Watch for repeated prompts, excessive user rejections, and requests that keep appearing for the same missing context. Those signals suggest the server is compensating for poor design or weak state management. A healthy implementation should request only what is needed, once, and should degrade gracefully when users cancel or refuse.
Why This Matters for Security Teams
MCP elicitation becomes a security issue when the server repeatedly asks for missing context instead of using stable state, clear tool contracts, or sane defaults. That pattern is not just annoying. It often signals that the agent or server is compensating for weak design, which can turn normal workflow friction into prompt churn, user fatigue, and accidental oversharing. The risk is especially visible in agentic environments, where repeated requests can expand the amount of data exposed to the model and increase the chance of unsafe retries. Guidance from the OWASP Agentic AI Top 10 and NHIMG’s Analysis of Claude Code Security both point to the same operational concern: when an AI workflow keeps asking for more, it may be masking a control failure, not improving accuracy. In practice, many security teams notice overuse only after users have already started bypassing the tool or feeding it more context than intended.
How It Works in Practice
Teams usually detect overused elicitation by looking for repetition patterns, not by counting prompts in isolation. A single clarifying question is normal. The problem starts when the same missing field is requested across multiple turns, multiple tools, or multiple sessions. That usually means the server is not retaining enough state, the tool schema is too loose, or the agent is trying to infer context that should have been explicit from the start.
A practical review process should check for:
- Repeated requests for the same identifier, scope, or approval state
- High refusal or cancellation rates after clarification prompts
- Tool calls that fail because required inputs were not validated earlier
- Context that should be derived from policy, session state, or user role but is instead re-asked each time
- Long chains of follow-up prompts before any meaningful action occurs
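The first two checks in this list can be run over elicitation logs. The sketch below is an added example, not code from any MCP SDK: the log record layout, the `review` function and its thresholds are assumptions, and only the accept / decline / cancel response values come from MCP elicitation itself.

```python
from collections import defaultdict

# Constructed sample log, one record per elicitation round trip:
# (session, turn, tool, requested fields, response action).
# The layout is an assumed logging schema; "action" carries the MCP
# elicitation response value (accept / decline / cancel).
EVENTS = [
    ("s1", 1, "deploy",   ["project_id"],        "accept"),
    ("s1", 3, "deploy",   ["project_id"],        "accept"),
    ("s1", 4, "rollback", ["project_id", "env"], "decline"),
    ("s1", 5, "rollback", ["env"],               "cancel"),
    ("s2", 1, "deploy",   ["project_id"],        "accept"),
    ("s3", 1, "search",   ["scope"],             "accept"),
]

def review(events, max_reject_rate=0.3, min_sessions=2):
    """Return findings based on repetition patterns, not raw prompt counts."""
    last_action = {}                        # (session, field) -> latest response
    sessions = defaultdict(set)             # field -> sessions that asked for it
    per_tool = defaultdict(lambda: [0, 0])  # tool -> [prompts, rejections]
    findings = []
    for session, turn, tool, fields, action in sorted(events, key=lambda e: e[:2]):
        per_tool[tool][0] += 1
        per_tool[tool][1] += action != "accept"
        for field in fields:
            prev = last_action.get((session, field))
            if prev == "accept":      # answer was given but not bound to state
                findings.append(("reasked_after_answer", session, field, turn))
            elif prev is not None:    # user refused, server asked again anyway
                findings.append(("reasked_after_refusal", session, field, turn))
            last_action[(session, field)] = action
            sessions[field].add(session)
    for field, seen in sorted(sessions.items()):
        if len(seen) >= min_sessions:  # candidate for a default or policy lookup
            findings.append(("asked_across_sessions", field, len(seen)))
    for tool, (prompts, rejected) in sorted(per_tool.items()):
        if rejected / prompts > max_reject_rate:
            findings.append(("high_rejection_rate", tool, round(rejected / prompts, 2)))
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```
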
This is where runtime governance matters. Current guidance suggests MCP servers should minimize prompt loops, use explicit contracts, and rely on stable session context rather than improvising through repeated elicitation. The State of MCP Server Security 2025 highlights how weak configuration and poor access scoping often coexist with broader MCP risk, which is why repeated elicitation should be treated as a design smell, not a usability quirk. The OWASP Top 10 for Agentic Applications 2026 is also useful here because it reinforces the need to constrain tool behavior before the model starts asking the user for every missing detail. These controls tend to break down when the workflow is highly dynamic, because rapid state changes make it difficult to distinguish legitimate clarification from avoidable re-prompting.
Common Variations and Edge Cases
Tighter prompting discipline often increases implementation overhead, requiring teams to balance fewer user interruptions against more upfront design work. That tradeoff is real in MCP-heavy environments, especially when multiple tools depend on partial context or when the agent is allowed to continue across long-lived sessions.
Not every repeated question is a failure. Sometimes the server is correctly refusing to assume intent, especially for destructive actions, privileged tool calls, or ambiguous resource selection. Best practice is evolving here, but the current consensus is that the system should ask once, preserve the answer, and then move to a policy check rather than restarting the conversation. The right test is whether the follow-up request adds new safety value or merely compensates for missing orchestration. Repetition after a clear answer usually means the server is not binding context correctly, while repetition after a refusal may indicate a poorly designed fallback path.
The hardest edge cases appear in multi-step agentic workflows, where a model can chain tools and lose state between steps. In those environments, teams should treat every extra elicitation prompt as a signal to review state management, authorization flow, and the tool schema together. If the same question keeps resurfacing after the user has already answered it, the issue is almost always structural rather than user-driven.
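The "ask once, preserve the answer, then move to a policy check" pattern can be expressed as a session-scoped gate. This is an added sketch, not code from an MCP SDK: `AskOnceGate`, the `ask` and `policy_allows` callbacks, and the field names are hypothetical. It binds refusals as well as answers, and leaves destructive confirmations uncached because asking again there adds safety value.

```python
class AskOnceGate:
    """Ask once per (session, field), bind the reply, then policy-check it."""

    def __init__(self, ask, policy_allows):
        self.ask = ask                      # hypothetical: (session, field) -> (action, value)
        self.policy_allows = policy_allows  # hypothetical: (session, field, value) -> bool
        self.bound = {}                     # (session, field) -> (action, value)
        self.prompts = 0                    # number of prompts actually shown

    def resolve(self, session, field, confirm_each_time=False):
        key = (session, field)
        # Destructive confirmations are deliberately never served from state.
        reply = None if confirm_each_time else self.bound.get(key)
        if reply is None:
            self.prompts += 1
            reply = self.ask(session, field)
            if not confirm_each_time:
                self.bound[key] = reply     # refusals are bound too: no re-ask
        action, value = reply
        if action != "accept":
            return ("skipped", None)        # degrade gracefully on decline/cancel
        if not self.policy_allows(session, field, value):
            return ("denied", None)         # policy decides, not another prompt
        return ("ok", value)

def demo():
    # Constructed user replies, consumed in order by the ask() callback.
    replies = iter([("accept", "proj-42"), ("decline", None),
                    ("accept", True), ("accept", True)])
    gate = AskOnceGate(ask=lambda s, f: next(replies),
                       policy_allows=lambda s, f, v: v != "proj-prod")
    results = [
        gate.resolve("s1", "project_id"),   # prompt 1
        gate.resolve("s1", "project_id"),   # served from bound state
        gate.resolve("s1", "ticket_ref"),   # prompt 2, declined
        gate.resolve("s1", "ticket_ref"),   # bound refusal, no re-ask
        gate.resolve("s1", "confirm_delete", confirm_each_time=True),  # prompt 3
        gate.resolve("s1", "confirm_delete", confirm_each_time=True),  # prompt 4
    ]
    return results, gate.prompts

if __name__ == "__main__":
    print(demo())
```
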
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Repeated elicitation can expose weak agent tool and prompt design. |
| CSA MAESTRO | | MAESTRO addresses runtime control and safe orchestration for agentic workflows. |
| NIST AI RMF | GOVERN | Overused elicitation is a governance signal that the system lacks clear oversight. |
Instrument agent flows to detect repeated clarification and enforce safer runtime decisions.