RAG access controls what information the model can retrieve and place into context, while MCP tool access controls what the system can do with that context. Retrieval risk is mainly exposure, but tool risk includes execution. Both need separate policy boundaries because a safe read path can still feed an unsafe action path.
Why This Matters for Security Teams
RAG and MCP are often discussed as if they are both “AI access,” but they sit on different sides of the risk boundary. RAG is a retrieval control: it decides what content can enter the model’s context window. MCP is a tool control: it decides what an agent can execute once it has that context. That distinction matters because a read path can still become an action path when the system is autonomous, goal-driven, and able to chain steps without a human in the loop.
For security teams, the practical risk is not only leakage. It is also credential exposure, over-broad tool permissions, and unintended execution. NHIMG research on Analysis of Claude Code Security shows how quickly agentic workflows collapse when read and write boundaries are not separated. That is consistent with the broader pattern in OWASP Agentic AI Top 10, where tool misuse and over-permissioned workflows are recurring control failures. In practice, many security teams discover the gap only after an agent has already used retrieved data to trigger an unsafe tool action, rather than through intentional policy design.
How It Works in Practice
Think of RAG as the information supply chain and MCP as the execution layer. RAG usually governs which documents, tickets, code snippets, or records can be retrieved into context. MCP governs which tools, endpoints, and operations the agent can invoke with that context. The controls should be separate because the trust decision is different: one is “may the model see this,” the other is “may the agent do something with what it sees.”
In a mature design, the agent’s identity is established first, then retrieval policies are applied, then tool permissions are checked at request time. That means intent-based authorisation is more useful than static role assignment for many agentic workloads, because the agent’s actions are dynamic and task-driven. Current guidance suggests pairing short-lived credentials with workload identity so the system can prove what the agent is, not just what token it holds. For background on the identity layer, see Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10.
- RAG policies should constrain data exposure by source, sensitivity, tenant, and task.
- MCP policies should constrain tool scope, method, destination, and permissible side effects.
- JIT credentials and ephemeral secrets should be issued per task, then revoked when the task ends.
- Policy checks should happen at runtime, not only during onboarding or static review.
A useful mental model is that RAG reduces what the agent can know, while MCP reduces what the agent can do. That separation is especially important when tool access includes write operations, admin functions, or secret-bearing systems such as CI/CD, ticketing, and cloud control planes. These controls tend to break down when a single MCP server exposes broad tools to many agents because the permission model stops matching the actual execution path.
Common Variations and Edge Cases
Tighter tool scoping often increases integration overhead, requiring organisations to balance stronger containment against developer friction. That tradeoff becomes sharper in multi-agent systems, where one agent retrieves information and another executes the work. The standard answer still applies, but the policy model gets more complex because each agent may need different context, different tools, and different revocation timing.
There is no universal standard for this yet, but best practice is evolving toward layered control: RAG for data minimisation, MCP for tool governance, and zero standing privilege for anything that can modify state. If a workflow uses shared memory, function chaining, or autonomous retries, the boundary can blur quickly. NHIMG’s OWASP Agentic Applications Top 10 is useful here because it frames tool misuse as a system design issue, not just a prompt issue. For implementation detail on identity and credential exposure risk, 52 NHI Breaches Analysis is a strong reminder that long-lived access and poor scoping still drive most failures.
One edge case is read-only tools that appear safe but can still be dangerous if they reveal secrets, tokens, or sensitive operational data that the agent can reuse elsewhere. Another is when a tool call triggers downstream automation outside MCP’s direct visibility. In those environments, the main control question is not “is the tool read-only” but “does this action create a chain of authority the agent should not have.”
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Separates tool misuse and agentic execution risk from simple data retrieval. |
| CSA MAESTRO | AI-03 | Covers runtime governance for autonomous agent decisions and tool use. |
| NIST AI RMF | Addresses governance for trustworthy AI behaviour across data and action layers. |
Apply runtime policy checks before each agent action and require task-scoped approvals for sensitive tools.
Related resources from NHI Mgmt Group
- What is the difference between MCP access and ordinary app integration?
- What is the difference between governing human access and governing AI agent access?
- What is the difference between scopes and role-based authorization in MCP?
- What is the difference between access control and intent governance for AI agents?
