MCP matters because it turns model connectivity into potential tool access, and tool access is a privilege issue. If a protocol flaw or weak default lets an AI session reach files, secrets, or automation hooks, IAM teams have inherited a new privilege boundary to govern. Treat each connection as privileged and review it like any other high-risk access path.
Why This Matters for Security Teams
MCP changes the question from “Can the model talk to a tool?” to “What privileged action can that session take once the tool is exposed?” That is why IAM teams should care: Model Context Protocol becomes an identity and authorisation boundary as soon as it can read files, call APIs, or trigger automation. The risk is amplified in agentic systems, where autonomous software can chain tools, reuse context, and move from benign prompts to high-impact actions without a human step in the middle.
This is not a theoretical concern. SailPoint reports that 80% of organisations have already seen AI agents act beyond intended scope, including unauthorised system access and credential exposure, which is why governance for these workloads is moving quickly into mainstream access control work. NHI teams should review the OWASP Agentic Applications Top 10 alongside the OWASP Agentic AI Top 10 because MCP often sits exactly where prompt risk turns into privilege risk. In practice, many security teams discover this boundary only after an AI workflow has already touched a secret store or automation hook, rather than through intentional access design.
How It Works in Practice
For IAM teams, MCP should be treated as a workload access layer, not a convenience protocol. The practical control objective is to bind each agent or session to a narrowly defined identity, then evaluate every tool request at runtime. That usually means intent-based authorisation, JIT credential provisioning, and short-lived secrets rather than long-lived API keys. Static RBAC alone is often too coarse for autonomous systems because the agent’s next action is not always predictable from its initial role.
A more resilient pattern is to combine workload identity with policy-as-code. The agent proves who it is through cryptographic identity such as SPIFFE/SPIRE or OIDC-backed workload tokens, then the policy engine decides whether the current request is acceptable in context. Current guidance suggests this should be evaluated per action, not per login, especially when the agent can reach code repositories, ticketing systems, or secret managers. The NHI control model in Analysis of Claude Code Security maps closely to this pattern because code-facing agents need strong command scoping, not blanket trust.
- Issue credentials per task, with TTLs that expire automatically when the job ends.
- Scope tool permissions to the minimum API, path, or command needed for the current intent.
- Log every MCP call as a privileged access event for audit and anomaly review.
- Separate read-only discovery from write or execute permissions wherever possible.
These controls align with the governance direction in the CSA AI Agent Disclosure Accountability Gap whitepaper and the OWASP Top 10 for Agentic Applications 2026, both of which emphasise governance gaps between declared capability and actual runtime access. These controls tend to break down in high-throughput automation environments because teams over-grant access to reduce friction, then lose the ability to distinguish legitimate agent behaviour from privilege creep.
Common Variations and Edge Cases
Tighter MCP control often increases operational overhead, requiring organisations to balance developer speed against real-time authorisation and auditing cost. That tradeoff is unavoidable, especially when agents need to work across many tools or complete multi-step tasks without human pause. There is no universal standard for this yet, so current guidance from Azure Key Vault privilege escalation exposure is to assume secrets reachability is itself a high-risk privilege and to design for least exposure, not just least privilege.
The hardest edge cases are delegated workflows, shared tool brokers, and multi-agent pipelines. In those environments, one agent may request access on behalf of another, which makes RBAC look neat on paper but weak in practice because the real control point is the request context, not the named role. NIST AI Risk Management Framework and CSA MAESTRO both point toward stronger governance over autonomy, traceability, and human oversight, while NIST Zero Trust Architecture reinforces continuous verification rather than trust after first contact. The operational takeaway is simple: if MCP can reach secrets, execution, or identity stores, it is already part of the privileged access perimeter.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Agentic tool access is a core risk in OWASP agent guidance. | |
| CSA MAESTRO | MAESTRO covers governance for autonomous agent behaviour and access. | |
| NIST AI RMF | AI RMF addresses governance, accountability, and monitoring for AI systems. |
Use AI RMF GOVERN and MEASURE practices to define ownership and monitor MCP-driven agent actions.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
