
MCP enterprise readiness gaps: what IAM teams need to plan for


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: MCP's 2026 roadmap says enterprise deployments are being blocked by missing audit trails, static-secret auth, undefined gateway behavior, and poor configuration portability, according to WorkOS. The real issue is not protocol maturity alone but whether existing identity and observability controls can be made to work at MCP scale.

NHIMG editorial — based on content published by WorkOS: MCP's 2026 roadmap makes enterprise readiness a top priority

By the numbers:

Questions worth separating out

Q: How should security teams govern MCP access in enterprise environments?

A: Treat MCP access like any other identity-controlled production surface.

Q: Why do static secrets create problems for MCP deployments?

A: Static secrets break lifecycle governance because they are hard to review, rotate, and revoke at the same cadence as enterprise access.

Q: What breaks when MCP runs behind gateways without defined auth propagation?

A: The downstream service can no longer reliably tell what the original client was allowed to do, which makes authorisation decisions inconsistent.

Practitioner guidance

  • Replace static MCP credentials with federated access flows: move MCP authentication into the same identity provider and approval path used for enterprise applications.
  • Define an MCP logging schema before production rollout: capture request identity, tool invoked, authorisation context, and execution outcome in a consistent format that can feed SIEM and compliance workflows.
  • Set gateway policy for claim propagation and inspection: document how authorisation claims move across proxies, what session state survives intermediary hops, and whether gateways may inspect or alter tool arguments.

What's in the full article

WorkOS' full post covers the operational detail this analysis intentionally leaves for the source:

  • A practical breakdown of enterprise-managed auth patterns for MCP, including SSO-integrated flows and scoped token handling.
  • Implementation context for gateway and proxy behaviour, including how intermediary layers affect authorisation and session state.
  • Configuration portability considerations for multi-client deployments, including how enterprise teams can avoid rebuilding access controls for each client.
  • Directional guidance on where the roadmap's auth and validation work may land next, including the implications of DPoP and workload identity federation.

👉 Read WorkOS' analysis of MCP enterprise readiness gaps and auth patterns →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 924
 

Enterprise readiness is now an identity governance problem, not just a protocol roadmap item. The roadmap shows that MCP deployments are hitting the same failures enterprises see whenever a new control plane arrives before governance catches up. Auditability, access scoping, and credential lifecycle are not optional extras once tools can be invoked in production. The implication is that MCP must be treated like any other identity-bearing execution surface, not a developer convenience layer.

A few things that frame the scale:

  • 53% of MCP servers expose credentials through hard-coded values in configuration files, according to The State of MCP Server Security 2025.
  • 24,008 unique secrets were exposed in MCP configuration files in 2025 alone, according to Astrix Security.

A question worth separating out:

Q: Who is accountable when MCP access cannot be audited across clients and proxies?

A: Accountability sits with the organisation operating the MCP environment, because the protocol gap does not remove governance responsibility. Teams need a defined control owner for auth, logging, and gateway behaviour. Without that, incidents become reconstruction problems instead of response problems.

👉 Read our full editorial: MCP's 2026 roadmap shows enterprise readiness gaps still block scale
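A small check for the static-secret pattern both posts describe (hard-coded credentials sitting in MCP client configuration instead of a federated or vault-backed reference), added here as an example; it is not code from WorkOS, NHIMG or any MCP project. It assumes the `mcpServers` / `command` / `args` / `env` layout used by common MCP host config files and runs over a constructed sample config.

```python
import json
import re

# Constructed sample config in the mcpServers layout (assumed, not from the article).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-github"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_0123456789abcdef0123456789abcdef0123"},
        },
        "postgres": {
            "command": "uvx",
            "args": ["mcp-server-postgres", "postgresql://app:hunter2@db.internal/app"],
        },
        "jira": {
            "command": "jira-mcp",
            "env": {"JIRA_TOKEN": "${JIRA_TOKEN}"},  # indirection to an external secret: acceptable
        },
    }
})

# Env keys whose values are expected to be credentials.
SENSITIVE_KEY = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|CREDENTIAL)", re.I)
# Values that only point at a secret held elsewhere (env placeholder, 1Password, Vault).
REFERENCE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$|^op://|^vault:")
# Literal credentials: a password in URL userinfo, or a well-known token prefix.
URL_PASSWORD = re.compile(r"://[^/\s:@]+:([^@\s/]+)@")
TOKEN_PREFIX = re.compile(r"\b(ghp_|gho_|sk-|xox[bp]-|AKIA)[A-Za-z0-9_\-]{8,}")

def find_static_secrets(config_text):
    """Return (server, location, reason) for every hard-coded credential found."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        for key, value in spec.get("env", {}).items():
            # A sensitive key is only a finding when the value is a literal, not a reference.
            if SENSITIVE_KEY.search(key) and not REFERENCE.match(str(value)):
                findings.append((name, f"env.{key}", "hard-coded credential"))
        for i, arg in enumerate(spec.get("args", [])):
            if URL_PASSWORD.search(arg):
                findings.append((name, f"args[{i}]", "password embedded in connection URL"))
            elif TOKEN_PREFIX.search(arg):
                findings.append((name, f"args[{i}]", "token literal in argument"))
    return findings

if __name__ == "__main__":
    for server, where, reason in find_static_secrets(SAMPLE_CONFIG):
        print(f"{server}: {where}: {reason}")
```

Running it flags the GitHub token and the Postgres URL password but not the Jira entry, whose value is a reference the host resolves at launch; the same walk can be pointed at each client's real config file before rollout.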
