Accountability stays with the team operating the server, the client, and the authorization layer, because negotiated extensions still become part of the control environment. The extension model does not remove governance responsibility. If an extension alters consent, logging, or task flow, it must be treated as a security-relevant change.
Why This Matters for Security Teams
When an MCP extension changes approval or audit behaviour, the technical change is never just “inside the protocol.” It alters who can approve actions, what gets recorded, and how security teams prove control over agent activity. That makes the extension part of the control environment, not a cosmetic feature toggle. Current guidance suggests treating these changes with the same rigor as a policy or logging redesign, especially when agents can trigger downstream actions without human review.
This matters because MCP deployments already show weak control discipline in the wild. In Astrix Security’s The State of MCP Server Security 2025, only 18% of mcp server deployments implement any form of access scoping for tool permissions, which means approval logic often exists without enough guardrails around it. NIST’s Cybersecurity Framework 2.0 reinforces the same principle: governance, risk, and control ownership must track the system as it changes.
Practitioners should also read this alongside NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives, because auditability is often where extension-driven drift becomes visible first. In practice, many security teams encounter accountability gaps only after an audit exception or approval dispute has already occurred, rather than through intentional change control.
How It Works in Practice
Accountability should follow the component that can actually change security-relevant behaviour. If the server accepts an extension that alters approval thresholds, the server team owns the resulting risk. If the client changes how it requests consent or whether it surfaces user intent, the client owner shares responsibility. If the authorization layer evaluates extension metadata or negotiated capabilities, that policy layer must be versioned, tested, and reviewed as part of the change.
This is why static approval assumptions fail. Extensions can change what counts as a valid task, which actions need consent, and whether an event is logged at all. The right control pattern is to treat extension negotiation as a runtime trust decision, then bind it to policy-as-code, change records, and audit evidence. OWASP’s OWASP Agentic AI Top 10 is useful here because it frames agentic risk as a control-plane problem, not only an application bug.
Operationally, teams should verify four things:
- Whether the extension changes approval state, consent prompts, or task routing.
- Whether audit events still capture the full decision path, including negotiated capabilities.
- Whether the change was reviewed by the server, client, and policy owners together.
- Whether rollback restores the prior control behaviour, not just the prior code version.
NHIMG’s AI Agents: The New Attack Surface report shows why this level of governance matters: 80% of organisations report their AI agents have already performed actions beyond their intended scope. These controls tend to break down when extensions are allowed to alter authorization or logging in environments with distributed ownership and no single approver for control-plane changes.
Common Variations and Edge Cases
Tighter extension governance often increases release friction, requiring organisations to balance faster MCP feature adoption against stronger auditability and approval integrity. That tradeoff becomes sharper in fast-moving agentic systems, where extension changes may look minor but can materially affect consent semantics or evidence retention.
There is no universal standard for this yet, but current guidance suggests a conservative model: if an extension can influence approval, it should be treated like a security control change, not a plugin update. That means separate review paths for changes to consent handling, audit logging, and authorization logic. It also means testing for “shadow policy” effects, where an extension bypasses logging without explicitly disabling it.
Edge cases arise when responsibility is split across vendors, internal platform teams, and application owners. In those cases, accountability should still be explicit, even if implementation is shared. The team operating the server is accountable for server-side behaviour, the client owner is accountable for client-side prompts and request shaping, and the authorization owner is accountable for policy evaluation. NHIMG’s Top 10 NHI Issues is a useful reminder that governance failures often start with unclear ownership, not a lack of technical capability.
The main exception is when an extension only changes presentation without affecting consent, logging, or task flow. In that narrow case, the control impact may be lower, but best practice is evolving and teams should still validate that the behaviour is truly non-security-relevant before downgrading review.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Covers agentic control changes that affect consent, approval, and audit paths. |
| CSA MAESTRO | GOV-04 | Addresses governance of agentic systems when capabilities and behavior change at runtime. |
| NIST AI RMF | GOVERN | Govern function requires accountability for AI system changes that affect risk and oversight. |
Review extension-driven approval changes as agentic control-plane risk and require policy testing before release.
Related resources from NHI Mgmt Group
- Who is accountable when lifecycle access changes are not completed on time?
- Who is accountable when an AI agent suspends access or changes a response workflow?
- Why do non-human identities create more audit risk than human accounts?
- Why do non-human identities create audit risk in modern environments?