By NHI Mgmt Group Editorial Team
Published 2026-04-20
Domain: Agentic AI & NHIs
Source: SGNL

TL;DR: Agentic AI systems built on MCP can invoke tools, query data, and pursue goals beyond human-like discretion, which makes context-aware access control and Zero Standing Privilege central to safe deployment, according to SGNL. The governance issue is not whether AI is useful, but whether existing IAM can constrain autonomous actions tightly enough to keep blast radius manageable.


At a glance

What this is: This analysis argues that Model Context Protocol expands agentic AI capability while exposing a gap in traditional IAM assumptions about human discretion and static privileges.

Why it matters: It matters because AI agents behave like NHI with execution authority, so IAM teams need contextual, time-bound controls rather than broad role-based access.



Context

Model Context Protocol gives AI agents a standardized way to discover tools and act on enterprise data, but that also turns the agent into a powerful non-human identity with real execution reach. The governance problem is familiar even if the technology is new: access policies built for people do not adequately constrain software that keeps trying alternative paths until it gets an answer.

For IAM and NHI practitioners, the key issue is not whether agentic AI will arrive. It already changes how access decisions must be made, because tool discovery, prior responses, and reused context can outlive the moment in which access should have been valid. That makes contextual authorization, traceability, and short-lived privilege the practical control set, not an optional enhancement. The pattern is atypical only in how quickly it turns familiar identity failures into machine-speed amplification.


Key questions

Q: How should organisations govern AI agents that use enterprise tools through MCP?

A: Organisations should treat MCP-connected agents as governed non-human identities and enforce per-request authorization on every tool call. The practical rule is simple: tool discovery, tool execution, and retained context all need separate policy checks so the agent cannot reuse stale access or explore functions outside its task.

Q: When does Zero Standing Privilege reduce risk for agentic AI?

A: Zero Standing Privilege reduces risk when access is truly ephemeral and automatically revoked when the task ends or the context changes. It is most effective for agents that touch sensitive systems, because it limits the blast radius of a compromised identity and prevents long-lived privileges from being reused across prompts.

Q: What is the difference between contextual access and role-based access for AI agents?

A: Role-based access grants permission based on job title or group membership, while contextual access evaluates the request in real time using factors like task, time, device posture, and location. For AI agents, contextual access is usually the safer model because the software can act beyond human discretion and needs tighter task scoping.

Q: Why do AI agents complicate zero trust architecture?

A: AI agents complicate zero trust architecture because they can keep acting after a single trust decision has already been made. Zero trust assumes continuous verification, which fits agentic workflows only if every API call, tool invocation, and context reuse is re-authorized rather than inherited from earlier access.


Technical breakdown

Why MCP changes the access-control model for AI agents

MCP standardizes how an AI client discovers and invokes tools, which makes the agent more than a conversational interface. Once the agent can enumerate functions, call APIs, and pass context across steps, it behaves like an authenticated workload with delegated authority. That creates a new failure mode: the protocol can preserve convenience while obscuring where authorization should be re-evaluated. In practice, the main technical issue is not only authentication but the continuity of authorization across requests, responses, and follow-up actions. Practical implication: treat MCP traffic as governed workload activity, not as harmless prompt traffic.

Practical implication: Classify MCP-connected agents as governed NHI and enforce per-request authorization on every tool call.

Zero Standing Privilege for agentic AI and ephemeral access

Zero Standing Privilege means the agent receives no persistent access that survives the task. Instead, entitlements are evaluated at the moment of use, with task, time, location, and device posture feeding the decision. That matters because AI agents do not naturally stop at the first denied request. They can retry, infer, or chain actions if lingering privileges remain in place. Ephemeral access reduces the duration of exposure, but only if the policy engine is externalized and not hardcoded into the application path. Practical implication: make privilege expiry the default state for agent sessions and tool access.

Practical implication: Use time-bounded, policy-driven grants so agent access expires when the task or context changes.

Tool discovery and context retention as hidden risk multipliers

MCP tool discovery is useful because it lets an agent learn what is available at runtime, but it also creates an information boundary problem. If every user can see every tool, the agent can explore paths that were never intended for that identity. Context retention makes this worse because responses can be reused later even after a user’s access changes. The control objective is to keep discovery, execution, and memory all under the same authorization policy. Practical implication: authorize tool listing, execution, and context reuse as separate decisions, not a single one-time check.

Practical implication: Separate authorization for tool visibility, invocation, and retained context to prevent stale privilege reuse.
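The three sections above describe one control set: per-request contextual authorization, time-bounded grants that expire by default, and separate decisions for tool discovery, tool invocation and reuse of retained context. The following is an added example written for this page, not SGNL's product or code and not part of any MCP SDK. It is a small, in-memory policy decision point; the tool names, the policy table, the request context fields and the TTL values are all constructed for illustration.

```python
"""Added example: a minimal policy decision point (PDP) for MCP-connected agents.

Hypothetical code, not SGNL's implementation. It shows the three separate
authorization decisions the analysis calls for (discovery, invocation, context
reuse) and Zero Standing Privilege via grants that expire by default. The tool
names, policy rules and context fields below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Signals evaluated on every request, not once at login."""
    agent_id: str
    task: str            # the business task the agent is currently working on
    device_posture: str  # e.g. "managed" / "unmanaged"
    location: str        # e.g. "corp-net" / "public"
    now: float           # epoch seconds, injected so the example is deterministic


@dataclass
class Grant:
    """A short-lived entitlement bound to one agent, one tool and one task."""
    grant_id: str
    agent_id: str
    tool: str
    task: str
    expires_at: float


# Constructed policy table: which tasks may use which tool, required posture,
# optional location restriction, and how long a grant lives (seconds).
TOOL_POLICY = {
    "crm.read_account": {"tasks": {"support-triage", "renewal-review"},
                         "posture": {"managed"}, "ttl": 300},
    "crm.export_all":   {"tasks": {"renewal-review"}, "posture": {"managed"},
                         "location": {"corp-net"}, "ttl": 60},
    "hr.salary_lookup": {"tasks": {"comp-review"}, "posture": {"managed"}, "ttl": 60},
}


class PolicyDecisionPoint:
    def __init__(self) -> None:
        self._grants: dict[str, Grant] = {}
        self._seq = 0

    def _eligible(self, ctx: RequestContext, tool: str) -> bool:
        """Evaluate the current context against the rule for one tool."""
        rule = TOOL_POLICY.get(tool)
        if rule is None or ctx.task not in rule["tasks"]:
            return False
        if ctx.device_posture not in rule["posture"]:
            return False
        if "location" in rule and ctx.location not in rule["location"]:
            return False
        return True

    # Decision 1: discovery. The agent only learns about tools it could use
    # right now, so tool listing cannot be used to map the environment.
    def visible_tools(self, ctx: RequestContext) -> list[str]:
        return sorted(t for t in TOOL_POLICY if self._eligible(ctx, t))

    # Decision 2: invocation. Evaluated per call; success issues a grant whose
    # expiry is the default state (Zero Standing Privilege).
    def authorize_call(self, ctx: RequestContext, tool: str) -> Grant | None:
        if not self._eligible(ctx, tool):
            return None
        self._seq += 1
        grant = Grant(f"g-{self._seq}", ctx.agent_id, tool, ctx.task,
                      ctx.now + TOOL_POLICY[tool]["ttl"])
        self._grants[grant.grant_id] = grant
        return grant

    # Decision 3: context reuse. A cached response is tied to the grant that
    # produced it and is re-authorized, never inherited from earlier access.
    def may_reuse_context(self, ctx: RequestContext, grant_id: str) -> bool:
        grant = self._grants.get(grant_id)
        if grant is None or grant.agent_id != ctx.agent_id:
            return False
        if ctx.now >= grant.expires_at:   # grant has expired
            return False
        if ctx.task != grant.task:        # context changed: treat as stale access
            return False
        return self._eligible(ctx, grant.tool)  # entitlement may have changed since

    def revoke_task(self, agent_id: str, task: str) -> int:
        """Drop every grant for a finished task; returns how many were revoked."""
        doomed = [g for g in self._grants if self._grants[g].agent_id == agent_id
                  and self._grants[g].task == task]
        for gid in doomed:
            del self._grants[gid]
        return len(doomed)
```

The design point is that the same `_eligible` check runs for all three decisions, so a tool the agent cannot currently use is neither listed, nor callable, nor reusable through a cached response, and a change in task or device posture invalidates prior context without waiting for the TTL.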


Threat narrative

Attacker objective: The attacker seeks to turn agentic automation into an access-amplification path that reveals protected data or triggers unauthorized actions.

  1. Entry via an AI agent or MCP client that can discover tools and query enterprise systems under delegated identity.
  2. Escalation when the agent retries denied requests or reuses prior context to infer information beyond intended scope.
  3. Impact when stale privileges or broad access expose confidential data, business workflows, or downstream systems at machine speed.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Context-aware authorization is now a core NHI control, not an advanced IAM feature. Agentic AI changes the access model because the system is not simply asking for data, it is attempting to complete a task. That shifts the control question from who asked to what the software is trying to do right now. The practical conclusion is that NHI governance must evaluate request context continuously, not at login or provisioning time.

Ephemeral credential trust debt: when agents inherit broad access for convenience, organisations accumulate hidden risk that persists after the task changes. The longer an agent can retain a privilege, the more likely it is to reuse stale access across new prompts, new data, or new workflows. Teams should treat every durable grant as future blast radius, then design it out wherever possible.

MCP widens the gap between discovery and authorization. A tool can be discoverable without being legitimately usable, and that difference matters more in agentic systems than in human workflows. If discovery is unrestricted, the agent can map the environment even when execution is blocked. Practitioners should align tool visibility with entitlement and logging so exploration does not become reconnaissance.

Security leaders should stop framing agentic AI as a binary choice between adoption and control. The article’s strongest operational lesson is that safe enablement depends on policy, not restraint. When access is evaluated in context and privilege is time-scoped, organisations can adopt agentic workflows without turning every agent into a standing insider. The right response is governance that makes safe use possible.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a broader control perspective, OWASP Agentic Applications Top 10 frames the risk areas that security teams should map to agent behaviour and tool use.

What this signals

Ephemeral credential trust debt: the deeper problem is not whether agents can be given access, but how long that access remains valid after the original task has changed. As organisations adopt more autonomous workflows, lifecycle control becomes more important than static entitlement design, and that makes policy review, expiry, and revocation part of the core operating model.

With 98% of companies planning to deploy even more AI agents within the next 12 months, the control gap is likely to widen unless teams separate agent capability from standing privilege. That means identity, access, and audit teams need a shared operating model before scale turns exceptions into standard practice.

The practical signal for programmes is that agent governance should be designed alongside privileged access, not after deployment. Security teams that can align agent policy with the NIST AI Risk Management Framework and continuous authorization patterns will be better positioned to contain blast radius as autonomous workflows expand.


For practitioners

  • Implement contextual authorization for every agent action: Require policy evaluation on each tool call using task, identity, device posture, location, and time. Do not rely on a single login event to justify later actions; re-check entitlements as the workflow changes.
  • Adopt Zero Standing Privilege for AI agents: Issue time-bound access only when the task requires it, then revoke it automatically when the context expires. Pair this with short TTLs for sensitive data access and explicit approval for privileged workflows.
  • Restrict tool discovery by identity and role: Authorize tool listing separately from tool execution so agents only learn about functions they are allowed to use. Log discovery events alongside execution to distinguish normal use from environment mapping.
  • Separate memory from authorization state: Treat retained context as a governed asset. If permissions change, the agent should not keep using previous responses or cached decisions as if they were still valid.
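The third practitioner point above, and the earlier analysis remark that tool visibility should be aligned with logging "so exploration does not become reconnaissance", both call for detection logic over MCP audit logs. The following is an added example written for this page, not SGNL's code and not a real product's log format: the JSON-lines format, the field names, the agent identifiers and the thresholds are constructed for illustration. It reads discovery (`tools/list`) and execution (`tools/call`) events side by side and flags an agent whose discovery volume and repeated denials look like environment mapping rather than task completion.

```python
"""Added example: detection over constructed MCP audit log lines.

Hypothetical code, not from SGNL or any vendor. The log format is assumed:
one JSON object per line with ts, agent_id, event ("tools/list" or
"tools/call"), tool, decision ("allow"/"deny") and, for list events, the
number of tools returned ("count"). Sample lines are constructed.
"""
import json
from collections import defaultdict

# Constructed sample: agent-1 lists two tools and uses one; agent-7 lists a
# large catalogue twice and is denied on several tools before a single success.
SAMPLE_LOG = """\
{"ts":"2026-04-20T10:00:01Z","agent_id":"agent-1","event":"tools/list","tool":null,"decision":"allow","count":2}
{"ts":"2026-04-20T10:00:02Z","agent_id":"agent-1","event":"tools/call","tool":"crm.read_account","decision":"allow"}
{"ts":"2026-04-20T10:00:05Z","agent_id":"agent-7","event":"tools/list","tool":null,"decision":"allow","count":40}
{"ts":"2026-04-20T10:00:06Z","agent_id":"agent-7","event":"tools/call","tool":"hr.salary_lookup","decision":"deny"}
{"ts":"2026-04-20T10:00:07Z","agent_id":"agent-7","event":"tools/call","tool":"hr.salary_lookup","decision":"deny"}
{"ts":"2026-04-20T10:00:08Z","agent_id":"agent-7","event":"tools/call","tool":"crm.export_all","decision":"deny"}
{"ts":"2026-04-20T10:00:09Z","agent_id":"agent-7","event":"tools/list","tool":null,"decision":"allow","count":40}
{"ts":"2026-04-20T10:00:10Z","agent_id":"agent-7","event":"tools/call","tool":"crm.read_account","decision":"allow"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines, skipping blank lines; malformed lines raise."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list[dict], deny_threshold: int = 3,
            list_ratio: int = 10) -> dict[str, list[str]]:
    """Return {agent_id: [reasons]} for agents whose behaviour warrants review.

    repeated_denials: at least deny_threshold denied tool calls, the retry
        pattern the analysis describes for agents that do not stop at a denial.
    environment_mapping: repeated discovery that returns far more tools than
        the agent ever successfully calls, combined with denials on several
        distinct tools, i.e. discovery broader than entitlement.
    """
    stats = defaultdict(lambda: {"lists": 0, "listed": 0, "allowed": 0,
                                 "denied": 0, "denied_tools": set()})
    for e in events:
        s = stats[e["agent_id"]]
        if e["event"] == "tools/list":
            s["lists"] += 1
            s["listed"] += int(e.get("count") or 0)
        elif e["event"] == "tools/call":
            if e.get("decision") == "allow":
                s["allowed"] += 1
            else:
                s["denied"] += 1
                s["denied_tools"].add(e.get("tool"))

    findings: dict[str, list[str]] = {}
    for agent, s in stats.items():
        reasons = []
        if s["denied"] >= deny_threshold:
            reasons.append("repeated_denials")
        if (s["lists"] >= 2 and len(s["denied_tools"]) >= 2
                and s["listed"] > list_ratio * max(s["allowed"], 1)):
            reasons.append("environment_mapping")
        if reasons:
            findings[agent] = reasons
    return findings


if __name__ == "__main__":
    for agent, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(agent, ", ".join(reasons))
```

Because discovery and execution are logged with the same agent identity, the ratio between what an agent is shown and what it is actually allowed to do becomes measurable; if discovery were already restricted to entitled tools, the `listed` counts would shrink and this detection would fire far less often, which is the control the bullet above recommends.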

Key takeaways

  • Agentic AI turns access control into a runtime problem because software can keep trying until it finds a path.
  • The real governance gap is that most organisations still lack policies for AI agents even though they recognise the risk.
  • Practitioners should combine contextual authorization, short-lived privilege, and tool-level logging before expanding MCP-connected workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Contextual access and expiry map directly to persistent NHI privilege risk.
OWASP Agentic AI Top 10 | | Agent tool use and context retention are core agentic AI attack surfaces.
NIST AI RMF | | AI RMF applies to governance, accountability, and lifecycle management for autonomous agents.

Assign governance ownership for agent behaviour and document escalation paths for policy exceptions.


Key terms

  • Model Context Protocol: A protocol that lets AI agents discover tools and interact with data sources in a standardized way. In security terms, it matters because the agent can move from conversation to action, which makes authorization, logging, and context control part of the identity problem.
  • Zero Standing Privilege: An access model in which no privilege persists beyond the moment it is needed. For NHI and agentic AI, it means credentials should be time-scoped, context-scoped, and automatically revoked so a software actor cannot accumulate unnecessary reach.
  • Contextual authorization: A policy approach that evaluates access using real-time signals such as task, location, device posture, and time. It is more precise than static role assignment because it matches how autonomous agents operate, where intent and risk can change across a single workflow.
  • Tool discovery: The process by which an AI agent learns what functions or actions are available to it at runtime. It becomes a security issue when discovery is broader than entitlement, because the agent can map capabilities even when it should not be able to use them.

Deepen your knowledge

MCP, contextual authorization, and Zero Standing Privilege are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agentic AI from an IAM starting point, it is worth exploring.

This post draws on content published by SGNL: How CISOs can secure agentic AI and accelerate enterprise transformation. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-04-20.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org