TL;DR: AI agents can chain read, write, delete, and send actions through MCP servers in seconds, often outside the governance, approval, and audit layers security teams use for people, according to Entro Security. Existing IAM assumes visible, reviewable sessions, but agent actions can complete before any control sees them.
NHIMG editorial — based on content published by Entro Security: MCP server actions create a new governance blind spot for AI agents
Questions worth separating out
Q: How should security teams govern AI agent actions through MCP servers?
A: Security teams should govern AI agent actions at the point of execution, not after the fact.
Q: Why do MCP-connected AI agents create more risk than ordinary automation?
A: MCP-connected AI agents create more risk because they can decide which tools to use and chain multiple actions inside one session.
Q: What breaks when IAM only logs AI agent activity after execution?
A: What breaks is containment.
Practitioner guidance
- Inventory every MCP-connected tool path: Map which AI agents can reach Slack, Jira, databases, file systems, and similar resources through MCP servers, then document the exact actions each path allows.
- Enforce pre-execution policy for agent actions: Require policy checks before write, delete, send, or data-access actions execute, and make denied actions visible to both security teams and operators.
- Separate agent identity from user identity: Model the agent as its own governed identity so permissions, approvals, and audit records reflect what the software actor can actually do.
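A pre-execution gate of the kind these three items describe, as an added example (not Entro's or NHIMG's code): a deny-by-default check keyed on the agent's own identity, evaluated before a tool call reaches an MCP server, that records every denied action. Agent, server, and tool names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class ToolCall:
    agent_id: str  # the agent's own governed identity, not the prompting user
    server: str    # MCP server the tool lives on, e.g. "slack", "jira", "postgres"
    tool: str      # tool name exposed by that server
    action: str    # "read", "write", "delete" or "send"

@dataclass(frozen=True)
class Policy:
    agent_id: str
    server: str
    allowed_actions: frozenset

class PolicyGate:
    """Deny-by-default check run before the call reaches the MCP server; keyed on (agent, server)."""
    def __init__(self, policies):
        self._policies = {(p.agent_id, p.server): p for p in policies}
        self.denied = []  # denied calls stay visible to security teams and operators

    def check(self, call: ToolCall) -> bool:
        policy = self._policies.get((call.agent_id, call.server))
        allowed = policy is not None and call.action in policy.allowed_actions
        if not allowed:
            self.denied.append(call)
        return allowed

    def execute(self, call: ToolCall, executor: Callable[[ToolCall], str]) -> Optional[str]:
        # A denied call never reaches the server, so there is nothing to contain afterwards.
        return executor(call) if self.check(call) else None

def run_session() -> list:
    """Constructed session: one agent chaining four tool calls inside a single run."""
    gate = PolicyGate([
        Policy("triage-bot", "jira", frozenset({"read"})),
        Policy("triage-bot", "slack", frozenset({"read"})),
    ])
    chain = [
        ToolCall("triage-bot", "jira", "get_issue", "read"),
        ToolCall("triage-bot", "slack", "post_message", "send"),  # Slack write: denied
        ToolCall("triage-bot", "jira", "delete_issue", "delete"),  # not in allowed set: denied
        ToolCall("triage-bot", "postgres", "query", "read"),       # no policy at all: denied
    ]
    executor = lambda c: f"executed {c.server}.{c.tool}"  # stand-in for the real MCP client
    return [(c.tool, gate.execute(c, executor)) for c in chain]

if __name__ == "__main__":
    for tool, result in run_session():
        print(tool, "->", result or "DENIED before execution")
```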
What's in the full article
Entro Security's full article covers the operational detail this post intentionally leaves for the source:
- Policy creation examples for specific agent, target, and action combinations across enterprise tools
- Screen-by-screen guidance for the monitored session log, policy trigger, and blocked action flow
- Implementation detail on how AAA fits into Entro's broader Agentic Governance Architecture
- Practical examples of deny rules for Slack writes, database access, and data exfiltration attempts
MCP server actions and AI agents: are your controls keeping up?
Agentic access through MCP servers creates an action-layer blind spot, not just a monitoring gap. The governance failure is structural because the agent completes tool calls below the layer where most IAM programmes expect to intervene. That means the problem is not missing logs alone, but the fact that the action itself is already over by the time many controls see it. Practitioners should treat this as a control-boundary shift, not a visibility tuning issue.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should be accountable for AI agent actions in enterprise systems?
A: Accountability should sit with the team that owns the agent, its policies, and the connected tools, not only with the person who typed the original prompt. When a software actor can send messages, update records, and move data across systems, responsibility must follow the governed identity and its enforcement layer.