MCP abuse and zero-click exfiltration: what IAM teams need to know

TL;DR: June’s roundup of MCP, model, and client risks highlights misconfigured servers, cross-tenant data exposure, prompt injection, and zero-click exfiltration across agentic systems, according to Pomerium and the cited sources. Access control assumptions are now failing at runtime, where agents can chain tools, leak data, and widen blast radius faster than traditional IAM review cycles.

NHIMG editorial — based on content published by Pomerium: Top 10 Articles in Agentic Access - MCP, Models, and Clients (June 2025)

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
• 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
• 7,000 misconfigured MCP servers are live on the public web, with many wide open to remote code execution.

Questions worth separating out

Q: How should security teams govern AI agents that can call tools and APIs?

A: Treat each agent as a governed identity with explicit scope, logging, and approval boundaries.

Q: Why do MCP servers increase the risk of agentic access abuse?

A: MCP servers connect agents to real systems, so a weakly controlled server becomes a privilege bridge rather than a simple integration layer.

Q: What do security teams get wrong about prompt injection in agentic systems?

A: They often treat prompt injection as a text problem instead of an execution problem.

Practitioner guidance

• Inventory every agent-to-tool path Map each MCP server, model client, and downstream API that an agent can reach.
• Move policy checks to runtime Require authorisation at the moment of access for every high-risk tool call.
• Separate untrusted content from action prompts Isolate retrieved text, user input, and external content from any prompt that can trigger a tool call.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

• The source article names each June story and gives the original publication context for the MCP and agentic access developments.
• It provides the vendor's selection criteria for why these stories matter to practitioners tracking agentic access risk.
• It includes the surrounding commentary on why Pomerium sees access control as the defining challenge of the agentic era.
• It links readers to the underlying articles that describe the vulnerabilities, leaks, and zero-click behaviours in more detail.

👉 Read Pomerium's roundup of June 2025 agentic access risks →

MCP abuse and zero-click exfiltration: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →