
MCP server access and AI agents: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: AI agents and Model Context Protocol are pushing enterprises toward identity-aware tool access, but static API keys, broad service accounts, and weak authorization models still dominate MCP implementations, according to Cerbos. Zero Trust for agents now depends on short-lived delegated credentials, fine-grained policy checks, and auditable on-behalf-of flows rather than shared secrets.

NHIMG editorial — based on content published by Cerbos: AI agents meet Zero Trust through MCP and delegated identity

Questions worth separating out

Q: How should security teams govern AI agents that use MCP servers?

A: Security teams should treat AI agents as first-class identities, not as hidden extensions of a user session.

Q: Why do static API keys create risk for AI agent access?

A: Static API keys create risk because they are long-lived, reusable, and difficult to tie to a specific action.

Q: What breaks when MCP tools are exposed without policy controls?

A: Without policy controls, MCP tools become a discoverable privilege surface rather than a governed capability set.

Practitioner guidance

  • Define agents as governed identities: assign each AI agent a unique identity, separate from human users and separate from generic service accounts.
  • Remove long-lived shared secrets from agent workflows: replace static API keys and copied admin tokens with short-lived, scoped credentials issued for a single task or delegation path.
  • Scope tool discovery by policy: filter which MCP tools and resources an agent can see based on user role, agent trust level, and context.

What's in the full article

Cerbos' full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how MCP clients connect to servers over STDIO, HTTP, and Server-Sent Events
  • Specific policy enforcement patterns for fine-grained tool access and parameter-level restrictions
  • Discussion of on-behalf-of token flows and OAuth 2.0 token exchange for delegated AI actions
  • Implementation considerations for embedding policy decision points inside agent workflows

👉 Read Cerbos' analysis of MCP server identities and Zero Trust for AI agents →
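As an added illustration of the practitioner guidance above (example code written for this post, not Cerbos' or the article's own): a toy policy decision point where an agent holds a short-lived credential delegated by a user, tool discovery is filtered by the user's role, the agent's trust level and the granted scopes, and every call is re-checked with a parameter-level rule. The tool catalogue, scopes, roles, trust scale and refund limit are all constructed for the example.

```python
"""Added example, not Cerbos' or the article's code: a toy policy decision
point for delegated agent access to MCP tools. Tool names, scopes, roles,
trust levels and the refund limit below are constructed for illustration."""
from dataclasses import dataclass
import time

@dataclass(frozen=True)
class DelegatedCredential:
    agent_id: str           # the agent's own identity, not the user's session
    on_behalf_of: str       # the user who delegated authority for this task
    user_role: str
    agent_trust: int        # constructed scale: 0 = unreviewed ... 2 = reviewed
    scopes: frozenset       # scopes granted for this single task only
    expires_at: float       # unix seconds; short-lived by construction

# Constructed tool catalogue: each tool names the scope it needs, the minimum
# agent trust level, and which delegating user roles may drive it.
TOOLS = {
    "read_ticket":  {"scope": "tickets:read",   "min_trust": 0, "roles": {"support", "admin"}},
    "close_ticket": {"scope": "tickets:write",  "min_trust": 1, "roles": {"support", "admin"}},
    "refund":       {"scope": "billing:refund", "min_trust": 2, "roles": {"admin"}},
    "export_users": {"scope": "users:export",   "min_trust": 2, "roles": {"admin"}},
}
REFUND_LIMIT = 100  # constructed parameter-level restriction

def is_valid(cred, now=None):
    """Expiry check; an expired delegation grants nothing."""
    return (time.time() if now is None else now) < cred.expires_at

def visible_tools(cred, now=None):
    """Tool discovery scoped by policy: the agent only sees tools that the
    user's role, the agent's trust level and the granted scopes all allow."""
    if not is_valid(cred, now):
        return []
    return sorted(name for name, t in TOOLS.items()
                  if t["scope"] in cred.scopes
                  and cred.agent_trust >= t["min_trust"]
                  and cred.user_role in t["roles"])

def authorize_call(cred, tool, args, now=None):
    """Enforcement at call time, not only at discovery: re-evaluate the
    delegation and apply a parameter-level rule. Returns (allowed, reason);
    the reason carries the on-behalf-of pair so it can be written to audit."""
    who = f"{cred.agent_id} acting for {cred.on_behalf_of}"
    if tool not in visible_tools(cred, now):
        return False, f"{who}: {tool} not permitted by this delegation"
    if tool == "refund" and args.get("amount", 0) > REFUND_LIMIT:
        return False, f"{who}: refund amount exceeds per-call limit"
    return True, f"{who}: {tool} allowed"
```

The same credential that can see `close_ticket` cannot see `refund` once its trust level is below the tool's minimum, and an expired credential discovers nothing at all, which is the behaviour a static API key never gives you.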



(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508

Agent identity is becoming the control plane for tool-using AI. The article shows that MCP standardisation alone does not create security, because the real risk sits in how identities are issued, scoped, and audited. When an agent can reach tools through broad credentials, the governance problem is no longer prompt quality but access design. Practitioners should treat every agent as a governable identity, not as a feature wrapped around a user session.

A few things that frame the scale:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: What is the difference between agent authentication and delegation?

A: Authentication proves the agent or the user is who they claim to be. Delegation proves what the agent is allowed to do on someone else's behalf and keeps that authority narrow and visible. For AI agents, delegation is the more important governance problem because it defines the real security boundary for downstream tool calls.

👉 Read our full editorial: MCP server identities and Zero Trust for AI agents
