They create zero trust challenges because access is no longer bounded by a human session or a single application boundary. The agent can move across tools and data sources in sequence, which makes continuous verification, least privilege, and logging essential. Zero trust still applies, but it has to be enforced at the level of each tool call and approval path.
Why Traditional IAM Fails for Autonomous AI Agents
Zero trust becomes harder with MCP because the agent is not a person sitting inside one session, and it is not a single workload with a stable purpose. It is an autonomous software entity that can chain tool calls, change direction, and reach across data stores in ways static IAM was never designed to describe. That is why current guidance moves beyond role assignment toward request-level verification, as reflected in the NIST AI Risk Management Framework and NIST SP 800-207 Zero Trust Architecture.
MCP adds a tool-connection layer that makes each action appear small and legitimate on its own, even when the combined sequence creates broad access. This breaks the assumption behind RBAC, where a role is mapped to a fairly predictable human job function. An agent does not behave like a clerk or an analyst. It may retrieve a secret, call a ticketing API, query a database, then pass the output into another tool without a pause for human judgment. That is why zero trust for agentic systems has to focus on workload identity, continuous authorization, and approval boundaries at the moment of use. The issue is not whether the agent is trusted once; it is whether each tool call still deserves trust right now. Many security teams discover this only after an agent has already traversed multiple tools and data sources without violating any single static policy.
For a deeper model of the threat surface, see OWASP Agentic Applications Top 10 and OWASP NHI Top 10.
How It Works in Practice
Security teams should treat MCP-connected agents as ephemeral workloads that need a narrowly scoped identity and a short-lived path to action. The practical pattern is not “give the agent a broad account,” but “issue just enough access for one task, verify intent at runtime, and revoke on completion.” That is where JIT credentials, ephemeral secrets, and workload identity become essential. A strong implementation uses cryptographic identity for the agent, then layers policy evaluation on top so every request is checked against context such as tool, data sensitivity, approval state, and task objective.
A workable design usually includes:
- Workload identity for the agent, often backed by SPIFFE/SPIRE or another machine identity system.
- Just-in-time credential issuance so secrets are short-lived and bound to a specific task.
- Intent-based authorization, where the agent’s requested action is evaluated at runtime rather than pre-approved by broad role.
- Per-tool logging and approval tracing so every handoff can be reconstructed later.
- Explicit separation between planning, execution, and privileged escalation paths.
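The pattern above, and the chaining problem described under "Why Traditional IAM Fails", as one added example. This is not code from NHIMG, SPIRE, or any MCP SDK: the HMAC-signed token stands in for a SPIRE-issued JWT-SVID or similar workload credential, the tool catalogue, tool names, `issue_task_token`, `authorize_call` and `TaskSession` are hypothetical, and the call sequence is constructed. Each call in that sequence is plausible on its own; the fourth is denied only because the per-task session remembers that secret data has already entered the task, and the fifth because the tool was never in the task's allow-list.

```python
"""Task-scoped credentials plus per-tool-call authorization for an MCP-style agent.

Added example; not NHIMG, SPIRE or MCP SDK code. All names are hypothetical and
the HMAC token is a stand-in for a real workload credential (e.g. a JWT-SVID).
"""
import hashlib
import hmac
import json
import time

# Hypothetical tool catalogue: the data sensitivity each tool touches and whether
# it can move data out of the task boundary (egress). Constructed for this example.
TOOLS = {
    "vault.read_secret":  {"sensitivity": "secret",   "egress": False},
    "db.query":           {"sensitivity": "internal", "egress": False},
    "tickets.create":     {"sensitivity": "internal", "egress": True},
    "slack.post_message": {"sensitivity": "public",   "egress": True},
}
SENSITIVITY_RANK = {"public": 0, "internal": 1, "secret": 2}

# Demo-only signing key. A real issuer would be SPIRE, a KMS, or an STS.
SIGNING_KEY = b"demo-only-key-not-for-production"


def _sign(claims):
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def issue_task_token(agent_id, task_id, allowed_tools, max_sensitivity, ttl_s=300, now=None):
    """Mint a short-lived credential bound to one agent identity, one task and a fixed tool allow-list."""
    now = int(time.time() if now is None else now)
    claims = {
        "sub": agent_id,                 # assumed SPIFFE-style workload ID
        "task": task_id,
        "tools": sorted(allowed_tools),
        "max_sens": max_sensitivity,     # ceiling on data sensitivity for this task
        "iat": now,
        "exp": now + ttl_s,
    }
    return {"claims": claims, "sig": _sign(claims)}


def verify_token(token, now):
    """Return an error string, or None if the token is authentic and unexpired."""
    if not hmac.compare_digest(_sign(token["claims"]), token["sig"]):
        return "bad signature"
    if now >= token["claims"]["exp"]:
        return "token expired"
    return None


class TaskSession:
    """State the policy engine keeps per task between tool calls."""

    def __init__(self):
        self.highest_read = "public"   # most sensitive data the agent has touched so far
        self.approved_egress = False   # flipped only by an explicit approval path, never by the agent
        self.audit = []


def _policy_reason(claims, session, tool):
    meta = TOOLS.get(tool)
    if meta is None:
        return "unknown tool"
    if tool not in claims["tools"]:
        return "tool not in task allow-list"
    if SENSITIVITY_RANK[meta["sensitivity"]] > SENSITIVITY_RANK[claims["max_sens"]]:
        return "tool exceeds task sensitivity ceiling"
    # Chain-aware rule: once secret data has entered the task, egress-capable
    # tools need an approval the agent cannot grant itself.
    if meta["egress"] and session.highest_read == "secret" and not session.approved_egress:
        return "egress after secret read requires approval"
    return None


def authorize_call(token, session, tool, now=None):
    """Decide one tool call. Every decision, allow or deny, goes to the per-task audit trail."""
    now = int(time.time() if now is None else now)
    reason = verify_token(token, now) or _policy_reason(token["claims"], session, tool)
    decision = "deny" if reason else "allow"
    c = token["claims"]
    session.audit.append({"ts": now, "task": c["task"], "agent": c["sub"], "tool": tool,
                          "decision": decision, "reason": reason or "policy ok"})
    if decision == "allow":
        sens = TOOLS[tool]["sensitivity"]
        if SENSITIVITY_RANK[sens] > SENSITIVITY_RANK[session.highest_read]:
            session.highest_read = sens
    return decision, reason


def run_chain(steps, now=1_700_000_000):
    """Replay a constructed call sequence under one task token and return the decisions."""
    token = issue_task_token("spiffe://example.org/agent/ops-bot", "task-42",
                             {"vault.read_secret", "db.query", "tickets.create"},
                             "secret", ttl_s=300, now=now)
    session = TaskSession()
    decisions = [authorize_call(token, session, tool, now=now + i)[0] for i, tool in enumerate(steps)]
    return decisions, session.audit


if __name__ == "__main__":
    # Constructed sequence: each call is small and plausible on its own.
    chain = ["db.query", "tickets.create", "vault.read_secret", "tickets.create", "slack.post_message"]
    decisions, audit = run_chain(chain)
    for row in audit:
        print(row)
```

The design choice worth noting is that the chain rule lives in `TaskSession`, not in the token: the token says what this task may ever touch, the session records what it has already touched, and egress is judged against both. `approved_egress` is set by a separate approval path the agent has no handle to, which is the "explicit separation between planning, execution, and privileged escalation" item in the list.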
NHIMG research shows why this matters: the practical lesson of AI LLM hijack breach and Guide to SPIFFE and SPIRE is that identity and containment must follow the workload, not the user who started it. External standards point in the same direction: OWASP Agentic AI Top 10 emphasizes agent-specific abuse paths, while NIST SP 800-207 Zero Trust Architecture reinforces continuous verification and least privilege. These controls break down when one long-lived secret is reused across many tools, because the agent can pivot faster than approval and revocation cycles.
Common Variations and Edge Cases
Tighter controls often increase operational overhead, so organisations have to balance security against latency, workflow friction, and the risk of blocking legitimate agent activity. There is no universal standard for this yet, especially where agents act semi-autonomously across multiple vendor tools or where human approval is intentionally deferred.
One common edge case is delegated automation, where the agent is permitted to prepare an action but not execute it. In that model, the policy boundary shifts from “can the agent do this?” to “can the agent request this and present sufficient context for a human or policy engine to approve it?” Another variation appears in high-trust internal workflows, such as code assistants or data ops agents, where teams assume the environment boundary is enough. It is not. If the agent can read secrets, call APIs, or trigger downstream automations, the same zero trust questions still apply. Another issue is that many environments still rely on static API keys or overbroad service accounts because they are easier to operationalise. That convenience creates standing privilege, which is exactly what zero trust is meant to remove.
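The delegated-automation model described above, as an added example that is not NHIMG code. `propose_action`, `approve`, `execute`, the tool names and the risk tiers are hypothetical, and a real deployment would route `approve` through a ticketing or chat approval flow rather than a function call. What the example adds to the prose is the failure mode the executor has to handle: an approval is only meaningful if it is bound to the exact action (tool, arguments and task) and expires, otherwise the agent can obtain approval for a harmless proposal and then execute something else, or replay an old approval later.

```python
"""Delegated automation: the agent proposes, a human or policy engine approves,
the executor runs only the exact approved action while the approval is live.

Added example; not NHIMG code. Names, tool identifiers and risk tiers are hypothetical.
"""
import hashlib
import json
import time

# Hypothetical risk tiers. Constructed for this example.
LOW_RISK_TOOLS = {"tickets.comment", "docs.search"}       # automated policy may clear these
HIGH_RISK_TOOLS = {"iam.grant_role", "db.delete_rows"}    # always a named human approver


def action_digest(task_id, tool, args):
    """Canonical hash of exactly what would run, in which task. Approvals bind to this."""
    canonical = json.dumps({"task": task_id, "tool": tool, "args": args},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def propose_action(agent_id, task_id, tool, args, justification):
    """Agent step: it may describe what it wants and why, but cannot approve or execute."""
    return {"agent": agent_id, "task": task_id, "tool": tool, "args": args,
            "justification": justification,
            "digest": action_digest(task_id, tool, args)}


def approve(proposal, approver, now=None, ttl_s=120):
    """Approval step. 'policy' is the automated engine and may only clear low-risk tools;
    anything else needs a named human. Returns an approval record, or None to escalate."""
    now = int(time.time() if now is None else now)
    if approver == "policy" and proposal["tool"] not in LOW_RISK_TOOLS:
        return None
    return {"digest": action_digest(proposal["task"], proposal["tool"], proposal["args"]),
            "approver": approver, "exp": now + ttl_s}


def execute(proposal, approval, now=None):
    """Executor step. Re-derives the digest from the proposal it is about to run, so the
    agent-supplied 'digest' field is never trusted, and re-checks the approver tier itself."""
    now = int(time.time() if now is None else now)
    if approval is None:
        return ("deny", "no approval")
    if approval["digest"] != action_digest(proposal["task"], proposal["tool"], proposal["args"]):
        return ("deny", "proposal changed after approval")
    if now >= approval["exp"]:
        return ("deny", "approval expired")
    if proposal["tool"] in HIGH_RISK_TOOLS and approval["approver"] == "policy":
        return ("deny", "high-risk tool needs a human approver")
    return ("allow", "executed " + proposal["tool"])


if __name__ == "__main__":
    t0 = 1_700_000_000
    # Constructed scenario: agent asks for a read-only role, a human approves,
    # then the agent edits the arguments and presents the same approval.
    p = propose_action("spiffe://example.org/agent/ops-bot", "task-42", "iam.grant_role",
                       {"user": "svc-report", "role": "reader"}, "report job needs read access")
    print("auto-approve attempt:", approve(p, "policy", now=t0))   # None: must escalate
    ok = approve(p, "alice@example.org", now=t0)
    print("approved execution:", execute(p, ok, now=t0 + 30))
    swapped = dict(p, args={"user": "svc-report", "role": "admin"})
    print("swapped arguments:", execute(swapped, ok, now=t0 + 30))
    print("stale approval:", execute(p, ok, now=t0 + 600))
```

Including the task identifier in the digest means an approval granted in one task cannot be carried into another, which is the per-task trust the page argues for; the short TTL keeps the approval from becoming the standing privilege the static API key would otherwise be.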
NHIMG’s Moltbook AI agent keys breach and the broader findings in Ultimate Guide to NHIs — Key Challenges and Risks show the same pattern: when agent credentials live too long, the blast radius grows faster than teams can observe it. The current best practice is evolving toward per-task trust, but many deployments still lack the scoping and telemetry needed to make that model real.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A01 | Agentic tool chaining and abuse fit the top risks for autonomous systems. |
| CSA MAESTRO | Layered agentic threat model | MAESTRO models autonomous agent threats, approvals, and runtime controls. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Sec. 2.1) | Zero trust requires continuous verification at each MCP tool boundary. |
Verify each agent request with least privilege and short-lived access before execution.
Reviewed and updated by the NHIMG editorial team on May 31, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org