MCP adoption is outpacing security controls for agentic access

At a glance

What this is: A September 2025 roundup showing MCP moving into mainstream use while security concerns around prompt injection, malicious servers, and weak governance rose alongside it.

Why it matters: It matters because MCP endpoints are becoming production identity surfaces for agents, and IAM, NHI, and agentic AI teams need controls that keep authorization, auditability, and context in step with adoption.

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
• 492 MCP servers were identified as vulnerable to abuse, lacking basic authentication or encryption.
• 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.

👉 Read Pomerium's September MCP roundup on adoption and security fears

Context

Model Context Protocol is becoming a practical integration layer for AI agents, which means it now behaves like an identity and authorization boundary as much as a connectivity standard. Once agents can reach tools, data, and workflows through MCP, the question shifts from compatibility to governability, especially for agentic AI access and MCP security.

This roundup shows the market moving faster than the control plane. The article points to prompt-injection risk, malicious MCP packages, and broader supply-chain exposure, all of which turn tool access into a governance problem for NHI and autonomous system access, not just an application design choice.

Key questions

Q: How should security teams govern MCP endpoints used by AI agents?

A: Treat MCP endpoints as privileged access surfaces with explicit ownership, scoped entitlements, and per-request authorisation. The control model should record which agent, package, or service can invoke each tool, under what context, and with what downstream effect. Without that, MCP becomes a hidden pathway for overreach across connected systems.

Q: Why do prompt injection attacks become more serious in MCP environments?

A: Prompt injection becomes more serious because the agent can act on manipulated content, not just display it. If the agent can call tools after reading hostile input, the attack can cross from text influence into real system action, including data access, workflow changes, or exfiltration. The risk is action abuse, not output corruption.

Q: What breaks when AI agents can chain tools through MCP without tight policy controls?

A: What breaks is the separation between request, authorisation, and execution. A single agent session can move from one system to another, combine partial permissions, and create a wider blast radius than any individual entitlement suggests. Traditional access reviews miss this because they rarely model chained tool behaviour in real time.

Q: Who is accountable when a malicious MCP server exposes enterprise data or actions?

A: Accountability sits with the organisation operating the agent, the team approving the server, and the owners of the connected systems. The important governance question is whether provenance checks, runtime policy, and audit logging were in place before the server was trusted. If they were not, the failure is shared and preventable.

Technical breakdown

MCP as an identity-bearing tool layer

MCP is more than a transport for tool calls. In practice, it exposes structured endpoints that can carry identity context, permissions, and request intent into data sources and operational systems. That makes it similar to an API gateway with stronger semantics around who is calling, what they can invoke, and whether the action should be allowed in context. The security challenge is that agents using MCP often chain multiple tools in one session, so the access decision cannot be treated as a one-time login event. If the server, client, or package chain is compromised, the trust boundary moves with it.

Practical implication: Treat MCP servers as production access surfaces and enforce identity-aware authorization at every request.

Prompt injection and tool abuse in agentic workflows

Prompt injection becomes more dangerous when an agent can act on instructions rather than merely display them. An attacker can shape the agent’s behaviour indirectly through retrieved content, web pages, or data it processes, then use that influence to push the agent toward unsafe tool calls. In MCP-enabled environments, the risk is not just corrupted output. It is unauthorized action across connected systems. That makes content trust, tool trust, and execution trust separate problems that need separate controls, especially where the agent can read from one system and write to another.

Practical implication: Segment read and write privileges so malicious context cannot become cross-system action.

Software supply chain risk around MCP servers

The roundup highlights a malicious MCP server hidden in a lookalike npm package, which is a classic supply-chain pattern adapted to agentic infrastructure. The attack works because developers and platforms increasingly trust packages that expose useful tool interfaces, then let agents consume them with little inspection. That creates a double dependency: the package must be trusted, and the server it exposes must be trusted. When either layer is impersonated, agents inherit the compromise. The security model therefore needs provenance, package hygiene, and runtime validation, not just perimeter controls.

Practical implication: Verify MCP package provenance and inspect exposed server behavior before allowing agent consumption.

Threat narrative

Attacker objective: The attacker seeks to turn trusted agent connectivity into unauthorized access, data theft, or malicious action inside connected enterprise systems.

1. Entry occurred when attackers and researchers demonstrated malicious MCP servers and prompt-injection paths that could reach agent runtimes through trusted-looking packages and content.
2. Escalation followed when those agent runtimes were able to call connected tools and, in some cases, move from text manipulation into unauthorized cross-system actions or data exposure.
3. Impact is the loss of control over agent-mediated access, including sensitive data exfiltration, unsafe tool execution, and supply-chain compromise of downstream systems.

Breaches seen in the wild

• Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
• AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.

