
MCP tool exposure in production: are your controls keeping up?


(@lalit)
Member Admin
Topic starter  

TL;DR: MCP servers commonly expose every tool by default, which creates both over-permissioned AI agents and context rot that degrades tool selection accuracy, according to Kong. The governance lesson is that production MCP needs default-deny tool filtering, identity-based routing, and credential isolation, not just prompt-injection defenses.

NHIMG editorial — based on content published by Kong: Model Context Protocol (MCP) Security: How to Restrict Tool Access Using AI Gateways

Questions worth separating out

Q: How should security teams restrict MCP tool access in production?

A: Security teams should enforce tool-level authorization at the gateway, not at the model. A prompt-injected model will attempt any tool it can name, so the allow/deny decision has to sit in a component the model cannot influence, with the filtered tool list and the call-time check both applied there.

Q: Why do large MCP tool catalogs create security and reliability risk?

A: Large MCP tool catalogs expand both privilege and prompt size. Every discoverable tool is a capability the agent (or whoever injects its prompt) can invoke, and every tool description consumes context, which is the context rot that degrades tool selection accuracy.

Q: What is the difference between gateway-managed credentials and agent-held credentials?

A: Gateway-managed credentials stay outside the agent and are attached by the gateway only when a backend call is actually forwarded, so the agent never holds a reusable backend token that could be exfiltrated or replayed. Agent-held credentials travel with the agent and inherit its exposure to prompt injection and log leakage.

Practitioner guidance

  • Inventory every MCP tool exposed to production agents. Map which tools each agent can currently discover, not just which ones it is expected to use.
  • Enforce default-deny tool filtering at the gateway. Block any tool that is not explicitly allowed for the agent persona or consumer group.
  • Separate backend secrets from agent identity. Use gateway-managed credential injection so agents do not hold reusable backend tokens.

What's in the full article

Kong's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Kong ai-mcp-proxy configuration examples for gateway-managed credentials and ACL enforcement
  • Declarative YAML patterns for consumer groups, routes, and tool allow lists across multiple MCP backends
  • Concrete GitHub MCP persona setups showing which tools are exposed to each agent class
  • Implementation notes on claim mapping, default deny, and hybrid authentication modes

👉 Read Kong's analysis of MCP tool access control for AI gateways →





   
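Added example, not part of the post above and not Kong's ai-mcp-proxy code: a minimal in-process Python model of the gateway pattern the practitioner guidance describes. An agent authenticates to the gateway as a consumer, the consumer maps to a group, the group has an explicit tool allow list, tools/list is filtered to that list, tools/call is checked against it (default deny), and the backend credential is attached by the gateway rather than held by the agent. The consumer ids, group names, GitHub-style tool names and the token are constructed placeholders; the message shapes follow MCP's JSON-RPC tools/list and tools/call, but the upstream MCP server is simulated here so the block runs offline.

```python
"""Gateway-side MCP tool filtering and credential injection (added example).

Not Kong's code. Consumer ids, groups, tool names and the token are
constructed placeholders; the MCP server is simulated in-process.
"""
import copy
import json

# Policy: consumer -> group -> allowed tools. Anything not listed is denied.
CONSUMER_GROUPS = {
    "agent-reader-01": "readers",
    "agent-triage-01": "triagers",
    "agent-unknown-99": "unmapped",      # deliberately has no allow list
}
TOOL_ALLOW_LISTS = {
    "readers":  {"list_issues", "get_issue"},
    "triagers": {"list_issues", "get_issue", "add_issue_comment"},
}

# Backend secret held only by the gateway; agents never receive it.
BACKEND_TOKEN = "constructed-backend-token-not-real"

# Constructed stand-in for a GitHub-style MCP server's full tools/list result.
UPSTREAM_TOOLS = [
    {"name": "list_issues", "description": "List issues in a repository."},
    {"name": "get_issue", "description": "Fetch one issue by number."},
    {"name": "add_issue_comment", "description": "Comment on an issue."},
    {"name": "create_pull_request", "description": "Open a pull request."},
    {"name": "delete_repository", "description": "Permanently delete a repository."},
]


def upstream_mcp_server(headers: dict, request: dict) -> dict:
    """Simulated MCP backend: rejects anything lacking the gateway's credential."""
    rid = request.get("id")
    if headers.get("Authorization") != f"Bearer {BACKEND_TOKEN}":
        return {"jsonrpc": "2.0", "id": rid,
                "error": {"code": -32001, "message": "unauthenticated"}}
    if request["method"] == "tools/list":
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": UPSTREAM_TOOLS}}
    if request["method"] == "tools/call":
        text = f"ran {request['params']['name']}"
        return {"jsonrpc": "2.0", "id": rid,
                "result": {"content": [{"type": "text", "text": text}]}}
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": -32601, "message": "method not found"}}


def allowed_tools(consumer_id: str) -> frozenset:
    """Default deny: an unknown consumer or a group with no list gets nothing."""
    group = CONSUMER_GROUPS.get(consumer_id)
    return frozenset(TOOL_ALLOW_LISTS.get(group, ()))


def gateway_handle(consumer_id: str, request: dict) -> dict:
    """Enforce the consumer's tool ACL, then proxy upstream with the credential."""
    allow = allowed_tools(consumer_id)
    method = request.get("method")
    if method == "tools/call":
        tool = request.get("params", {}).get("name")
        if tool not in allow:
            # The model may have been injected into naming a tool it never saw
            # in its filtered tools/list, so the check lives here, not in the model.
            return {"jsonrpc": "2.0", "id": request.get("id"),
                    "error": {"code": -32003,
                              "message": f"tool '{tool}' not permitted for consumer"}}
    # Credential injection: the agent's request carried no backend secret.
    headers = {"Authorization": f"Bearer {BACKEND_TOKEN}"}
    response = upstream_mcp_server(headers, copy.deepcopy(request))
    if method == "tools/list" and "result" in response:
        # Trim discovery to the allow list: less privilege and a smaller prompt.
        response["result"]["tools"] = [
            t for t in response["result"]["tools"] if t["name"] in allow]
    return response


def visible_tool_names(consumer_id: str) -> list:
    req = {"jsonrpc": "2.0", "id": 1, "method": "tools/list"}
    return sorted(t["name"] for t in gateway_handle(consumer_id, req)["result"]["tools"])


def call_tool(consumer_id: str, tool: str) -> str:
    req = {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
           "params": {"name": tool, "arguments": {}}}
    resp = gateway_handle(consumer_id, req)
    return "denied" if "error" in resp else resp["result"]["content"][0]["text"]


def catalog_bytes(tools: list) -> int:
    """Rough proxy for the prompt budget a tool catalog consumes."""
    return len(json.dumps(tools))


if __name__ == "__main__":
    print(visible_tool_names("agent-reader-01"))
    print(call_tool("agent-triage-01", "delete_repository"))
    filtered = gateway_handle("agent-reader-01", {"jsonrpc": "2.0", "id": 3,
                                                  "method": "tools/list"})["result"]["tools"]
    print(catalog_bytes(UPSTREAM_TOOLS), catalog_bytes(filtered))
```

The two checks worth taking from this into a real deployment are the ones the simulated upstream makes visible: an agent that bypasses the gateway and talks to the MCP server directly has no credential and is rejected, and a tool named in tools/call is denied even when the upstream catalog exposes it, because the decision is keyed to the consumer's allow list and not to what the model saw or claimed.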