MCP security is maturing fast, but are controls keeping up?

TL;DR: September’s MCP ecosystem expansion coincided with prompt-injection warnings, supply-chain abuse, and new vulnerability reporting, according to Pomerium’s roundup of the month’s news. The underlying issue is not adoption alone, but that agentic access is reaching production before identity, authorization, and governance models are ready.

NHIMG editorial — based on content published by Pomerium: September 2025 MCP Round-Up on growing adoption and rising security fears

By the numbers:

• 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
• 492 MCP servers were identified as vulnerable to abuse, lacking basic authentication or encryption.

Questions worth separating out

Q: How should security teams govern MCP endpoints used by AI agents?

A: Treat MCP endpoints as privileged access surfaces with explicit ownership, scoped entitlements, and per-request authorisation.

Q: Why do prompt injection attacks become more serious in MCP environments?

A: Prompt injection becomes more serious because the agent can act on manipulated content, not just display it.

Q: What breaks when AI agents can chain tools through MCP without tight policy controls?

A: What breaks is the separation between request, authorisation, and execution.

Practitioner guidance

• Classify MCP servers as governed access surfaces Put MCP endpoints into the same control inventory as privileged APIs, including ownership, approved use cases, and explicit authorization policies for each tool path.
• Separate content trust from action trust Require the agent runtime to validate whether a prompt, document, or web source can influence tool execution before any write or side-effect action is allowed.
• Inspect package provenance before agent consumption Block lookalike packages, verify publisher identity, and review what server functionality they expose before allowing them into agent workflows.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

• The month-by-month incident list showing how MCP security concerns accumulated across malicious servers, vulnerability rankings, and agent abuse reports.
• The individual article links and commentary that practitioners can use to trace each reported incident back to its original source.
• The vendor's framing of why MCP is maturing quickly and why that creates a sharper security focus for enterprise deployments.
• The source roundup of other blogs and reports if you want to compare perspectives across the wider MCP ecosystem.

👉 Read Pomerium's September MCP roundup on adoption and security fears →

MCP security is maturing fast, but are controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →