By NHI Mgmt Group Editorial TeamDomain: Agentic AI & NHIsSource: JupiterOnePublished August 12, 2025

TL;DR: Natural-language access to cloud and security data only works safely when teams enforce HTTPS, OAuth 2.1, rate limiting, I/O sanitization, and strict trust boundaries for third-party MCP servers, according to JupiterOne. The deeper issue is that MCP makes AI access operationally useful before most organisations have defined who can safely use which tools, data sources, and outputs.


At a glance

What this is: This is a practitioner guide to using a JupiterOne MCP Server for AI-driven security workflows, with its central finding that secure use depends on strict endpoint, input, and trust controls.

Why it matters: It matters because MCP turns cloud and security data into agent-consumable context, which means IAM, NHI, and policy teams must govern how tool access is exposed, routed, and audited before AI workflows expand.

👉 Read JupiterOne's tips for using the MCP Server in security workflows


Context

MCP, or Model Context Protocol, is a standard for connecting AI systems to tools and data sources. In identity terms, that makes it a control problem, not just an integration problem, because the moment an AI system can query assets, logs, and policies in real time, the question becomes who or what is authorised to use those connections and under what constraints.

JupiterOne’s advice is aimed at making MCP use safer inside cloud security operations, but the article itself shows the gap practitioners should focus on: the protocol can widen operational access faster than governance can keep up. That is typical of emerging AI-enabled tooling, where convenience arrives before consistent identity scoping, audit design, and trust classification.


Key questions

Q: How should security teams govern MCP server access in AI workflows?

A: Security teams should govern MCP server access as a delegated identity path, not as a generic integration. That means scoping each client to specific tools, restricting server trust by environment, logging every request and response, and reviewing whether the AI can move from insight to action without a separate approval boundary. Governance should follow the data path, not the dashboard.

Q: Why do MCP servers create risk for IAM and NHI programmes?

A: MCP servers create risk because they let AI clients reach across assets, logs, policies, and actions through one conversational interface. That collapses traditional boundaries between query, decision, and execution, which means IAM and NHI programmes must manage tool scope, token scope, and connector trust together rather than as separate controls.

Q: What do teams get wrong about securing AI tool connectors?

A: Teams often assume that authentication alone is enough, but authenticated access can still be too broad or too fast for safe governance. The common failure is allowing AI systems to inherit the same trust as a human operator without adding limits on rate, data class, connector provenance, and downstream action authority.

Q: What is the difference between a secure MCP pilot and a production-ready deployment?

A: A secure pilot proves that endpoints, scopes, and logging work under controlled conditions. A production-ready deployment adds accountability, change control, validated third-party trust, and tested containment for failures. If those pieces are missing, the MCP server may be functional, but it is not yet governed for enterprise use.


Technical breakdown

How MCP changes security data access patterns

MCP is a transport and tool-calling layer that lets an AI system interact with external systems through structured context instead of hard-coded integrations. In this article, the practical effect is that cloud assets, vulnerability data, IAM changes, and logs become queryable through natural language. That shifts risk from static application access to runtime access orchestration, where the same AI workflow may touch multiple systems in a single session. The security issue is not simply exposure of data, but exposure of authority across tools, scopes, and response channels.

Practical implication: treat each MCP connection as a governed access path, not as a convenience layer.

Why HTTPS, OAuth 2.1, and rate limiting matter for MCP

The article recommends HTTPS and OAuth 2.1 because MCP servers become privileged interfaces between AI clients and internal systems. HTTPS protects transport integrity, while OAuth 2.1 provides federated authorisation for delegated access. Rate limiting matters because AI-driven clients can generate high-frequency, bursty, or repeated requests that look operationally normal but can overwhelm controls or expand blast radius. Strict I/O sanitization is equally important because prompts and responses are now part of the attack surface, especially when natural language can trigger downstream actions or surface sensitive context.

Practical implication: validate request volume, token scope, and input handling before enabling AI-driven access to production data.

Why third-party MCP servers require semi-trusted status

A third-party MCP server should be treated as semi-trusted until validated because it sits in the middle of identity, tool access, and data movement. Once an AI client trusts that server, the server can shape what the model sees, what it can call, and what context it can pass forward. That creates an identity trust chain that is broader than a simple API integration. In practice, the risk is not just a compromised endpoint. It is an unreviewed intermediary becoming part of the decision path for data access and action execution.

Practical implication: classify external MCP endpoints as identity-sensitive dependencies and require validation before production use.


NHI Mgmt Group analysis

MCP creates an identity trust boundary where many teams still see only an integration layer. Once AI systems can query cloud and security data in real time, access control is no longer confined to a login event or a single API token. The governance question becomes whether the tool chain itself is authorised, bounded, and auditable across each context switch. Practitioners should treat MCP as a control plane for identity exposure, not as a harmless connector.

Ephemeral prompt-driven access is a new form of access sprawl. The article’s natural-language workflow model encourages rapid expansion from query to dashboard to alerting to action. That means privilege can be distributed across prompts, connectors, and downstream automations faster than entitlement reviews can track it. For IAM and NHI teams, the concern is not just how much access exists, but how quickly conversational access can become operational authority.

Tool permissions need scope boundaries, not just authentication gates. The vendor’s own guidance on strict I/O sanitization and trusted endpoints points to a wider problem in MCP governance: authenticated does not mean constrained. Without explicit scoping, AI clients can still overreach across assets, logs, and actions. The lesson for NHI governance is that runtime context can amplify access even when the credential model looks conventional.

