When governance only models tool permissions, it misses the authority created by generated code. A sandboxed script can call multiple APIs, reuse runtime functions, and chain actions in ways that a single tool-call policy does not describe. Teams then lose clarity on what was executed, why it was allowed, and how to certify it.
Why This Matters for Security Teams
MCP governance fails when it treats a tool call as the full unit of authority. Generated code can combine multiple functions, reuse local runtime state, and trigger follow-on API requests that never appear as a single, neatly scoped permission event. That means the real security boundary is not just the declared tool list, but the execution context around the agent, the code it produces, and the secrets it can touch.
This is why current guidance increasingly points to identity and runtime controls, not static allowlists alone. NHI governance needs to account for NIST Cybersecurity Framework 2.0 style risk management, and for agent-specific exposure patterns documented in Analysis of Claude Code Security. When the policy model stops at the MCP boundary, it misses downstream authority created by code generation, which is exactly where the blast radius expands.
That gap is not theoretical. The OWASP Agentic Applications Top 10 and the OWASP Non-Human Identity Top 10 both reflect the same operational truth: autonomy changes the trust model. In practice, many security teams discover overbroad execution only after an agent has already chained actions across systems, rather than through intentional review of the generated path.
How It Works in Practice
Tool permissioning is only one layer. A stronger model treats the agent, its runtime, and its emitted code as a governed workload identity with request-time authorization. That usually means short-lived credentials, explicit runtime policy evaluation, and a clear separation between what the agent may request and what the generated script may actually execute. In MCP-heavy environments, the effective control plane must inspect both the declared tool call and the code path that follows.
Practitioners generally need four controls working together:
- Workload identity for the agent runtime, so each execution instance can be authenticated independently.
- Just-in-time secrets or tokens with tight TTLs, so authority expires after the task finishes.
- Policy-as-code checks at request time, using context such as task intent, target system, and data sensitivity.
- Execution logging that records generated code, invoked libraries, and downstream API calls, not only the initial tool request.
That approach aligns with the direction of OWASP Agentic AI Top 10 and the identity-centric recommendations in Top 10 NHI Issues. It also reflects current zero trust practice, where decisions are made on each request rather than assumed from a prior tool grant. For teams trying to operationalize this, the key is to govern the runtime and the code path, not just the MCP manifest. These controls tend to break down when an agent can spawn child processes or execute dynamic code inside a shared sandbox because the runtime path becomes harder to attribute and constrain.
Common Variations and Edge Cases
Tighter governance often increases friction, so organisations have to balance safety against developer velocity and automation reliability. That tradeoff is especially visible when teams want both fast iteration and strict control over generated code.
Best practice is evolving, but current guidance suggests three common exceptions need explicit handling. First, read-only tools can still become dangerous if generated code uses them to infer sensitive data and pivot into other systems. Second, sandboxed execution is not a complete fix if the sandbox can reach metadata services, internal APIs, or cached secrets. Third, vendor-hosted MCP services may expose a limited tool surface while the real risk sits in downstream credentials, callbacks, or plugin dependencies.
The governance question is therefore broader than MCP itself. It includes lifecycle controls, auditability, and the ability to explain why a given code path was allowed. NHIMG’s Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and Ultimate Guide to NHIs — Regulatory and Audit Perspectives are useful here because they frame authority as something that must be issued, reviewed, and revoked across the full execution lifecycle. Where teams rely only on static tool scopes, visibility usually fails first in hybrid environments with multiple sandboxes, shared credentials, and runtime-generated API chains.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Agentic systems fail when generated code exceeds declared tool scope. |
| CSA MAESTRO | 3.2 | MAESTRO addresses autonomous workflow risk beyond simple tool permissions. |
| NIST AI RMF | GOVERN-1 | AIRMF covers accountability for AI behavior that tools-only policy misses. |
Assign ownership for agent decisions and require traceable approvals for risky actions.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
