
MCP security gaps: what IAM and NHI teams need to fix


Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: July’s MCP roundup shows the ecosystem is expanding faster than security controls, with critical remote-code-execution flaws in mcp-remote and Anthropic’s MCP Inspector alongside 1,862 internet-exposed MCP servers found without authentication or access controls, according to Pomerium. The governance problem is not adoption itself, but the assumption that agent-facing tooling can be safely treated like ordinary integration infrastructure.

NHIMG editorial — based on content published by Pomerium: July 2025 Agentic Access and MCP Content Round-Up: Vulnerabilities, Governance & Growth

By the numbers:

Questions worth separating out

Q: How should security teams govern MCP servers used by AI agents?

A: Security teams should treat MCP servers as privileged access points, not passive integration layers. An MCP server exposes tools that act on downstream systems with whatever credentials the server holds, so it needs the same owner, authentication, and change control you would require of a privileged service account.

Q: Why do MCP deployments create new identity governance risks?

A: MCP deployments create new risks because they multiply the number of machine-facing access paths that agents, scripts, and developer tools can reach. Each server is effectively a new non-human identity with standing access to the systems behind it, and unless it is inventoried and governed as one, that access sits outside the IAM program's view.

Q: What breaks when MCP servers do not require authentication?

A: When MCP servers do not require authentication, the access boundary disappears: anyone who can reach the endpoint can enumerate its tools and invoke them with the server's own credentials, so network reachability becomes the only control. The 1,862 exposed servers in the roundup show how often that reachability is the public internet.

Practitioner guidance

  • Inventory every MCP server and connector: map each server, client, and tool surface to an owner, a data classification, and an approval path before it is exposed to users or agents.
  • Enforce authentication in front of every exposed MCP endpoint: do not allow an MCP server to rely on obscurity or network placement, and verify the control by probing the endpoint without credentials rather than trusting the deployment diagram.
  • Apply the same hardening to MCP tooling as to privileged admin tools: review client applications, inspectors, and local connectors for command execution risk, browser exposure, and token handling weaknesses, since the July flaws in mcp-remote and MCP Inspector were in exactly this category.
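One way to verify the second item on that list, as an added example written for this post rather than code from Pomerium, NHIMG, or any MCP SDK: send an unauthenticated MCP `initialize` request to each inventoried endpoint and classify the answer. It assumes the server uses the Streamable HTTP transport (JSON-RPC 2.0 POSTed to one URL, answered as JSON or as an SSE stream), the protocol version string `2025-03-26`, and hypothetical endpoint names; the sample responses are constructed here so the classifier runs offline. Probe only endpoints you own or are authorised to test.

```python
"""Flag MCP endpoints that answer an unauthenticated initialize request.

Added example for this post (not Pomerium's or NHIMG's code). Assumes the
MCP Streamable HTTP transport; endpoint URLs and sample bodies are made up.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass

# JSON-RPC "initialize" handshake sent with NO Authorization header. A server
# that answers it with a result is exposing its tool surface to anyone.
INITIALIZE_REQUEST = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
        "protocolVersion": "2025-03-26",   # assumed protocol revision
        "capabilities": {},
        "clientInfo": {"name": "mcp-auth-audit", "version": "0.1"},
    },
}


@dataclass
class Finding:
    url: str
    verdict: str   # "OPEN", "AUTH_REQUIRED", or "UNKNOWN"
    detail: str


def _extract_json(body: bytes):
    """Parse a JSON body, or the data: lines of an SSE reply, into an object."""
    text = body.decode("utf-8", errors="replace").strip()
    if text.startswith(("event:", "data:")):
        # Streamable HTTP may stream the JSON-RPC message over SSE.
        text = "\n".join(
            line[len("data:"):].strip()
            for line in text.splitlines() if line.startswith("data:")
        )
    return json.loads(text)


def classify(url: str, status: int, body: bytes) -> Finding:
    """Decide what one HTTP response says about the endpoint's access control."""
    if status in (401, 403):
        return Finding(url, "AUTH_REQUIRED", f"HTTP {status} without credentials")
    if status != 200:
        return Finding(url, "UNKNOWN", f"HTTP {status}")
    try:
        msg = _extract_json(body)
    except ValueError:
        return Finding(url, "UNKNOWN", "HTTP 200 but body is not JSON-RPC")
    result = msg.get("result") if isinstance(msg, dict) else None
    if isinstance(result, dict) and "serverInfo" in result:
        name = result["serverInfo"].get("name", "?")
        has_tools = "tools" in result.get("capabilities", {})
        return Finding(url, "OPEN",
                       f"initialize succeeded without auth: server={name!r}, "
                       f"tools={'yes' if has_tools else 'no'}")
    return Finding(url, "UNKNOWN", "HTTP 200 but no initialize result")


def probe(url: str, timeout: float = 5.0) -> Finding:
    """Send the unauthenticated initialize request and classify the reply."""
    req = urllib.request.Request(
        url, method="POST",
        data=json.dumps(INITIALIZE_REQUEST).encode(),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json, text/event-stream"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(url, resp.status, resp.read())
    except urllib.error.HTTPError as e:
        return classify(url, e.code, e.read())
    except (urllib.error.URLError, TimeoutError) as e:
        return Finding(url, "UNKNOWN", f"no response: {e}")


def open_endpoints(findings):
    """URLs that must be put behind authentication before anything else."""
    return [f.url for f in findings if f.verdict == "OPEN"]


# Constructed sample replies (not captured from any real server).
SAMPLE_OPEN_JSON = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"protocolVersion": "2025-03-26",
               "capabilities": {"tools": {}},
               "serverInfo": {"name": "filesystem-mcp", "version": "1.0"}},
}).encode()
SAMPLE_OPEN_SSE = b"event: message\ndata: " + SAMPLE_OPEN_JSON + b"\n\n"

if __name__ == "__main__":
    # Offline demo on the constructed replies; swap in probe(url) for real runs.
    findings = [
        classify("https://mcp.internal.example/mcp", 200, SAMPLE_OPEN_JSON),
        classify("https://sse.internal.example/mcp", 200, SAMPLE_OPEN_SSE),
        classify("https://gw.internal.example/mcp", 401, b""),
    ]
    for f in findings:
        print(f"{f.verdict:<13} {f.url}  {f.detail}")
    print("needs auth in front of it:", open_endpoints(findings))
```

Treat every `OPEN` result as a finding against the inventory owner, not the server: a 401 from a gateway is the expected answer, and an `UNKNOWN` usually means the URL is not an MCP endpoint at all or the transport differs, which is worth resolving before the server is marked as governed.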

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step coverage of the July incident list, including the specific MCP tools and releases named in the roundup.
  • The vendor's own framing of why MCP security requires context-aware enforcement between agents and downstream systems.
  • Additional source links and examples that map the roundup to current product and ecosystem changes.
  • The full post's commentary on how Pomerium positions Zero Trust controls for MCP environments.

👉 Read Pomerium's July roundup on MCP vulnerabilities, governance, and growth →

