TL;DR: MCP adoption is exposing a governance problem where agents face context overload, inefficient tool selection, and weak enterprise knowledge handling, while Anthropic’s analysis shows 5 MCP servers can expose 58 tools and roughly 55,000 tokens before a conversation starts. Smarter tool discovery and skills reduce prompt bloat, but they also make access scoping, provenance, and operational review more important than ever.
At a glance
What this is: This analysis argues that MCP’s next bottleneck is not basic connectivity but how agents discover tools and consume enterprise context at scale.
Why it matters: For IAM and NHI teams, the issue is that broader tool access without tighter scoping and oversight increases mis-invocation risk and governance debt.
👉 Read Astrix Security's analysis of MCP tool discovery and Agent Skills
Context
Model Context Protocol adoption changes the NHI governance problem from simple connection management to controlling how autonomous agents discover, select, and use tools. When a single agent can inherit dozens of tools and large context payloads, the security issue is no longer only authorization. It is also decision quality, privilege scope, and the risk that the agent acts on the wrong tool with the right credentials.
Anthropic’s examples show that enterprise-grade agent behaviour depends on reducing context overload and making organizational knowledge load only when needed. That pattern is typical for fast-moving agent deployments, but it also exposes a familiar IAM lesson: if discovery is broad and controls are shallow, privilege use becomes harder to explain, audit, and contain.
Key questions
Q: How should security teams handle tool discovery for AI agents in MCP environments?
A: Security teams should treat tool discovery as a privilege boundary, not a convenience layer. Limit the tools an agent can see, defer loading until a task requires it, and log which capabilities were exposed before execution. That reduces context overload and makes misselection easier to detect and investigate.
Q: What is the difference between agent skills and a large system prompt?
A: A large system prompt bundles all enterprise context into one static block, while agent skills package knowledge into modular units that load only when relevant. Skills are easier to govern because they can be owned, versioned, and reviewed as separate artefacts instead of buried inside prompt sprawl.
Q: When do MCP tool controls become an IAM issue rather than a platform issue?
A: They become an IAM issue when tool exposure determines what actions an autonomous agent can perform. At that point, discovery, scoping, and auditability are access controls in practice, because they shape which capabilities enter the agent’s decision path and which actions it can take.
Q: Should organisations prioritise tool scoping or skill governance first for AI agents?
A: Tool scoping usually comes first because it immediately reduces the agent’s visible attack surface and limits wrong-tool selection. Skill governance should follow quickly, because unmanaged procedural knowledge creates long-term drift and makes agent behaviour harder to explain, test, and approve.
Technical breakdown
Why MCP tool discovery becomes an access-control problem
MCP gives agents a standard way to discover tools and data sources, but broad discovery changes the security profile. If every available tool is loaded into context, the agent must reason over more definitions, parameters, and error states than many workflows need. That increases token consumption and raises the chance of wrong-tool selection or malformed invocation. A deferred-loading pattern limits what the model sees until a tool is likely to be relevant, which is effectively a context-slimming control. The security value is not just efficiency. It also narrows the surface area an agent can misuse during a task.
Practical implication: Treat tool discovery as part of access control and require scoping before tool definitions are exposed.
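To make the deferred-loading pattern concrete, here is an added example (written for this post, not code from Anthropic, Astrix Security, or any MCP SDK) of a scoped tool registry. The model's context starts with short descriptors for allowlisted tools only, a full schema is released one tool at a time on request, high-risk tools additionally need an out-of-band approval, and every exposure decision is written to an audit log before any invocation can happen. The tool catalogue, task profiles and the four-characters-per-token estimate are constructed assumptions.

```python
# Added example, not code from the original post, Anthropic or Astrix Security.
# Deferred-loading MCP tool registry: descriptors first, schemas on demand,
# approval for high-risk tools, and an audit trail of what was exposed.
# Tool names, schemas and task profiles are constructed for illustration.
import json
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class ToolDefinition:
    name: str
    summary: str        # one-line descriptor: the only part always visible
    input_schema: dict  # full JSON schema: enters context only on demand
    risk: str           # "low" or "high"; "high" needs explicit approval


def _schema(*fields: str) -> dict:
    """Build a small JSON-schema object with the given string properties."""
    return {"type": "object",
            "properties": {f: {"type": "string"} for f in fields},
            "required": list(fields)}


# Constructed catalogue standing in for what several MCP servers advertise.
CATALOGUE: Dict[str, ToolDefinition] = {t.name: t for t in [
    ToolDefinition("read_file", "Read a file from the shared drive", _schema("path"), "low"),
    ToolDefinition("search_docs", "Search the internal knowledge base", _schema("query"), "low"),
    ToolDefinition("send_email", "Send email as the user", _schema("to", "subject", "body"), "high"),
    ToolDefinition("delete_record", "Delete a CRM record", _schema("record_id"), "high"),
    ToolDefinition("run_sql", "Run SQL against the warehouse", _schema("statement"), "high"),
]}

# Constructed per-task allowlists, fixed before the agent starts reasoning.
TASK_PROFILES: Dict[str, Set[str]] = {
    "summarise_report": {"read_file", "search_docs"},
    "customer_followup": {"search_docs", "send_email"},
}


def estimate_tokens(obj) -> int:
    """Rough token estimate (assumes about 4 characters per token)."""
    return len(json.dumps(obj, sort_keys=True)) // 4


class ScopedToolRegistry:
    def __init__(self, catalogue: Dict[str, ToolDefinition],
                 task_profiles: Dict[str, Set[str]],
                 approved_high_risk: FrozenSet[str] = frozenset()):
        self.catalogue = catalogue
        self.task_profiles = task_profiles
        self.approved_high_risk = approved_high_risk
        self.audit: List[dict] = []   # every exposure decision, in order

    def _log(self, event: str, task: str, tools: List[str]) -> None:
        self.audit.append({"event": event, "task": task, "tools": tools})

    def _descriptors(self, task: str) -> List[dict]:
        allowed = sorted(self.task_profiles.get(task, set()))
        return [{"name": n, "summary": self.catalogue[n].summary} for n in allowed]

    def visible_descriptors(self, task: str) -> List[dict]:
        """What enters the context at conversation start: names and summaries
        of allowlisted tools only; no schemas, nothing outside the profile."""
        descriptors = self._descriptors(task)
        self._log("descriptors_exposed", task, [d["name"] for d in descriptors])
        return descriptors

    def load_definition(self, task: str, tool_name: str) -> Optional[dict]:
        """Deferred load: release a full schema only if the tool is in the
        task's allowlist and, for high-risk tools, explicitly approved."""
        if tool_name not in self.task_profiles.get(task, set()):
            self._log("load_denied_out_of_scope", task, [tool_name])
            return None
        tool = self.catalogue[tool_name]
        if tool.risk == "high" and tool_name not in self.approved_high_risk:
            self._log("load_denied_needs_approval", task, [tool_name])
            return None
        self._log("definition_loaded", task, [tool_name])
        return {"name": tool.name, "input_schema": tool.input_schema}

    def context_cost(self, task: str) -> dict:
        """Compare eager 'load every schema' context with the scoped,
        descriptor-only starting context for this task."""
        eager = [{"name": t.name, "summary": t.summary, "input_schema": t.input_schema}
                 for t in self.catalogue.values()]
        scoped = self._descriptors(task)
        return {"eager_tokens": estimate_tokens(eager),
                "scoped_tokens": estimate_tokens(scoped),
                "tools_hidden": len(eager) - len(scoped)}


if __name__ == "__main__":
    reg = ScopedToolRegistry(CATALOGUE, TASK_PROFILES, frozenset({"send_email"}))
    print(reg.context_cost("summarise_report"))
    print(reg.load_definition("summarise_report", "send_email"))   # None: out of scope
    print(reg.load_definition("customer_followup", "send_email"))  # schema released
    print(json.dumps(reg.audit, indent=2))
```

The audit list is the piece an IAM reviewer cares about: it records which descriptors were exposed and which definitions were loaded or refused, so a later investigation can show whether a credential was used through a capability the agent should ever have seen.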
How agent skills reduce prompt sprawl and governance drift
Agent Skills move organizational knowledge out of oversized system prompts and into modular files that can be loaded on demand. The short skill descriptor stays visible, while the detailed procedures, references, or scripts remain dormant until the task requires them. That is a better fit for enterprise context because it separates awareness from execution. It also creates clearer boundaries for review, versioning, and policy enforcement. If the skill package contains procedures for brand, reporting, or file handling, governance teams can inspect the unit rather than reverse-engineering a sprawling prompt.
Practical implication: Inventory skills as governed artefacts and review them the same way you review high-impact workflow content.
What deferred loading changes in the threat model
Deferred loading and skills both reduce unnecessary context, but they do not eliminate trust assumptions. The agent still decides when to search, what to load, and how to combine results into action. That means an attacker who can influence the retrieval step, poison the available skill content, or manipulate tool ranking can still steer behaviour. The architecture reduces blast radius, but it also creates a new control point around discovery logic itself. In NHI terms, the question shifts from whether a credential exists to whether the agent should ever have seen the capability in the first place.
Practical implication: Protect discovery paths, not just the end tools, because retrieval can become the real attack surface.
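The two sections above (skills as governed artefacts, and the retrieval step as an attack surface) share one control: admit a skill package only if it is in an approved inventory and its content still matches the digest recorded at review time, then expose only the short descriptor until the body is needed. The following is an added example written for this post, not code from Anthropic, Astrix Security or the Agent Skills specification. It assumes a SKILL.md with `key: value` front matter; the `owner` and `version` keys are an assumed governance convention, and the package, inventory and digests are constructed.

```python
# Added example, not code from the original post, Anthropic or Astrix Security.
# Governed skill loader: inventory check, content-digest pinning, descriptor-only
# visibility, and an audit record for every load or rejection.
# Packages, inventory and the owner/version keys are constructed assumptions.
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REQUIRED_KEYS = ("name", "description", "owner", "version")


def parse_front_matter(text: str) -> Tuple[Dict[str, str], str]:
    """Split a SKILL.md into its 'key: value' front matter and the body."""
    if not text.startswith("---\n"):
        raise ValueError("SKILL.md has no front matter")
    header, _, body = text[4:].partition("\n---\n")
    meta: Dict[str, str] = {}
    for line in header.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta, body


def skill_digest(files: Dict[str, str]) -> str:
    """SHA-256 over every file in the package, in canonical path order."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path].encode() + b"\0")
    return h.hexdigest()


@dataclass(frozen=True)
class SkillDescriptor:
    name: str
    description: str
    owner: str
    version: str


class GovernedSkillRegistry:
    def __init__(self, approved: Dict[str, str]):
        self.approved = approved   # skill name -> digest pinned at review time
        self._packages: Dict[str, Dict[str, str]] = {}
        self._descriptors: Dict[str, SkillDescriptor] = {}
        self.audit: List[dict] = []

    def register(self, files: Dict[str, str]) -> Tuple[bool, str]:
        """Admit a package only if it is complete, inventoried and unchanged."""
        skill_md = next((p for p in files if p.endswith("/SKILL.md")), None)
        if skill_md is None:
            return False, "missing SKILL.md"
        try:
            meta, _ = parse_front_matter(files[skill_md])
        except ValueError:
            return False, "malformed SKILL.md"
        missing = [k for k in REQUIRED_KEYS if k not in meta]
        if missing:
            return False, "missing front matter: " + ", ".join(missing)
        name, digest = meta["name"], skill_digest(files)
        if name not in self.approved:
            self.audit.append({"event": "rejected_not_in_inventory", "skill": name})
            return False, "not in inventory"
        if digest != self.approved[name]:
            self.audit.append({"event": "rejected_digest_mismatch", "skill": name, "digest": digest})
            return False, "digest mismatch"
        self._packages[name] = files
        self._descriptors[name] = SkillDescriptor(name, meta["description"], meta["owner"], meta["version"])
        self.audit.append({"event": "registered", "skill": name, "digest": digest})
        return True, "ok"

    def descriptors(self) -> List[SkillDescriptor]:
        """Always-visible layer: one short descriptor per admitted skill."""
        return [self._descriptors[n] for n in sorted(self._descriptors)]

    def load(self, name: str) -> Optional[dict]:
        """Deferred layer: body and resource list, released on demand and logged."""
        if name not in self._packages:
            self.audit.append({"event": "load_denied", "skill": name})
            return None
        files = self._packages[name]
        skill_md = next(p for p in files if p.endswith("/SKILL.md"))
        _, body = parse_front_matter(files[skill_md])
        resources = sorted(p for p in files if p != skill_md)
        self.audit.append({"event": "loaded", "skill": name, "resources": resources})
        return {"body": body, "resources": resources}


# Constructed skill package (path -> content).
BRAND_SKILL = {
    "brand-guidelines/SKILL.md": (
        "---\nname: brand-guidelines\n"
        "description: Apply company brand rules to outgoing documents\n"
        "owner: comms-team\nversion: 1.2.0\n---\n"
        "# Brand guidelines\nUse the palette in reference/palette.md.\n"),
    "brand-guidelines/reference/palette.md": "Primary: #003366\nAccent: #FF6600\n",
    "brand-guidelines/scripts/apply_palette.py": "print('apply palette')\n",
}
# Inventory pinned to the reviewed package's digest. Computed here for the demo;
# in practice it is recorded when the package is approved, not when it is loaded.
APPROVED = {"brand-guidelines": skill_digest(BRAND_SKILL)}
```

A package whose scripts or references were edited after review produces a different digest and is refused, which is the check that stops poisoned skill content from reaching the retrieval step; the audit events give the reviewer the same "what was loaded before the agent acted" record the tool registry provides.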
Threat narrative
Attacker objective: The attacker aims to steer a legitimate agent into using the wrong tool or skill so that authorised access produces unauthorised outcomes.
- Entry begins when an attacker influences what the agent discovers, for example by poisoning search results, tool metadata, or a skill file used during retrieval.
- Escalation follows if the agent loads the wrong capability or tool definition and then invokes it with legitimate credentials and excessive context trust.
- Impact occurs when the agent performs an unintended action, discloses sensitive enterprise data, or calls a high-risk tool outside the intended workflow.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Context-aware discovery is becoming the new control plane for agentic systems. Once agents can search for tools and load knowledge on demand, the control question shifts from static permission sets to runtime exposure decisions. That makes discovery logic part of the security architecture, not just a usability feature. Practitioners should treat tool visibility as a governed privilege boundary.
Agent Skills formalise a pattern IAM teams already recognise, which is scoped operational knowledge. The difference is that the scope now applies to software that can act, not just people that can read. That creates a need for reviewable skill ownership, lifecycle controls, and change management. Organisations that do not version and approve skills will accumulate invisible governance debt.
Context overload is a security issue because confused agents behave like confused operators. When an agent sees too many tools or too much organisational lore, the likelihood of wrong-tool selection rises. The practical lesson is that least privilege must now extend to context, not just credentials. Security teams should reduce exposed capability before they try to optimise agent performance.
Discovery-layer abuse deserves the same attention that prompt-injection now gets in agentic security models. If attackers can influence search, ranking, or loading decisions, they can redirect legitimate automation without breaking core authentication. That is why NHI governance needs controls around tool registries, skill repositories, and retrieval pipelines. Teams should audit the path to execution, not only the execution endpoint.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- For related context on agentic risk modelling, see OWASP Agentic Applications Top 10, which helps teams map retrieval and tool-use failures to specific control gaps.
What this signals
Context-aware agent governance is now an operating requirement, not a design preference. As agent fleets grow, the number of tools, skills, and data sources available to them will expand faster than most review processes can keep up. That creates a structural mismatch between autonomous discovery and human approval cycles, so teams should move to tighter defaults, stronger logging, and explicit approval for high-risk tool paths.
Ephemeral context is becoming the security boundary for agentic workflows. The more an organisation can reduce what the agent sees at any moment, the easier it becomes to reason about privilege and misuse. In practice, that means discovery rules, skill ownership, and audit trails matter as much as credential rotation and secret storage.
With 92% of organisations agreeing that governing AI agents is critical to enterprise security, yet only 44% having implemented any policies, the policy gap is already visible in day-to-day operations, according to AI Agents: The New Attack Surface report. Teams should expect this gap to widen unless they build governance into agent onboarding, not after deployment.
For practitioners
- Scope tool exposure by task: Limit MCP tool definitions to the minimum set required for a workflow and defer loading everything else until the agent proves need. Review the top matching tools that are exposed in high-risk workflows and remove broad discovery from default agent profiles.
- Treat skills as governed content: Assign owners, review cycles, and change control to each skill package so that procedural knowledge does not drift outside policy. Keep the skill descriptor short and audit the underlying scripts, references, and file formats that the agent can load later.
- Protect retrieval and ranking paths: Validate the sources that feed tool search, metadata lookup, and skill retrieval so an attacker cannot steer selection through poisoned content. Log which search paths were used and which definitions were loaded before the agent acted.
- Add auditability to agent tool use: Record tool selection, loaded context, and invocation results so teams can reconstruct why the agent chose a capability. That evidence is essential when a legitimate credential produces an unintended action.
Key takeaways
- Agent tool discovery is becoming a control problem because what the agent can see directly affects what it can do.
- Agent Skills reduce prompt sprawl, but they also create governed content that needs ownership, review, and lifecycle control.
- Security teams should manage discovery paths, skill repositories, and tool exposure as part of NHI governance, not as post-deployment tuning.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A.3 | Tool selection and context loading are agentic AI attack surfaces. |
| NIST AI RMF | GOVERN | Skills and discovery need ownership, accountability, and change control. |
| NIST CSF 2.0 | PR.AA-1 | Access to tools and knowledge must be explicit and auditable. |
Map agent capabilities to approved access paths and record every high-risk invocation.
Key terms
- Agent Skill: A reusable package of task-specific knowledge and procedures that an autonomous agent can load when needed. In practice, it separates general awareness from operational detail, which makes enterprise context easier to govern than a single oversized prompt.
- Tool Discovery: The process by which an AI agent finds available tools, evaluates which ones are relevant, and decides what to load or invoke. In MCP environments, discovery becomes a security control because it shapes the agent’s visible capability set before any action occurs.
- Context Overload: A condition where an agent receives too many tool definitions, instructions, or knowledge sources to reason effectively. The result is higher token usage, weaker tool selection, and a greater chance that the agent will choose the wrong action or misapply a valid one.
- Deferred Loading: A pattern where tool definitions or knowledge are not loaded into the agent’s context until they are needed. This reduces unnecessary exposure, but it also shifts attention to the retrieval and ranking logic that decides what becomes visible later.
What's in the full article
Astrix Security's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step explanation of deferred tool loading in MCP clients and how the discovery tool is invoked.
- The full mechanics of Agent Skills, including directory structure, SKILL.md loading, and optional scripts.
- Concrete examples of how the vendor maps enterprise knowledge into skills for common file and workflow formats.
- The implementation context around Claude console beta features and how practitioners can evaluate readiness.
Deepen your knowledge
Agent tool discovery and Agent Skills are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to govern autonomous agents without overloading context, this is a practical place to start.
Published by the NHIMG editorial team on 2025-12-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org