TL;DR: MCP 2025-11-25 adds first-class Tasks for async work, simplifies OAuth with CIMD, and introduces enterprise-managed access through Cross App Access, while also formalising extensions, M2M OAuth, URL-mode elicitation, and sampling with tools, according to WorkOS. The release turns MCP from a protocol for demos into a governable substrate for agents, tooling, and enterprise identity control.
NHIMG editorial — based on content published by WorkOS: MCP 2025-11-25 adds async Tasks, better OAuth, extensions, and a smoother agentic future
By the numbers:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams govern MCP access in enterprise environments?
A: Security teams should govern MCP access the same way they govern any other high-value identity path: define the owning identity, constrain the scopes, centralise approval where possible, and log every tool action.
Q: Why do async MCP tasks change the risk model for IAM teams?
A: Async tasks change the risk model because the work continues after the original request finishes, so the owning identity, scope limits, and logging applied at request time have to stay attached to the task until it completes or is cancelled.
Q: What do organisations get wrong about delegated OAuth access in MCP?
A: Organisations often assume delegated OAuth access is automatically visible and revocable because the human user approved it.
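The two answers above share one mechanism: a long-running task must keep carrying the identity and scopes it was started with, and must be re-checked against that grant at every continuation, with each step logged. The following Python is an added illustration of that governance pattern, not code from the WorkOS article and not the MCP Tasks API itself; the `Grant`, `Task`, and `TaskLedger` names, the scope strings, and the `alice@example.com` scenario are all constructed for the example.

```python
"""Governed async-task ledger (illustrative; not MCP SDK code).

Every task inherits a Grant (owning identity, scopes, expiry). Before each
continuation the ledger re-checks that grant, so revoking the grant stops the
task mid-flight instead of letting it finish on stale authority, and every
decision lands in an audit trail keyed by task and principal.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid


@dataclass
class Grant:
    """Delegated grant a task inherits: who owns it, what it may do, how long."""
    principal: str                 # owning identity, e.g. the user who approved the client
    scopes: frozenset[str]
    expires_at: datetime
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


@dataclass
class Task:
    task_id: str
    grant: Grant
    tool: str
    status: str = "working"        # working | completed | cancelled


class TaskLedger:
    """Tracks long-running tasks and re-authorizes each step against its grant."""

    def __init__(self, clock=None):
        self.tasks: dict[str, Task] = {}
        self.audit: list[dict] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, task_id: str, event: str, **fields) -> dict:
        entry = {"ts": self._clock().isoformat(), "task_id": task_id, "event": event, **fields}
        self.audit.append(entry)
        return entry

    def create(self, grant: Grant, tool: str, scope: str) -> Task:
        """Start a task only if the owning grant is live and covers the tool's scope."""
        if not grant.is_active(self._clock()) or scope not in grant.scopes:
            self._log("-", "task_rejected", principal=grant.principal, tool=tool, scope=scope)
            raise PermissionError(f"{grant.principal} may not start {tool} with scope {scope}")
        task = Task(task_id=uuid.uuid4().hex, grant=grant, tool=tool)
        self.tasks[task.task_id] = task
        self._log(task.task_id, "task_created", principal=grant.principal, tool=tool, scope=scope)
        return task

    def step(self, task_id: str, action: str, scope: str) -> bool:
        """Re-authorize a continuation; a revoked or expired grant cancels the task."""
        task = self.tasks[task_id]
        if task.status != "working":
            self._log(task_id, "step_denied", reason=f"task is {task.status}", action=action)
            return False
        if not task.grant.is_active(self._clock()):
            task.status = "cancelled"
            self._log(task_id, "task_cancelled", reason="grant revoked or expired", action=action)
            return False
        if scope not in task.grant.scopes:
            self._log(task_id, "step_denied", reason="scope not granted", action=action, scope=scope)
            return False
        self._log(task_id, "step_executed", principal=task.grant.principal, action=action, scope=scope)
        return True

    def complete(self, task_id: str) -> None:
        self.tasks[task_id].status = "completed"
        self._log(task_id, "task_completed")

    def events_for_principal(self, principal: str) -> list[dict]:
        """Answer 'what did this identity's tasks do?' from the audit trail."""
        ids = {t.task_id for t in self.tasks.values() if t.grant.principal == principal}
        return [e for e in self.audit if e["task_id"] in ids]


def demo() -> dict:
    """Constructed scenario: a read-only grant runs a task that is revoked mid-flight."""
    t0 = datetime(2025, 11, 25, tzinfo=timezone.utc)      # fixed clock for reproducibility
    ledger = TaskLedger(clock=lambda: t0)
    grant = Grant("alice@example.com", frozenset({"crm:read"}), t0 + timedelta(hours=1))
    task = ledger.create(grant, tool="crm_export", scope="crm:read")
    first = ledger.step(task.task_id, "list_accounts", "crm:read")        # allowed
    overreach = ledger.step(task.task_id, "update_account", "crm:write")  # denied: out of scope
    grant.revoked = True                                                  # admin revokes the grant
    after_revoke = ledger.step(task.task_id, "list_contacts", "crm:read") # denied: task cancelled
    return {"first": first, "overreach": overreach, "after_revoke": after_revoke,
            "status": task.status, "events": len(ledger.events_for_principal(grant.principal))}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the ledger never caches an "authorized" bit on the task: it holds a reference to the grant and asks it again at each step, which is what makes revocation effective after the original request has returned.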
Practitioner guidance
- Inventory MCP-connected identities and execution paths: map every MCP client, server, and downstream tool to its owning identity, transport, and approval model.
- Treat client metadata as a governed trust object: validate the stability of client_id URLs, redirect URIs, and signing keys before allowing enterprise use.
- Route delegated MCP access through central policy: prefer IdP-mediated controls for enterprise access rather than letting app-to-app OAuth drift into shadow approvals.
What's in the full article
WorkOS's full analysis covers the operational detail this post intentionally leaves for the source:
- Implementation nuance for Tasks, including client polling, task-state handling, and how servers should expose resumable execution.
- OAuth metadata and consent behaviour for CIMD, including what an enterprise actually needs to validate before rollout.
- Cross App Access flow detail for centralised policy enforcement across MCP clients and downstream servers.
- Practical guidance for builders deciding when to use client credentials, URL-mode elicitation, or standard delegated user auth.
👉 Read WorkOS's analysis of the MCP 2025-11-25 spec revision →
MCP 2025-11-25: are your agent controls ready for year two?