP schema should be. The right threshold depends on whether the agent is executing a narrow workflow, a multi-step operational process, or a high-risk action path that needs stronger runtime controls.
Edge cases usually appear when teams try to make one agent handle too many jobs. A single general-purpose schema can look efficient, but it creates the same problem seen in overly broad NHI access models: more surface, more ambiguity, and weaker containment. The DeepSeek breach is a reminder that exposed operational detail, excessive reach, and weak scoping can compound quickly once a system is in use. For governance, OWASP Agentic Applications Top 10, OWASP Agentic AI Top 10, CSA-MAESTRO, and NIST-AIRMF all point in the same direction: reduce exposure, evaluate access in context, and assume autonomous behaviour will drift unless constrained.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Large schemas expand tool abuse and prompt-injection exposure. |
| CSA MAESTRO | Agent workflows need runtime controls for autonomous tool use. | |
| NIST AI RMF | AI RMF addresses reliability and governance risks in agentic systems. |
Set measurable guardrails for context size, tool scope, and escalation paths.
