TL;DR: AI agents can use MCP to discover and call tools, but 1Password argues that raw credentials should stay out of non-deterministic model flows, because authentication needs deterministic, auditable boundaries rather than probabilistic inference. The practical issue is not whether agents are useful, but where secrets and least privilege stop being safely enforceable.
NHIMG editorial — based on content published by 1Password: AI agents and MCP boundaries for secure credentials
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams handle credentials in AI agent workflows?
A: Treat credentials as delivery-only secrets, not model inputs.
Q: Why do AI agents complicate least privilege decisions?
A: AI agents complicate least privilege because they can choose actions at runtime, which makes intent harder to predict at provisioning time.
Q: What breaks when secrets are passed through an LLM context?
A: Secret handling breaks because the secret may become copyable, cacheable, or redistributable across prompts and downstream tools.
Practitioner guidance
- Separate metadata access from credential access: allow AI agents to query low-risk SaaS metadata such as owners, application mappings, and licence metrics, but keep raw secrets and bearer credentials out of the same workflow.
- Inject secrets on behalf of the agent: use brokered delivery patterns where the platform supplies credentials at execution time without exposing them to the model context, then audit every use path.
- Require explicit approval for sensitive actions: add human approval gates for any workflow that can change access, retrieve protected data, or move from read-only discovery into operational state changes.
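The three guidance points above, and the Q&A point that a secret passed through an LLM context becomes copyable and cacheable, describe one broker-side architecture. The following is an added example written for this editorial, not 1Password's code and not their MCP Server: the agent names a tool and its arguments, the broker looks up the credential from a placeholder vault, attaches it to the upstream call, redacts any echo of it from the response before anything returns to the model context, gates state-changing tools behind an approval callback, and records an audit entry that references the credential only by hash. The tool names, vault entries, and the upstream API stand-in are all constructed for illustration.

```python
"""Brokered credential delivery for an AI agent tool call (added example)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed placeholder vault; the values are not real tokens. In production
# this lookup would go to a secrets manager, never into the model's context.
VAULT = {
    "saas-inventory-api": "placeholder-read-token-AAAA",
    "saas-admin-api": "placeholder-admin-token-BBBB",
}

# Hypothetical tool registry: which credential each tool needs and whether it
# changes state. Mutating tools must pass the approval gate.
TOOLS = {
    "list_app_owners": {"credential": "saas-inventory-api", "mutates": False},
    "revoke_user_access": {"credential": "saas-admin-api", "mutates": True},
}


def _upstream_request(tool: str, args: dict, bearer: str) -> dict:
    """Stand-in for the real SaaS API. It deliberately echoes the auth header
    in a debug field, as some APIs do, to show why response redaction matters."""
    if tool == "list_app_owners":
        body = {"app": args["app"], "owners": ["alice@example.com"]}
    else:
        body = {"revoked": args["user"], "app": args["app"]}
    body["debug"] = {"authorization": f"Bearer {bearer}"}
    return body


def fingerprint(secret: str) -> str:
    """Audit-safe reference to a credential: a short hash, never the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def redact(payload: dict, secrets: list) -> dict:
    """Replace every occurrence of a secret value in the serialised response so
    it cannot be copied into prompts, cached, or forwarded to other tools."""
    text = json.dumps(payload)
    for s in secrets:
        text = text.replace(s, "[REDACTED]")
    return json.loads(text)


@dataclass
class Broker:
    approve: Callable[[str, dict], bool]     # human approval gate for mutations
    audit_log: list = field(default_factory=list)

    def _audit(self, agent: str, tool: str, args: dict, outcome: str,
               cred: Optional[str] = None) -> None:
        self.audit_log.append({
            "agent": agent, "tool": tool, "args": args, "outcome": outcome,
            "credential": fingerprint(VAULT[cred]) if cred else None,
        })

    def call_tool(self, agent: str, tool: str, args: dict) -> dict:
        """Entry point the agent runtime calls; returns only what the model may see."""
        spec = TOOLS.get(tool)
        if spec is None:
            self._audit(agent, tool, args, "denied: unknown tool")
            return {"error": "unknown tool"}
        if spec["mutates"] and not self.approve(tool, args):
            self._audit(agent, tool, args, "denied: approval required")
            return {"error": "approval required"}
        secret = VAULT[spec["credential"]]
        # Injection happens here, on the broker side; the model never sees it.
        raw = _upstream_request(tool, args, bearer=secret)
        self._audit(agent, tool, args, "ok", spec["credential"])
        return redact(raw, [secret])


def leaked(obj, secrets=tuple(VAULT.values())) -> bool:
    """True if any vault value appears anywhere in obj once serialised."""
    text = json.dumps(obj)
    return any(s in text for s in secrets)


if __name__ == "__main__":
    broker = Broker(approve=lambda tool, args: False)   # no approver attached
    print(broker.call_tool("agent-1", "list_app_owners", {"app": "Slack"}))
    print(broker.call_tool("agent-1", "revoke_user_access",
                           {"app": "Slack", "user": "bob"}))
    print(json.dumps(broker.audit_log, indent=2))
```

The read-only discovery call succeeds with the token scrubbed from the echoed header, the revoke call is refused until an approver returns true, and the audit log carries tool, arguments, outcome and a credential fingerprint, so every use path is reconstructable without the log itself becoming a second copy of the secret.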
What's in the full article
1Password's full post covers the operational detail this post intentionally leaves for the source:
- How 1Password separates low-risk metadata access from secret handling in MCP-enabled workflows
- The specific trust boundaries it sets for agentic access, including when credentials are injected versus disclosed
- Why it rejects raw credential exposure through public APIs and model context, with implementation rationale
- How its MCP Server for 1Password SaaS Manager is positioned for read-only organisational discovery
Read 1Password's analysis of MCP boundaries for AI agent credentials.