TL;DR: MCP can only enforce policy, intent, and audit when agents actually route through it, but direct API calls, headless browser automation, and shadow connectors can bypass those controls and leave security teams blind, according to Strata Identity. The real issue is not the protocol itself but the assumption that agents will stay inside it, which breaks once identity is optional.
At a glance
What this is: This analysis argues that Model Context Protocol only governs AI agents when it is made the mandatory path, because bypass routes like direct APIs and browser automation remove intent, policy, and audit coverage.
Why it matters: It matters because IAM, PAM, and NHI teams must treat agent access as an identity-routing problem, not just a tooling problem, or they will lose control of authorization, logging, and revocation.
Context
Model Context Protocol is intended to be the governed path between an AI agent and enterprise systems, but it does not control access if the agent can route around it. That makes the real problem identity enforcement at the edge, not protocol adoption in the abstract, especially for NHI and agentic workflows.
The governance gap is simple: if an agent can call APIs directly, drive a browser, or use a shadow connector, the organisation loses intent binding and auditability. For IAM and security teams, that means the question is not whether MCP exists, but whether every meaningful request is forced through it.
Key questions
Q: How should security teams stop AI agents from bypassing MCP controls?
A: Security teams should make the governed mediation layer the only working path to APIs and web applications. That means blocking direct credentials, requiring identity-aware proxies, and rejecting requests that do not carry approved session attestation. If alternative paths remain usable, MCP becomes advisory rather than enforceable.
Q: Why do AI agents complicate identity governance more than traditional automation?
A: AI agents complicate identity governance because they can choose actions and paths at runtime, including bypass routes that human-designed workflows may never anticipate. That creates a gap between intended policy and actual execution, so access control, audit, and accountability must cover behaviour, not just provisioning.
Q: What breaks when agents use headless browsers instead of APIs?
A: When agents use headless browsers, API controls no longer protect the interaction and session-level abuse becomes harder to detect. Security teams lose clean intent signals, consistent logging, and reliable policy enforcement unless web authentication, provenance tagging, and bot detection are designed for non-human traffic.
Q: How do organisations know whether MCP enforcement is actually working?
A: The clearest sign is that every meaningful agent action produces a consistent attestation trail and can be blocked when the session lacks provenance. If requests still succeed through direct APIs, side connectors, or browser clicks without governance metadata, enforcement is incomplete and the control plane is not authoritative.
Technical breakdown
Direct API calls bypass MCP controls
When an agent receives credentials that work outside the MCP path, the control plane loses visibility into why a request exists. Direct API access strips away intent binding, meaning the system can no longer distinguish a sanctioned task from arbitrary action. In practice, this turns policy enforcement into a best-effort signal rather than a gate. The architectural failure is not weak encryption or missing logging alone. It is that the authoritative decision point is no longer on the request path, so the identity layer cannot prove business purpose or constrain scope reliably.
Practical implication: require every API request to pass through an identity-aware proxy that rejects traffic without MCP attestation.
Headless browser automation creates a web session bypass
Browser-driven agents can avoid APIs entirely by behaving like very fast users, which makes traditional agent controls less relevant. Once the agent operates through a web session, the enterprise must rely on authentication strength, session provenance, and bot detection to distinguish legitimate automation from unauthorised UI manipulation. This is where the control problem shifts from protocol mediation to session integrity. If web authentication does not carry non-human provenance, the organisation may be protecting the API layer while leaving the front door effectively open.
Practical implication: tag browser sessions with agent provenance and harden web authentication for both human and non-human actors.
Continuous access evaluation is the only mid-session brake
Agent behaviour can drift after access is granted, so static token lifetime alone does not address overreach. Continuous Access Evaluation lets the identity layer revoke privileges during the session when behaviour changes, such as unusual download volume or scope expansion. That matters because agent actions are often bursty and task-specific, which makes time-based expiry too blunt to be a real safety control. The architecture has to assume that a valid session can become unsafe before it ends.
Practical implication: wire CAEP into agent sessions so suspicious activity triggers immediate token revocation.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- AI LLM hijack breach — attackers used stolen AWS access keys to hijack Anthropic LLM models on Bedrock.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
MCP bypass creates identity blind spots, not just technical exceptions. The important failure is that policy and audit only exist where the control plane actually sits on the request path. Once external agents can choose direct APIs or browser workflows, the organisation is no longer governing agent identity, only hoping the preferred path is used. Practitioners need to treat bypass as a structural governance problem, not an implementation annoyance.
Intent binding is the named concept that collapses first when agents can route around MCP. Intent binding was designed for a world where the identity executor stays inside one governed transaction path. That assumption fails when an agent can improvise via APIs, UI automation, or shadow connectors because the business purpose is no longer attached to the action. The implication is that current review and audit models lose evidentiary value once execution moves outside the mediated path.
Shadow connectors are a lifecycle governance problem in disguise. In-house shortcuts and side channels behave like unmanaged NHIs because they create access that bypasses the approved identity fabric. That means the real issue is not only access control but offboarding, ownership, and review of every alternate route into the system. Teams that do not inventory those routes are governing the declared architecture, not the one actually in use.
Continuous revocation matters more for agents than for many human workflows. Agent activity can change within a single task, so standing approvals and fixed expiry windows are too slow to keep pace with behaviour. The practical conclusion is that enterprise identity programmes must design for within-session drift, because otherwise the control plane only notices after the action is complete.
The market signal is clear: agent identity is becoming an infrastructure control, not a specialist add-on. Protocols, proxies, session provenance, and audit attestation now sit at the intersection of IAM, PAM, and NHI governance. Practitioners should expect the category to converge toward identity fabric patterns that can govern both APIs and web sessions consistently.
From our research:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- A separate 92% of respondents say governing AI agents is critical to enterprise security, while only 44% have implemented any policies to do so, according to the same SailPoint research.
- For a broader control framework, see OWASP Agentic Applications Top 10 for the specific runtime risks that emerge when agent behaviour escapes the intended control path.
What this signals
MCP governance will increasingly be judged by path enforcement, not protocol availability. If agents can still reach systems through direct APIs or browsers, then the identity programme has only partially solved the problem. The practical next step is to align orchestration, proxying, and session provenance so that every meaningful request is observable and attributable across NHI and agentic workflows.
Intent binding should now be treated as a control objective for agent identity programmes. In practice, that means using a governed path that preserves business purpose from authentication through execution. Teams that cannot show this end to end will struggle to prove policy enforcement, especially as browser automation and shadow connectors become routine bypass patterns.
The broader signal is that agent security is converging on identity fabric thinking, where access routing, revocation, and audit must work across APIs, web apps, and non-human identities. That is why the operational conversation is shifting from whether to use MCP to whether the enterprise can make any alternate path fail safely.
For practitioners
- Force every agent request through a single governed path: Make MCP or an equivalent identity bridge the only approved route to APIs and web applications. Block direct API keys, side-door connectors, and unmediated browser access so policy enforcement and audit trails remain complete.
- Bind agent credentials to the mediated session: Issue short-lived scoped tokens that are cryptographically tied to the MCP bridge session, and reject them when used outside the approved flow. This limits replay, reduces credential portability, and preserves request provenance.
- Instrument web sessions with non-human provenance: Require strong authentication for all browser sessions, then tag non-human sessions so bot detection can distinguish legitimate automation from unauthorised UI interaction. Without session provenance, headless browser abuse will slip past API-centric controls.
- Enable mid-session revocation for anomalous behaviour: Use Continuous Access Evaluation so suspicious volume, scope drift, or unexpected destination access can kill the session before the task completes. Static token expiry is too slow for agents that can shift behaviour mid-run.
- Inventory and review shadow connectors regularly: Identify internally built shortcuts, unofficial proxies, and alternative integration paths, then assign ownership and offboarding responsibilities for each one. Untracked connectors create unmanaged access that bypasses the identity fabric.
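The controls described in the Technical breakdown and in the practitioner list above, as an added illustration that is not code from Strata Identity or the NHIMG post: a minimal identity-aware proxy that admits a request only when it carries an HMAC-signed MCP bridge attestation bound to a session, business purpose and scope, and that honours a CAEP-style revocation signal mid-session. The bridge signing key, the claim names and the request shape are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

BRIDGE_KEY = b"constructed-demo-bridge-key"  # hypothetical key shared by the MCP bridge and the proxy

def _b64(raw): return base64.urlsafe_b64encode(raw).decode().rstrip("=")
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _sign(body): return _b64(hmac.new(BRIDGE_KEY, body.encode(), hashlib.sha256).digest())

def issue_attestation(session_id, agent_id, intent, scope, ttl=60, now=None):
    # Bridge side: mint a short-lived attestation tied to one session, business purpose and scope.
    now = time.time() if now is None else now
    claims = {"sid": session_id, "sub": agent_id, "intent": intent,
              "scope": sorted(scope), "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

class IdentityAwareProxy:
    # Proxy side: the only route to the API; denies anything without a valid, session-bound attestation.
    def __init__(self):
        self.revoked = set()  # sessions killed by a CAEP-style event
        self.audit = []       # (decision, session, detail) records for every request

    def on_caep_event(self, session_id, reason):
        # Continuous Access Evaluation signal: revoke while the session is still live.
        self.revoked.add(session_id)
        self.audit.append(("revoke", session_id, reason))

    def authorize(self, request, now=None):
        now = time.time() if now is None else now
        sid, token = request.get("session_id"), request.get("attestation")
        if not token:  # direct API call or shadow connector carrying no bridge attestation
            return self._deny(sid, "no MCP attestation")
        body, _, sig = token.partition(".")
        if not sig or not hmac.compare_digest(sig, _sign(body)):
            return self._deny(sid, "invalid attestation signature")
        claims = json.loads(_unb64(body))
        if claims["exp"] < now:
            return self._deny(sid, "attestation expired")
        if claims["sid"] != sid:  # token lifted out of its bridge session and replayed
            return self._deny(sid, "attestation bound to another session")
        if sid in self.revoked:
            return self._deny(sid, "session revoked mid-task")
        if request.get("action") not in claims["scope"]:
            return self._deny(sid, "action outside attested scope")
        self.audit.append(("allow", sid, f"{claims['sub']} {request['action']} for: {claims['intent']}"))
        return True, "ok"

    def _deny(self, sid, reason):
        self.audit.append(("deny", sid, reason))
        return False, reason
```

Every decision, allow or deny, lands in `audit` with the session it belongs to, which is the attestation trail the page says enforcement must produce.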
Key takeaways
- MCP only protects AI agents when the organisation makes it the mandatory request path.
- Bypass routes such as direct APIs, headless browsers, and shadow connectors destroy intent, policy enforcement, and auditability.
- Identity-aware proxies, short-lived session-bound tokens, and mid-session revocation are the controls that turn MCP from guidance into governance.
Key terms
- Intent Binding: Intent binding is the control property that keeps an action attached to the approved business purpose that authorised it. For AI agents, that means the request path, session context, and audit record must all point back to the same governed transaction, or accountability collapses.
- Identity-Aware Proxy: An identity-aware proxy is an enforcement layer that mediates access between a requester and an API or application. In NHI and agentic environments, it verifies the identity, policy, and session provenance of each request before the target system accepts it.
- Continuous Access Evaluation: Continuous Access Evaluation is the ability to reassess and revoke access while a session is still active. For non-human and autonomous behaviour, it matters because privilege can become unsafe mid-task, long before a fixed token expiry or review cycle would catch it.
- Shadow Connector: A shadow connector is an unofficial integration path built outside the approved identity and governance model. It behaves like unmanaged NHI access because it can route requests, credentials, and audit gaps around the controls the security team believes are in place.
Deepen your knowledge
MCP bypass, identity-aware proxies, and session-bound token controls are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building governance for AI agents that can choose their own execution path, it is worth exploring.
This post draws on content published by Strata Identity: MCP bypass risks and AI agent identity controls. Read the original.
Published by the NHIMG editorial team on 2025-09-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org