
Why do MCP-based agents increase identity governance risk?

Because the agent can select tools and chain actions at runtime, which means authority is no longer fixed at issuance. Traditional IAM assumes a stable entitlement set, but MCP lets context change behaviour, so the real risk is authority drift across the session.

Why This Matters for Security Teams

MCP-based agents change the governance problem because the agent is no longer limited to a fixed, pre-approved workflow. At runtime, it can discover tools, decide which capabilities to invoke, and chain actions based on live context. That means the identity question is not just “who issued the credential?” but “what authority did the agent accumulate during this session?” Guidance from OWASP Agentic AI Top 10 and NHI governance research in Ultimate Guide to NHIs both point to the same issue: static entitlements do not describe runtime behaviour well enough for autonomous workloads.

This matters because MCP expands the blast radius of a single identity event. If an agent can request tools across systems, weak scoping, overlong secrets, or permissive delegation can turn one compromised session into lateral movement. NHI Mgmt Group research (52 NHI Breaches Analysis) shows that this is not an isolated pattern but part of a broader identity failure mode in which privileges outlive the task that needed them. In practice, many security teams encounter tool-chain abuse only after an agent has already executed an unexpected action path, rather than through intentional testing.
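Authority drift is ultimately an audit-log question: what systems did a session accumulate, and did a credential keep working after its task ended? The following is an added example (not code from the journal or from any of the cited frameworks) that runs two such checks over constructed JSON-lines tool-call records. The field names, the task IDs, the SPIFFE-style agent IDs and the declared task scopes are all assumptions.

```python
"""Authority-drift detection over MCP tool-call audit records (constructed example)."""
import json
from collections import defaultdict

# Constructed: which systems each approved task was allowed to touch.
TASK_SCOPE = {"t-42": {"crm"}, "t-43": {"billing"}}

# Constructed JSON-lines audit log (hypothetical field names). Session s1 touches
# "hr" outside its task scope, then keeps using credential c-1 after the task ends.
SAMPLE_LOG = """\
{"ts": 100, "event": "tool_call", "session": "s1", "task": "t-42", "tool": "crm.read_accounts", "system": "crm", "credential": "c-1"}
{"ts": 110, "event": "tool_call", "session": "s1", "task": "t-42", "tool": "crm.read_notes", "system": "crm", "credential": "c-1"}
{"ts": 120, "event": "tool_call", "session": "s1", "task": "t-42", "tool": "hr.list_employees", "system": "hr", "credential": "c-1"}
{"ts": 130, "event": "task_end", "session": "s1", "task": "t-42"}
{"ts": 140, "event": "tool_call", "session": "s1", "task": "t-42", "tool": "crm.export_accounts", "system": "crm", "credential": "c-1"}
{"ts": 200, "event": "tool_call", "session": "s2", "task": "t-43", "tool": "billing.read_invoice", "system": "billing", "credential": "c-2"}
{"ts": 210, "event": "task_end", "session": "s2", "task": "t-43"}
"""


def parse_log(text):
    """Parse JSON-lines records, skip blank or malformed lines, sort by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole review
    return sorted(records, key=lambda r: r["ts"])


def accumulated_authority(records):
    """Answer 'what did the agent accumulate?': distinct systems touched per session."""
    systems = defaultdict(set)
    for r in records:
        if r["event"] == "tool_call":
            systems[r["session"]].add(r["system"])
    return {s: sorted(v) for s, v in systems.items()}


def detect_authority_drift(records, task_scope):
    """Flag tool calls outside the declared task scope and calls made after task end."""
    findings = []
    task_ended_at = {}  # (session, task) -> ts of task_end
    for r in records:
        key = (r["session"], r["task"])
        if r["event"] == "task_end":
            task_ended_at[key] = r["ts"]
            continue
        if r["event"] != "tool_call":
            continue
        allowed = task_scope.get(r["task"], set())  # unknown task -> nothing allowed
        if r["system"] not in allowed:
            findings.append({"session": r["session"], "ts": r["ts"], "tool": r["tool"],
                             "kind": "scope_drift",
                             "detail": f"system {r['system']} not in task scope {sorted(allowed)}"})
        ended = task_ended_at.get(key)
        if ended is not None and r["ts"] > ended:
            findings.append({"session": r["session"], "ts": r["ts"], "tool": r["tool"],
                             "kind": "privilege_outlived_task",
                             "detail": f"credential {r['credential']} used {r['ts'] - ended}s after task end"})
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("accumulated authority:", accumulated_authority(recs))
    for f in detect_authority_drift(recs, TASK_SCOPE):
        print(f)
```

The two checks map directly to the two failure modes in the paragraph: a session pivoting into a system its task never needed, and a credential that keeps working after the task that justified it has completed. In a real pipeline the declared scope would come from the task approval record rather than a constant.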

How It Works in Practice

The practical control shift is from static authorization to context-aware authorization. For MCP-based agents, that usually means treating the agent as a workload identity, not a person surrogate. The agent proves what it is with cryptographic workload identity, then receives task-specific access only when a policy engine confirms the request still fits the current context. Standards work from NIST Cybersecurity Framework 2.0 and the NIST AI Risk Management Framework supports this broader principle: evaluate risk continuously, not only at issuance.

In operational terms, the strongest patterns today are:

  • Issue just-in-time credentials per task, then revoke them automatically when the task completes.
  • Use short-lived tokens and avoid static secrets that survive across long agent sessions.
  • Evaluate policy at request time using policy-as-code, with full context about the tool, data, and action.
  • Scope tools narrowly so the agent cannot chain unrelated capabilities without a fresh decision.
  • Log every tool call with the originating task, policy decision, and downstream effect.

That approach aligns with NHI lifecycle guidance in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the threat modeling direction in CSA MAESTRO agentic AI threat modeling framework. These controls tend to break down when an MCP server exposes broad, shared tool permissions and the agent can pivot across internal systems without fresh authorization.
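The five patterns above fit together in one small request-time policy engine. The following is an added example, not code from the journal, the cited guides or any product: a workload-identified agent receives a just-in-time credential scoped to one task, every tool call is evaluated against policy-as-code with request context, calls to tools outside the task's scope are denied until a fresh decision issues a new credential, and every decision is logged. The SPIFFE-style agent ID, the tool catalogue, the action classes and the policy rules are all assumptions.

```python
"""Request-time authorization for MCP tool calls with JIT task credentials (constructed example)."""
import secrets
import time
from dataclasses import dataclass

# Constructed tool catalogue: the system each tool reaches and its action class.
TOOLS = {
    "crm.read_accounts": {"system": "crm", "action": "read"},
    "crm.update_account": {"system": "crm", "action": "write"},
    "hr.list_employees": {"system": "hr", "action": "read"},
}
ACTION_RANK = {"read": 0, "write": 1}


@dataclass
class TaskCredential:
    agent_id: str           # cryptographic workload identity, e.g. a SPIFFE ID (assumed)
    task_id: str
    systems: frozenset      # systems this task was approved to touch
    max_action: str         # highest action class the task may perform
    expires_at: float
    revoked: bool = False


class PolicyEngine:
    """Issues short-lived per-task credentials and evaluates every tool call."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._clock = clock
        self._ttl = ttl_seconds
        self._creds = {}    # opaque token -> TaskCredential
        self.audit = []     # one record per decision: the "log every tool call" control

    def _log(self, event, agent_id, task_id, tool, decision, reason):
        self.audit.append({"ts": self._clock(), "event": event, "agent": agent_id,
                           "task": task_id, "tool": tool, "decision": decision, "reason": reason})

    def issue(self, agent_id, task_id, systems, max_action="read"):
        """Just-in-time credential scoped to one task; expires after the TTL."""
        token = secrets.token_urlsafe(24)
        self._creds[token] = TaskCredential(agent_id, task_id, frozenset(systems),
                                            max_action, self._clock() + self._ttl)
        self._log("issue", agent_id, task_id, None, "allow", "jit credential issued")
        return token

    def revoke(self, token):
        """Called when the task completes so the credential cannot outlive it."""
        cred = self._creds.get(token)
        if cred is not None:
            cred.revoked = True
            self._log("revoke", cred.agent_id, cred.task_id, None, "allow", "task complete")

    def authorize(self, token, tool, context):
        """Policy-as-code evaluated at request time. Returns (allowed, reason)."""
        cred = self._creds.get(token)
        agent = cred.agent_id if cred else "unknown"
        task = cred.task_id if cred else "unknown"
        if cred is None or cred.revoked:
            reason = "unknown or revoked credential"
        elif self._clock() > cred.expires_at:
            reason = "credential expired"
        elif tool not in TOOLS:
            reason = "tool not in catalogue"
        elif TOOLS[tool]["system"] not in cred.systems:
            # Narrow scope: chaining into an unrelated system needs a fresh decision.
            reason = "tool outside task scope; fresh authorization required"
        elif ACTION_RANK[TOOLS[tool]["action"]] > ACTION_RANK[cred.max_action]:
            reason = "action class exceeds task approval"
        elif context.get("data_class") == "restricted" and not context.get("approved_by_human"):
            reason = "restricted data requires human approval"
        else:
            reason = "policy allows"
        allowed = reason == "policy allows"
        self._log("tool_call", agent, task, tool, "allow" if allowed else "deny", reason)
        return allowed, reason


if __name__ == "__main__":
    pe = PolicyEngine(ttl_seconds=60)
    tok = pe.issue("spiffe://example.org/agent/report", "t-42", {"crm"})
    print(pe.authorize(tok, "crm.read_accounts", {"data_class": "internal"}))
    print(pe.authorize(tok, "hr.list_employees", {"data_class": "internal"}))  # denied until re-authorized
    pe.revoke(tok)
    for rec in pe.audit:
        print(rec)
```

The point of the design is that the credential carries the task's approved scope, not the agent's total entitlement set, so a planner that decides mid-session to call a tool in another system gets a deny and must go back through issuance. The audit records carry the originating task, the decision and the reason, which is what a later drift review needs.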

Common Variations and Edge Cases

Tighter session-based control often increases integration overhead, requiring organisations to balance runtime safety against developer friction and latency. That tradeoff becomes more visible in multi-agent workflows, where one agent delegates to another or where a planner agent composes several tool calls in sequence. Best practice is evolving, and there is no universal standard for how much delegation should be permitted before a new authorization step is required.

Some environments also introduce exceptions. Read-only analytics agents may tolerate broader access if the underlying data is already heavily segmented. Regulated environments, by contrast, usually need stricter approval gates, stronger audit trails, and clearer separation between the agent’s workspace and production systems. The question is not whether MCP is inherently insecure, but whether the identity model can keep pace with dynamic tool selection and goal-driven behaviour.

For organisations formalising that model, the most useful references are Ultimate Guide to NHIs — Regulatory and Audit Perspectives and the NIST AI Risk Management Framework, which help translate runtime governance into reviewable controls. The main edge case is long-lived agent orchestration inside legacy systems, where shared service accounts and broad API keys make authority drift much harder to detect.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework                  Control / Reference   Relevance
OWASP Agentic AI Top 10    A2                    MCP agents can chain tools and expand authority at runtime.
CSA MAESTRO                T1                    MAESTRO addresses agentic threat modeling and delegation risk.
NIST AI RMF                GOVERN                AI RMF governance supports accountability for dynamic agent behaviour.

Model delegated tool paths and require fresh authorization for risky transitions.