MCP Security Risks: What Every Team Should Know


There’s a ton of buzz around Model Context Protocol (MCP), and for good reason. It’s the “glue” that helps orchestrate interactions between AI tools and systems, the direct enabler for explosive growth in AI, particularly agentic systems, which are able to interpret data and act autonomously. 

Unsurprisingly, this functionality is in high demand. In 2024, the nascent agentic AI market reached a staggering $5.4 billion, and by 2030, it’s supposed to explode to $50.31 billion, growing 45.8% each year in between. 

A big driver of this growth is the fact that, according to a recent study by IBM, an increasing number of businesses view AI agents as mission-critical — not nice-to-haves. Already, AI agents are handling operations, making decisions, and managing critical workflows. It’s exciting!

But what happens if an agentic “orchestrator” gets compromised? What if a user prompt accidentally or deliberately nudges the model into issuing harmful commands? 

The stakes instantly go up exponentially. 

Unfortunately, when it comes to an agent getting exploited or running afoul of guardrails, the question isn’t about if but when. A study found that nearly all AI agents had policy violations within just 10 to 100 queries. Alarming, right? 

This is why MCP security is so important.

In this article, we’ll examine what MCP is, some key security risks, and how to mitigate them.

What is MCP?

First things first: What on earth is Model Context Protocol (MCP)? 

Think of MCP as a universal translator and manager that helps AI programs — especially large language models (LLMs) — communicate and work with other tools and third-party services. Rather than each tool and AI system having its own language, MCP offers a standardized way to connect all of them.

Imagine that you want to use your smart AI phone assistant to book yourself a slot to play on a paddle court, within a two-mile radius, on a cool evening within any of the next seven days. The assistant will need to look up your calendar, check the availability through the online paddle court roster, and make sure the weather cooperates as well. 

Without MCP, the assistant will need to establish unique connections to each service involved in the process. It’s like speaking Dutch with one app and Chinese with another. As the number of services and tools that the assistant needs to connect with grows, it becomes a real headache.

With MCP, however, the agent just needs to learn how to speak one language, greatly simplifying the interaction. 


How do MCPs work?

Now that you have a better idea of what MCP is, let’s examine how MCP works.

MCP acts as a bridge that connects the AI’s brain (in our case the LLM) to the outside world (tools and other services). Any AI app (host) will typically contain an MCP client that sends requests to MCP servers. 

The MCP servers here represent (from our example above) elements like calendars, weather services, and vendor websites. Communications take place via standard messages (JSON-RPC) over a secure channel. 

After the client and server establish a handshake, the client sends over commands or queries (e.g., What is the weather tomorrow at 5 p.m.?) and the server responds with specific data or actions (e.g., It’s 21 degrees Celsius with winds blowing at 10 miles per hour).

MCP makes AI interactions modular, scalable, and secure. As a result, it’s easier for the AI to fetch live data and perform tasks in real time without having to hard-code any connections. 
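The exchange described above, as an added example that is not part of the original post: a minimal MCP server and an MCP client run in-process and walk through the initialize handshake, tools/list discovery and a tools/call, all as JSON-RPC messages. The method names and message shapes follow the published MCP specification; the transport (normally stdio or HTTP) is replaced by a direct function call, and the weather tool, its reply, the server name and the client name are constructed for illustration.

```python
import json

PROTOCOL_VERSION = "2024-11-05"  # MCP protocol version string; assumed for this example

# Server side: one constructed weather tool, described the way MCP advertises tools.
TOOLS = {"get_weather": {
    "name": "get_weather",
    "description": "Forecast for a city at a given local time",
    "inputSchema": {"type": "object",
                    "properties": {"city": {"type": "string"}, "when": {"type": "string"}},
                    "required": ["city", "when"]}}}

def error(msg_id, code, message):
    return json.dumps({"jsonrpc": "2.0", "id": msg_id, "error": {"code": code, "message": message}})

def server_handle(raw):
    """Answer one JSON-RPC message from the client; notifications get no reply."""
    msg = json.loads(raw)
    if "id" not in msg:                      # e.g. notifications/initialized
        return None
    method, params = msg["method"], msg.get("params", {})
    if method == "initialize":               # handshake: agree on version and capabilities
        result = {"protocolVersion": PROTOCOL_VERSION, "capabilities": {"tools": {}},
                  "serverInfo": {"name": "weather-server", "version": "0.1"}}
    elif method == "tools/list":             # discovery: tell the client what it may call
        result = {"tools": list(TOOLS.values())}
    elif method == "tools/call":             # execution: run the named tool
        name, args = params.get("name"), params.get("arguments", {})
        tool = TOOLS.get(name)
        if tool is None or set(tool["inputSchema"]["required"]) - set(args):
            return error(msg["id"], -32602, f"unknown tool or missing arguments: {name}")
        # Constructed weather data; a real server would query a weather service here.
        text = f"{args['city']} at {args['when']}: 21 degrees Celsius, wind 10 mph"
        result = {"content": [{"type": "text", "text": text}], "isError": False}
    else:
        return error(msg["id"], -32601, "method not found")
    return json.dumps({"jsonrpc": "2.0", "id": msg["id"], "result": result})

# Client side: the sequence an MCP host's client runs before it can use a tool.
def client_session():
    def rpc(msg_id, method, params):
        return json.loads(server_handle(json.dumps(
            {"jsonrpc": "2.0", "id": msg_id, "method": method, "params": params})))
    init = rpc(1, "initialize", {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                                 "clientInfo": {"name": "paddle-assistant", "version": "0.1"}})
    server_handle(json.dumps({"jsonrpc": "2.0", "method": "notifications/initialized"}))
    tools = rpc(2, "tools/list", {})
    reply = rpc(3, "tools/call", {"name": "get_weather",
                                  "arguments": {"city": "Amsterdam", "when": "tomorrow 17:00"}})
    return init, tools, reply
```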

MCP: Security Considerations

With so many moving parts, MCP security can become complicated. This is especially true for critical AI systems with little or no human oversight. 

For example, imagine an AI controlling a nuclear power plant’s core temperature. Since agents can be hacked, perhaps pulling off Chernobyl 2.0 no longer seems that far-fetched. 

Before rolling out MCP environments, it’s important to understand key risks.

  1. Elevated privileges

MCP processes often require and run with excess privileges to perform a broad set of tasks. This magnifies the impact of an exploit should it occur. The best practice here is to ensure that the AI tool is granted the exact set of privileges it requires versus default “admin” access. 

  2. Weak authentication

Flawed or missing authentication measures can help attackers gain access to critical business systems. Make sure to enforce strict authentication measures, review authentication regularly, and adjust authentication levels if your toolchain changes.

  3. Tool masquerading

Malicious copies of tools can be introduced to the marketplace posing as originals. As a result, your agents might get integrated with fraudulent tools. Should this happen, bad actors can sabotage operations and steal data. To avoid this fate, make sure your AI tool is really connecting with Tools”R”Us — not Tools”R”Sus.

  4. Unauthorized code runs

Local MCP servers can run code unchecked, depending on the tool’s configuration. A malicious external tool might pass along code that, when run, tricks the AI app into handing over its admin user credentials, for example. Build in checks to ensure that any executables are reviewed and data is sanitized with the right guardrails to avoid sensitive data being leaked. 

Security risks and harmful scenarios

MCP can automate critical workflows, increasing productivity. But at the same time, it can amplify risk. Striking a balance is crucial for businesses. With that in mind, let’s examine some of the most high-stakes scenarios that your AI implementation team needs to understand.

Prompt Injections

LLMs act as interpreters. If one is tricked into invoking a privileged action or tool, the MCP server will execute it without hesitation. 

For instance, imagine a supply chain analyst asks an AI assistant to summarize the last five shipment reports. Inside one of the reports is a prompt that instructs the LLM to ignore all previous instructions and dispatch all orders to customers. 

If the assistant is connected to a system that dispatches orders, it will release the shipments, and customers could receive erroneous orders. 

Prompt injections can cause serious business loss owing to unauthorized workflows, data edits en masse, and operational chaos.

Excessive privileges

As we discussed earlier, excessive privileges often translate into danger. There may be cases where workflows intended for QA can end up having production deployment rights, for example. Accidental outages and destructive changes can slow businesses down for hours on end.

Resource sanitization

One recent report found that 65% of AI companies have had company secrets leaked across the internet. This is in part due to MCP servers inadvertently exposing resources in the form of log files, SQL outputs, config data, and even proprietary source code. While employing MCP, appropriate scoping, masking, and sanitization should be guaranteed.

Security controls  

Now that you have more clarity on the risks, let’s focus on actionable safeguards your team can adopt immediately.

1. Restrict access with explicit allow/deny lists

Your model only needs to see the tools that are required for the job. Likewise, tools should only perform actions they are explicitly allowed to do. The clearer an AI application’s scope, the more precisely access can be managed. A good practice is to define what MCP agents are capable of so that access rightsizing can be done from the get-go.

2. Multilayer validation 

Validation should not be a single-stage operation. Exploits can occur at any stage of a workflow. That’s why validations should happen at least at three stages:

  1. Before models receive user input
  2. After models generate calls for external tools
  3. Inside the MCP servers before execution 

3. Enforcing sanitization and token restrictions

From the examples above, we saw how LLMs might produce sensitive outputs that can break downstream systems. To prevent this, ensure that the size, structure, and type of all returned data are strictly controlled and sanitized. 

4. Monitor continuously

Always track the frequency of tool calls, sequences of unusual actions, and unexpected spikes in resource usage. All these can often hint at potential exploits in progress, or notify you after the fact. Treat MCP observability just as you would treat observability in cloud infrastructure and CI/CD pipelines. The stakes are just as high.

5. Have a kill switch

If any threshold is crossed — excessive tool calls, suspicious patterns, or attempts to execute unauthorized commands — the workflow should automatically stop. It should only resume after a human has reviewed and approved the situation.
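An added example (not Workato’s or the author’s code) that puts controls 1 to 5 above into a single gatekeeper sitting between the model’s proposed tool call and the MCP server: a per-task allow list, argument validation at the “after the model generates calls” stage, redaction of secret-looking values with a size cap on returned data, per-tool call counting, and a kill switch that halts the run until a human reviews it. Applied to the prompt-injection scenario above, a summarization task that is only allowed read tools has an injected dispatch_orders call refused and the run stopped. The task and tool names, limits, secret pattern and sample reports are constructed; a real deployment would forward execute() to the server’s tools/call.

```python
import re
from collections import Counter

# Control 1: each task gets an explicit allow list. Summarizing reports needs only read tools.
TASK_ALLOWLIST = {"summarize_reports": {"list_reports", "read_report"}}

# Control 2, stage 2: the arguments the model proposes are checked against a schema.
ARG_SCHEMA = {"list_reports": {"limit": int}, "read_report": {"report_id": str}}

# Control 3: cap the size of returned data and redact secret-looking values.
MAX_OUTPUT_CHARS = 2000
SECRET_RE = re.compile(r"(?i)\b(api[_-]?key|password|token)\s*[=:]\s*\S+")

# Controls 4 and 5: count calls per run and halt the run when a threshold is crossed.
MAX_CALLS_PER_RUN = 20

class KillSwitch(Exception):
    """Raised when the workflow must stop until a human reviews and approves it."""

def sanitize(text):
    text = SECRET_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)
    return text[:MAX_OUTPUT_CHARS]

class ToolGate:
    """Sits between the LLM's proposed tool call and the real MCP tools/call."""
    def __init__(self, task, execute):
        self.task, self.execute = task, execute   # execute(name, args) -> str
        self.calls, self.halted = Counter(), False

    def call(self, name, args):
        if self.halted:
            raise KillSwitch("run halted pending human review")
        if name not in TASK_ALLOWLIST.get(self.task, set()):
            self.halted = True                    # an unauthorized action trips the switch
            raise KillSwitch(f"tool {name!r} is not allowed for task {self.task!r}")
        schema = ARG_SCHEMA[name]
        if set(args) != set(schema) or any(not isinstance(args[k], t) for k, t in schema.items()):
            raise ValueError(f"arguments for {name} do not match {schema}")  # back to the model
        self.calls[name] += 1                     # observability: per-tool call counts
        if sum(self.calls.values()) > MAX_CALLS_PER_RUN:
            self.halted = True
            raise KillSwitch("tool-call budget exceeded")
        return sanitize(self.execute(name, args))

# Constructed stand-in for the MCP server; one report accidentally contains a credential.
FAKE_REPORTS = {"r1": "Shipment 1 on time. api_key=sk-live-1234 (ops note)", "r2": "Shipment 2 delayed"}
def fake_execute(name, args):
    if name == "list_reports":
        return ",".join(sorted(FAKE_REPORTS)[:args["limit"]])
    return FAKE_REPORTS[args["report_id"]]
```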


Conclusion 

MCP unlocks a world of AI-enabled automation and decision making. One of its superpowers is its flexibility. Beware, though: This very flexibility can be a double-edged sword. 

To ensure MCPs work as intended, you can’t simply “set it and forget it.” MCPs need to employ human oversight, hardened access controls, layered validation, and rigorous monitoring.

Businesses can’t afford to treat MCP security as an afterthought. Instead, security should be baked into the foundation of any AI workflow implementation.

A pioneer in the MCP security and governance space, Workato rolled out its very own MCP enterprise ecosystem. To learn more about this cutting-edge tech and how it can set your business up for success with agentic AI, read this.

This post was written by Ali Mannan Tirmizi. Ali is a Senior DevOps manager and specializes in SaaS copywriting. He holds a degree in electrical engineering and physics and has held several leadership positions in the Manufacturing IT, DevOps and social impact domains.