By NHI Mgmt Group Editorial Team
Published 2025-12-10
Domain: Breaches & Incidents
Source: WorkOS

TL;DR: The Linux Foundation’s new Agentic AI Foundation brings MCP, goose, and AGENTS.md under open governance at a moment when more than 10,000 MCP servers and 60,000+ AGENTS.md projects are already shaping agentic development, according to WorkOS. Open governance lowers fragmentation risk, but it also makes authentication, authorisation, and auditability a core identity problem, not just a developer convenience.


At a glance

What this is: The article argues that MCP’s move into the Agentic AI Foundation makes open, interoperable agent infrastructure more likely, while pushing identity, access, and audit controls to the centre of the stack.

Why it matters: IAM, NHI, and security teams need to treat agentic tooling as governed identity infrastructure because the same protocols that improve portability also expand the control surface for tool access and delegation.



Context

Agentic AI infrastructure is becoming a governance problem because protocols that connect models to tools also define who or what can act across systems. In practice, MCP and related agent standards sit in the same control plane as identity, authorisation, and audit, even when they are discussed as developer plumbing.

The central issue is not whether open standards will exist, but whether enterprises can govern them before agent behaviour spreads across production systems. When a protocol becomes the default connection layer for AI agents, every access decision, tool invocation, and logged action becomes part of the identity programme, not a side concern.


Key questions

Q: How should security teams govern AI agents that use MCP to reach tools and data?

A: Security teams should govern MCP-connected agents as privileged non-human identities with explicit ownership, scoped permissions, and complete telemetry. The practical test is whether every tool call can be traced to a named identity and a policy decision. Without that, the agent can act faster than the organisation can explain its authority or reconstruct its behaviour.

Q: Why does open governance change the risk profile for agentic AI infrastructure?

A: Open governance reduces single-vendor dependency, but it also removes the false comfort that a proprietary platform will solve identity, authorisation, or audit problems for you. Once standards become shared infrastructure, the organisation owns the control design. That makes policy consistency, logging, and revocation the real differentiators, not the protocol label itself.

Q: What breaks when agent frameworks and instruction files are not lifecycle-governed?

A: What breaks is accountability. If agent instructions, project conventions, and delegated access persist after the business need has changed, teams can no longer prove whether current behaviour matches current intent. That creates hidden access residue, especially when agents operate across multiple tools and environments with no clear retirement process.

Q: Which frameworks should teams use to align agentic AI governance and access controls?

A: Teams should anchor agentic governance in the OWASP Agentic AI Top 10, NIST AI Risk Management Framework, and zero trust principles. Those references help translate agent behaviour into controls for identity, authorisation, logging, and review, which is the minimum needed when AI can select tools and execute actions across systems.


Technical breakdown

MCP as the agent tool-access layer

Model Context Protocol is the bridge between an AI agent and the tools or data sources it can use. The protocol itself does not create trust, but it standardises how agents discover and interact with systems, which makes authorisation, logging, and policy enforcement more repeatable. That matters because tool access is where agentic risk becomes operational: once a model can call services, query data, or trigger actions, the security question shifts from model output to governed execution. Open governance can reduce fragmentation, but it also makes the control plane more visible to attackers and misconfiguration alike.

Practical implication: map every MCP connection to a named identity, an explicit privilege scope, and a log source before it reaches production.

Why open governance changes the trust model

Moving MCP, goose, and AGENTS.md into a neutral foundation changes who can set direction, but it does not remove the need for identity controls. Open governance makes the protocol less dependent on a single vendor, which is valuable for long-lived infrastructure, but it also means enterprises cannot assume a product roadmap will solve governance gaps for them. In regulated environments, that shifts attention to assurance questions: who owns the agent, what it may access, how its actions are reviewed, and how exceptions are handled when the agent crosses system boundaries.

Practical implication: define policy ownership for agent infrastructure the same way you would for other shared identity primitives.

Interoperability expands the audit problem

Interoperability is the promise of shared standards, but in agentic systems it can also widen the audit footprint. If an agent can move across multiple tools and environments using common conventions, the organisation needs consistent telemetry to reconstruct what happened after the fact. That means logs, approvals, and policy decisions must survive vendor change and framework drift. The governance challenge is no longer just enabling access. It is preserving evidence across an ecosystem where the agent, not the human operator, may be the active executor.

Practical implication: require audit trails that follow the agent across tools, not isolated logs inside each application.




NHI Mgmt Group analysis

Open agent standards are becoming identity infrastructure, not just developer convenience. Once MCP is used as the default way for agents to reach tools and data, it effectively becomes part of the access layer. That means security teams have to govern agent identities, permissions, and telemetry with the same seriousness they apply to service accounts and privileged workloads. The implication is that agentic infrastructure should be treated as a first-class identity domain.

Shared governance lowers fragmentation, but it also raises the bar for control consistency. A neutral foundation can reduce the risk of one-vendor dependency, yet it also makes it harder to rely on proprietary guardrails to enforce policy. Enterprises will need to decide where authorisation lives, how audit data is normalised, and which team owns break-glass decisions when agents cross environments. The implication is that governance cannot be delegated to the protocol itself.

Interop across MCP, goose, and AGENTS.md will expose weak links in lifecycle thinking. Agents that can move between tools and projects create a new kind of lifecycle problem because their permissions, instructions, and context can outlive the task that created them. The named concept here is agent context persistence: operational instructions and delegated access that remain available after the original business need has changed. The implication is that lifecycle controls must account for agent state, not just account creation and deletion.

Security and trust will be decided by how well organisations instrument the agent execution path. The article points to authentication, authorisation, and audit trails as the pressure points, and that is the right framing. In agentic environments, the main failure is rarely that a standard exists. It is that teams cannot prove what the agent was allowed to do, what it actually did, and whether those two states ever diverged. Practitioners should assume evidence quality will become a board-level issue.

The market is signalling convergence around the agentic stack. When cloud, infrastructure, and developer tooling firms participate in the same foundation, the industry is marking agent protocols as durable plumbing. That does not resolve governance, but it does mean identity teams should stop treating agentic AI as experimental. The implication is that control design needs to move now, before interoperability makes bad defaults difficult to unwind.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • For the broader control model, see OWASP Agentic AI Top 10 for the governance patterns teams should translate into policy and telemetry.

What this signals

Agent context persistence: when instruction files, agent memory, and delegated tool access survive beyond the original task, lifecycle governance becomes as important as runtime policy. That shifts the programme from simply granting access to proving when access should disappear, which is a different operational discipline altogether.

With 98% of companies planning to deploy even more AI agents within the next 12 months, the likely failure mode is not adoption hesitancy but control lag, per the New Attack Surface research. Teams should expect pressure on audit, ownership, and revocation processes as shared agent standards spread.

The practical signal for identity leaders is whether their current governance stack can follow an agent across tools, projects, and environments without losing evidence. If it cannot, the organisation is scaling interoperability faster than it is scaling accountability.


For practitioners

  • Inventory every agent-to-tool path: Build a register of all MCP servers, agent frameworks, and project-level instruction files that can influence production systems. Tie each path to an owner, a privilege boundary, and a logging destination so you can see where delegated access exists today.
  • Assign named identities to agentic workloads: Do not let shared API keys or unnamed integrations stand in for agent identity. Use distinct credentials, scoped permissions, and revocation points for each agent or workload so access can be traced and removed without collateral impact.
  • Standardise audit evidence across tools: Require logs that preserve agent actions, tool calls, and policy decisions across systems rather than inside isolated products. This is the minimum needed for incident review, compliance evidence, and post-incident reconstruction when agents operate across environments.
  • Review lifecycle controls for agent instructions: Treat AGENTS.md files, prompt templates, and other operational guidance as governed assets with change control and retirement criteria. If the instruction set can persist after the original task, it needs an offboarding process as well as an approval process.
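The "practical test" from the technical breakdown (every MCP tool call traces to a named identity, a privilege scope and a log source) and the four practitioner steps above can be expressed as one policy check. The following is an added example written for this page, not code from WorkOS, the Agentic AI Foundation or any MCP implementation; the agent names, MCP server names, tool names, dates and log sink are all constructed, and it also applies the retirement date from the lifecycle step so a grant that has outlived its task is denied.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class AgentIdentity:
    name: str           # named non-human identity, never a shared key
    owner: str          # accountable team for this agent
    scopes: frozenset   # allowed "server:tool" pairs, the privilege boundary
    retire_on: date     # date after which the delegated access must be gone
    log_sink: str       # destination every tool call is shipped to

# Constructed sample register and evaluation date (hypothetical, not from the article).
TODAY = date(2025, 12, 10)
REGISTER = {
    "ci-release-agent": AgentIdentity(
        "ci-release-agent", "platform-team",
        frozenset({"github-mcp:read_repo", "github-mcp:create_pr"}),
        date(2026, 3, 31), "siem://agent-audit"),
    "data-summary-agent": AgentIdentity(
        "data-summary-agent", "analytics",
        frozenset({"warehouse-mcp:run_query"}), date(2025, 6, 30), ""),
}

# Constructed MCP tool-call records: which caller invoked which tool on which server.
TOOL_CALLS = [
    {"agent": "ci-release-agent", "server": "github-mcp", "tool": "read_repo"},
    {"agent": "ci-release-agent", "server": "jira-mcp", "tool": "create_issue"},
    {"agent": "shared-api-key", "server": "warehouse-mcp", "tool": "run_query"},
    {"agent": "data-summary-agent", "server": "warehouse-mcp", "tool": "run_query"},
]

def evaluate(calls, register, today):
    """Return one (decision, reason) per call; allow only when the call traces to a
    named identity, an unretired grant, an in-scope tool and a log destination."""
    findings = []
    for c in calls:
        ident = register.get(c["agent"])
        scope = f'{c["server"]}:{c["tool"]}'
        if ident is None:
            findings.append(("deny", f'{c["agent"]}: no named identity'))
        elif today > ident.retire_on:
            findings.append(("deny", f"{ident.name}: grant retired on {ident.retire_on}"))
        elif scope not in ident.scopes:
            findings.append(("deny", f"{ident.name}: {scope} outside privilege scope"))
        elif not ident.log_sink:
            findings.append(("deny", f"{ident.name}: no log destination"))
        else:
            findings.append(("allow", f"{ident.name}: {scope} -> {ident.log_sink}"))
    return findings
```

Running evaluate(TOOL_CALLS, REGISTER, TODAY) allows only the first call; the second is out of scope, the third has no named identity, and the fourth is a grant that should have been retired on 2025-06-30.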

Key takeaways

  • MCP’s move into open governance makes agentic AI infrastructure more durable, but it also turns identity and audit into core design concerns.
  • Shared standards reduce fragmentation, yet they increase the need for consistent authorisation, telemetry, and lifecycle control across tools.
  • Enterprises should treat agent frameworks as governed identity infrastructure now, before interoperability makes weak controls harder to unwind.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while the NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                       Control / Reference   Relevance
OWASP Agentic AI Top 10         -                     Covers agent tool use, identity, and delegation risks central to MCP.
NIST AI RMF                     -                     Agent governance needs risk ownership, accountability, and lifecycle oversight.
NIST Zero Trust (SP 800-207)    PR.AC-4               Shared protocols still need continuous authorisation and least privilege.

Apply least-privilege and continuous verification to every agent-to-tool connection, not just user sessions.


Key terms

  • Model Context Protocol: A standard that lets AI agents discover and connect to tools, services, and data sources in a consistent way. In identity terms, it becomes part of the access layer because it governs how an agent reaches systems, which means authorisation and logging matter as much as connectivity.
  • Agentic AI Foundation: A shared governance structure for open agent-related projects such as MCP, goose, and AGENTS.md. It matters because standards that move under neutral governance tend to become durable infrastructure, and durable infrastructure requires durable identity controls rather than ad hoc product settings.
  • Agent context persistence: The condition where an agent’s instructions, memory, or delegated access remain available beyond the original business task. This creates lifecycle risk because the agent can continue to act on stale intent, so offboarding, retirement, and change control become part of security governance.
  • Non-human identity: A machine, workload, token, service account, or agent that can authenticate and perform actions without being a person. For agentic systems, the definition must include delegated runtime behaviour, because the control problem is no longer just authentication but also the scope and traceability of action.

Deepen your knowledge

MCP governance, agent identity, and delegated access are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building controls for agentic infrastructure, it is worth exploring.

This post draws on content published by WorkOS: The Linux Foundation Launches the Agentic AI Foundation and what it means for MCP. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-10.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org