Client secrets create risk because they are persistent, copyable, and often reused across pipelines, workloads, and downstream APIs. In MCP, that turns one authentication artifact into a broad access bridge if it leaks. Federated workload identity reduces this exposure by proving identity through signed assertions rather than shared secrets.
Why Client Secrets Are a High-Value Failure Point in MCP
Client secrets are risky in Model Context Protocol environments because they are durable credentials, not proof of intent. Once a secret is embedded in an agent toolchain, shared across environments, or copied into a downstream API call, it becomes a reusable bridge into multiple systems. That matters more in MCP because the protocol often sits inside broader agentic workflows where a single compromise can move from one tool to several.
NHIMG's Guide to the Secret Sprawl Challenge shows how quickly secrets accumulate across code, configuration, and collaboration tools, and GitGuardian found 24,008 unique secrets were exposed in MCP configuration files in 2025 alone. That exposure pattern matches the broader warning in the OWASP Non-Human Identity Top 10: persistent credentials create standing access that is difficult to scope tightly. In practice, many security teams encounter the blast radius only after a secret has already been reused in an unintended MCP path.
How the Risk Expands Across Agents, Tools, and Pipelines
The technical problem is not just leakage. It is reuse. A client secret can authenticate an MCP client, but the same secret is often copied into CI/CD variables, local developer files, deployment manifests, and integration scripts. In autonomous or semi-autonomous workflows, an agent may chain tool calls in ways the original designer did not anticipate, so a single persistent secret can become the key that unlocks multiple downstream systems.
Current guidance from OWASP Agentic AI Top 10 and NIST Cybersecurity Framework 2.0 points toward reducing standing privilege and shortening credential lifetime. For MCP, that means preferring federated workload identity, signed assertions, and just-in-time issuance over shared secrets wherever the platform supports it. The operational model should be:
- Authenticate the workload with cryptographic identity, not a reusable shared secret.
- Issue credentials per task or per session, with short TTL and automatic revocation.
- Bind access to context, such as tool, tenant, audience, and request purpose.
- Log and correlate every token exchange so secret reuse is visible during review.
This approach aligns with NHIMG guidance in the Ultimate Guide to NHIs — Static vs Dynamic Secrets and the Analysis of Claude Code Security, which both reinforce that short-lived credentials are materially safer than static ones in AI-driven execution paths. These controls tend to break down when MCP clients run in long-lived shared runners because secret reuse and lateral movement become operationally invisible.
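As an added illustration of that operational model (example code written for this article, not from NHIMG or any MCP SDK), the Go sketch below has a workload present a signed, audience-bound, short-lived assertion instead of a secret, and has the verifying side reject a wrong audience, an expired assertion, and a replayed one. The issuer and audience strings are constructed placeholders, times are plain unix seconds, and the verifier hands back an audit record for the caller to write to its log.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Assertion is a simplified client-assertion claim set (RFC 7523 shape): it is signed by the workload, never a shared secret.
type Assertion struct {
	Iss string `json:"iss"` // workload identity (constructed value in the test)
	Aud string `json:"aud"` // the one service this assertion may be exchanged at
	Exp int64  `json:"exp"` // absolute expiry, unix seconds; keep the TTL short
	Jti string `json:"jti"` // unique id: single-use and correlatable in audit logs
}

// Issue signs a fresh, audience-bound assertion with the workload's private key (ttl and now in unix seconds).
func Issue(priv ed25519.PrivateKey, iss, aud string, ttl, now int64) (body, sig []byte) {
	jti := make([]byte, 8)
	rand.Read(jti)
	body, _ = json.Marshal(Assertion{Iss: iss, Aud: aud, Exp: now + ttl, Jti: fmt.Sprintf("%x", jti)})
	return body, ed25519.Sign(priv, body)
}

// Verifier is the token-endpoint side: a pinned audience, the issuer's registered public key, and a replay cache.
type Verifier struct {
	Aud  string
	Pub  ed25519.PublicKey
	Seen map[string]bool // jti values already exchanged; must be initialised by the caller
}

// Verify checks signature, audience, expiry and replay, then returns an audit record for the caller to log.
func (v *Verifier) Verify(body, sig []byte, now int64) (string, error) {
	var a Assertion
	switch {
	case !ed25519.Verify(v.Pub, body, sig):
		return "", fmt.Errorf("bad signature: not the registered workload key")
	case json.Unmarshal(body, &a) != nil:
		return "", fmt.Errorf("malformed assertion")
	case a.Aud != v.Aud:
		return "", fmt.Errorf("audience mismatch: assertion bound to %q, not %q", a.Aud, v.Aud)
	case now >= a.Exp:
		return "", fmt.Errorf("assertion expired at %d", a.Exp)
	case v.Seen[a.Jti]:
		return "", fmt.Errorf("replay: jti %s already exchanged", a.Jti)
	}
	v.Seen[a.Jti] = true
	return fmt.Sprintf("t=%d iss=%s aud=%s jti=%s", now, a.Iss, a.Aud, a.Jti), nil
}
```

The same assertion bytes cannot be reused against a second service or a second time, which is exactly the property a copied client secret lacks.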
Common Variations, Tradeoffs, and Where Guidance Is Still Evolving
Tighter secret controls often increase integration overhead, so organisations must balance security strength against developer friction and release speed. That tradeoff is especially real in mixed environments where some MCP clients can use federated identity and others still depend on vendor-issued client secrets. Current guidance suggests phasing out static secrets first in high-risk paths, then extending the model as platform support matures.
There is no universal standard for this yet, but the direction is clear: use workload identity, limit secret scope, and prefer ephemeral credentials for every machine-to-machine exchange. The strongest evidence for urgency comes from the supply chain side, where NHIMG’s Shai Hulud npm malware campaign and Reviewdog GitHub Action supply chain attack show how quickly secrets escape from build systems into attacker hands. That is why the best practice is evolving toward federated identity and zero standing privilege, not larger secret stores. For teams still depending on static credentials, the main edge case is vendor lock-in, where the MCP ecosystem does not yet support workload identity cleanly and compensating controls become mandatory rather than optional.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Static secrets create standing access and weak lifecycle control. |
| OWASP Agentic AI Top 10 | A1 | Agentic tool use increases the blast radius of a leaked client secret. |
| NIST AI RMF | | AI risk governance is needed for autonomous systems that can reuse credentials unpredictably. |
Define ownership, monitoring, and escalation rules for MCP-connected agents under the AI governance program.
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org