They should reduce the amount of sensitive content that can enter the context window, constrain which tools can act on that content, and block unnecessary outbound communication. Prompt injection becomes far less effective when the model cannot both see valuable data and exfiltrate it through a permitted channel.
Why This Matters for Security Teams
MCP workflows can turn a helpful assistant into a high-risk data path because the model is not just reading text, it is selecting tools, carrying context, and sometimes acting on behalf of users. Prompt injection matters most when untrusted content can influence a tool call that reaches sensitive systems. That is why current guidance from the OWASP Agentic AI Top 10 treats indirect prompt injection as a workflow security issue, not only a model-quality issue.
For NHI Management Group, the practical concern is that MCP expands the attack surface by connecting model context to credentials, APIs, and downstream actions. If the assistant can see secrets, fetch internal documents, and call external services in the same flow, a single malicious instruction embedded in content can redirect the system. The risk is amplified when organisations rely on static allowlists and broad tool permissions instead of runtime controls. NHIMG research on OWASP Agentic Applications Top 10 shows that agentic systems fail most often at the boundary between context ingestion and action execution. In practice, many security teams discover prompt-injection paths only after an agent has already exposed data or executed an unintended tool call, rather than through intentional testing.
How It Works in Practice
The strongest way to reduce prompt-injection risk in MCP workflows is to break the attacker’s chain of access. That means limiting what enters context, limiting which tools can consume that context, and limiting where output can go. The model should not have broad visibility into sensitive data unless that data is strictly needed for the task, and it should not be able to transmit data to arbitrary destinations.
At implementation time, three controls matter most:
- Use context minimisation so only task-relevant content is passed into the prompt window.
- Separate retrieval from action so untrusted text cannot directly trigger privileged tool calls.
- Apply egress controls so the model cannot exfiltrate data through email, webhooks, paste targets, or chat responses.
- Require human approval or policy checks for any tool that changes state, moves data, or touches credentials.
That design aligns with the current direction of the OWASP Top 10 for Agentic Applications 2026 and the NIST Cybersecurity Framework 2.0, both of which emphasise least privilege, monitoring, and controlled data flows. It also matches NHIMG guidance in the Ultimate Guide to NHIs — Key Challenges and Risks, where identity scoping and secret containment are treated as primary guardrails. The direct answer on this page is the operational core: reduce sensitive context, constrain tools, and block unnecessary outbound communication. These controls tend to break down when MCP servers are reused across teams because shared tools quietly accumulate permissions and trusted inputs.
Common Variations and Edge Cases
Tighter prompt-injection controls often increase workflow friction, requiring organisations to balance security against automation speed and developer convenience. That tradeoff is real, especially in environments that depend on broad search, summarisation, or code-assist use cases.
Best practice is evolving, and there is no universal standard for this yet. In some MCP deployments, the safest pattern is to classify tools by risk and allow low-risk read actions automatically while forcing approvals for write actions. In others, the better pattern is to isolate untrusted content into a separate retrieval tier so the model never sees raw material that could contain hostile instructions. Both approaches can work if the policy engine evaluates requests at runtime rather than relying on a static prompt template.
Edge cases appear when workflows must process user-generated content, external documents, or code repositories that are inherently untrusted. In those environments, prompt injection can be embedded in markdown, comments, issue text, or page metadata. The right response is not to trust the model to “ignore bad instructions” but to make sure the workflow cannot convert those instructions into privilege. For deeper background on how agentic systems fail when actions and data are coupled, see NHIMG’s Analysis of Claude Code Security. Current guidance suggests the hardest cases are shared MCP environments with mixed-trust inputs, because one poisoned source can influence many downstream tool decisions.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A3 | Addresses indirect prompt injection and unsafe tool use in agent workflows. |
| CSA MAESTRO | TA-03 | Covers threat-aware orchestration across multi-tool agentic workflows. |
| NIST AI RMF | GOV | Supports governance for runtime controls over model behaviour and data flows. |
Filter untrusted inputs before tool calls and block model-driven state changes without policy checks.
Related resources from NHI Mgmt Group
- How can organisations reduce risk from prompt injection and tool misuse?
- How can organisations reduce the risk of prompt drift in AI-assisted workflows?
- When does just-in-time access reduce risk for agentic AI, and when does it fall short?
- When do AI agent credentials create more risk than they reduce?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
