Subscribe to the Non-Human & AI Identity Journal

What should IAM teams prioritise when MCP is part of the stack?

Prioritise ownership, authentication, secret hygiene, and lifecycle control for every MCP server exactly as you would for a privileged workload. The service should have a named owner, scoped credentials, rotation rules, and a decommissioning path. Without those controls, the protocol becomes another unmanaged non-human identity surface.

Why This Matters for Security Teams

When MCP is part of the stack, the risk is not the protocol itself but the fact that each mcp server becomes a privileged non-human workload with access to tools, data, and downstream systems. If teams treat it like a normal integration instead of a managed identity surface, they usually end up with shared secrets, unclear ownership, and access that survives long after the service should have been retired. The control problem is closer to privileged workload governance than application onboarding.

That is why current guidance increasingly mirrors the OWASP Agentic AI Top 10 and basic NHI hygiene rather than conventional app IAM. NHIMG’s research on The State of MCP Server Security 2025 found that 53% of MCP servers expose credentials through hard-coded values in configuration files, showing how quickly a convenience layer turns into an identity exposure layer. In practice, many security teams encounter the privilege problem only after a server has already been deployed with broad access and no clear decommissioning path.

How It Works in Practice

IAM teams should manage MCP servers as workload identities with explicit ownership, scoped authentication, and short-lived access. The practical model is simple: every server gets a named owner, a unique identity, narrowly scoped tool permissions, and a documented lifecycle. Static credentials should be treated as a temporary transition state, not the end state. For stronger implementations, align the server identity to workload identity primitives such as SPIFFE or OIDC-backed tokens, so the platform can prove what the server is rather than relying only on a stored secret.

At runtime, access decisions should reflect the task being performed, not just the existence of a valid login. That means combining policy-as-code with context-aware checks, so an MCP server can call one tool but not another unless the request, environment, and posture match the policy. This is consistent with NIST SP 800-53 Rev. 5 Security and Privacy Controls, which supports least privilege, credential management, and accountability, even though it was not written specifically for MCP.

For operational maturity, teams should inventory MCP servers, classify the data and tools each one can reach, enforce rotation on every secret, and revoke access automatically when the service is disabled. NHIMG’s Azure Key Vault privilege escalation exposure analysis is a useful reminder that secret repositories themselves can become privilege amplifiers if role assignment is too broad or lifecycle controls are weak. These controls tend to break down in fast-moving developer environments where MCP servers are spun up for experiments, then left connected to production tools after the original owner has moved on.

Common Variations and Edge Cases

Tighter control over MCP servers often increases operational overhead, so teams have to balance developer speed against the risk of unmanaged privilege. That tradeoff is real, especially in pilot environments where teams want to test tool access quickly. Current guidance suggests starting with the highest-risk servers first: anything that can read secrets, modify infrastructure, or invoke external actions should move to stricter ownership and rotation requirements before lower-risk internal connectors.

There is no universal standard for MCP-specific entitlement taxonomy yet, so most organisations adapt existing IAM and PAM patterns while they mature their policy model. One common edge case is shared MCP infrastructure used by multiple teams. In those setups, a single platform identity can hide distinct business owners, making audit and revocation difficult unless per-server metadata and tool-level scoping are enforced. Another edge case is ephemeral test servers, which still need the same decommissioning discipline as production services because temporary access often becomes permanent by accident.

For broader agentic environments, the same lessons appear in NHIMG’s Analysis of Claude Code Security and the OWASP Agentic Applications Top 10: autonomous or semi-autonomous components need identity controls that match their execution authority, not their application label. That is where teams usually discover the gap between policy intent and actual server behaviour.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10, OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-01 Covers ownership and lifecycle for non-human identities, which MCP servers effectively are.
OWASP Agentic AI Top 10 AA-02 MCP servers in agentic stacks need runtime-scoped authorization and tool restrictions.
CSA MAESTRO M2 MAESTRO addresses secure orchestration and access for agentic components and their tools.
NIST AI RMF AI RMF governance supports accountability and risk management for autonomous service identities.
NIST CSF 2.0 PR.AA-01 Identity and access management controls apply directly to MCP server authentication.

Inventory MCP identities, restrict access, and verify each server before granting permissions.