MCP security is maturing fast, but are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: September’s MCP ecosystem expansion coincided with prompt-injection warnings, supply-chain abuse, and new vulnerability reporting, according to Pomerium’s roundup of the month’s news. The underlying issue is not adoption alone, but that agentic access is reaching production before identity, authorization, and governance models are ready.

NHIMG editorial — based on content published by Pomerium: September 2025 MCP Round-Up on growing adoption and rising security fears

By the numbers:

Questions worth separating out

Q: How should security teams govern MCP endpoints used by AI agents?

A: Treat MCP endpoints as privileged access surfaces with explicit ownership, scoped entitlements, and per-request authorisation.

Q: Why do prompt injection attacks become more serious in MCP environments?

A: Prompt injection becomes more serious because the agent can act on manipulated content, not just display it.

Q: What breaks when AI agents can chain tools through MCP without tight policy controls?

A: What breaks is the separation between request, authorisation, and execution.

Practitioner guidance

  • Classify MCP servers as governed access surfaces: put MCP endpoints into the same control inventory as privileged APIs, including ownership, approved use cases, and explicit authorization policies for each tool path.
  • Separate content trust from action trust: require the agent runtime to validate whether a prompt, document, or web source can influence tool execution before any write or side-effect action is allowed.
  • Inspect package provenance before agent consumption: block lookalike packages, verify publisher identity, and review what server functionality they expose before allowing them into agent workflows.
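The three guidance points above can be expressed as one runtime policy gate sitting between the agent and its MCP tool calls. The following is an added illustration, not code from the NHIMG post or from Pomerium: every tool path is registered with an owner, a side-effect flag and an entitlement list; registration is refused for publishers outside an allowlist; and a call with side effects is denied when any untrusted content (a fetched page, an inbound file) is present in the agent's context, with every decision written to an audit trail. All server, publisher and agent names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Trust(Enum):
    """Provenance label attached to every piece of content the agent sees."""
    TRUSTED = "trusted"      # operator-authored prompts, vetted internal documents
    UNTRUSTED = "untrusted"  # fetched web pages, inbound mail, third-party files


@dataclass(frozen=True)
class ToolPath:
    """One MCP tool path with the inventory fields the guidance asks for."""
    server: str
    tool: str
    owner: str                     # accountable team for this tool path
    side_effect: bool              # True for writes or anything with external impact
    allowed_principals: frozenset  # agent identities entitled to call it


@dataclass(frozen=True)
class Content:
    source: str
    trust: Trust


@dataclass
class PolicyGate:
    approved_publishers: frozenset
    tools: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def register(self, publisher: str, path: ToolPath) -> bool:
        """Provenance check: only tools from an approved publisher enter the inventory."""
        if publisher not in self.approved_publishers:
            self._record("register", path.server, path.tool, None, "denied",
                         f"publisher {publisher!r} not approved")
            return False
        self.tools[(path.server, path.tool)] = path
        self._record("register", path.server, path.tool, None, "allowed",
                     f"owner={path.owner}")
        return True

    def authorize(self, principal: str, server: str, tool: str, context: list) -> bool:
        """Per-request decision made before the runtime executes the tool call."""
        path = self.tools.get((server, tool))
        tainted = [c.source for c in context if c.trust is Trust.UNTRUSTED]
        if path is None:
            verdict, reason = "denied", "tool path not in inventory"
        elif principal not in path.allowed_principals:
            verdict, reason = "denied", "principal not entitled to this tool path"
        elif path.side_effect and tainted:
            # Content trust is not action trust: untrusted input may be read,
            # but it must not be the basis for a write or other side effect.
            verdict, reason = "denied", f"untrusted content in context: {tainted}"
        else:
            verdict, reason = "allowed", ""
        self._record("call", server, tool, principal, verdict, reason)
        return verdict == "allowed"

    def _record(self, event, server, tool, principal, verdict, reason):
        self.audit.append({"event": event, "server": server, "tool": tool,
                           "principal": principal, "verdict": verdict, "reason": reason})


def build_demo_gate() -> PolicyGate:
    """Constructed sample inventory; publishers, servers and agents are hypothetical."""
    gate = PolicyGate(approved_publishers=frozenset({"vendor-crm"}))
    gate.register("vendor-crm", ToolPath("crm", "read_contact", "sales-eng",
                                         False, frozenset({"agent-a", "agent-b"})))
    gate.register("vendor-crm", ToolPath("crm", "update_contact", "sales-eng",
                                         True, frozenset({"agent-a"})))
    # Lookalike publisher name: rejected before the agent ever sees the tool.
    gate.register("vendor-crm-official", ToolPath("crm2", "export_all", "unknown",
                                                  True, frozenset({"agent-a"})))
    return gate


if __name__ == "__main__":
    gate = build_demo_gate()
    clean = [Content("operator prompt", Trust.TRUSTED)]
    mixed = clean + [Content("https://example.invalid/page", Trust.UNTRUSTED)]
    print(gate.authorize("agent-a", "crm", "read_contact", mixed))    # read-only: allowed
    print(gate.authorize("agent-a", "crm", "update_contact", mixed))  # tainted write: denied
    print(gate.authorize("agent-a", "crm", "update_contact", clean))  # clean write: allowed
    print(gate.authorize("agent-b", "crm", "update_contact", clean))  # not entitled: denied
    for entry in gate.audit:
        print(entry)
```

The gate is deliberately deny-by-default: an unregistered tool path, an unentitled principal, and a side-effect call with tainted context all fail closed, and the audit list gives the "who, what, under which context" record the post asks for. In a real deployment the trust label would come from the component that fetched the content, not from the model's own judgement.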

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • The month-by-month incident list showing how MCP security concerns accumulated across malicious servers, vulnerability rankings, and agent abuse reports.
  • The individual article links and commentary that practitioners can use to trace each reported incident back to its original source.
  • The vendor's framing of why MCP is maturing quickly and why that creates a sharper security focus for enterprise deployments.
  • The source roundup of other blogs and reports if you want to compare perspectives across the wider MCP ecosystem.

👉 Read Pomerium's September MCP roundup on adoption and security fears →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

MCP security is becoming an identity governance problem before it becomes a protocol problem. The article shows that enterprises are adopting MCP as a practical interface for agentic access, but the real control question is who or what is authorised to use those tools, under which context, and with what audit trail. That is classic NHI governance, only now the subject is an agent-mediated control plane. Practitioners should treat MCP endpoints as governed identities, not just integration plumbing.

A few things that frame the scale:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who is accountable when a malicious MCP server exposes enterprise data or actions?

A: Accountability sits with the organisation operating the agent, the team approving the server, and the owners of the connected systems. The important governance question is whether provenance checks, runtime policy, and audit logging were in place before the server was trusted. If they were not, the failure is shared and preventable.

👉 Read our full editorial: MCP adoption is outpacing security controls for agentic access
