What should organisations review before connecting AI systems to MCP servers?

Why This Matters for Security Teams

Before any AI system is connected to an MCP server, the key question is not technical compatibility but delegated authority: what identity is being trusted, what downstream tools it can invoke, and whether that access is intentionally bounded. MCP changes the security posture because it can turn a model-driven workflow into an identity-bearing actor with reach into data, tickets, code, or infrastructure. That is why current guidance from the OWASP Agentic AI Top 10 treats tool access, authorization, and autonomy as first-order risks rather than implementation details.

Security teams should review whether the AI system is operating with static entitlement assumptions that were designed for humans, because autonomous or goal-driven behaviour does not follow fixed usage patterns. A model may chain tools, retry actions, or reach for adjacent data in ways that are legitimate from its own workflow perspective but unacceptable from a governance perspective. That is why NHI controls must be paired with runtime authorisation and logging, not just onboarding reviews. In practice, many security teams encounter the real failure only after an AI agent has already overreached, rather than through intentional access design.

How It Works in Practice

The review should begin at the trust boundary: identify which AI workload is allowed to call which MCP server, then define the precise scope of each call. That means checking the workload identity, the server-side policy, and the data sources the server can proxy. Where possible, use workload identity primitives such as SPIFFE or OIDC-backed service tokens so the server can verify what the caller is, not just what secret it presents. For agentic systems, static RBAC is often too blunt on its own; current best practice is evolving toward intent-based or context-aware authorisation evaluated at request time.

A practical review should include short-lived, task-scoped credentials rather than long-lived secrets. If the AI system needs access only for a single workflow, issue JIT credentials, expire them quickly, and revoke them automatically when the task ends. This reduces blast radius if the agent behaves unexpectedly or if the MCP server becomes a pivot point. The OWASP Agentic Applications Top 10 and the OWASP Top 10 for Agentic Applications 2026 both reflect this shift toward runtime control, while NIST AI governance guidance and CSA MAESTRO stress auditability, policy enforcement, and containment around high-risk agent actions.

• Map the AI workload to a named workload identity before any MCP connection is enabled.
• Restrict each server to the minimum tools, datasets, and actions required for the task.
• Prefer ephemeral credentials and dynamic secrets over shared static tokens.
• Log the prompt, tool invocation, decision point, and downstream data touched.
• Review whether the server can access secrets stores, admin APIs, or lateral movement paths.

The Analysis of Claude Code Security shows why tool-mediated development workflows need tighter guardrails, because the model’s access path can become more powerful than the user interface suggests. These controls tend to break down in multi-tenant environments where one MCP server is reused across many agents, because shared service credentials and broad tool catalogs make per-agent scoping difficult to prove.

Common Variations and Edge Cases

Tighter MCP governance often increases integration overhead, requiring organisations to balance velocity against the need for containment. That tradeoff is most visible when teams want broad agent autonomy for productivity but still need strong controls over secrets, records, and production systems. There is no universal standard for MCP server hardening yet, so guidance should be treated as evolving rather than settled doctrine. In environments with high-change workflows, intent-based authorisation may be preferable to static allowlists because the agent’s actions depend on the task context, not a fixed job role.

Edge cases matter. A read-only MCP server can still create risk if it exposes sensitive metadata, cached tokens, or configuration files. Likewise, an apparently harmless assistant may become dangerous if it can request another tool that unlocks privileged paths. The DeepSeek breach is a reminder that exposed credentials and weak scoping can turn an integration into an access-control failure. For organisations aligning governance to framework language, the most relevant mapping is to OWASP-AGENTIC, NIST-AIRMF, and CSA-MAESTRO, with Zero Trust principles used to validate each call instead of trusting the connection once and assuming it stays safe.

Where MCP is connected to production data, code execution, or secrets management, the safest assumption is that every tool call is privileged until proven otherwise. That approach is especially important when agents can act autonomously, because a single overbroad server can become the easiest route from a harmless prompt to an enterprise incident.

Related resources from NHI Mgmt Group

• When is it appropriate to implement MCP in the context of AI systems?
• What is MCP in the context of AI security?
• How should teams govern AI agents that use MCP?
• Why is identity such a critical factor in securing AI agent systems?