TL;DR: MCP standardises how AI agents connect to tools and data, but it also expands trust boundaries, introduces context-injection and privilege-escalation risks, and demands continuous identity verification and auditability, according to Aembit. The security problem is no longer integration convenience, but whether existing IAM and NHI controls can govern runtime tool use by autonomous systems.
NHIMG editorial — based on content published by Aembit: MCP security for agentic AI workflows and the identity gaps it exposes
By the numbers:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
Questions worth separating out
Q: How should security teams govern AI agents that use MCP to reach multiple tools?
A: Treat the agent as a governed workload with runtime privileges, not as a one-time authenticated caller.
Q: Why do MCP-based agents create more risk than ordinary API integrations?
A: Because the agent is choosing actions, chaining tools, and preserving context across steps.
Q: What breaks when teams rely on static API keys for agentic workflows?
A: Static keys cannot express session-level intent, tool-specific limits, or changing context.
Practitioner guidance
- Define MCP trust zones: separate low-trust inputs, regulated data sources, and high-impact tools so the agent cannot move freely between them inside one session.
- Bind agent identity to every tool call: use cryptographic identity and continuous authorisation so each MCP action can be traced to a verified workload rather than a one-time login.
- Instrument context handling end to end: log what context entered the session, what was forwarded to each tool, and where sensitive data was returned or stored.
What's in the full article
Aembit's full research covers the operational detail this post intentionally leaves for the source:
- MCP implementation patterns for agent, server, and tool identity binding across distributed systems.
- Concrete examples of context injection and tool chaining failure modes in agentic workflows.
- Policy design considerations for continuous authorisation and per-action evaluation in MCP sessions.
- Operational guidance for auditing agent interactions and reconstructing tool-use histories.
👉 Read Aembit's analysis of MCP security for agentic AI workflows →
MCP security: what identity and access teams need to rethink?
Explore further
MCP security is really workload identity governance for autonomous tool use. The protocol does not create the identity problem, but it makes the problem operational at runtime by letting agents discover and use tools dynamically. That means the control plane has to govern who the agent is, what it can reach, and how far delegated authority can travel across a session. Practitioners should treat MCP as identity infrastructure with execution consequences, not as a developer convenience layer.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How do organisations know whether MCP controls are working?
A: They should be able to reconstruct every session, including tool discovery, policy decisions, context changes, and data returned. If they cannot answer who used which tool, why the policy allowed it, and what data moved through the chain, then the control set is incomplete.
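As an added example (not Aembit's code and not part of the original editorial), the Python sketch below puts the three practitioner guidance points and the "reconstruct every session" test from this Q&A into one small policy gateway: each MCP tool is mapped to a trust zone, every tool call carries an HMAC bound to a workload identity and a session, the gateway evaluates each call on its own (freshness, signature, entitlement, zone transition) rather than trusting a one-time login, and an audit record per call lets the session be replayed. The tool names, zones, workload names, signing keys and the single zone-transition rule are all constructed for the example; a real deployment would bind calls to short-lived credentials issued by the workload identity provider rather than static secrets.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed sample data for this example (not from the page or Aembit).
# Trust zone of each MCP tool the agent can discover.
TOOL_ZONES = {"web_fetch": "low_trust_input", "crm_lookup": "regulated_data",
              "wire_transfer": "high_impact"}
# Tool entitlements per workload identity, as an identity provider might issue them.
ENTITLEMENTS = {"agent-finops": {"web_fetch", "crm_lookup", "wire_transfer"},
                "agent-support": {"web_fetch", "crm_lookup"}}
# Per-workload signing keys (hypothetical demo secrets; real deployments would use
# short-lived credentials bound to the workload, not static keys).
KEYS = {"agent-finops": b"finops-demo-key", "agent-support": b"support-demo-key"}
# Zone policy: once a session has consumed a tool in the key zone, tools in the
# value zones are off limits for the rest of that session.
BLOCKED_AFTER = {"low_trust_input": {"high_impact"}}


def args_digest(args: dict) -> str:
    """Stable hash of tool arguments, used for signing and for the audit trail."""
    return hashlib.sha256(json.dumps(args, sort_keys=True).encode()).hexdigest()


def sign_call(workload: str, session_id: str, tool: str, args: dict, ts: int) -> str:
    """Agent side: bind one specific tool call to the workload identity and session."""
    msg = f"{workload}|{session_id}|{tool}|{args_digest(args)}|{ts}".encode()
    return hmac.new(KEYS[workload], msg, hashlib.sha256).hexdigest()


@dataclass
class Session:
    session_id: str
    workload: str
    zones_seen: set = field(default_factory=set)
    audit: list = field(default_factory=list)


class Gateway:
    """Policy enforcement point sitting between the agent and its MCP tools."""

    def __init__(self, max_skew: int = 60):
        self.max_skew = max_skew
        self.sessions: dict = {}

    def authorize(self, workload, session_id, tool, args, ts, sig, now=None) -> str:
        now = int(time.time()) if now is None else now
        sess = self.sessions.setdefault(session_id, Session(session_id, workload))
        decision = self._evaluate(sess, workload, tool, args, ts, sig, now)
        # Every call, allowed or denied, is recorded with what was forwarded and why.
        sess.audit.append({"ts": now, "workload": workload, "tool": tool,
                           "zone": TOOL_ZONES.get(tool), "args_sha256": args_digest(args),
                           "decision": decision})
        if decision == "allow":
            sess.zones_seen.add(TOOL_ZONES[tool])
        return decision

    def _evaluate(self, sess, workload, tool, args, ts, sig, now) -> str:
        if sess.workload != workload:
            return "deny:session_bound_to_other_workload"
        if workload not in KEYS:
            return "deny:unknown_workload"
        if abs(now - ts) > self.max_skew:
            return "deny:stale_call"
        expected = sign_call(workload, sess.session_id, tool, args, ts)
        if not hmac.compare_digest(expected, sig):
            return "deny:bad_signature"
        zone = TOOL_ZONES.get(tool)
        if zone is None:
            return "deny:unknown_tool"
        if tool not in ENTITLEMENTS.get(workload, set()):
            return "deny:not_entitled"
        for seen in sess.zones_seen:
            if zone in BLOCKED_AFTER.get(seen, set()):
                return f"deny:zone_transition:{seen}->{zone}"
        return "allow"

    def timeline(self, session_id: str) -> list:
        """Reconstruct a session: which tool, in which zone, and what policy decided."""
        return [f"{e['ts']} {e['workload']} {e['tool']} zone={e['zone']} {e['decision']}"
                for e in self.sessions[session_id].audit]


def demo_session() -> tuple:
    """One agent session: regulated lookup, untrusted web content, then a high-impact tool."""
    gw, now, sid = Gateway(), 1_700_000_000, "sess-1"

    def call(tool, args):
        sig = sign_call("agent-finops", sid, tool, args, now)
        return gw.authorize("agent-finops", sid, tool, args, now, sig, now=now)

    decisions = [call("crm_lookup", {"customer": "C-42"}),
                 call("web_fetch", {"url": "https://example.test/invoice"}),
                 # Denied: the session already consumed low-trust input.
                 call("wire_transfer", {"amount": 900, "to": "ACME"})]
    return decisions, gw.timeline(sid)
```

Running `demo_session()` shows the point of per-action evaluation: the same entitled workload is allowed a regulated lookup and a web fetch, but its later wire transfer is refused because the session has already ingested low-trust content, and the timeline lists every call with its zone and decision, which is exactly the record the Q&A says a team must be able to produce.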
👉 Read our full editorial: MCP security exposes the identity gaps in agentic AI workflows