TL;DR: MCP can only enforce policy, intent, and audit when agents actually route through it, but direct API calls, headless browser automation, and shadow connectors can bypass those controls and leave security teams blind, according to Strata Identity. The real issue is not the protocol itself but the assumption that agents will stay inside it, which breaks once identity is optional.
NHIMG editorial — based on content published by Strata Identity: MCP bypass risks and AI agent identity controls
Questions worth separating out
Q: How should security teams stop AI agents from bypassing MCP controls?
A: Security teams should make the governed mediation layer the only working path to APIs and web applications.
Q: Why do AI agents complicate identity governance more than traditional automation?
A: AI agents complicate identity governance because they can choose actions and paths at runtime, including bypass routes that human-designed workflows may never anticipate.
Q: What breaks when agents use headless browsers instead of APIs?
A: When agents use headless browsers, API controls no longer protect the interaction, and session-level abuse becomes harder to detect.
Practitioner guidance
- Force every agent request through a single governed path: make MCP or an equivalent identity bridge the only approved route to APIs and web applications.
- Bind agent credentials to the mediated session: issue short-lived scoped tokens that are cryptographically tied to the MCP bridge session, and reject them when used outside the approved flow.
- Instrument web sessions with non-human provenance: require strong authentication for all browser sessions, then tag non-human sessions so bot detection can distinguish legitimate automation from unauthorized UI interaction.
What's in the full article
Strata Identity's full article covers the implementation detail this post intentionally leaves at the architectural level:
- The exact identity orchestration pattern used to force agent traffic through MCP rather than direct APIs or browser actions
- The session-binding approach for scoped tokens, including how mTLS or DPoP validation ties access to the mediated flow
- The web-session hardening approach for distinguishing legitimate automation from unauthorized headless browser activity
- The CAEP-based revocation pattern for cutting off suspicious agent activity before a task completes
Read Strata Identity's analysis of MCP bypass and AI agent identity controls.
MCP bypass and AI agent governance: are your controls keeping up?
Explore further
MCP bypass creates identity blind spots, not just technical exceptions. The important failure is that policy and audit only exist where the control plane actually sits on the request path. Once external agents can choose direct APIs or browser workflows, the organisation is no longer governing agent identity, only hoping the preferred path is used. Practitioners need to treat bypass as a structural governance problem, not an implementation annoyance.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- A separate 92% of respondents say governing AI agents is critical to enterprise security, while only 44% have implemented any policies to do so, according to the same SailPoint research.
A question worth separating out:
Q: How do organisations know whether MCP enforcement is actually working?
A: The clearest sign is that every meaningful agent action produces a consistent attestation trail and can be blocked when the session lacks provenance. If requests still succeed through direct APIs, side connectors, or browser clicks without governance metadata, enforcement is incomplete and the control plane is not authoritative.
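As an added illustration of the session-binding guidance above and of the "does enforcement actually hold" question just answered (example code, not from Strata Identity's article or this editorial): a toy issuer/verifier pair in which the bridge mints short-lived scoped tokens whose cnf claim names the MCP session, and the gateway refuses any token presented without a session or from a different one. The shared HMAC key, claim layout, session identifiers and scope strings are constructed assumptions; a production deployment would bind the token with mTLS or DPoP as the article describes rather than a shared secret.

```python
import base64, hashlib, hmac, json

# Demo key shared by the MCP bridge (issuer) and the API gateway (verifier); constructed for this example.
BRIDGE_KEY = b"constructed-demo-key-rotate-in-production"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(subject, scope, session_id, now, ttl=300):
    """Bridge side: short-lived, scoped token whose cnf claim is bound to the mediated session."""
    claims = {"sub": subject, "scope": scope, "exp": now + ttl, "cnf": {"mcp_session": session_id}}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(BRIDGE_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_request(token, required_scope, presented_session, now):
    """Gateway side: every check that must pass before an agent action is let through."""
    parts = token.split(".")
    if len(parts) != 2:
        return False, "malformed"
    body, sig = parts
    expected = _b64(hmac.new(BRIDGE_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"
    if required_scope not in claims["scope"].split():
        return False, "insufficient_scope"
    # Provenance: no bridge session on the request means a direct API call or browser-driven bypass.
    if presented_session is None:
        return False, "no_provenance"
    # Binding: a valid token replayed from another session is rejected; this is what cnf is for.
    if not hmac.compare_digest(claims["cnf"]["mcp_session"], presented_session):
        return False, "session_mismatch"
    return True, "ok"

def enforcement_report(now):
    """Constructed scenarios: the governed path succeeds, each bypass route is denied with a reason."""
    tok = mint_token("agent-42", "tickets:read tickets:write", "sess-A", now)
    return {
        "via_bridge": verify_request(tok, "tickets:write", "sess-A", now)[1],
        "direct_api_no_session": verify_request(tok, "tickets:write", None, now)[1],
        "replayed_in_other_session": verify_request(tok, "tickets:write", "sess-B", now)[1],
        "out_of_scope": verify_request(tok, "tickets:delete", "sess-A", now)[1],
        "after_expiry": verify_request(tok, "tickets:write", "sess-A", now + 600)[1],
    }
```

Any "ok" outcome for a request that carries no session provenance would be the audit signal that the control plane is not authoritative.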
Read our full editorial: MCP bypass risks are exposing AI agent identity controls.