TL;DR: August’s MCP and agentic AI roundup shows high-severity RCE flaws, OAuth 2.1 pressure, and vendor adoption momentum, according to Pomerium and the cited incident reports. The core issue is that trust is still being granted to mutable tool chains and configurations that can be altered after approval.
NHIMG editorial — based on content published by Pomerium: August 2025 Agentic Access and MCP Content Round-Up: Security, Innovations & Growth
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams govern MCP integrations that can execute commands locally?
A: Treat every MCP integration that can execute commands as a privileged runtime path, not a documentation convenience.
Q: Why do MCP-based agent workflows increase identity risk compared with ordinary app integrations?
A: MCP-based workflows increase identity risk because they bind tool access to runtime context, configuration state, and execution triggers, all of which can change after the integration was approved, so the identity that was granted access is not necessarily the tool path that ends up running.
Q: What do security teams get wrong about zero trust in agentic access environments?
A: Teams often assume zero trust is satisfied once the gateway has authenticated the initial connection. It is not: authorisation has to be re-evaluated for each tool invocation, because the tool, its configuration, and the data it touches can all differ from what was in scope when the session was established.
Practitioner guidance
- Bind approvals to immutable configuration state: require signed or version-locked MCP configurations so an approved tool path cannot be silently swapped after consent.
- Disable unattended auto-start for mutable MCP integrations: treat project-open triggers as execution events, not convenience features, unless the configuration is integrity-protected and monitored.
- Revalidate scope at every tool invocation: use zero-trust and OAuth 2.1 controls to re-check scope, audience, and intent whenever an MCP-connected tool requests access to code, data, or infrastructure.
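The three controls above fit together as one gate. The following is an added example written for this editorial, not code from Pomerium or from any MCP client: it pins an approved MCP server configuration to a signed digest, refuses to auto-start if the on-disk config drifts from that digest, and re-checks audience, expiry and scope on every tool invocation instead of once at connection time. Assumptions not taken from the page: the config uses the JSON "mcpServers" shape that several MCP clients read; the approval record is an HMAC-SHA256 over canonical JSON, standing in for whatever signing or attestation mechanism an organisation actually uses; token claims arrive already signature-verified and parsed into a dict; all server names, scopes and keys are constructed.

```python
"""Added example (not Pomerium's or NHIMG's code): pin an approved MCP
config to a signed digest, block auto-start on drift, and re-check
OAuth 2.1-style audience/expiry/scope at every tool invocation.

Assumptions (not from the page): "mcpServers" JSON shape; HMAC-SHA256
as a stand-in signature; claims already verified and parsed.
"""
import hashlib
import hmac
import json
from typing import Tuple

# Constructed sample config: one MCP server that can execute a local command.
APPROVED_CONFIG = {
    "mcpServers": {
        "repo-tools": {
            "command": "npx",
            "args": ["-y", "repo-tools-mcp@1.4.2"],
            "env": {"REPO_ROOT": "/srv/app"},
        }
    }
}

# Hypothetical approver key; in practice this lives in a KMS or HSM.
APPROVER_KEY = b"constructed-approver-key-do-not-reuse"


def canonical_digest(config: dict) -> str:
    """SHA-256 over canonical JSON, so key order and whitespace cannot
    change the digest without changing what the config means."""
    canon = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def approve_config(config: dict, key: bytes) -> dict:
    """Approval record issued at consent time: digest plus HMAC over it."""
    digest = canonical_digest(config)
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"digest": digest, "sig": sig}


def check_config(config: dict, record: dict, key: bytes) -> Tuple[bool, str]:
    """Auto-start gate: the record must carry a valid approver signature and
    the on-disk config must still hash to the approved digest."""
    expected = hmac.new(key, record["digest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["sig"]):
        return False, "approval record signature invalid"
    if not hmac.compare_digest(canonical_digest(config), record["digest"]):
        return False, "config drifted from approved digest; refuse auto-start"
    return True, "config matches approval"


def authorize_invocation(claims: dict, tool: str, required_scope: str,
                         expected_aud: str, now: int) -> Tuple[bool, str]:
    """Per-invocation check: audience, expiry and scope are re-evaluated on
    every tool call, not only when the session was established."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        return False, f"{tool}: token audience {aud!r} is not {expected_aud!r}"
    if int(claims.get("exp", 0)) <= now:
        return False, f"{tool}: token expired"
    scopes = set(str(claims.get("scope", "")).split())
    if required_scope not in scopes:
        return False, f"{tool}: missing scope {required_scope!r}"
    return True, f"{tool}: authorized"


if __name__ == "__main__":
    record = approve_config(APPROVED_CONFIG, APPROVER_KEY)
    print(check_config(APPROVED_CONFIG, record, APPROVER_KEY))

    # Silent swap after consent: same server name, one extra argument.
    tampered = json.loads(json.dumps(APPROVED_CONFIG))
    tampered["mcpServers"]["repo-tools"]["args"].append("--allow-shell")
    print(check_config(tampered, record, APPROVER_KEY))

    # Constructed claims; "aud" names the MCP server this token was minted for.
    claims = {"aud": "mcp://repo-tools", "scope": "repo:read", "exp": 1_800_000_000}
    now = 1_700_000_000
    print(authorize_invocation(claims, "read_file", "repo:read", "mcp://repo-tools", now))
    print(authorize_invocation(claims, "run_command", "repo:exec", "mcp://repo-tools", now))
    print(authorize_invocation(claims, "read_file", "repo:read", "mcp://other-server", now))
```

Two design points worth keeping if you adapt this: the digest is over canonical JSON so a reformatted but semantically identical file still passes, while any change to command, args or env fails closed; and the audience check is per MCP server, so a token minted for one server cannot be replayed against another even when the scope string happens to match.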
What's in the full article
Pomerium's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step coverage of the Cursor MCP vulnerabilities and how each exploit path worked in practice
- Vendor-by-vendor news roundup for August MCP and agentic AI developments across infrastructure, IDE, and workflow tools
- Direct discussion of OAuth 2.1 requirements and how they change MCP authorisation design
- Additional commentary on agentic AI growth, adoption, and the operational risk trade-offs behind it
👉 Read Pomerium's August roundup on MCP security and agentic access risk →
MCP security and agentic access: are your controls keeping up?