TL;DR: AI agents using the Model Context Protocol (MCP) can now invoke tools, APIs, and transactions, but Cerbos's article shows that coarse tokens, static rules, and implicit trust leave them exposed to prompt injection, over-broad access, and confused-deputy failures. The governance problem is no longer whether agents can act, but whether their delegated permissions stay bounded, auditable, and policy-driven.
NHIMG editorial — based on content published by Cerbos: MCP permissions for AI agent tool access and dynamic authorization
By the numbers:
- 53% of MCP servers expose credentials through hard-coded values in configuration files.
- Only 18% of MCP server deployments implement any form of access scoping for tool permissions.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should security teams implement least privilege for MCP-based AI agents?
A: Start by assigning permissions to individual tools and actions, not to the entire agent session.
Q: Why do MCP-based agents create new access control risks for IAM teams?
A: Because they turn a model from a text generator into a delegated actor that can reach real systems.
Q: What do security teams get wrong about authorization for AI agents?
A: They often assume the initial login or API key is enough.
Practitioner guidance
- Define a per-tool permission model: break MCP capabilities into separate read, write, and administrative actions so no agent receives a bundled entitlement that hides higher-risk functions.
- Replace static access logic with central policy: move authorization out of code branches and into a policy engine that can evaluate user identity, resource attributes, and context at request time.
- Use short-lived delegated credentials: issue scoped credentials that expire quickly and map them to the user’s actual rights so the agent cannot continue acting after the task boundary ends.
What's in the full article
Cerbos's full article covers the operational detail this post intentionally leaves for the source:
- A deeper walkthrough of MCP client, server, host application, and tool flow for implementation teams
- Concrete examples of dynamic authorization logic for read, write, and admin tools
- Policy design patterns for delegated access, denial logging, and per-request control decisions
- Practical guidance on integrating OAuth 2.1 and scoped tokens into MCP deployments
👉 Read Cerbos's analysis of MCP permissions for AI agent tool access →
MCP permissions and AI agent access control: what changes now?
Explore further
Fine-grained MCP authorization is now an identity control, not just an application feature. MCP changes AI agents from passive responders into software that can transact, query, and execute. Once that happens, the access decision is no longer about a single API call, but about whether the delegate may use tools at all. The implication is that IAM and PAM teams have to treat tool permissioning as part of identity governance, not as an application-layer afterthought.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How should organisations respond when an MCP tool could trigger destructive actions?
A: Isolate high-impact tools, require explicit policy approval for write or delete operations, and block them by default until the task context justifies access. The safest pattern is to make destructive capability exceptional, visible, and revocable rather than broadly available to every agent.
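The practitioner guidance above (per-tool tiers, a central per-request decision, short-lived delegated credentials) and the deny-by-default handling of destructive tools can be combined into one authorization gate in front of every MCP tool call. The following is an added example written for this post, not code from Cerbos or from any MCP SDK; the tool names, the `DelegatedToken`/`Request` shapes and the context keys are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed per-tool policy: each MCP tool is mapped to a risk tier so a
# bundled "agent session" entitlement never hides a higher-risk function.
TOOL_TIERS = {"search_tickets": "read", "update_ticket": "write", "delete_project": "admin"}

@dataclass
class DelegatedToken:
    user: str              # the human whose rights the agent is exercising
    team: str              # attribute used to bound resources the delegate may touch
    scopes: frozenset      # tool names the user's own rights allow the agent to call
    expires_at: float      # short-lived credential: epoch seconds (assumed format)

@dataclass
class Request:
    tool: str
    resource_team: str     # attribute of the target resource
    context: dict = field(default_factory=dict)  # task context, e.g. approvals

denial_log = []            # every denial is recorded for audit

def deny(req, reason):
    denial_log.append({"tool": req.tool, "reason": reason})
    return False, "deny:" + reason

def authorize(token, req, now=None):
    """Deny-by-default decision for a single MCP tool call.
    Evaluates credential lifetime, delegated scope, resource attributes and
    task context at request time. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    tier = TOOL_TIERS.get(req.tool)
    if tier is None:
        return deny(req, "unknown tool")
    if now >= token.expires_at:
        return deny(req, "delegated token expired")
    if req.tool not in token.scopes:
        return deny(req, "tool not in delegated scope")
    if tier in ("write", "admin") and req.resource_team != token.team:
        return deny(req, "resource outside delegating user's team")
    if tier == "write" and not req.context.get("task_approved_write"):
        return deny(req, "write requires explicit task approval")
    if tier == "admin" and not req.context.get("human_approval_id"):
        return deny(req, "admin tool blocked by default; human approval required")
    return True, "allow:" + tier
```

Destructive (admin-tier) tools stay blocked unless the request carries an explicit approval reference, and read-tier tools are the only ones reachable without additional context.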
👉 Read our full editorial: MCP permissions are now the control plane for AI agent access