TL;DR: MCP expands agent-to-tool connectivity across local and remote servers, but it also creates new trust boundaries around prompt injection, impersonation, token leakage, and unauthorized access, according to Riptides. The real issue is not tool access alone but whether identity, policy, and secret handling still hold when agents discover and invoke servers at runtime.
NHIMG editorial — based on content published by Riptides: Securing MCP Communication with Riptides
Questions worth separating out
Q: How should security teams govern agent-to-MCP communication?
A: Security teams should treat agent-to-MCP communication as a governed identity path, not just an application integration.
Q: Why do local MCP servers create secret exposure risk?
A: Local MCP servers often receive API keys or tokens through environment variables, which makes secrets visible to the process and potentially to logs, memory, and inspection tools.
Q: When should organisations require mTLS for MCP traffic?
A: Organisations should require mTLS whenever an MCP server is remote, externally managed, or able to reach third-party services on behalf of an agent.
Practitioner guidance
- Separate agent identity from server access policy: define explicit allowlists for which MCP servers each agent may contact, then bind those decisions to workload identities rather than hostnames or environment-wide trust.
- Remove reusable secrets from MCP server environments: replace environment-variable injection with runtime secret delivery so API keys and tokens are never visible to the server process or its inspection surface.
- Require mutual TLS for remote MCP connections: make server authentication mandatory before any tool call, and reject endpoints that cannot present a trusted workload identity and certificate chain.
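The first and third points above, as an added example (not Riptides' or NHIMG's code): an allowlist that binds each agent to the SPIFFE workload identities of the MCP servers it may call, evaluated against the server's mTLS peer certificate rather than its hostname. It assumes the TLS layer has already validated the chain against the trust bundle, and the trust domain, agent and server SPIFFE IDs are constructed placeholders.

```python
"""Allowlist check for outbound MCP tool calls, keyed on workload identity.
Peer certificates are passed in the dict shape ssl.SSLSocket.getpeercert()
returns, so this sits after a completed mTLS handshake."""
from dataclasses import dataclass
from typing import Optional

TRUST_DOMAIN = "spiffe://example.org"  # constructed trust domain

# Constructed policy: agent identity -> MCP server SPIFFE IDs it may contact.
POLICY = {
    f"{TRUST_DOMAIN}/agent/billing-assistant": {
        f"{TRUST_DOMAIN}/mcp/invoices",
        f"{TRUST_DOMAIN}/mcp/crm-readonly",
    },
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    agent: str
    server_id: Optional[str]  # identity actually presented, kept for the audit trail

def spiffe_id_from_peercert(peercert: Optional[dict]) -> Optional[str]:
    """Return the single spiffe:// URI SAN, or None if the cert carries zero or
    several SPIFFE IDs. DNS/IP SANs are deliberately ignored: they are not identity."""
    if not peercert:
        return None
    uris = [v for t, v in peercert.get("subjectAltName", ())
            if t == "URI" and v.startswith("spiffe://")]
    return uris[0] if len(uris) == 1 else None

def authorize_tool_call(agent: str, peercert: Optional[dict]) -> Decision:
    """Gate one outbound MCP tool call on the server's attested workload identity."""
    server_id = spiffe_id_from_peercert(peercert)
    if server_id is None:
        return Decision(False, "server presented no SPIFFE workload identity", agent, None)
    if not server_id.startswith(TRUST_DOMAIN + "/"):
        return Decision(False, "server identity outside trust domain", agent, server_id)
    if server_id not in POLICY.get(agent, set()):
        return Decision(False, "server not on this agent's allowlist", agent, server_id)
    return Decision(True, "allowlisted workload identity verified", agent, server_id)

if __name__ == "__main__":
    agent = f"{TRUST_DOMAIN}/agent/billing-assistant"
    # Constructed peer certs: one with a SPIFFE ID, one with only a DNS name, one missing.
    good = {"subjectAltName": (("URI", f"{TRUST_DOMAIN}/mcp/invoices"),)}
    dns_only = {"subjectAltName": (("DNS", "mcp.invoices.internal"),)}
    for cert in (good, dns_only, None):
        print(authorize_tool_call(agent, cert))
```

Each Decision carries the agent identity and the presented server identity together, which is the pairing an audit record of outbound MCP requests needs.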
What's in the full article
Riptides' full post covers the operational detail this post intentionally leaves for the source:
- Kernel-level request interception flow for outbound MCP traffic and how policy is enforced in practice
- The local-server secret injection pattern and how it avoids exposing credentials through environment variables
- SPIFFE-based identity handling for remote workloads and how mTLS is validated before tool calls
- Auditing and traceability details for mapping agent identity to each outbound request
👉 Read Riptides' analysis of securing MCP communication with workload identity →
MCP communication security: where identity controls break down?