The MCP Shift, Part 2: The Solution – Astrix Security
Despite the security concerns raised in part 1 of this series, customers tell us that MCP adoption continues to accelerate. The identity and security folks we talk to aren’t surprised by that, though. For developers under pressure to deliver AI results, it offers too much velocity to ignore.
In the upcoming part 3, we’ll talk about how this MCP future may look, and (if you haven’t already) you should take our 5-question, no-hassle, multiple-choice survey to tell us what you’re seeing in your world about MCP.
Today, the security and IAM teams we’re talking to are trying to turn MCP’s initial governance challenges into a foundation for scalable AI identity management. Here’s how MCP can transform from being part of the problem to becoming a powerful solution.
Turning a bug into a feature
Ironically, the same thing that caused many of MCP’s issues, mostly its role as a unifying abstraction layer, is also the key to solving them. In traditional software, abstraction layers/control planes are the ideal integration points for identity (think about how we integrate login/auth in a centralized gateway or platform).
Everyone we speak with knows MCP offers a similar strategic chokepoint. Instead of having identity and policy sprawled across each tool and agent, we can enforce them at the MCP layer centrally. The change Anthropic made to separate authorization from the main server shows they know this, too.
Done right, MCP could let us standardize authentication, authorization, and auditing across all AI agent interactions.
One identity framework to rule them all
Some folks we talked to imagine every AI agent tool request flowing through an MCP server that knows who the agent is (or which human it represents) and what it’s allowed to do. Rather than handing out raw API keys to an agent, you give it a sort of proxy identity managed by the MCP. The MCP server, in turn, checks with your enterprise IAM system (IdP, IGA platform, etc.) whenever the agent tries to do something.
This way, policies like “Agent X can read email but not send email” can be enforced consistently, no matter which underlying API or tool is being accessed. Instead of a patchwork of custom integrations, MCP can act as a single, standardized security boundary that enables unified policy and monitoring.
In effect, MCP becomes an IAM overlay for AI agents, giving security teams a fighting chance to answer “who (or what) can do what?” across the board.
Real-world progress
In our customer base and community, we’re already seeing pioneers implement this. Organizations that built their own MCP-like layers didn’t stop at tool integration; they also baked identity and access controls into it.
For example, one team created an internal “MCP gateway” where each AI agent carries a signed token representing its identity and role. The gateway validates these tokens on every request and logs the action with an audit trail (tying back to a human owner when applicable).
Another early adopter mapped all their MCP tools to specific OAuth scopes and tied those to enterprise roles. The net effect: AI agents became first-class citizens in their IAM system, with requests treated much like a service account’s actions would be. This kind of approach brings much-needed visibility and guardrails: we can finally trace an agent’s actions, attribute them correctly, and apply least privilege (no more one-size-fits-all super keys).
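To make the gateway pattern concrete, here is an added example (not code from Astrix or from any of the teams described above) of a minimal MCP-style gateway that does the three things the two adopters describe: it validates a signed token that carries the agent's proxy identity and its human owner, maps each tool to an OAuth-style scope that enterprise roles grant, and records every request, allowed or denied, in an audit trail. The signing key, tool names, scopes, and role mapping are all constructed for the example; in practice the token would be issued by the IdP and the role lookup would go to the IGA platform.

```python
"""Added example: an MCP-style gateway enforcing proxy identity and least privilege.

Everything here is hypothetical: the HMAC key, the tool/scope/role names and the
inline role table stand in for an enterprise IdP/IGA integration.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Gateway signing key (constructed value for the example only).
GATEWAY_KEY = b"example-gateway-key-not-for-real-use"

# Each exposed tool maps to exactly one scope; unknown tools are denied.
TOOL_SCOPES = {
    "email.read": "mail:read",
    "email.send": "mail:send",
    "calendar.read": "cal:read",
}

# Enterprise roles decide which scopes an agent's proxy identity is granted.
ROLE_SCOPES = {
    "inbox-triage": {"mail:read", "cal:read"},            # can read, never send
    "exec-assistant": {"mail:read", "mail:send", "cal:read"},
}


def _sign(payload: bytes) -> str:
    return hmac.new(GATEWAY_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(agent_id: str, role: str, owner: str, ttl_s: int = 3600, now=None) -> str:
    """Mint a short-lived proxy-identity token tied to a role and a human owner."""
    now = time.time() if now is None else now
    claims = {"sub": agent_id, "role": role, "owner": owner, "exp": now + ttl_s}
    payload = json.dumps(claims, sort_keys=True).encode()
    return payload.hex() + "." + _sign(payload)


def verify_token(token: str, now=None) -> Optional[dict]:
    """Return the claims only if the signature matches and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_sign(payload), sig):   # constant-time compare
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


@dataclass
class Gateway:
    audit: list = field(default_factory=list)

    def call_tool(self, token: str, tool: str, now=None) -> dict:
        """Authorize one tool request and append the decision to the audit trail."""
        now = time.time() if now is None else now
        claims = verify_token(token, now)
        agent = owner = None
        if claims is None:
            decision = {"allowed": False, "reason": "invalid or expired token"}
        else:
            agent, owner = claims["sub"], claims["owner"]
            needed = TOOL_SCOPES.get(tool)
            granted = ROLE_SCOPES.get(claims["role"], set())
            if needed is None:
                decision = {"allowed": False, "reason": f"unknown tool {tool}"}
            elif needed not in granted:
                decision = {"allowed": False,
                            "reason": f"role {claims['role']} lacks scope {needed}"}
            else:
                decision = {"allowed": True,
                            "reason": f"role {claims['role']} grants scope {needed}"}
        # Denied requests are logged too: the audit trail answers "who tried what".
        self.audit.append({"ts": now, "agent": agent, "owner": owner, "tool": tool, **decision})
        return decision


if __name__ == "__main__":
    gw = Gateway()
    tok = issue_token("triage-bot", "inbox-triage", "alice@example.com", now=1000)
    print(gw.call_tool(tok, "email.read", now=1010))   # allowed
    print(gw.call_tool(tok, "email.send", now=1011))   # denied: scope not granted
    print(json.dumps(gw.audit, indent=1))
```

The policy “Agent X can read email but not send email” is expressed once, as a role-to-scope grant, and holds for any tool behind the gateway; the agent never sees a raw mail API key, only its proxy token.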
Maturing standards and tools
The future looks bright as the MCP spec and ecosystem incorporate more governance features. Anthropic’s recent moves to enable separate authorization flows and community proposals for things like fine-grained capability discovery with access scopes show that security is now a first-class concern.
We at Astrix are contributing to this evolution as well, advocating for standards that allow continuous authentication, dynamic policy enforcement, and centralized audit streams in MCP. The excitement from the field is noticeable, as some organizations have even told us they’re holding off on broader MCP deployment until these security features bake in.
That patience reflects how important governance is: people want the MCP benefits, but they know long-term success means having the identity piece solved. The good news is that those solutions are coming, turning MCP’s abstraction layer into a strength rather than a weakness.
Solving the “invisible agent” problem
By implementing IAM controls at the MCP layer, we tackle the core fear that launched this discussion: AI agents running wild under the radar. With a governed MCP, every tool action by an agent is visible and authorized.
Developers get the velocity they want from MCP, which everyone we spoke to knows they’re going to use one way or another. Security teams can set policies like they do for human users – e.g., an agent can only access certain data during business hours, or must get approval if it tries something unusual.
No more guessing which API call did what; the MCP logs can tell you exactly which agent did X at what time, and why it was allowed. It’s a level of oversight that was impossible when agents just flung API calls on their own.
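As an added example of the oversight this enables (not code from the original post or from any gateway product), the following reads a few constructed gateway audit records and answers the questions above: which agent, acting for which human owner, called a given tool, when, and why it was allowed; which requests were denied; and which allowed actions fell outside a business-hours window like the policy mentioned above. The log format and field names are an assumption about what an MCP gateway would record.

```python
"""Added example: attribution and policy checks over MCP gateway audit records.

The JSON lines below are constructed for this example; the field names are an
assumed gateway log schema, not a real product's format.
"""
import json
from datetime import datetime

AUDIT_LOG = """
{"ts": "2024-05-06T09:15:00Z", "agent": "triage-bot", "owner": "alice@example.com", "tool": "email.read", "allowed": true, "reason": "role inbox-triage grants scope mail:read"}
{"ts": "2024-05-06T09:16:10Z", "agent": "triage-bot", "owner": "alice@example.com", "tool": "email.send", "allowed": false, "reason": "role inbox-triage lacks scope mail:send"}
{"ts": "2024-05-06T23:40:00Z", "agent": "report-bot", "owner": "bob@example.com", "tool": "crm.export", "allowed": true, "reason": "role analyst grants scope crm:export"}
{"ts": "2024-05-07T10:02:00Z", "agent": "report-bot", "owner": "bob@example.com", "tool": "crm.read", "allowed": true, "reason": "role analyst grants scope crm:read"}
"""

# Constructed policy window: agents may act between 08:00 and 18:00 UTC.
BUSINESS_HOURS = (8, 18)


def parse_audit(text: str) -> list:
    """Parse one JSON record per line and convert timestamps to datetimes."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def attribute(records: list, tool: str) -> list:
    """Who (agent and human owner) touched this tool, when, and why it was decided."""
    return [(r["agent"], r["owner"], r["ts"].isoformat(), r["allowed"], r["reason"])
            for r in records if r["tool"] == tool]


def denied(records: list) -> list:
    """Requests the gateway refused; useful for spotting agents probing beyond their role."""
    return [r for r in records if not r["allowed"]]


def outside_business_hours(records: list, window=BUSINESS_HOURS) -> list:
    """Allowed actions that happened outside the policy window and deserve review."""
    start, end = window
    return [r for r in records if r["allowed"] and not (start <= r["ts"].hour < end)]


def summary(text: str) -> dict:
    """Condense a log into the two lists a reviewer looks at first."""
    recs = parse_audit(text)
    return {
        "denied": [(r["agent"], r["tool"]) for r in denied(recs)],
        "after_hours": [(r["agent"], r["tool"]) for r in outside_business_hours(recs)],
    }


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    for row in attribute(recs, "crm.export"):
        print(row)
    print(summary(AUDIT_LOG))
```

Because the gateway records the owner and the authorization reason alongside every call, the same log that serves compliance also serves detection: a denied call by an agent, or an allowed call outside its expected hours, is a question for that agent's human owner rather than an anonymous API key.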
In essence, we’re transforming MCP from a problem to a solution, using its centralized nature to impose the kind of AI identity governance that was previously missing. This not only remedies the security blind spots but can even improve development speed (since devs don’t have to reinvent auth for each tool access). It’s a win-win: safer AI integrations without sacrificing the agility that made MCP attractive in the first place.
Conclusion
By viewing MCP through an identity governance lens, we can reimagine it as an AI control plane that enforces trust by design. Rather than seeing MCP’s token-based access as a flaw, we treat the MCP server as the pivotal gatekeeper, fortifying it with enterprise IAM practices.
This flips the script: the “abstraction layer” becomes the centralized place to do things like Zero Trust enforcement, monitoring, and role-based access for AI agents. Our experiences with forward-thinking clients show that MCP can indeed deliver its integration benefits and meet security’s demands, so long as we’re intentional about layering identity and access control into it.
With that foundation, we can finally start to unlock the full potential of AI agents confidently, knowing we have guardrails in place. Which brings us to what’s next: how MCP might evolve further to handle the even bigger challenges on the horizon. Want to help us see the future? If you haven’t already, you should take our 5-question, no-hassle, multiple-choice survey today to tell us what you’re seeing in your world about MCP.