Allow MCP only when the organisation can prove three things: distinct identity for the agent, narrowly scoped tool permissions, and reliable auditability across the full delegation chain. If any one of those is missing, the integration should stay out of sensitive environments until the control gap is closed.
Why This Matters for Security Teams
MCP can make sensitive systems more usable, but it also turns a model or agent into a delegated actor with real tool access. That is a very different risk profile from a normal API integration, because the model may chain prompts, tools, and context in ways the original designer did not anticipate. Security teams should treat MCP as an authorisation and delegation problem first, not just an integration choice.
The practical test is whether the organisation can bind every request to a distinct workload identity, constrain what that identity can do, and preserve an audit trail from the agent action back to the initiating user or workflow. Without that chain, sensitive systems lose the ability to prove who asked for what, which matters for incident response, compliance, and privilege review. Current guidance from the OWASP Agentic AI Top 10 aligns with this view: autonomous access must be evaluated at runtime, not assumed safe because the interface is standardised.
NHIMG’s analysis of Analysis of Claude Code Security shows how quickly tool-enabled AI can exceed the narrow task the operator intended. In practice, many security teams encounter MCP risk only after a connector has already been granted broad access and the audit gap becomes visible during an investigation, not during design.
How It Works in Practice
A defensible MCP decision starts with the workload identity, not the model name. Sensitive environments should require cryptographic identity for the agent or service account, then map that identity to tightly scoped permissions for the exact tools and resources it needs. Where possible, use short-lived credentials issued per task, with automatic revocation when the task ends. Static secrets are a poor fit because autonomous systems can retry, branch, and continue acting long after the original human session is gone.
Teams usually need three checks before allowing MCP into a sensitive system:
- Can the agent be uniquely identified at runtime, ideally through workload identity rather than shared credentials?
- Are tool permissions narrowly scoped to the minimum set of actions, with no implicit broad read or write access?
- Can every action be logged in a way that links the agent, the delegated user, the tool call, and the target data or system?
That last point is often the hardest. An mcp server may be technically well-formed but still unsafe if it can reach secrets stores, production data, or administrative functions without policy checks at request time. The better pattern is real-time policy evaluation, so each call is judged by context, purpose, and current risk rather than by a one-time approval. The OWASP Top 10 for Agentic Applications 2026 reinforces that runtime decisions matter more than static allowlists when the actor is autonomous.
NHIMG research on The State of MCP Server Security 2025 shows why this caution is warranted, including widespread secret exposure and weak tool scoping in real deployments. These controls tend to break down when MCP is connected to legacy systems that cannot enforce per-request policy or produce trustworthy delegation logs.
Common Variations and Edge Cases
Tighter MCP controls often increase integration friction, so organisations have to balance developer convenience against blast-radius reduction. That tradeoff is real, and current guidance suggests it is safest to start with read-only or low-impact tools, then expand only after identity, scoping, and logging have been proven in production-like conditions.
There is no universal standard for this yet, which means teams should avoid treating MCP as inherently unsafe or inherently approved. A low-risk analytics connector may be acceptable with strong workload identity and immutable logs, while a connector that can change production records, retrieve customer secrets, or trigger financial actions should face a much higher approval bar. Sensitive systems also require special caution when the agent can chain multiple tools, because apparently limited actions can become privileged through sequence and context.
For governance, the question is not whether MCP exists in the environment, but whether the surrounding controls can contain it. If the organisation cannot show least privilege, short-lived credentials, and end-to-end accountability, then the correct decision is to keep MCP out of that system until the gap is closed. For a broader view of agent risk, the OWASP Agentic Applications Top 10 is a useful reference point for emerging failure modes.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A03 | Covers tool misuse and unsafe delegation in agentic integrations. |
| CSA MAESTRO | TR-1 | Addresses trust, runtime control, and delegated agent behaviour. |
| NIST AI RMF | Supports governance of autonomous AI risk and accountability. |
Restrict MCP tools to minimum actions and review every delegated capability before production use.
Related resources from NHI Mgmt Group
- How can organisations decide whether to start with MCP, A2A, or both?
- How do organisations know whether MCP enforcement is actually working?
- When is it appropriate to implement MCP in the context of AI systems?
- Should organisations allow contractors to access sensitive systems from personal devices?