MCP exposes a policy gap between human-operated systems and machine-paced access. Human IAM controls often assume a person initiates, observes, and reviews access in a predictable sequence. MCP-enabled AI workflows compress that cycle, which makes audit and approval assumptions weaker unless they are redesigned for machine-paced interaction. Practitioners should rethink whether existing approval, logging, and exception processes can keep pace with AI-mediated access paths.

Secure MCP adoption will be decided by trust classification, not feature breadth. The article shows that organisations will use MCP to connect identity stores, logs, and cloud controls because the operational value is obvious. The differentiator for security teams is whether each server, client, and connector is classified by trust level and tied to a measurable access policy. That is where sustainable governance will either emerge or fail.

From our research:

  • 33% of organisations report their AI agents have accessed inappropriate or sensitive data beyond their intended scope, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to SailPoint.
  • For a broader agent governance lens, the OWASP Agentic AI Top 10 maps the failure modes that matter once tool use becomes runtime behaviour rather than static automation.

What this signals

Identity teams should expect MCP to shift control effort from authentication to authorisation design. As tool-connected AI becomes more common, the programme question will no longer be whether a model can connect, but whether each connector is constrained, auditable, and revocable in practice. The organisations that treat MCP as a governed access path will be better positioned to prevent implicit privilege expansion.

Tool sprawl is becoming identity sprawl. The more AI workflows can pull from logs, cloud data, and IAM systems in one session, the harder it becomes to explain which identity actually exercised control. That is why practitioner programmes should align MCP governance with the Ultimate Guide to NHIs , Why NHI Security Matters Now, especially where service access and machine access blend together.

73% of organisations said machine identity governance is a top priority in our latest survey, which is the right direction when AI toolchains can reach operational systems through conversation. The next step is to tie that priority to connector trust, token scoping, and runtime auditing, not just inventory exercises.


For practitioners

  • Classify every MCP endpoint by trust level Separate internal-only servers from third-party connectors, and require a review step before any server can access identity, cloud, or log data. Treat the server as an identity-sensitive dependency, not as a normal integration.
  • Enforce OAuth 2.1 scope design for AI clients Bind each MCP client to the narrowest practical token scope, and review whether the scope matches the tool set the client can actually invoke. Reassess token boundaries whenever the prompt set or downstream workflow changes.
  • Sanitize prompts and outputs at the MCP boundary Validate both inbound prompt content and outbound data returned to the model, especially when natural language can surface logs, asset inventory, or IAM state. Put rejection rules in place for unsafe instructions and overly broad data responses.
  • Limit AI access to internal-only MCP pilots first Start with internal servers while you test logging, rate limiting, and owner accountability. Move to broader exposure only after you can prove which data each connector can reach and how each request is audited.
  • Review tool permissions as runtime scope, not static enablement Reconfirm which tools the AI can call, which data sources those tools expose, and whether any action crosses from insight into change management. Use that review to prevent conversational access from becoming unbounded operational access.

Key takeaways

  • MCP turns AI access into a governed identity problem because tool use, data access, and response handling now happen in one runtime path.
  • The article’s security advice points to a broader control gap: authentication is necessary, but scope, trust, and audit boundaries decide whether the deployment is actually safe.
  • Practitioners should classify MCP servers, constrain token scope, and validate connector trust before treating conversational AI access as production-ready.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-03The article focuses on tool access and trust boundaries for MCP-connected AI systems.
NIST CSF 2.0PR.AC-4The post centers on access permissions and delegated use of AI-connected tools.
NIST Zero Trust (SP 800-207)MCP requires continuous trust decisions for tool and data access.
OWASP Agentic AI Top 10AI tool use and scope control are central concerns in the post.
NIST SP 800-53 Rev 5AC-6Least privilege is the core control principle behind secure MCP scoping.

Apply zero trust principles to every MCP connection and verify each request path before granting access.


Key terms

  • Model Context Protocol: A protocol that lets an AI system connect to external tools and data sources through structured context. In security terms, it shifts attention from a single application login to the governance of tool access, data exposure, and runtime actions across multiple connected systems.
  • MCP Server: A server that exposes tools, data, or actions to an AI client using Model Context Protocol. It is more than a connector because it can become part of the trust chain for identity, authorisation, and audit, especially when it can surface cloud, IAM, or security telemetry.
  • Tool Scoping: The practice of limiting which tools an AI system can call and under what conditions. For MCP-enabled workflows, tool scoping is a governance control that determines whether conversational access stays bounded or expands into broad operational authority.
  • Trusted Connector: An integration path that has been validated for provenance, permissions, and data handling before production use. With AI-driven access, a trusted connector is not assumed by authentication alone; it must be reviewed for downstream authority, sanitization, and auditability.

What's in the full article

JupiterOne's full post covers the operational detail this post intentionally leaves for the source:

  • Prompt examples for querying risky Lambda functions, misconfigurations, and asset exposure through MCP
  • Step-by-step dashboard creation workflows for tracking risks over time in the JupiterOne interface
  • Operational alert-routing examples for Slack, Teams, and severity-based notifications
  • Implementation notes on HTTPS, OAuth 2.1, sanitization, and internal-only MCP pilots

👉 The full JupiterOne post covers prompt patterns, dashboard setup, alert routing, and secure MCP implementation guidance.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM or NHI governance programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org