NHI Mgmt Group analysis

MCP security is becoming an identity governance problem before it becomes a protocol problem. The article shows that enterprises are adopting MCP as a practical interface for agentic access, but the real control question is who or what is authorised to use those tools, under which context, and with what audit trail. That is classic NHI governance, only now the subject is an agent-mediated control plane. Practitioners should treat MCP endpoints as governed identities, not just integration plumbing.

Prompt injection is the first sign that content trust and action trust have been collapsed into one control surface. When an agent can read untrusted content and then invoke tools, the distinction between malicious instructions and legitimate requests disappears unless the policy layer separates them. That is why this class of issue is so difficult for traditional IAM models: authorisation was built for explicit requests, not for inferred intent derived from hostile context. Practitioners need to recognise that the failure is structural, not merely procedural.

Malicious MCP packages expose a supply-chain identity problem, not just a code integrity problem. The first-party and third-party trust chain now extends into the agent runtime, where a package can define not only software behaviour but also the scope of machine action. This is where workload identity, package provenance, and runtime authorisation meet. The practical implication is that agentic systems inherit compromise from both code and context, so governance must extend beyond signing into execution controls.

Zero Trust for MCP only works if the policy engine understands intent, context, and session scope. The roundup’s conclusion that teams should treat MCP like a production API is directionally correct, but not sufficient on its own. Production APIs assume a stable caller and a bounded action. Agentic access can vary by prompt, retrieved content, and chained tools, which means the control model must evaluate each request in real time. Practitioners should expect authorization logic to become more dynamic as agent behaviour becomes more autonomous.

Identity blast radius is the right concept for agentic access hubs. Once one agent can reach multiple systems through MCP, the damage from a single compromised integration is no longer confined to one service. The blast radius expands across every connected tool the agent can call, every dataset it can reach, and every downstream account it can impersonate or trigger. That should push teams toward narrower scopes, stronger segmentation, and better review of agent-to-tool delegation chains.

From our research:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface.
• Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
• That gap is why practitioners should pair agent governance with the OWASP Agentic Applications Top 10 and the Ultimate Guide to NHIs before scaling MCP beyond pilots.

What this signals

Identity blast radius is now a programme-level concern for agentic access. As MCP spreads from developer tooling into data platforms and enterprise workflows, the governance question shifts from single-session authorization to cross-system containment. Teams that still model access one tool at a time will miss how one trusted agent session can span multiple systems, multiple identities, and multiple failure domains.

The operational signal is clear: if your organisation cannot describe which agents can reach which MCP servers, it cannot prove control over agentic access. That is why runtime policy, auditability, and provenance checks need to be part of the identity operating model, not bolted on after deployment.

With 92% of organisations saying AI agent governance is critical but only 44% having implemented policies, the field is moving faster than most control frameworks can absorb, according to our research.

For practitioners

• Classify MCP servers as governed access surfaces Put MCP endpoints into the same control inventory as privileged APIs, including ownership, approved use cases, and explicit authorization policies for each tool path.
• Separate content trust from action trust Require the agent runtime to validate whether a prompt, document, or web source can influence tool execution before any write or side-effect action is allowed.
• Inspect package provenance before agent consumption Block lookalike packages, verify publisher identity, and review what server functionality they expose before allowing them into agent workflows.
• Limit cross-system tool chaining by default Restrict agents so a single session cannot freely move from one data source to another write-capable system unless the policy explicitly allows that route.
• Log tool calls with identity, context, and outcome Capture the agent identity, triggering context, invoked tool, and resulting action so investigations can reconstruct how a request turned into a side effect.

Key takeaways

• MCP is no longer just an integration protocol. It is becoming an identity boundary that security teams must govern like a production access layer.
• The main risk is not adoption itself, but the way prompt injection, malicious packages, and weak authorization can turn agent connectivity into unauthorized action.
• Practitioners should inventory MCP servers, separate content trust from action trust, and enforce per-request policy before agentic access expands further.

Key terms

• Model Context Protocol: A standard that lets AI agents connect to tools, systems, and data through structured interfaces. In identity terms, it creates a governed access path, so the real question becomes who or what may invoke each tool, under what conditions, and with what audit trail.
• Prompt Injection: A technique that manipulates an AI system through crafted content so it follows attacker influence instead of intended instructions. In agentic environments, the danger is not just bad output but unsafe tool execution, because the agent may convert hostile context into real actions.
• Identity Blast Radius: The total scope of systems, data, and actions that can be affected if one identity or delegation chain is abused. For MCP-connected agents, the blast radius can expand quickly because one session may span multiple tools, multiple systems, and multiple privileges.
• Agentic Access: Access exercised by an AI system that can choose actions at runtime and invoke tools to complete work. It is governed differently from static automation because the identity may change what it does based on context, which makes session-level control and auditability essential.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or identity security programme, it is worth exploring.

This post draws on content published by Pomerium: September 2025 MCP Round-Up on growing adoption and rising security fears. Read the original.