AuthZ Agent of Chaos: MCP
There’s a lot of excitement around agentic AI open protocols such as Model Context Protocol (MCP) and Agent2Agent (A2A), and for good reason. Agents capable of acting on a broader set of resources and capabilities deliver undeniable benefits to organizations seeking an easier way to connect AI to data sources. The global adoption of these protocols could truly represent an inflection point for human-computer interactions. This article, however, focuses on MCP, with a follow-up on A2A in the coming weeks.
TL;DR - OAuth alone will not solve all security concerns. Without the proper security considerations, these protocols could erode nearly all security boundaries that rely on identity.
There are existing efforts towards crafting an RFC for MCP server authorization, but the open nature of MCP’s design specification requires organizations to take proactive ownership of their security. Specifically, MCP could introduce vulnerabilities that compound traditional attack vectors with novel, AI-specific vectors. MCP agents operate within a decentralized authorization landscape: they inherit the trust boundaries and security perimeters of the user, yet their actions are not attributed to the agent as a distinct actor, creating what I’ve characterized as an "AuthZ agent of chaos."
While many great technical papers are emerging on the topic, I thought I would summarize some of my observations and overall security concerns.
Permission Management Challenges
The permission management architecture within MCP inherits the full scope of a user’s OAuth permission grant. Current implementations frequently employ a one-time authorization model in which the initial permission grant persists for the rest of the session. Claude Desktop, for instance, applies the initial permission response to all subsequent interactions with a particular tool, turning what the user experiences as a one-off approval into standing access for every later call to that tool. With no secure default, the user is forced to choose between approval fatigue and persistent access, and will predictably opt for the latter as the only viable option. These design patterns point to fundamental identity and attribution weaknesses that will require substantial protocol evolution to adequately address. Transitive identity (an agent acting with the user’s token) dissolves the entity boundaries that authorization systems depend on, creating fundamental challenges for auth systems that rely on stable identity constructs.
Inter-tool Attack Surface
Security research has recently demonstrated that indirect prompt injection, by embedding malicious instructions in seemingly innocuous documents, can orchestrate complex multi-tool attack chains without triggering additional permission prompts. The attack pattern illustrates how the aggregate nature of tool access and permissions creates far more complex attack surfaces than traditional security models can adequately capture or contain: permission-amplification cascades emerge unpredictably from the interaction between ostensibly separate, agent-mediated authorization domains. In enterprise AI systems that allow shared workspaces, MCP permits data to traverse the LLM as the control plane, effectively bypassing the primary data access restrictions.
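To make the two failure modes above concrete (a one-time approval that silently becomes standing access, and a document-borne injection that chains a read into a high-impact tool without a fresh prompt), here is an added example of a tool-call broker that avoids both. It is illustrative code written for this article, not Claude Desktop’s logic or anything from the MCP specification. The tool classification, the TTL and use counts, the `Principal` composite identity, and the scenario’s document path and e-mail address are all assumptions constructed for the example.

```python
import time
from dataclasses import dataclass

# Tool classification is an assumption of this example, not part of MCP:
# tools whose output may carry injected instructions, and tools whose side
# effects are severe enough to warrant a fresh, specific approval each time.
UNTRUSTED_SOURCE = {"read_document", "fetch_url"}
HIGH_IMPACT = {"send_email", "delete_file", "transfer_funds"}


@dataclass(frozen=True)
class Principal:
    """Composite identity: whose grant this is, which agent acts, in which session."""
    user: str
    agent: str
    session: str


@dataclass
class Grant:
    """A cached approval scoped to one tool + resource, time-bounded and use-limited."""
    tool: str
    resource: str
    expires_at: float
    uses_left: int


class ToolBroker:
    def __init__(self, approve, now=time.time):
        self.approve = approve      # approve(principal, tool, resource, reason) -> bool
        self.now = now
        self.grants = {}            # Principal -> list[Grant]
        self.tainted = set()        # sessions that have ingested untrusted content
        self.audit = []             # attributed decision log

    def _find_grant(self, p, tool, resource):
        for g in self.grants.get(p, []):
            if (g.tool, g.resource) == (tool, resource) and g.uses_left > 0 and g.expires_at > self.now():
                return g
        return None

    def _log(self, p, tool, resource, decision, reason):
        self.audit.append({"ts": self.now(), "user": p.user, "agent": p.agent, "session": p.session,
                           "tool": tool, "resource": resource, "decision": decision, "reason": reason})

    def call(self, p, tool, resource, ttl=300):
        """Return True if the call is allowed. Prompts only when no valid scoped grant exists."""
        reason = None
        grant = self._find_grant(p, tool, resource)
        # Once untrusted content is in the session, a cached grant is never reused for a
        # high-impact tool: the user must see and approve that specific call again.
        if tool in HIGH_IMPACT and p.session in self.tainted:
            grant, reason = None, "tainted-session"
        if grant is None:
            if not self.approve(p, tool, resource, reason):
                self._log(p, tool, resource, "denied", reason)
                return False
            uses = 1 if tool in HIGH_IMPACT else 10
            grant = Grant(tool, resource, self.now() + ttl, uses)
            self.grants.setdefault(p, []).append(grant)
        grant.uses_left -= 1
        if tool in UNTRUSTED_SOURCE:
            self.tainted.add(p.session)
        self._log(p, tool, resource, "allowed", reason)
        return True


def run_scenario():
    """Constructed scenario: the agent reads a document that (hypothetically) carries an
    injected instruction to e-mail its contents to an outside address."""
    clock = [1000.0]
    prompts = []

    def approve(p, tool, resource, reason):
        prompts.append((tool, resource, reason))
        return tool != "send_email"   # constructed user behaviour: refuses the injected e-mail

    broker = ToolBroker(approve, now=lambda: clock[0])
    p = Principal(user="alice", agent="desktop-client", session="sess-42")
    r1 = broker.call(p, "read_document", "drive:/q3-plan.docx")       # prompts once
    r2 = broker.call(p, "read_document", "drive:/q3-plan.docx")       # reuses scoped grant, no prompt
    r3 = broker.call(p, "send_email", "mailto:attacker@example.com")  # tainted -> fresh prompt -> denied
    clock[0] += 600                                                   # grant TTL elapses
    r4 = broker.call(p, "read_document", "drive:/q3-plan.docx")       # expired -> prompts again
    return {"results": [r1, r2, r3, r4], "prompts": prompts, "audit": broker.audit}


if __name__ == "__main__":
    for entry in run_scenario()["audit"]:
        print(entry)
```

Two design choices matter here. First, a grant is keyed on tool plus resource and carries both an expiry and a use count, so a "yes" to reading one document never becomes a blanket "yes" to that tool; repeated identical reads still avoid approval fatigue within the window. Second, the session-level taint flag is deliberately coarse and conservative: after any untrusted read, every high-impact call re-prompts with the reason attached, and the audit record names the user, the agent and the session, which is the attribution the "What can you do" list below asks for. A production broker would track provenance per message rather than per session, but the coarse version already blocks the read-then-exfiltrate chain without a second prompt.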
Embracing MCP Responsibly
Ultimately, securing MCP for your organization and the broader agentic tool ecosystem requires augmenting traditional role-based access models focused primarily on assumed human identity paradigms. Instead, organizations must develop adaptive governance frameworks that can accommodate the inherent complexity of agent-mediated computational ecosystems. This necessitates a fundamental reconceptualization of security, away from deterministic control models, toward composite identity and probabilistic threat frameworks capable of evaluating the properties of autonomous system interactions.
The future of MCP security lies not in constraining its capabilities. As an industry, we must prioritize developing governance models that can harness MCP’s transformative potential while mitigating the novel risks it introduces to our ecosystems. I remain bullish on the benefits of AI and long-term the lessons learned in the failure conditions in early use cases will prove valuable for strengthening the safety and security of our platforms.
What can you do:
- Develop guidelines and policies for the use of MCP within your organization.
- Ensure agent actions can be audited, logged, and accurately attributed. This will likely require a composite identity framework.
- Use key management systems to securely store MCP server secrets.
- Audit and revoke unused access entitlements across your enterprise.
- Explore resources for how to improve and adopt MCP responsibly.
Cofounder & CEO at Oso
6mo · Great post
Founder, CEO, and Chief Leaf Blower at Relyance AI
7mo · Josh Lemos - Spot-on analysis. "AuthZ agent of chaos" perfectly captures the MCP challenge. You've nailed the risks around persistent access and amplified attack surfaces – highlighting the critical need for Conservation of Accountability and addressing Compounding Data Risk in agentic systems. Totally agree traditional RBAC isn't enough. While adaptive governance and composite identity are the goal, they seem fundamentally dependent on real-time, contextual understanding of the data itself. Without knowing the what, why, and where of data flows through these agents, these frameworks can't be effectively implemented. Our approach to starting to help tackle this, with continued policy and controls context at runtime, is Data Journeys. https://www.relyance.ai/product/data-journeys
CISO @ GitLab
7mo · Check out Gunnar Peterson's excellent write-up on MCP and Identity for a detailed explanation of the identity issues/limits of OAuth: https://defensiblesystems.substack.com/p/oauths-role-in-mcp-security