Notifications
Clear all
Topic starter
07/06/2026 8:31 pm
TL;DR: MCP standardizes how LLMs call tools and services, but Strata Identity argues that missing user context, weak auditability, and untrusted tool sources turn that convenience into a wider attack surface, especially when approvals and policy enforcement are absent. Identity-aware policy checks are the deciding control, not the protocol itself.
NHIMG editorial — based on content published by Strata Identity: MCP security and identity context for LLM tool access
By the numbers:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should security teams govern MCP tool access in enterprise environments?
A: Security teams should govern MCP tool access the same way they govern other privileged actions: bind each request to identity, evaluate policy at runtime, and log the full decision path.
Q: Why do MCP workflows create risk when identity context is missing?
A: MCP workflows create risk when identity context is missing because the model can make or relay actions without a verifiable subject behind them.
Q: What do organisations get wrong about securing model-driven tool use?
A: Organisations often secure the model and ignore the tool boundary.
Practitioner guidance
- Bind every tool request to a verified identity Require role, entitlement, and risk evaluation before any MCP tool invocation is allowed to proceed.
- Treat MCP registries as governed access surfaces Limit tool discovery to curated registries, review definitions for provenance, and revoke tools that are not tied to policy.
- Log the full identity chain for every action Capture the initiating user, the model request, the tool selected, the policy decision, and the response.
What's in the full article
Strata Identity's full article covers the operational detail this post intentionally leaves for the source:
- The exact runtime sequence used to pair a tool request with user identity, role, permissions, and risk state.
- How approval gates are inserted for sensitive MCP actions and how those gates are tied to contextual policy.
- The curated registry approach the vendor describes for controlling which tool definitions can be invoked.
- The practical flow for linking prompts, function calls, and responses into a usable audit trail.
👉 Read Strata Identity's analysis of MCP security and identity context →
MCP tool access and identity context: where do controls break?
Explore further
07/06/2026 10:26 pm
Identity context is the control plane for MCP, not an optional wrapper. The article is right to treat missing user context as the root cause behind most MCP risks. Once tool calls are separated from a verified identity, traditional role and policy enforcement no longer has a reliable subject to evaluate. For practitioners, that means MCP belongs in the identity governance conversation, not just the application integration stack.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- In the same research, 92% of respondents agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
A question worth separating out:
Q: How do teams know whether MCP controls are actually working?
A: Teams know MCP controls are working when every tool invocation can be traced to a verified identity, a policy decision, and a recorded approval state where required. If logs cannot answer who asked, what was allowed, and why the call ran, then the controls are not governing the workflow. They are only documenting its existence.
👉 Read our full editorial: MCP security needs identity context before tool access scales
