MCP-based agents can act on the content they receive, which turns inbound text into operational influence. If an attacker can poison that content, the agent may follow malicious instructions with shell, file, or network access, so the risk is execution through trusted context rather than passive misinformation.
Why This Matters for Security Teams
MCP changes the risk profile because it gives an agent a path from text ingestion to action execution. A documentation tool can mislead people; an MCP-based agent can potentially read, decide, and then use tools in the same trusted workflow. That makes prompt poisoning, tool abuse, and hidden instruction injection materially more dangerous than ordinary misinformation. Current guidance in OWASP Agentic AI Top 10 and NHIMG’s OWASP Agentic Applications Top 10 both point to the same operational reality: if the agent can act, every untrusted input becomes a potential control path.
The security mistake is treating the agent like a passive parser instead of an autonomous workload with execution authority. Once an attacker can shape the context, they may influence file access, network calls, credential use, or downstream agent steps. That is why CSA MAESTRO agentic AI threat modeling framework and NIST AI Risk Management Framework emphasise runtime governance, not just model safety. In practice, many security teams encounter this only after an agent has already taken an unauthorised action, rather than through intentional testing.
How It Works in Practice
The core difference is autonomy. A documentation tool usually stores, summarizes, or displays content. An MCP-based agent can convert that content into intent, then into tool execution. If malicious instructions are embedded in retrieved text, tickets, docs, or chat payloads, the agent may treat them as task context unless the platform separates untrusted content from executable instructions. That is why intent-based authorisation is becoming more important than static RBAC for agentic systems. The permission decision has to happen at runtime, based on what the agent is trying to do, not just what role it was assigned at deploy time.
Practitioners should think in terms of workload identity, JIT credentials, and short-lived secrets. The agent should prove what it is through cryptographic identity, then receive narrow, ephemeral access only for the current task. Long-lived secrets create a standing blast radius that an attacker can reuse once poisoned context steers the agent. This is consistent with NHIMG research on agentic abuse and with the broader findings in the AI LLM hijack breach analysis and Analysis of Claude Code Security, which show how quickly trusted context can become operationally dangerous.
- Use per-task tokens or JIT credentials with tight TTLs.
- Separate read-only context from command execution paths.
- Evaluate policy at request time with policy-as-code, not pre-approved assumptions.
- Restrict tools so the agent cannot chain shell, file, and network actions without explicit runtime approval.
Industry research also shows this is not theoretical. SailPoint reports that 80% of organisations have seen AI agents act beyond their intended scope, and 23% exposed credentials. These controls tend to break down when agents are given broad tool access in loosely governed, multi-step workflows because poisoned content can be converted into lateral movement before a human notices.
Common Variations and Edge Cases
Tighter tool gating often increases friction, requiring organisations to balance safety against task latency and developer overhead. That tradeoff matters most in multi-agent pipelines, where one agent retrieves content and another executes actions, because the trust boundary can blur between systems. Best practice is evolving, but there is no universal standard for this yet, so teams should treat every cross-agent handoff as a new authorisation event rather than a continuation of trust.
Some environments need different controls. A code-generation agent may need repository write access, while a support agent may only need read access plus ticket creation. In both cases, the safer pattern is the same: minimal standing privilege, short-lived secrets, and explicit runtime checks before any sensitive tool call. Where available, workload identity systems such as SPIFFE-style proof of workload identity strengthen the control plane because they identify the agent itself, not just the secret it is holding. NHIMG’s Top 10 NHI Issues and Ultimate Guide to NHIs — Key Challenges and Risks both reinforce that static identity assumptions fail when agents can adapt, chain tools, and shift goals mid-flight. This matters especially when an MCP server is also a secret source or a privileged orchestration layer, because compromise then affects both context and control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A1 | Covers prompt injection and tool abuse, the main MCP agent risk. |
| CSA MAESTRO | Focuses on runtime threat modeling for autonomous agent workflows. | |
| NIST AI RMF | Addresses governance for AI systems making context-driven decisions. |
Define ownership, monitor behaviour, and enforce AI risk controls continuously.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on May 30, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
