The process by which an MCP server or proxy exposes available tools to a caller. If discovery is not filtered by principal and context, it can reveal capabilities that the identity is not actually authorised to use, creating an exposure before execution begins.
Expanded Definition
MCP tool discovery is the step in Model Context Protocol where a server or proxy advertises which tools exist, what they do, and how a caller may invoke them. In practice, discovery is not just a catalog function. It is an authorization-sensitive control point that should reflect the principal, session context, policy state, and any tenant or environment boundary. If discovery is broad while execution is narrow, the identity sees capabilities it should never have been told about. That mismatch matters because exposure can happen before a tool is ever called.
Definitions vary across vendors, but the security expectation is consistent: discovery should be filtered to the same scope that governs use. This aligns with the intent described in the OWASP Agentic AI Top 10, where tool exposure and over-permissioned agents are treated as distinct but related risks. In NHI terms, discovery must be treated like a policy decision, not a convenience feature.
The most common misapplication is exposing a full tool registry to every agent or service account, which occurs when teams reuse a single global discovery endpoint across principals with different authorisation scopes.
Examples and Use Cases
Implementing MCP Tool Discovery rigorously often introduces extra policy checks and more complex testing, requiring organisations to weigh simpler integration against tighter exposure control.
- A finance agent authenticates to an MCP proxy and only discovers payment-reconciliation tools, not payroll, treasury, or admin functions. This is the preferred pattern when the agent’s task is narrow and auditable.
- A developer assistant is allowed to discover repository-read and issue-triage tools, but not secret-retrieval or deployment actions. That separation reduces the chance of accidental escalation during routine code work, a concern echoed in the Analysis of Claude Code Security.
- A proxy filters discovery by tenant so that one customer’s automation cannot enumerate another customer’s internal tools, endpoints, or privileged workflows.
- A just-in-time support agent discovers only the tools required for the current ticket and loses access after the session ends, which supports tighter NHI lifecycle discipline as described in the NHI Lifecycle Management Guide.
- A security team compares advertised tools against runtime policy and removes any entry that appears in discovery but is blocked at execution, using the OWASP Top 10 for Agentic Applications 2026 as a review lens.
Discovery should also be logged as a governance event, because the fact that a tool was visible to a principal can matter even if no call succeeded.
Why It Matters in NHI Security
MCP Tool Discovery is important because visibility itself can become an exposure channel. If an identity can enumerate tools it cannot legitimately use, it gains intelligence about internal capabilities, workflow structure, and privileged operations. That information can help an attacker plan lateral movement, social engineering, or prompt-driven escalation. NHIMG research shows the scale of the broader problem: in AI Agents: The New Attack Surface, 80% of organisations reported AI agents had already performed actions beyond their intended scope, and 33% said agents accessed inappropriate or sensitive data beyond intended scope. Discovery gaps often sit upstream of those failures.
For NHI governance, the key issue is whether the tool list is aligned to the same trust boundary as the secret, token, or certificate that enables the session. If not, discovery becomes an early warning that the environment is overexposed. In the MCP context, this often overlaps with hard-coded configuration and weak scoping patterns highlighted in The State of MCP Server Security 2025.
Organisations typically encounter the consequences only after an agent enumerates restricted tools during an incident review, at which point MCP Tool Discovery becomes operationally unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Tool exposure and over-broad agent capability discovery are core agentic AI risks. |
| NIST AI RMF | AI RMF focuses on managing transparency and access risks in AI-enabled systems. | |
| NIST CSF 2.0 | PR.AC-4 | Access permissions should be enforced so discovery reflects least privilege. |
Filter discovered tools to the caller's exact authority and remove any capability not needed for the task.
Related resources from NHI Mgmt Group
- How should security teams handle tool discovery for AI agents in MCP environments?
- When should organizations consider adopting advanced tool discovery for AI agents?
- What is the difference between RAG access and MCP tool access?
- When do MCP tool controls become an IAM issue rather than a platform issue?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
