TL;DR: Pomerium's July MCP roundup shows the ecosystem expanding faster than its security controls: critical remote-code-execution flaws in mcp-remote and Anthropic's MCP Inspector, alongside 1,862 internet-exposed MCP servers that Knostic found running without any authentication or access control. The governance problem is not adoption itself, but the assumption that agent-facing tooling can safely be treated like ordinary integration infrastructure.
NHIMG editorial — based on content published by Pomerium: July 2025 Agentic Access and MCP Content Round-Up: Vulnerabilities, Governance & Growth
By the numbers:
- Researchers from Knostic scanned 1,862 internet-exposed MCP servers and found that none possessed any kind of authentication check.
- Only 5.7% of organisations have full visibility into their service accounts.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, according to SailPoint.
Questions worth separating out
Q: How should security teams govern MCP servers used by AI agents?
A: Security teams should treat MCP servers as privileged access points, not passive integration layers.
Q: Why do MCP deployments create new identity governance risks?
A: MCP deployments create new risks because they multiply the number of machine-facing access paths that can be reached by agents, scripts, and developer tools.
Q: What breaks when MCP servers do not require authentication?
A: When MCP servers do not require authentication, the access boundary disappears: any client that can reach the endpoint can complete the protocol handshake, enumerate the server's tools, and invoke them with whatever privileges the server itself holds.
Practitioner guidance
- Inventory every MCP server and connector: map each server, client, and tool surface to an owner, a data classification, and an approval path before it is exposed to users or agents.
- Enforce authentication in front of every exposed MCP endpoint: do not allow an MCP server to rely on obscurity or network placement.
- Apply the same hardening to MCP tooling as to privileged admin tools: review client applications, inspectors, and local connectors for command execution risk, browser exposure, and token handling weaknesses.
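The following is an added example, not code from Pomerium, NHIMG, or any MCP project, illustrating two of the points above: what an unauthenticated MCP endpoint gives away (the question on what breaks without authentication), and what "authentication in front of every exposed endpoint" looks like as a gate around the server's HTTP JSON-RPC transport. The endpoint path, the bearer tokens, the per-principal tool allowlist, the advertised protocol revision, and the `open_server` stand-in for an unguarded server are all constructed assumptions for the example.

```python
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MCP_PATH = "/mcp"          # assumed path of the server's streamable-HTTP transport
PROTOCOL = "2025-03-26"    # MCP spec revision the constructed server advertises

# Constructed per-principal tokens and tool allowlists; a real gateway would
# resolve these through the IdP / secret store, never from source.
VALID_TOKENS: Dict[str, dict] = {
    "token-for-agent-A": {"owner": "data-team", "tools": {"search_docs"}},
}


@dataclass
class Response:
    status: int
    body: dict


Handler = Callable[[str, Dict[str, str], bytes], Response]


def rpc(method: str, params: Optional[dict] = None, req_id: int = 1) -> bytes:
    """Build a JSON-RPC 2.0 request body the way an MCP client sends it."""
    return json.dumps({"jsonrpc": "2.0", "id": req_id, "method": method,
                       "params": params or {}}).encode()


INIT_REQUEST = rpc("initialize", {"protocolVersion": PROTOCOL, "capabilities": {},
                                  "clientInfo": {"name": "probe", "version": "0"}})


def open_server(path: str, headers: Dict[str, str], body: bytes) -> Response:
    """Models an MCP server with no authentication check: it completes the
    handshake for any caller that can reach it, the condition the scan found."""
    req = json.loads(body)
    if req.get("method") == "initialize":
        return Response(200, {"jsonrpc": "2.0", "id": req.get("id"), "result": {
            "protocolVersion": PROTOCOL, "capabilities": {"tools": {}},
            "serverInfo": {"name": "unguarded", "version": "0"}}})
    return Response(200, {"jsonrpc": "2.0", "id": req.get("id"), "result": {}})


def _principal_for(auth_header: Optional[str]) -> Optional[dict]:
    """Resolve a bearer token to its principal, comparing in constant time."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    presented = auth_header[len("Bearer "):].encode()
    for token, meta in VALID_TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):
            return meta
    return None


def make_gate(upstream: Handler) -> Handler:
    """Wrap an MCP server so every request must carry a valid token and every
    tools/call must name a tool on that principal's allowlist."""
    def gate(path: str, headers: Dict[str, str], body: bytes) -> Response:
        if path != MCP_PATH:
            return Response(404, {"error": "not found"})
        principal = _principal_for(headers.get("Authorization"))
        if principal is None:
            # Reject before parsing the body, so an unauthenticated caller learns
            # nothing about the server, its protocol version, or its tools.
            return Response(401, {"error": "unauthorized"})
        try:
            req = json.loads(body)
        except ValueError:
            return Response(400, {"error": "malformed json-rpc"})
        if req.get("method") == "tools/call":
            tool = (req.get("params") or {}).get("name")
            if tool not in principal["tools"]:
                return Response(403, {"error": f"tool {tool!r} not permitted for {principal['owner']}"})
        return upstream(path, headers, body)
    return gate


def looks_unauthenticated(resp: Response) -> bool:
    """Scanner-side classification: an `initialize` result returned to a request
    with no credentials means the endpoint has no access boundary at all."""
    result = resp.body.get("result") if resp.status == 200 else None
    return isinstance(result, dict) and "protocolVersion" in result


def probe(handler: Handler) -> bool:
    """Send an unauthenticated initialize and report whether it succeeded."""
    return looks_unauthenticated(handler(MCP_PATH, {}, INIT_REQUEST))


if __name__ == "__main__":
    print("open server exposed:", probe(open_server))              # True
    print("gated server exposed:", probe(make_gate(open_server)))  # False
```

Two design points matter here. The gate rejects before it parses the request, so a credential-less probe gets a bare 401 rather than a handshake that reveals protocol version, server name, or tool list; and a valid token alone is not enough, because the per-principal allowlist turns the "actions beyond intended scope" problem into a 403 at the boundary instead of a surprise downstream.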
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step coverage of the July incident list, including the specific MCP tools and releases named in the roundup.
- The vendor's own framing of why MCP security requires context-aware enforcement between agents and downstream systems.
- Additional source links and examples that map the roundup to current product and ecosystem changes.
- The full post's commentary on how Pomerium positions Zero Trust controls for MCP environments.
👉 Read Pomerium's July roundup on MCP vulnerabilities, governance, and growth →
MCP security gaps: what do IAM and NHI teams need to fix?
Explore further
MCP is becoming an identity problem before it is a tooling problem. The roundup shows that protocol adoption is outrunning basic enforcement, which means teams are now publishing access surfaces faster than they can govern them. That creates a familiar NHI failure mode: a new class of machine-facing identities is treated as integration plumbing instead of governed access. Practitioners should read MCP growth as a control-plane warning, not a feature story.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, according to SailPoint's AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an MCP connector exposes sensitive data or actions?
A: Accountability should sit with the team that owns the server, connector, and downstream access policy, not with the protocol itself. Organisations need clear ownership for approval, monitoring, incident response, and revocation. Without that assignment, agentic access grows faster than governance can follow it.
👉 Read our full editorial: MCP security gaps expose the identity controls agents still lack