How do I secure Model Context Protocol (MCP) tool servers used by AI agents?
Securing Model Context Protocol (MCP) tool servers involves implementing robust controls at various layers, focusing on identity, authorization, and continuous monitoring to mitigate risks associated with their privileged access and dynamic nature.
MCP servers are privileged endpoints that expose tool capabilities to agents, and as such, they must authenticate calling agents and enforce their own authorization. The MCP ecosystem currently lacks a mature trust model for third-party tool catalogs, making it a serious risk to treat any third-party MCP server as high-trust without scrutiny.
Here are concrete controls for securing MCP tool servers:
- Implement strong identity and access governance (NIST AI RMF: Govern, OWASP LLM Top 10: LLM01-Prompt Injection, LLM07-Insecure Output Handling): Every agent must have a clear identity, and the system must track all identity relationships, understanding how they compose and detecting when an agent's effective permissions exceed its intended scope. This includes continuous agent posture management to inventory agents, map their tool and data access relationships, and surface over-permissioned agents as their access changes.
- Enforce authorization for MCP tool invocations (NIST AI RMF: Govern, OWASP LLM Top 10: LLM04-Insecure Plugin Design): Place a Trust Guardian in front of MCP tool invocations to evaluate each call against the agent's declared intent and a deterministic policy floor before any tool executes. Use fine-grained policy engines such as Cedar or OPA to control which agents can invoke which MCP servers, regardless of whether the server itself enforces access controls. This is particularly important for "Shadow MCP" on developer laptops.
- Manage connection lifecycle and credentials securely (NIST AI RMF: Protect, OWASP LLM Top 10: LLM04-Insecure Plugin Design): For systems like Claude Code, MCP clients are instantiated at session start and passed directly into the QueryEngine constructor, with connections living in src/services/mcp/ and tied to the session lifecycle. For Hermes, MCP servers are declared in ~/.hermes/config.yaml and support either stdio or HTTP transport, with optional sampling configuration. Secrets should be retrieved just-in-time from an enterprise secrets manager using workload identity.
- Apply network policy and log to SIEM (NIST AI RMF: Protect, Detect): Network policy should apply to agent workloads as it does to other services, and logs should flow to the enterprise SIEM.
- Inventory and monitor MCP servers (NIST AI RMF: Detect, OWASP LLM Top 10: LLM09-Excessive Agency): Maintain an inventory of all MCP servers, including those discovered through tools like TraceForce, to understand which agents are running, their authorized scope, and the credentials they use. This inventory is a precondition for applying controls like MCP allowlisting and output inspection.
- Address prompt injection risks (OWASP LLM Top 10: LLM01-Prompt Injection): Tool descriptions returned by the MCP server become part of the agent’s context and can themselves be vectors for prompt injection. Tool response data is an injection vector as well.
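The policy floor from the authorization control and the tool-description concern from the prompt-injection control can be combined into one gate that runs before any MCP tools/call reaches the server. The following is an added Python example, not code from the page or from any of the products it names; the agent identities, server names, tools and descriptions are constructed, and the approved-description digests stand in for whatever a real review process would record.

```python
import hashlib
import json

# Constructed policy floor: the (server, tool) pairs each agent identity may invoke.
# Deny is the default: anything not listed is refused even if the server itself would allow it.
POLICY = {
    "spiffe://example.org/agent/ci-triage": {("github-mcp", "list_issues"), ("github-mcp", "get_issue")},
    "spiffe://example.org/agent/release-bot": {("github-mcp", "list_issues"), ("deploy-mcp", "rollout")},
}

# Constructed: tool descriptions as they were when each server was reviewed. Their digests are
# pinned so a description that changes afterwards (a possible injection carrier) is not trusted.
APPROVED_DESCRIPTIONS = {
    ("github-mcp", "list_issues"): "List open issues in a repository.",
    ("github-mcp", "get_issue"): "Fetch a single issue by number.",
    ("deploy-mcp", "rollout"): "Roll out a tagged build to an environment.",
}
APPROVED_DIGESTS = {k: hashlib.sha256(v.encode()).hexdigest() for k, v in APPROVED_DESCRIPTIONS.items()}


def authorize_call(agent_id, server, request, advertised_tools):
    """Evaluate one JSON-RPC tools/call request against the policy floor.

    advertised_tools is the list the server returned from tools/list (name + description).
    Returns (allowed, audit_record); the record is what gets shipped to the SIEM either way.
    """
    params = request.get("params") or {}
    tool = params.get("name")
    record = {"agent": agent_id, "server": server, "tool": tool,
              "method": request.get("method"), "decision": "deny"}
    if request.get("method") != "tools/call" or not tool:
        record["reason"] = "not a tools/call request"
        return False, record
    if (server, tool) not in POLICY.get(agent_id, set()):
        record["reason"] = "agent not allowlisted for this server/tool"
        return False, record
    current = next((t for t in advertised_tools if t.get("name") == tool), None)
    if current is None:
        record["reason"] = "tool not advertised by server"
        return False, record
    if hashlib.sha256(current.get("description", "").encode()).hexdigest() != APPROVED_DIGESTS.get((server, tool)):
        record["reason"] = "tool description changed since approval"
        return False, record
    record.update(decision="allow", reason="policy floor satisfied")
    return True, record


if __name__ == "__main__":
    req = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
           "params": {"name": "list_issues", "arguments": {"repo": "example/app"}}}
    tools = [{"name": "list_issues", "description": "List open issues in a repository."}]
    print(json.dumps(authorize_call("spiffe://example.org/agent/ci-triage", "github-mcp", req, tools)[1]))
```

The gate only decides whether the call may proceed; the returned audit record is emitted whether the decision is allow or deny so the SIEM sees refused invocations too.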
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.