MCP and AI agent identities: what IAM teams need to know


(@entro)
Reputable Member
Joined: 1 year ago
Posts: 126
Topic starter  

TL;DR: MCP gives AI agents a standard way to connect to GitHub, Slack, Postgres, and other systems, but each connection still depends on secrets, scoped tokens, and service accounts that become non-human identities, according to Entro Security. The identity problem is no longer connector sprawl alone; it is ownership, lifecycle, and blast-radius control across agent-driven access paths.

NHIMG editorial — based on content published by Entro Security: MCP: A "USB-C" for AI Is Here: Who's Managing the Identities Behind It?

By the numbers:

Questions worth separating out

Q: How should security teams govern AI agents that connect through MCP?

A: Security teams should govern MCP-connected AI agents as non-human identities with owners, scopes, and lifecycle controls.

Q: Why does MCP increase identity risk even when the protocol is secure?

A: MCP can be secure at the transport and protocol layer while still leaving the identity layer exposed.

Q: What do teams get wrong about AI agent access in MCP environments?

A: Teams often focus on the agent interface and ignore the identity objects that actually authorize actions.

Practitioner guidance

  • Inventory every MCP-connected identity: Map each AI client, tool server, token, API key, and service account to a named owner and business purpose before broad rollout.
  • Enforce scoped, short-lived credentials: Require OAuth scopes or equivalent least-privilege controls for each tool connection, and remove any hardcoded credentials from configuration files.
  • Tie agent access to lifecycle controls: Include MCP-linked identities in joiner, mover, leaver, recertification, and offboarding processes so access can be revoked when the workflow changes.

What's in the full article

Entro Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • How MCP client-server authentication works in practice, including the roles of OAuth tokens and service accounts.
  • Examples of the AI tools and data sources MCP can connect to, such as GitHub, Slack, Postgres, and internal file systems.
  • Why developers still hardcode API keys in AI assistant workflows, despite protocol support for scoped access.
  • The article's own framing of ownership, blast radius, and identity visibility across agent-driven access paths.

👉 Read Entro Security's analysis of MCP and the identities behind AI agent access →


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5870
 

MCP is an identity multiplication layer, not just an integration protocol. Standardised tool connectivity lowers engineering friction, but it also makes it easier to create many more machine access paths than most IAM programmes can currently inventory. The governance burden shifts from building each integration manually to proving who owns each agent, what it can reach, and when it should lose access. Practitioners should treat MCP adoption as an NHI growth event, not a developer convenience.

A few things that frame the scale:

  • 53% of MCP servers expose credentials through hard-coded values in configuration files, according to The State of MCP Server Security 2025.
  • Another finding from that research shows only 18% of MCP server deployments implement any form of access scoping for tool permissions.

A question worth separating out:

Q: How do you know if MCP-connected identities are under control?

A: You know they are under control when each agent has a named owner, every credential is scoped and short-lived, and offboarding removes access without manual exception handling. Strong programmes can also show which systems each agent touched and whether those entitlements were reviewed on schedule. If any of that is missing, governance is incomplete.

👉 Read our full editorial: MCP is driving an identity explosion behind AI agent access

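One way to turn two points from this thread into a repeatable check: the opening post's guidance to inventory every MCP-connected identity with a named owner and strip hardcoded credentials from configuration files, and the hard-coded-value finding quoted in the reply above. This is an added example, not code from Entro Security or NHIMG; it assumes the common MCP client config layout of an `mcpServers` object whose entries carry `command`, `args` and `env`, and the config, owner registry, server names and secret values are all constructed samples.

```python
import json
import re

# Constructed sample config in the common MCP client layout (an assumption, not from the page).
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "github":   {"command": "github-mcp", "args": [],
                 "env": {"GITHUB_TOKEN": "ghp_EXAMPLE_constructed_value_0000000000"}},
    "postgres": {"command": "postgres-mcp",
                 "args": ["postgresql://svc_agent:NotARealPassword@db.internal:5432/app"]},
    "slack":    {"command": "slack-mcp", "args": [],
                 "env": {"SLACK_BOT_TOKEN": "${SLACK_BOT_TOKEN}"}}
  }
}
"""

# Constructed owner registry: "slack" is deliberately absent to model an unowned identity.
OWNER_REGISTRY = {
    "github": {"owner": "platform-team", "purpose": "PR triage agent"},
    "postgres": {"owner": "data-eng", "purpose": "reporting agent"},
}

SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY", re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")   # ${VAR} / $VAR: resolved at runtime, not stored
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/:@\s]+:[^@\s]+@")  # scheme://user:password@host


def audit_mcp_config(config_text: str, owners: dict) -> list:
    """Return one finding per problem: a hardcoded env secret, a credential embedded in a
    connection-string argument, or a server with no named owner in the registry."""
    findings = []
    for name, spec in json.loads(config_text).get("mcpServers", {}).items():
        for key, value in spec.get("env", {}).items():
            # Secret-looking key whose value is a literal rather than an environment reference
            if SECRET_KEY_RE.search(key) and isinstance(value, str) and not PLACEHOLDER_RE.match(value):
                findings.append({"server": name, "issue": "hardcoded_env_secret", "detail": key})
        for arg in spec.get("args", []):
            # Connection strings passed as arguments often carry the password inline
            if isinstance(arg, str) and URL_CRED_RE.match(arg):
                findings.append({"server": name, "issue": "credential_in_connection_string",
                                 "detail": arg.split("://", 1)[0]})
        if not owners.get(name, {}).get("owner"):
            findings.append({"server": name, "issue": "no_named_owner", "detail": name})
    return findings


if __name__ == "__main__":
    for f in audit_mcp_config(SAMPLE_CONFIG, OWNER_REGISTRY):
        print(f"{f['server']:10} {f['issue']:32} {f['detail']}")
```

Each finding maps to one of the three guidance items: an unowned server fails the inventory step, a literal secret or inline connection-string password fails the scoped-credential step, and the owner registry is the hook for recertification and offboarding.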