MCP security and agentic access: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: August’s MCP and agentic AI roundup shows high-severity RCE flaws, OAuth 2.1 pressure, and vendor adoption momentum, according to Pomerium and the cited incident reports. The core issue is that trust is still being granted to mutable tool chains and configurations that can be altered after approval.

NHIMG editorial — based on content published by Pomerium: August 2025 Agentic Access and MCP Content Round-Up: Security, Innovations & Growth

By the numbers:

Questions worth separating out

Q: How should security teams govern MCP integrations that can execute commands locally?

A: Treat every MCP integration that can execute commands as a privileged runtime path, not a documentation convenience.

Q: Why do MCP-based agent workflows increase identity risk compared with ordinary app integrations?

A: MCP-based workflows increase identity risk because they bind tool access to runtime context, configuration state, and execution triggers.

Q: What do security teams get wrong about zero trust in agentic access environments?

A: Teams often assume zero trust means the initial connection is enough if the gateway is authenticated.

Practitioner guidance

  • Bind approvals to immutable configuration state: require signed or version-locked MCP configurations so an approved tool path cannot be silently swapped after consent.
  • Disable unattended auto-start for mutable MCP integrations: treat project-open triggers as execution events, not convenience features, unless the configuration is integrity-protected and monitored.
  • Revalidate scope at every tool invocation: use zero-trust and OAuth 2.1 controls to re-check scope, audience, and intent whenever an MCP-connected tool requests access to code, data, or infrastructure.

What's in the full article

Pomerium's full blog covers the operational detail this post intentionally leaves for the source:

  • Step-by-step coverage of the Cursor MCP vulnerabilities and how each exploit path worked in practice
  • Vendor-by-vendor news roundup for August MCP and agentic AI developments across infrastructure, IDE, and workflow tools
  • Direct discussion of OAuth 2.1 requirements and how they change MCP authorisation design
  • Additional commentary on agentic AI growth, adoption, and the operational risk trade-offs behind it

👉 Read Pomerium's August roundup on MCP security and agentic access risk →

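
To make the first two guidance points above concrete, here is an added example (not Pomerium's or NHIMG's code, and not any real MCP client's implementation) that binds an approval record to a canonical hash of an MCP server configuration and refuses unattended start when the configuration has drifted since consent. The configuration entry, approver name and signing key are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample: an MCP server entry of the shape an IDE keeps in its
# mcp.json (illustrative values only, not taken from any real project).
APPROVED_CONFIG = {
    "mcpServers": {
        "repo-tools": {
            "command": "npx",
            "args": ["-y", "example-repo-tools@1.4.2"],
            "env": {"REPO_ROOT": "/work/app"},
        }
    }
}

# Hypothetical key held by the approval service, never by the project checkout.
APPROVAL_KEY = b"constructed-demo-key-not-for-real-use"


def canonical_digest(config: dict) -> str:
    """Hash a canonical JSON form so key order or whitespace cannot hide drift."""
    blob = json.dumps(config, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def issue_approval(config: dict, approver: str) -> dict:
    """Bind a one-time consent event to the exact configuration that was reviewed."""
    digest = canonical_digest(config)
    payload = f"{approver}:{digest}".encode()
    return {
        "approver": approver,
        "config_sha256": digest,
        "mac": hmac.new(APPROVAL_KEY, payload, hashlib.sha256).hexdigest(),
    }


def may_autostart(config: dict, approval: dict) -> tuple[bool, str]:
    """Decide at project-open time whether the server may start unattended."""
    expected = f"{approval['approver']}:{approval['config_sha256']}".encode()
    good_mac = hmac.new(APPROVAL_KEY, expected, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good_mac, approval["mac"]):
        return False, "approval record tampered or forged"
    if canonical_digest(config) != approval["config_sha256"]:
        return False, "configuration changed since approval; re-consent required"
    return True, "configuration matches approved state"
```

A negative decision from `may_autostart` is the point at which the tool should fall back to an interactive prompt and the drift should be logged for review.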
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Approval does not equal trust durability: MCP exposes a governance gap where a one-time consent event is treated as if it covers future execution state. That assumption fails because the configuration can change after approval while the tool path still appears legitimate. The implication is that identity governance for agentic access has to follow the lifecycle of the binding, not the lifecycle of the first approval.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.

A question worth separating out:

Q: Who is accountable when an approved MCP tool is later modified and causes compromise?

A: Accountability usually spans the platform owner, the team that approved the integration, and the operator responsible for configuration integrity. The governance failure is treating approval as a one-time event instead of an ongoing control relationship. Frameworks that emphasise access lifecycle and continuous verification are the right reference points here.

👉 Read our full editorial: MCP security and agentic access risks are accelerating in 2025
