MCP security for AI agents: are static scopes enough?

TL;DR: MCP turns AI agents into autonomous operators that can query data, trigger workflows, and update systems, but static OAuth scopes, VPNs, and traditional auth models do not capture real-time intent or per-action risk, according to Pomerium. The governance gap is not authentication alone, but continuous, context-aware authorization for agent behaviour.

NHIMG editorial — based on content published by Pomerium: Secure Access for Model Context Protocol (MCP)

By the numbers:

• Only 18% of MCP server deployments implement any form of access scoping for tool permissions.
• 53% of MCP servers expose credentials through hard-coded values in configuration files.
• 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

Questions worth separating out

Q: What breaks when AI agents rely on static OAuth scopes for MCP access?

A: Static OAuth scopes break because they describe delegated permission at the moment of issuance, not the live intent behind each agent action.

Q: Why do AI agents make Zero Trust more important for identity governance?

A: AI agents make Zero Trust more important because the trust boundary shifts from login to each action the agent performs.

Q: How can security teams know whether MCP authorization is actually working?

A: They should look for evidence that each tool call is being independently judged and that allow or deny decisions are logged with context.

Practitioner guidance

• Move MCP enforcement to the application layer Place an identity-aware proxy or gateway in front of MCP servers so each tool call is authorized against live context instead of relying on bearer-token validity alone.
• Constrain tool permissions by action and context Define policies that distinguish between read, query, update, and administrative actions, then require user role, request origin, and session attributes before allowing each one.
• Log allow and deny decisions with full context Capture who requested access, what tool was attempted, when it happened, and why it was allowed or blocked so investigations can reconstruct agent behaviour.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

• Step-by-step policy examples for routing MCP traffic through an identity-aware proxy.
• Concrete route rules for restricting MCP tool usage by request attributes and allowed actions.
• Implementation details for JWT injection, no-token-passthrough, and per-request logging.
• Performance and streaming guidance for gRPC, HTTP/2, and WebSocket-based MCP connections.

👉 Read Pomerium's analysis of secure access for Model Context Protocol →

MCP security for AI agents: are static scopes enough?

Explore further

View Full Forum →  |  NHI Foundation Course →