Do not trust it. Require signed metadata, verified registries, and explicit allowlisting before any connection is accepted. If a server cannot prove provenance, it should never receive tokens or sensitive requests, because discovery without identity verification creates a direct path to rogue tool use.
Why This Matters for Security Teams
An mcp server that cannot prove identity is not a harmless discovery problem. It is an access-control failure at the point where tools, tokens, and data converge. Current guidance from the OWASP Top 10 for Agentic Applications 2026 and NHIMG research on the OWASP Agentic Applications Top 10 points to the same operational risk: autonomous or tool-using software will happily connect to anything that looks useful unless identity is checked first.
That matters because MCP servers often sit close to secrets managers, source code, ticketing systems, and internal APIs. If provenance is unclear, a rogue or spoofed server can become a shortcut into sensitive workflows, especially when operators assume the protocol itself provides trust. NHIMG’s Ultimate Guide to NHIs shows how quickly non-human access expands once credentials are issued without strong lifecycle controls, and the same pattern applies here. In practice, many security teams discover the identity gap only after a tool has already been granted access, rather than through intentional registration and verification.
How It Works in Practice
The correct pattern is to treat server identity as a prerequisite, not an optional attribute. Before any client connects, the server should present signed metadata, and that metadata should be checked against a trusted registry or allowlist. If the server cannot be matched to a known publisher, expected endpoint, and approved purpose, the connection should fail closed. That is the practical security boundary, not the fact that the server responds on the network.
For teams implementing this in agentic environments, three controls usually matter most:
- Signed metadata or attestations that bind the server to a known source, version, and deployment context.
- Verified registries or explicit allowlists so clients only discover servers that have been pre-approved.
- Token gating so no secrets, API keys, or delegated permissions are issued until identity and policy checks succeed.
Workload identity is the stronger primitive here. Standards such as SPIFFE/SPIRE and OIDC-based workload tokens are designed to prove what a workload is, not just what credential it presents, which is a better fit for non-human systems than static network trust. That aligns with broader NHI governance lessons in the Top 10 NHI Issues and with identity-first design patterns described by IETF and SPIFFE. Where possible, pair this with runtime policy checks so a server is not just known, but approved for the specific request being made.
52 NHI Breaches Analysis shows how frequently identity and secret handling failures cascade once trust is assumed too early. These controls tend to break down when organisations auto-discover internal services across multiple clusters or tenants because registry accuracy and issuance boundaries become inconsistent.
Common Variations and Edge Cases
Tighter identity checks often increase operational overhead, requiring organisations to balance faster discovery against safer admission. That tradeoff is real, especially in fast-moving AI environments where teams want new servers to appear automatically. Best practice is evolving, but there is no universal standard for this yet, so teams should prefer conservative defaults and document any exceptions.
Some environments can safely allow dynamic registration, but only when registration itself is authenticated, signed, and traceable. Other cases need stricter controls, such as air-gapped toolchains, regulated data zones, or high-risk production agents that can chain multiple tools in one workflow. In those settings, the question is not whether the server is reachable, but whether it is authorised to exist in that trust domain at all. NHIMG’s guidance in the Ultimate Guide to NHIs is clear that lifecycle governance, revocation, and visibility matter as much as initial onboarding.
Teams should also watch for edge cases where a server is valid but the deployment is not. A signed binary on an unapproved host, a legitimate endpoint with stale metadata, or a proxy that masks the real origin can all defeat simplistic allowlists. In those cases, the stronger control is to validate both server identity and runtime provenance, then refuse any token exchange until both checks pass. That is the direction supported by current agentic guidance, including the OWASP Agentic AI Top 10.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A04 | Covers untrusted tool and server interactions in agentic workflows. |
| CSA MAESTRO | M1 | Addresses secure orchestration and trust boundaries for autonomous services. |
| NIST AI RMF | GOV | Identity proofing and trust decisions are part of AI governance and oversight. |
Verify MCP server identity before tool registration and block token issuance until trust is established.
Related resources from NHI Mgmt Group
- How can organizations secure their MCP server credentials?
- How should security teams reduce phishing risk in cloud identity environments?
- How should security teams reduce friction in remote identity controls without weakening security?
- How do teams know whether identity-first passwordless is actually working?
