TL;DR: September’s MCP ecosystem expansion coincided with prompt-injection warnings, supply-chain abuse, and new vulnerability reporting, according to Pomerium’s roundup of the month’s news. The underlying issue is not adoption alone, but that agentic access is reaching production before identity, authorization, and governance models are ready.
NHIMG editorial — based on content published by Pomerium: September 2025 MCP Round-Up on growing adoption and rising security fears
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- 492 MCP servers were identified as vulnerable to abuse, lacking basic authentication or encryption.
Questions worth separating out
Q: How should security teams govern MCP endpoints used by AI agents?
A: Treat MCP endpoints as privileged access surfaces with explicit ownership, scoped entitlements, and per-request authorisation.
Q: Why do prompt injection attacks become more serious in MCP environments?
A: Prompt injection becomes more serious because the agent can act on manipulated content, not just display it.
Q: What breaks when AI agents can chain tools through MCP without tight policy controls?
A: What breaks is the separation between request, authorisation, and execution.
Practitioner guidance
- Classify MCP servers as governed access surfaces: put MCP endpoints into the same control inventory as privileged APIs, including ownership, approved use cases, and explicit authorisation policies for each tool path.
- Separate content trust from action trust: require the agent runtime to validate whether a prompt, document, or web source may influence tool execution before any write or side-effect action is allowed.
- Inspect package provenance before agent consumption: block lookalike packages, verify publisher identity, and review what server functionality they expose before allowing them into agent workflows.
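The first two points above as a per-request gate in code, added here as an illustration rather than code from Pomerium's post or this editorial; the agent identities, tool paths and instruction-source labels are constructed placeholders. It checks the agent's scoped entitlement for the tool path, then refuses a side-effect tool when the instruction came from an untrusted content source, and writes every decision to an audit record.

```python
from dataclasses import dataclass, field

# Constructed entitlement table (hypothetical names): agent identity -> approved tool paths.
ENTITLEMENTS = {
    "agent://billing-assistant": {"crm.read_contact", "crm.update_contact"},
    "agent://research-bot": {"web.fetch", "notes.read"},
}
# Tool paths that write or cause side effects; these need a trusted instruction source.
SIDE_EFFECT_TOOLS = {"crm.update_contact", "mail.send", "fs.write"}
# Instruction origins allowed to drive a side-effect action. Fetched web pages,
# uploaded documents and other tool outputs are deliberately not on this list.
TRUSTED_SOURCES = {"user", "operator_policy"}

@dataclass
class ToolCall:
    agent: str    # identity of the calling agent
    tool: str     # MCP tool path being invoked
    source: str   # origin of the instruction: "user", "web_page", "document", ...
    args: dict = field(default_factory=dict)

@dataclass
class Decision:
    allowed: bool
    reason: str

AUDIT_LOG: list[dict] = []  # every decision is recorded, allowed or denied

def authorize(call: ToolCall) -> Decision:
    """Per-request gate: scoped entitlement first, then content trust for side effects."""
    if call.tool not in ENTITLEMENTS.get(call.agent, set()):
        decision = Decision(False, "tool path not in agent's scoped entitlements")
    elif call.tool in SIDE_EFFECT_TOOLS and call.source not in TRUSTED_SOURCES:
        decision = Decision(False, f"side-effect tool driven by untrusted source '{call.source}'")
    else:
        decision = Decision(True, "entitled; instruction source acceptable for this tool")
    AUDIT_LOG.append({"agent": call.agent, "tool": call.tool, "source": call.source,
                      "allowed": decision.allowed, "reason": decision.reason})
    return decision

if __name__ == "__main__":
    # Constructed calls: a user-driven update, the same update driven by a fetched
    # web page (the prompt-injection shape), and a tool outside the agent's scope.
    for c in (ToolCall("agent://billing-assistant", "crm.update_contact", "user"),
              ToolCall("agent://billing-assistant", "crm.update_contact", "web_page"),
              ToolCall("agent://research-bot", "crm.update_contact", "user")):
        d = authorize(c)
        print(c.agent, c.tool, c.source, "->", "ALLOW" if d.allowed else "DENY", "|", d.reason)
```

Read-only tools are still allowed from untrusted sources here, matching the guidance's focus on write and side-effect actions; a stricter deployment would also gate reads that can exfiltrate data.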
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- The month-by-month incident list showing how MCP security concerns accumulated across malicious servers, vulnerability rankings, and agent abuse reports.
- The individual article links and commentary that practitioners can use to trace each reported incident back to its original source.
- The vendor's framing of why MCP is maturing quickly and why that creates a sharper security focus for enterprise deployments.
- The source roundup of other blogs and reports if you want to compare perspectives across the wider MCP ecosystem.
👉 Read Pomerium's September MCP roundup on adoption and security fears →
MCP security is maturing fast, but are controls keeping up?
Explore further
MCP security is becoming an identity governance problem before it becomes a protocol problem. The article shows that enterprises are adopting MCP as a practical interface for agentic access, but the real control question is who or what is authorised to use those tools, under which context, and with what audit trail. That is classic NHI governance, only now the subject is an agent-mediated control plane. Practitioners should treat MCP endpoints as governed identities, not just integration plumbing.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when a malicious MCP server exposes enterprise data or actions?
A: Accountability sits with the organisation operating the agent, the team approving the server, and the owners of the connected systems. The important governance question is whether provenance checks, runtime policy, and audit logging were in place before the server was trusted. If they were not, the failure is shared and preventable.
👉 Read our full editorial: MCP adoption is outpacing security controls for agentic access