They usually lose the ability to prove who authorised the action, what consent was granted, and whether the tool call stayed inside scope. That creates an accountability gap across security, compliance, and incident response. The request may have flowed correctly, but the organisation cannot defend the decision behind it.
Why This Matters for Security Teams
MCP proxies are useful transport and mediation layers, but they are not governance controls. A proxy can relay a tool call, inspect a payload, or block obvious abuse, yet it usually cannot prove who approved the action, what consent boundary applied, or whether the agent stayed within its intended scope. That distinction matters because governance evidence must survive audits, incidents, and legal review, not just pass traffic.
Teams often mistake a control point for a control plane. When that happens, the organisation may believe it has oversight while the actual decision logic remains buried in prompts, runtime state, or application code. Current guidance from the NIST Cybersecurity Framework 2.0 still points security teams back to accountable policy enforcement, traceability, and least privilege rather than transport-only mediation. The same problem shows up across Top 10 NHI Issues when secrets, delegation, and revocation are treated as routing problems instead of identity problems.
In practice, many security teams discover the accountability gap only after a high-risk tool action has already been executed and nobody can defend the approval chain.
How It Works in Practice
For autonomous or semi-autonomous systems, governance has to sit at the point where intent becomes action. That means the organisation needs workload identity, runtime policy evaluation, scoped delegation, and audit logs that capture approval context. A proxy can still be part of the design, but its role is to enforce and observe policy, not to replace the policy model itself.
In an agentic workflow, the safer pattern is:
- Authenticate the agent as a workload, not as a shared service account.
- Issue just-in-time credentials with short TTLs for a specific task or tool call.
- Evaluate policy at request time using context such as task, tenant, data class, and approval state.
- Record who authorised the action, what the agent was allowed to do, and which tool scope applied.
- Revoke access automatically when the task completes or the context changes.
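As an added illustration of the five steps above (constructed for this page, not code from the original article or any named project), the Python sketch below binds a short-TTL credential to one workload, task and tool scope, evaluates policy at request time against tenant, data class and approval state, records every decision with its approver and reason, and revokes the credential when the task ends. The names POLICY, issue_credential, authorize_tool_call and revoke, and the policy table itself, are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # placeholder: production keys belong in a KMS/HSM
AUDIT_LOG = []                          # who approved what, for which scope, and why
_REVOKED = set()                        # token ids revoked on task end or context change
# Constructed policy (assumption): allowed tool scopes per data class + approval need.
POLICY = {
    "public": {"tools": {"search.read", "docs.read"}, "approval": False},
    "confidential": {"tools": {"docs.read", "ticket.write"}, "approval": True},
}

def _sign(cred):
    msg = "|".join(f"{k}={cred[k]}" for k in sorted(cred) if k != "sig").encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def issue_credential(workload_id, task_id, tenant, tool_scope, approver, ttl_s=120):
    """Just-in-time credential bound to one workload, one task and one tool scope."""
    cred = {"id": secrets.token_hex(8), "sub": workload_id, "task": task_id,
            "tenant": tenant, "scope": tool_scope, "approver": approver,
            "exp": time.time() + ttl_s}
    cred["sig"] = _sign(cred)
    return cred

def authorize_tool_call(cred, tool, data_class, tenant):
    """Request-time policy evaluation; every decision is recorded with its reason."""
    rule = POLICY.get(data_class)
    if not hmac.compare_digest(cred.get("sig", ""), _sign(cred)):
        reason = "bad signature"
    elif cred["exp"] <= time.time() or cred["id"] in _REVOKED:
        reason = "credential expired or revoked"
    elif cred["tenant"] != tenant:
        reason = "tenant mismatch"
    elif tool != cred["scope"]:
        reason = "tool outside delegated scope"
    elif rule is None or tool not in rule["tools"]:
        reason = "tool not permitted for this data class"
    elif rule["approval"] and not cred["approver"]:
        reason = "approval required but none recorded"
    else:
        reason = None
    AUDIT_LOG.append({"token": cred["id"], "workload": cred["sub"], "task": cred["task"],
                      "tenant": tenant, "tool": tool, "data_class": data_class, "approver":
                      cred["approver"], "allowed": reason is None, "reason": reason, "at": time.time()})
    return reason is None

def revoke(cred):  # call when the task completes or its context changes
    _REVOKED.add(cred["id"])
```

The audit entry, not the proxy's access log, is what lets an organisation later reconstruct who approved the call and which scope applied.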
This is where standards and research align. The OWASP Agentic AI Top 10 highlights the risk of unbounded tool use, while Analysis of Claude Code Security shows how quickly AI-powered workflows expand beyond a simple request and response model. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs reinforces the operational point: identity lifecycle, rotation, and revocation need to be designed around actual workload behaviour, not static ownership records.
These controls tend to break down in environments where proxies are shared across tenants, because approval context is lost once multiple agents, users, and toolchains converge on the same mediation layer.
Common Variations and Edge Cases
Tighter proxy enforcement often increases operational overhead, requiring teams to balance stronger control against latency, integration complexity, and exception handling. That tradeoff is real, especially when legacy tools were never built for runtime consent checks or short-lived delegation.
There is no universal standard for this yet, but current guidance suggests treating MCP proxies as enforcement infrastructure, not as the source of truth for governance. In regulated environments, the evidence trail should live in the identity, policy, and authorization layers, with the proxy providing only one observable checkpoint. That is especially important when a proxy masks risky patterns such as shared secrets, over-broad tool scopes, or silent escalation between agents.
NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because auditors care less about whether a request passed through a proxy and more about whether the organisation can reconstruct consent, scope, and revocation. For implementation planning, The 2024 ESG Report: Managing Non-Human Identities is a reminder that NHI compromise is already common enough that gaps in control design are not theoretical. The question is not whether a proxy exists, but whether it can prove governance under pressure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Addresses over-privileged and unscoped agent tool use hidden behind proxies. |
| CSA MAESTRO | TR-2 | Focuses on trust and authorization for agent actions, not proxy transit. |
| NIST AI RMF | GOVERN | Requires accountable oversight for AI-driven decisions and actions. |
Use policy-aware authorization and logged consent as the governance source of truth.