
MCP authorization drift: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: MCP (Model Context Protocol) systems let agents chain tool calls across billing, CRM, and support workflows, but according to Pomerium the real failure mode is authorization drift, not authentication bypass. Session-based trust and coarse network controls break down when one delegated request expands into several tool calls, some of which perform actions the user never intended.

NHIMG editorial — based on content published by Pomerium: MCP Security: Why MCP Is an Authorization Crisis

Questions worth separating out

Q: How should security teams govern AI agents that use MCP tools?

A: Treat the agent as a delegated identity with bounded authority, not as a passive integration.

Q: Why do session-based controls fail for MCP workloads?

A: Session-based controls assume the trust decision made at login remains valid for everything that happens during the session. An agent that authenticated once keeps that trust while its later tool calls drift beyond the scope of the original request, and nothing re-evaluates them.

Q: What do organisations get wrong about MCP security?

A: They often focus on network isolation or prompt filtering and miss the real issue: an authorised workload can still perform an unintended action.

Practitioner guidance

  • Map delegated agent identities to the originating user: preserve the initiating principal across tool calls so billing, CRM, and support actions retain user context instead of collapsing into a generic service account.
  • Move authorization decisions to each tool invocation: re-check policy when the agent calls a billing API, exports data, or updates a record, rather than relying on the trust granted when the session began.
  • Enforce policy at Layer 7 with semantic context: inspect method, path, parameters, and originating principal before allowing the action, because network-level allow rules cannot distinguish a legitimate summary from a broad refund export.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • The full explanation of how layered delegation changes the authorisation path for each tool invocation.
  • The article's step-by-step comparison of session trust versus request-time enforcement in MCP environments.
  • The architectural discussion of identity continuity, semantic policy checks, and Layer 7 control placement.
  • The source's concrete examples of how prompt injection becomes dangerous only when authority is already overbroad.

👉 Read Pomerium's analysis of why MCP security is an authorization crisis →
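The three practitioner guidance points above (preserve the originating principal, decide per tool invocation, inspect Layer 7 context) put side by side with the session-based model they replace, as an added example that is not code from Pomerium's article or from the original post. The policy table, tool names, API paths, parameter caps and the refund-summary chain are all constructed for illustration; a real deployment would pull the principal from the delegation token and the rules from its policy engine.

```python
"""Session trust vs request-time authorization for a chain of MCP tool calls.

Added example (not from the source article). Every name, path and rule here is
constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ToolCall:
    """One MCP tool invocation, mapped onto the HTTP API that backs the tool."""
    tool: str
    principal: Optional[str]   # originating user; None means it collapsed into a service account
    agent: str                 # delegated agent identity acting for the principal
    method: str
    path: str
    params: Dict[str, Any] = field(default_factory=dict)


# Hypothetical per-user rules: method, path glob, and caps on parameters the user may pass.
POLICY: Dict[str, List[Dict[str, Any]]] = {
    "alice@example.com": [
        {"method": "GET",  "path": "/crm/accounts/*",             "params": {}},
        {"method": "GET",  "path": "/billing/refunds",            "params": {"limit": 25}},
        {"method": "POST", "path": "/support/tickets/*/replies",  "params": {}},
    ],
}

# Parameters that turn a scoped read into a bulk export; never granted to a delegated agent here.
BULK_PARAMS = {"export"}


def session_allows(session: Dict[str, Any]) -> bool:
    """Login-time trust: only the session itself is checked.
    Every later tool call in the chain inherits this single decision."""
    return session.get("authenticated") is True and "agent" in session.get("roles", ())


def request_allows(call: ToolCall) -> Tuple[bool, str]:
    """Request-time, Layer 7 check: method, path, parameters and originating principal."""
    if call.principal is None:
        return False, "no originating principal (agent collapsed into a service account)"
    for rule in POLICY.get(call.principal, []):
        if rule["method"] != call.method or not fnmatchcase(call.path, rule["path"]):
            continue
        for name, value in call.params.items():
            if name in BULK_PARAMS:
                return False, f"parameter '{name}' turns a scoped read into a bulk export"
            cap = rule["params"].get(name)
            if cap is not None and int(value) > cap:
                return False, f"{name}={value} exceeds cap {cap} for {call.principal}"
        return True, f"{call.method} {call.path} permitted for {call.principal}"
    return False, f"{call.method} {call.path} not in policy for {call.principal}"


def enforce_chain(session: Dict[str, Any], calls: List[ToolCall]) -> List[Dict[str, Any]]:
    """Evaluate one delegated request that expanded into several tool calls under both models."""
    session_ok = session_allows(session)
    results = []
    for call in calls:
        ok, reason = request_allows(call)
        results.append({"tool": call.tool, "session": session_ok, "request": ok, "reason": reason})
    return results


# Constructed scenario: Alice asks the agent for a refund summary for account 42.
# The agent's tool calls drift from that intent; the last one also lost the principal.
SESSION = {"authenticated": True, "roles": ["agent"], "subject": "crm-agent"}
CHAIN = [
    ToolCall("crm.get_account",      "alice@example.com", "crm-agent", "GET",  "/crm/accounts/42"),
    ToolCall("billing.list_refunds", "alice@example.com", "crm-agent", "GET",  "/billing/refunds",
             {"account": "42", "limit": "10"}),
    ToolCall("billing.list_refunds", "alice@example.com", "crm-agent", "GET",  "/billing/refunds",
             {"export": "csv"}),                          # broad refund export
    ToolCall("billing.issue_refund", "alice@example.com", "crm-agent", "POST", "/billing/refunds",
             {"account": "42", "amount": "500"}),         # write the user never asked for
    ToolCall("support.reply",        None,                "crm-agent", "POST", "/support/tickets/77/replies",
             {"body": "Refund processed."}),              # principal dropped on the way
]

if __name__ == "__main__":
    for r in enforce_chain(SESSION, CHAIN):
        print(f"{r['tool']:22} session={r['session']!s:5} request={r['request']!s:5} {r['reason']}")
```

Run as-is, the session model says "allowed" five times because the one decision it makes is about the login; the request-time model lets the two calls that match Alice's intent through and refuses the bulk export, the refund write, and the call whose originating principal was lost. The point of the side-by-side is that all three refusals depend on information (parameters, method, principal) that only exists at Layer 7 and only at the moment of the call.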
