
MCP — Model Context Protocol

By NHI Mgmt Group Updated May 16, 2026

An open protocol enabling AI agents to connect to external tools, data sources, and services. MCP introduces new NHI considerations as agents must authenticate with credentials — ideally ephemeral, scoped tokens rather than persistent API keys.

Expanded Definition

Model Context Protocol, or MCP, is an open protocol that standardises how AI agents connect to tools, data sources, and services. In NHI security, MCP matters because each connection creates an identity, trust, and authorization decision, not just an integration path.

Definitions vary across vendors on whether MCP is mainly an interoperability standard or a security boundary. NHI practice treats it as both: a transport layer for context and a control point for credentials, scopes, and auditability. The security question is not whether an agent can reach a tool, but whether it should, under what conditions, and with what disposable access. That aligns closely with the model described in the OWASP Top 10 for Agentic Applications 2026, where tool misuse and overbroad agent permissions are recurring risk themes.

MCP becomes especially important when agents request retrieval, code execution, ticketing, or infrastructure actions. The most common misapplication is treating an MCP connection like a harmless API integration, which occurs when persistent credentials, broad scopes, and weak logging are allowed to follow the agent from one tool to the next.

Examples and Use Cases

Implementing MCP rigorously often introduces onboarding friction for tool owners and more review overhead for security teams, requiring organisations to weigh agent productivity against the cost of tighter credential controls.

  • An engineering agent uses MCP to query a code repository and open a pull request, but receives a short-lived token limited to a single project instead of a long-lived API key.
  • A support agent connects to a case management platform through MCP and can read ticket metadata, while write actions require explicit approval and step-up validation.
  • A data assistant retrieves customer records via MCP, but the connector is restricted to a narrow dataset and the session is logged for audit and incident review.
  • An operations agent requests infrastructure status through MCP, then performs a change only after policy checks confirm the action is consistent with OWASP Agentic Applications Top 10 guidance on agentic risk.
  • A software delivery workflow uses MCP for build-system access, but the token expires after the task and cannot be reused across environments.

These patterns are reinforced by broader research on autonomous systems in the Analysis of Claude Code Security, where constrained execution and scoped access reduce the blast radius of agent actions.

Why It Matters in NHI Security

MCP turns agent connectivity into an identity problem. If the agent can call tools, then the organisation must decide how identities are issued, how privileges are bounded, and how secrets are protected. That is why MCP governance belongs alongside PAM, RBAC, JIT credential provisioning, and Zero Trust Architecture, not inside a generic API management workflow.

Astrix Security reported that 53% of MCP servers expose credentials through hard-coded values in configuration files, showing how quickly protocol adoption becomes a secret-sprawl problem when engineering teams move faster than governance. When agents inherit persistent tokens, one compromised connector can expose multiple systems, making investigation and containment far harder. The same pattern appears in the Schneider Electric credentials breach, where credential misuse and access exposure became operationally significant.
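The hard-coded-credential problem described above is detectable before a connector ships. The following is an added example (not from the page or from Astrix) that scans a constructed MCP server configuration in the common `mcpServers` JSON layout, an assumption about the config shape, and reports secret-looking keys whose values are literals rather than runtime environment references:

```python
import json
import re

# Constructed sample config; the "mcpServers" layout is an assumption, values are fake.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {
            "command": "npx",
            "args": ["-y", "@example/github-mcp"],
            "env": {"GITHUB_TOKEN": "hardcoded-example-token-0123456789abcdef"}
        },
        "tickets": {
            "command": "ticket-mcp",
            "args": ["--api-key=example-literal-key-0123456789"],
            "env": {"TICKET_URL": "https://tickets.example.invalid"}
        },
        "vault-backed": {
            "command": "vault-mcp",
            "args": [],
            "env": {"VAULT_TOKEN": "${VAULT_TOKEN}"}   # resolved at runtime, not a literal
        }
    }
})

SECRET_KEY = re.compile(r"(token|secret|key|password|passwd|credential)", re.I)
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")   # ${VAR} or $VAR: injected at launch
LITERAL_SECRET = re.compile(r"[A-Za-z0-9_\-]{20,}")    # long opaque literal embedded in the file

def looks_hardcoded(value):
    # A secret-named key is a finding only when its value is a literal, not an env reference.
    return isinstance(value, str) and not ENV_REF.match(value) and bool(LITERAL_SECRET.search(value))

def scan_mcp_config(text):
    """Return (server, location, key) for each secret embedded as a literal in env or args."""
    findings = []
    servers = json.loads(text).get("mcpServers", {})
    for name, spec in servers.items():
        for k, v in spec.get("env", {}).items():
            if SECRET_KEY.search(k) and looks_hardcoded(v):
                findings.append((name, "env", k))
        for arg in spec.get("args", []):
            if "=" in arg:                      # secrets also hide in --flag=value arguments
                k, v = arg.split("=", 1)
                if SECRET_KEY.search(k) and looks_hardcoded(v):
                    findings.append((name, "args", k.lstrip("-")))
    return findings
```

Running `scan_mcp_config(SAMPLE_CONFIG)` flags the `github` and `tickets` entries and passes the vault-backed one, which is the pattern to enforce in review: references in the file, values delivered at runtime.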

For control design, practitioners should read MCP through the lens of the OWASP Agentic AI Top 10 and enforce ephemeral credentials, explicit tool scopes, and complete audit trails. Organisations typically encounter MCP risk only after a connector is abused, at which point addressing the protocol becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-02 | MCP sessions often fail through exposed secrets and overbroad tool access.
OWASP Agentic AI Top 10 | A2 | Agent tool access and escalation risk map directly to agentic misuse controls.
NIST Zero Trust (SP 800-207) | SA-3 | Zero Trust requires continuous verification of every agent-tool connection.

Treat each MCP request as untrusted and verify identity, context, and authorization every time.
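The use cases listed earlier (short-lived project-bound tokens, step-up approval for writes, logged sessions) and the rule above come together in a per-request gate. The following is an added example, not code from the page or from any MCP implementation; the token shape, the tool catalogue and the scope names are assumptions:

```python
import time
from dataclasses import dataclass

# Assumed shape of an ephemeral, project-scoped agent credential as an MCP server
# might receive it; illustrative only, not MCP's wire format.
@dataclass
class AgentToken:
    agent_id: str
    project: str
    scopes: frozenset      # e.g. {"repo:read", "repo:write"}
    expires_at: float      # Unix time; the token dies with the task

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False

# Hypothetical tool catalogue: the scope each tool needs and whether it mutates state.
TOOLS = {
    "repo.search":  {"scope": "repo:read",    "write": False},
    "repo.open_pr": {"scope": "repo:write",   "write": True},
    "tickets.read": {"scope": "tickets:read", "write": False},
}

AUDIT_LOG = []   # every request is recorded, allowed or denied, for incident review

def authorize_tool_call(token, tool, project, approved=False, now=None):
    """Re-verify identity, expiry, project binding and scope on every call.
    State-changing tools additionally require explicit step-up approval."""
    now = time.time() if now is None else now
    spec = TOOLS.get(tool)
    if spec is None:
        d = Decision(False, "unknown tool")
    elif now >= token.expires_at:
        d = Decision(False, "token expired")
    elif project != token.project:
        d = Decision(False, "token not scoped to this project")
    elif spec["scope"] not in token.scopes:
        d = Decision(False, "missing scope " + spec["scope"])
    elif spec["write"] and not approved:
        d = Decision(False, "write action requires explicit approval", True)
    else:
        d = Decision(True, "ok")
    AUDIT_LOG.append({"ts": now, "agent": token.agent_id, "tool": tool,
                      "project": project, "allowed": d.allowed, "reason": d.reason})
    return d
```

With a token scoped to `proj-a`, `authorize_tool_call(tok, "repo.open_pr", "proj-a")` is denied with `needs_approval=True` until the caller passes `approved=True`, and the same token is rejected outright for `proj-b` or once `expires_at` has passed.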


NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 16, 2026.