
MCP server security: what IAM and NHI teams need to control


(@nhi-mgmt-group)
Member Moderator

TL;DR: MCP standardises how AI apps connect to tools and data, but Apono’s analysis shows that the protocol also expands NHI exposure through standing tokens, over-scoped access, and weak auditability. The governance problem is not the protocol itself, but the identity controls around it.

NHIMG editorial — based on content published by Apono: 7 Cybersecurity Concerns Related to The MCP Protocol

By the numbers:

Questions worth separating out

Q: How should security teams govern MCP tool access in production environments?

A: Security teams should treat MCP tool access like any other privileged integration.

Q: Why do MCP integrations increase NHI risk in AI workflows?

A: MCP integrations increase NHI risk because they rely on service accounts, tokens, and API keys to let AI systems reach real tools and data.

Q: What breaks when MCP servers do not enforce tool scoping?

A: When MCP servers do not enforce tool scoping, models can reach tools and data across users, tenants, or environments that were never meant to be shared.

Practitioner guidance

  • Inventory every MCP-connected identity: Map which service accounts, tokens, and API keys back each tool server, then document where those credentials are stored and which environments they can reach.
  • Enforce request-level scoping for tool calls: Pass tenant ID, user role, and purpose context into each MCP request and validate those fields server-side before any tool executes.
  • Replace long-lived credentials with short-lived access: Use short-lived tokens, JIT-style access, and regular rotation for any credential that can reach production data or state-changing tools.
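Added example (not code from Apono's post or from this editorial): a deny-by-default gate that an MCP tool server could run before executing a tool, checking the tenant, role and purpose fields from the request against a policy, rejecting expired credentials, and emitting a structured audit record per decision. The policy table, request shape and function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
import time

# Constructed policy (assumption): which roles may call which tool, for which purposes.
TOOL_POLICY = {
    "read_ticket":  {"roles": {"support", "admin"}, "purposes": {"triage", "audit"}},
    "close_ticket": {"roles": {"admin"},            "purposes": {"triage"}},
}

@dataclass
class ToolRequest:
    """Context an MCP client must pass with every tool call (hypothetical shape)."""
    tool: str
    tenant_id: str
    role: str
    purpose: str
    token_tenant: str          # tenant bound into the short-lived credential
    token_expires_at: float    # unix epoch seconds; short-lived, rotated regularly
    args: dict = field(default_factory=dict)

def authorize_tool_call(req: ToolRequest, now: Optional[float] = None) -> tuple:
    """Return (allowed, reason). Every check fails closed; order matters only for the reason."""
    now = time.time() if now is None else now
    policy = TOOL_POLICY.get(req.tool)
    if policy is None:
        return False, "unknown tool"
    if req.token_expires_at <= now:
        return False, "credential expired"
    # The tenant claimed by the request must match the tenant the credential was issued for.
    if not req.tenant_id or req.tenant_id != req.token_tenant:
        return False, "tenant mismatch"
    if req.role not in policy["roles"]:
        return False, "role not permitted for tool"
    if req.purpose not in policy["purposes"]:
        return False, "purpose not permitted for tool"
    # Tool arguments must not point at another tenant's objects (cross-tenant reach).
    arg_tenant = req.args.get("tenant_id")
    if arg_tenant is not None and arg_tenant != req.tenant_id:
        return False, "argument references foreign tenant"
    return True, "ok"

def audit_record(req: ToolRequest, allowed: bool, reason: str, now: float) -> dict:
    """One structured log entry per model-to-tool decision, allow or deny."""
    return {"ts": now, "tool": req.tool, "tenant": req.tenant_id, "role": req.role,
            "purpose": req.purpose, "decision": "allow" if allowed else "deny",
            "reason": reason}
```

Log the record from `audit_record` on every call, including denials, so that scope violations and expired-credential use are visible to detection rather than silently dropped.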

What's in the full article

Apono's full blog post covers the operational detail this post intentionally leaves for the source:

  • Remediation guidance for hard-coded tokens and long-lived service accounts in MCP deployments
  • Practical examples of tenant-aware access logic and server-side validation for tool requests
  • Detailed logging and observability recommendations for model-to-tool transactions
  • Specific mitigation advice for prompt injection, confused deputy issues, and rogue MCP servers

👉 Read Apono's analysis of MCP server security and identity risk →
