MCP server security and the governance gap teams are missing


(@astrix)
Estimable Member
Joined: 1 year ago
Posts: 69
Topic starter  

TL;DR: An analysis of 5,205 open-source MCP server implementations found that 88% require credentials, 53% rely on static API keys or PATs, and only 8.5% use OAuth, underscoring how quickly AI agent infrastructure is scaling on weak identity foundations, according to Astrix Security. Static secrets are not a deployment detail here; they are the governance flaw that makes MCP adoption harder to secure than it first appears.

NHIMG editorial — based on content published by Astrix Security: State of MCP Server Security 2025

By the numbers:

Questions worth separating out

Q: How should security teams handle credential storage for MCP servers?

A: Security teams should treat MCP server credentials as production NHIs and remove them from static configuration wherever possible.

Q: Why do MCP servers create more NHI risk than ordinary API integrations?

A: MCP servers sit in the execution path of AI tools, so a compromised credential can become a control point for multiple downstream actions, not just one API call.

Q: What do teams get wrong about environment variables for secrets?

A: Teams often treat environment variables as a safe middle layer, but they are only a delivery mechanism.

Practitioner guidance

  • Inventory every MCP server credential path: Map where each server receives secrets, including repositories, .env files, CI variables, orchestration settings, and host-level injection points.
  • Replace hard-coded MCP secrets with vault-backed runtime injection: Move credential retrieval out of code and configuration into a vault-driven launch path so the server never stores reusable secrets on disk or in source control.
  • Prioritise OAuth or equivalent delegated access for MCP servers: Use delegated authentication when downstream platforms support it so access can be scoped, revoked, and audited without redistributing secrets.
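
A starting point for the inventory step above, as an added example that is not from Astrix Security's report or from this post: it walks a client configuration in the `mcpServers` JSON layout used by common MCP clients and lists each credential path by name, marking whether the value is stored in the file or referenced from the launch environment. The sample configuration, the server and command names, and the name patterns are constructed assumptions.

```python
import json
import re

# Constructed sample in the "mcpServers" layout; all names and values are made up.
SAMPLE_CONFIG = """
{"mcpServers": {
  "github":  {"command": "npx", "args": ["-y", "example-github-mcp"],
              "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "constructed-pat-0000"}},
  "search":  {"command": "example-search-mcp",
              "args": ["--api-key", "constructed-key-1111"],
              "env": {"LOG_LEVEL": "debug"}},
  "tickets": {"command": "example-vault-launcher", "args": ["--", "example-tickets-mcp"],
              "env": {"TICKETS_API_TOKEN": "${TICKETS_API_TOKEN}"}}
}}
"""

# Heuristic name patterns (assumption, tune for your estate).
SECRET_NAME = re.compile(r"token|secret|passw|api[_-]?key|credential", re.I)
# A value like ${VAR} or $VAR is resolved at launch rather than stored in the file.
REFERENCE = re.compile(r"^\$\{?\w+\}?$")


def classify(value):
    """Label a value as a launch-time reference or a literal stored in the file."""
    return "reference" if REFERENCE.match(str(value)) else "static"


def inventory(config_text):
    """Return sorted (server, location, name, kind) tuples; secret values are never emitted."""
    findings = []
    for server, spec in json.loads(config_text).get("mcpServers", {}).items():
        for name, value in spec.get("env", {}).items():
            if SECRET_NAME.search(name):
                findings.append((server, "env", name, classify(value)))
        args = [str(a) for a in spec.get("args", [])]
        for i, arg in enumerate(args):
            flag, sep, inline = arg.partition("=")
            if not (flag.startswith("-") and SECRET_NAME.search(flag)):
                continue
            # Handles both "--api-key=VALUE" and "--api-key VALUE".
            value = inline if sep else (args[i + 1] if i + 1 < len(args) else "")
            if value:
                findings.append((server, "args", flag, classify(value)))
    return sorted(findings)


if __name__ == "__main__":
    for server, location, name, kind in inventory(SAMPLE_CONFIG):
        print(f"{server:8} {location:4} {name:30} {kind}")
```

A `reference` result only means the secret is not in this file: it still arrives through an environment variable, so the next step is to trace where that variable is set.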

What's in the full report

Astrix Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • The full methodology behind how 5,205 open-source MCP server implementations were identified and filtered.
  • The credential classification approach used to separate API keys, PATs, OAuth, and unknown patterns across the dataset.
  • The MCP Secret Wrapper design and how vault-backed runtime injection changes the deployment path.
  • The research appendix on GitHub search limitations and how that shaped the estimate of total MCP server implementations.

👉 Read Astrix Security's analysis of State of MCP Server Security 2025 →
