
MCP

By NHI Mgmt Group · Updated May 31, 2026 · Domain: Agentic AI & Autonomous Identity

Model Context Protocol, an open way for AI agents to connect to tools and data sources. It improves interoperability, but it also introduces a shared integration layer that must be governed carefully because the protocol can widen access across many systems at once.

Expanded Definition

Model Context Protocol, or MCP, is a standardised integration layer that lets an AI agent call tools, query data, and receive structured context from external systems. In NHI security, it matters because MCP turns many separate integrations into one reusable control plane for access.

That shared layer is useful, but it also concentrates risk. If the protocol server, tool registry, or credential broker is misconfigured, one agent can inherit broad reach across files, SaaS platforms, ticketing systems, and internal APIs. Definitions vary across vendors on whether MCP should be treated as a transport, an orchestration layer, or an access boundary, so governance language needs to be precise. For baseline threat framing, practitioners should compare MCP designs with the OWASP Top 10 for Agentic Applications 2026 and the OWASP Agentic Applications Top 10, because the protocol can magnify tool misuse, over-permissioning, and data exposure faster than traditional app integration patterns.

The most common misapplication is treating MCP as a safe default trust boundary, which occurs when teams enable broad tool access before scoping the agent’s actual mission.

Examples and Use Cases

Implementing MCP rigorously often introduces tighter permission design and more operational overhead, requiring organisations to weigh faster agent enablement against the cost of policy, logging, and review discipline.

  • An internal support agent uses MCP to open tickets and read customer records, but only after role-based and purpose-based scoping limits which records it can touch.
  • A coding assistant connects to a repository and dependency scanner through MCP, with ephemeral access and approval checkpoints for write actions, similar to the patterns discussed in Analysis of Claude Code Security.
  • A finance agent requests invoice data through MCP, while the underlying service account is constrained by OWASP Agentic AI Top 10-style guardrails for tool abuse and data leakage.
  • An operations agent pulls incident context from monitoring and CMDB tools, but only after the MCP server validates identity, intent, and request scope per tool invocation.
  • A security team provisions a test MCP server to simulate access to secrets and cloud APIs before rolling the protocol into production workflows.

These use cases show that MCP is less about “connecting an agent to everything” and more about deciding exactly what it may do, when, and under whose authority.
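The per-invocation check described in the use cases above (role- and purpose-based scoping, ephemeral access, and an approval checkpoint for write actions) can be expressed as a small deny-by-default gateway policy. The following is an added example, not code from NHIMG or from any MCP implementation; the tool catalogue, scope names, agent identity and timestamps are constructed assumptions, and every decision is emitted as one audit line so the full request chain stays reviewable.

```python
"""Per-invocation authorization for an MCP-style tool gateway.

Added illustration (not NHIMG or MCP project code). The tool catalogue,
scope names, agent grant and timestamps below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed tool catalogue: each tool declares the scope it needs and
# whether it mutates state (write actions get an approval checkpoint).
TOOLS = {
    "tickets.read":   {"scope": "tickets:read",  "write": False},
    "tickets.create": {"scope": "tickets:write", "write": True},
    "customers.read": {"scope": "crm:read",      "write": False},
    "secrets.read":   {"scope": "vault:read",    "write": False},
}


@dataclass(frozen=True)
class AgentGrant:
    """What one agent identity may do, for which purpose, and until when."""
    agent_id: str
    scopes: FrozenSet[str]
    purposes: FrozenSet[str]   # purpose-based scoping, e.g. "support"
    expires_at: int            # epoch seconds; grants are ephemeral


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_approval: bool = False


def authorize(grant: AgentGrant, tool: str, purpose: str, now: int) -> Decision:
    """Decide one tool invocation. Deny by default; every path states why."""
    spec = TOOLS.get(tool)
    if spec is None:
        return Decision(False, f"unknown tool {tool!r}")
    if now >= grant.expires_at:
        return Decision(False, "grant expired")
    if purpose not in grant.purposes:
        return Decision(False, f"purpose {purpose!r} not in grant")
    if spec["scope"] not in grant.scopes:
        return Decision(False, f"missing scope {spec['scope']!r}")
    # Writes pass the scope check but are held for a human approval step.
    if spec["write"]:
        return Decision(True, "scope ok; write action held for approval",
                        needs_approval=True)
    return Decision(True, "scope ok")


def audit_line(grant: AgentGrant, tool: str, purpose: str, d: Decision) -> str:
    """One structured audit record per invocation."""
    return (f"agent={grant.agent_id} tool={tool} purpose={purpose} "
            f"allowed={d.allowed} approval={d.needs_approval} reason={d.reason!r}")


# Constructed grant for an internal support agent: tickets and CRM reads,
# ticket writes (subject to approval), no vault access, support purpose only.
SUPPORT_AGENT = AgentGrant(
    agent_id="support-agent-01",
    scopes=frozenset({"tickets:read", "tickets:write", "crm:read"}),
    purposes=frozenset({"support"}),
    expires_at=1_800_000_000,
)

if __name__ == "__main__":
    now = 1_700_000_000
    requests = [("tickets.read", "support"), ("tickets.create", "support"),
                ("secrets.read", "support"), ("customers.read", "marketing")]
    for tool, purpose in requests:
        print(audit_line(SUPPORT_AGENT, tool, purpose,
                         authorize(SUPPORT_AGENT, tool, purpose, now)))
```

The point of the structure is that scope, purpose and expiry are each checked on every call rather than once at connection time, so an agent that is over-enabled at the transport level still cannot reach a tool its mission does not cover.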

Why It Matters in NHI Security

MCP becomes a security issue as soon as it carries NHI credentials, because the protocol can turn one compromised agent into a path toward many downstream systems. That is why the control problem is not just authentication, but also tool scoping, secret handling, and auditability across the full request chain. The OWASP Agentic Applications Top 10 is useful here because it frames the kinds of agent actions that become dangerous when connectors are overtrusted.

NHIMG research shows why this matters in practice: Analysis of Claude Code Security highlights how agent toolchains can widen the blast radius of a single workflow. In the broader MCP ecosystem, Astrix Security reports that 53% of MCP servers expose credentials through hard-coded values in configuration files, and only 18% implement any form of access scoping for tool permissions. That combination is exactly how NHI compromise spreads from one integration point into a wider identity failure. Practitioners should also anchor control design to the OWASP Top 10 for Agentic Applications 2026, especially where autonomous actions can bypass human review.

Organisations typically encounter the real operational cost only after an agent accesses the wrong dataset or reveals a secret, at which point governing MCP becomes unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) sets the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| OWASP Non-Human Identity Top 10 | NHI-02 | Covers secret exposure and overbroad access in non-human identity integrations. |
| OWASP Agentic AI Top 10 | A3 | Addresses tool misuse and excessive agent authority in connected workflows. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | MCP should operate with continuous verification and least-privilege access to resources. |

Inventory MCP secrets, remove hard-coded values, and scope each tool to the minimum required NHI privilege.
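The inventory step above, and the hard-coded-credential and missing-scoping figures cited earlier, suggest a first check that can run against MCP server configuration files before they reach production. The following is an added example, not code from NHIMG or from any MCP implementation. It assumes a JSON layout with a top-level "mcpServers" map whose entries carry "env" and "args"; the "allowedTools" scoping key, the sample servers and the credential values are constructed for the example. It flags literal values that look like secrets (keys named like credentials with random-looking values, or strings carrying well-known token prefixes) while accepting environment-variable or secret-manager references, and it reports servers with no tool scoping declared.

```python
"""Scan an MCP server configuration file for hard-coded credentials and
missing tool scoping.

Added example, not NHIMG or MCP project code. The JSON layout
("mcpServers" -> per-server "env"/"args"), the "allowedTools" scoping key
and all sample values are constructed assumptions.
"""
import json
import math
import re
from typing import Dict, List

# Key names that usually hold credentials.
SECRET_KEY_RE = re.compile(r"(token|secret|passw(or)?d|api_?key|private_?key)", re.I)
# References to an environment variable or a secret manager are acceptable.
REFERENCE_RE = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$|^(op|vault|aws-sm)://")
# Well-known credential prefixes that identify a literal token regardless of key name.
TOKEN_LIKE_RE = re.compile(r"^(ghp_|sk-|xox[bp]-|AKIA)[A-Za-z0-9_\-]{8,}$")
# Command-line form such as "--token=<literal>".
ARG_KV_RE = re.compile(r"^--?([A-Za-z_\-]+)=(.+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score well above prose."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_secret(key: str, value: str) -> bool:
    if REFERENCE_RE.match(value):
        return False
    if TOKEN_LIKE_RE.match(value):
        return True
    return (bool(SECRET_KEY_RE.search(key))
            and len(value) >= 16 and shannon_entropy(value) > 3.0)


def scan_config(text: str) -> List[Dict[str, str]]:
    """Return one finding per hard-coded secret or unscoped server."""
    cfg = json.loads(text)
    findings: List[Dict[str, str]] = []
    for name, server in cfg.get("mcpServers", {}).items():
        for key, value in server.get("env", {}).items():
            if isinstance(value, str) and looks_like_secret(key, value):
                findings.append({"server": name, "issue": "hardcoded_secret",
                                 "where": f"env.{key}"})
        for i, arg in enumerate(server.get("args", [])):
            m = ARG_KV_RE.match(str(arg))
            if m and looks_like_secret(m.group(1), m.group(2)):
                findings.append({"server": name, "issue": "hardcoded_secret",
                                 "where": f"args[{i}]"})
        if not server.get("allowedTools"):   # assumed scoping key
            findings.append({"server": name, "issue": "no_tool_scoping",
                             "where": "allowedTools"})
    return findings


# Constructed sample: one clean server, one with a literal API key and no
# scoping, one passing a token-shaped literal on the command line.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "tickets": {
      "command": "tickets-mcp",
      "env": {"TICKETS_API_TOKEN": "${TICKETS_API_TOKEN}"},
      "allowedTools": ["tickets.read"]
    },
    "crm": {
      "command": "crm-mcp",
      "env": {"CRM_API_KEY": "k7Qm2xP9vL4sT8wZ1nR6bH3yJ5cF0dG2"}
    },
    "repo": {
      "command": "repo-mcp",
      "args": ["--token=ghp_AbCdEf0123456789XyZ"],
      "allowedTools": ["repo.read"]
    }
  }
}
"""

if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"{f['server']:8} {f['issue']:17} {f['where']}")
```

Run as a pre-commit or pipeline step, the scanner turns the two failure modes the page cites into a concrete gate: a server entry either references its credential from a broker and declares what tools it may expose, or it does not ship.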

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on May 31, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org