
MCP security risks for AI agents: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3789
Topic starter

TL;DR: MCP standardises how LLMs discover tools and trigger actions, but Lasso Security notes that concentrated capability access, weak scoping, and limited visibility can turn one misconfiguration into broad misuse or exfiltration. That makes protocol-level governance, auditability, and least-privilege boundaries decisive for enterprise AI programmes.

NHIMG editorial — based on content published by Lasso Security: MCP: Enabling Controlled & Composable AI Systems

By the numbers:

Questions worth separating out

Q: What breaks when MCP tools are not tightly scoped?

A: When MCP capabilities are too broad, a model can convert a normal tool call into unsafe operational behaviour, especially if prompt injection or a compromised server is involved.

Q: Why do MCP environments increase identity governance complexity for AI agents?

A: MCP turns model-tool interaction into a repeatable identity event, which means access, logging, and approvals must work at the capability level rather than at the application level.

Q: How do security teams know if MCP governance is actually working?

A: They should be able to answer who invoked which capability, with what parameters, and under what policy.

Practitioner guidance

  • Inventory every MCP capability as a privilege-bearing control surface: Map each exposed tool, schema, and parameter set to the smallest business action it can perform.
  • Enforce capability-based access controls at the protocol layer: Bind tool invocation to context, role, and workflow state so the model cannot call a function simply because it is discoverable.
  • Treat the orchestrator and registry as privileged identity infrastructure: Apply stronger authentication, change control, and isolation to the host broker and any package source used to onboard MCP servers.

What's in the full article

Lasso Security's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how MCP servers expose tools, context, and workflows to agents in production settings
  • The risk table showing where prompt injection, supply chain compromise, and orchestrator privilege create the largest exposure
  • Practical guidance on logging, validation, and policy enforcement around MCP traffic
  • Implementation detail on how the platform observes MCP requests and blocks unsafe operations

👉 Read Lasso Security's analysis of MCP security risks and tool governance →
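To make the "capability-level" guidance above concrete (the inventory, the binding of tool invocation to role and workflow state, and the audit question "who invoked which capability, with what parameters, and under what policy"), here is an added illustration in Python; it is not code from Lasso Security or NHIMG. The request shape follows MCP's JSON-RPC `tools/call` message, while the caller identity, role, workflow state and the two tools in the inventory are constructed for the example.

```python
"""Policy gate for MCP tool invocations (added illustration, not the article's code)."""
from dataclasses import dataclass
import time

# Capability inventory (constructed): each tool is bound to the roles and workflow
# states that may invoke it and to the only parameter keys it may accept.
# Discoverability alone never grants the right to call a tool.
CAPABILITIES = {
    "jira.create_issue": {"roles": {"support-agent"}, "states": {"triage"},
                          "params": {"project", "summary"}},
    "payments.refund":   {"roles": {"finance-agent"}, "states": {"approved"},
                          "params": {"order_id", "amount"}},
}

POLICY_ID = "capability-scope-v1"   # hypothetical policy name recorded in every audit entry
AUDIT_LOG: list[dict] = []


@dataclass
class Invocation:
    caller: str          # non-human identity of the agent making the call (constructed)
    role: str            # role bound to that identity by the host, not by the model
    workflow_state: str  # state supplied by the orchestrator
    request: dict        # JSON-RPC 2.0 message, method "tools/call"


def evaluate(inv: Invocation) -> tuple[bool, str]:
    """Return (allowed, reason) and append an audit record that answers
    who invoked which capability, with what parameters, under which policy."""
    params = inv.request.get("params", {})
    tool, args = params.get("name"), params.get("arguments", {})
    cap = CAPABILITIES.get(tool)
    if inv.request.get("method") != "tools/call":
        reason = "not a tools/call request"
    elif cap is None:
        reason = "tool not in capability inventory"
    elif inv.role not in cap["roles"]:
        reason = f"role {inv.role} not bound to {tool}"
    elif inv.workflow_state not in cap["states"]:
        reason = f"state {inv.workflow_state} not permitted for {tool}"
    elif (extra := set(args) - cap["params"]):
        # Schema drift or injected parameters are denied, not silently dropped.
        reason = f"unexpected parameters {sorted(extra)}"
    else:
        reason = "allowed"
    AUDIT_LOG.append({"ts": time.time(), "caller": inv.caller, "role": inv.role,
                      "state": inv.workflow_state, "tool": tool, "arguments": dict(args),
                      "policy": POLICY_ID, "decision": reason})
    return reason == "allowed", reason
```

Every decision, allowed or denied, lands in `AUDIT_LOG` with the caller, tool, parameters and policy identifier, which is the record a security team needs to show that governance is working.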


(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 2127

MCP is not just an integration pattern, it is an identity boundary. The moment a model can discover tools and trigger actions through a standard interface, the question changes from application connectivity to delegated authority. That makes tool scoping, auditability, and policy enforcement part of the identity stack, not optional platform extras. Practitioners should treat MCP servers like privileged non-human identities with explicit lifecycle and access governance.

A few things that frame the scale:

  • Only 18% of MCP server deployments implement any form of access scoping for tool permissions, according to The State of MCP Server Security 2025.
  • 53% of MCP servers expose credentials through hard-coded values in configuration files, which shows how quickly protocol adoption becomes a secrets governance problem.

A question worth separating out:

Q: Who is accountable when an MCP-connected agent misuses a tool?

A: Accountability sits with the organisation that defined the tool exposure, the policy layer, and the oversight model, because MCP does not remove the need for governance. If a server, orchestrator, or registry is trusted without review, that trust decision becomes the control failure, not just the model’s behaviour.

👉 Read our full editorial: MCP concentrates risk in AI tool orchestration and access control
