Model Context Protocol (MCP) provides new ways for AI tools to connect with your business workflows and data. However, MCP environments are relatively new, and their rate of adoption is outpacing security guardrails.
Organizations are still scrambling to understand how to manage the avalanche of risk introduced by AI, MCPs, and cloud-native processes. As adoption continues, so will the risks associated with permissions, identity, visibility, trust in tools you use and connect to, and abuse across systems.
Read on to learn about the top MCP security trends to understand where this ecosystem is going and how to secure your AI-powered workflows.
Researchers from Microsoft discovered that only 2% of permissions assigned to human and workload identities were used in 2023. So, nearly all permissions being assigned were unnecessary and can dramatically increase your attack surface. This is important because each extra permission gives attackers more opportunity for an agent, connector or hijacked identity to access something malicious actors shouldn’t. (Microsoft)
Organizations experienced an average of nine cloud security incidents a year, and 89% said incidents increased year over year. (Microsoft)
Microsoft also highlights the struggles with identity management, especially in cloud environments. Microsoft says there are over 600 million identity attacks per day and over 99% are password attacks. Since MCP uses credentials to move laterally between systems and servers, stolen or compromised identities are some of the easiest ways for an attacker to gain access. (Microsoft)
Network architecture is changing, too. AlgoSec reports a 47% increase in SD-WAN adoption. That kind of sprawl can make it harder to apply consistent controls across all MCP hosts, clients, and servers. (AlgoSec)
Traditional cloud and identity risks are simply being wrapped in new packaging as MCP-native attack paths. Attackers are operating rogue MCP servers that pose as trusted services such as Slack, duping assistants into sending confidential information to accounts they control. Server authenticity is suddenly a primary security concern. (Microsoft)
Attack chains present another risk. Attackers have used MCP connectors to download a malicious document with covert commands instructing the AI to retrieve sensitive files from the client machine using another MCP connector. That combo attack can evade traditional security defenses because transferring data between connectors mimics normal activity. (Microsoft)
Rather than introducing one new risk category, MCP bundles several familiar security risks into a single protocol layer. OWASP’s draft MCP Top 10 risks include mishandled tokens, privilege escalations, poisoned tools, supply chain attacks, command injection, defeating intent flows, lack of authentication, weak auditing, shadow MCP servers, and context injection. (OWASP)
Attack surface sprawl also comes into play because MCP environments have three planes of operation: hosts, clients, and servers. This makes for an elegant framework, but also creates three distinct attack surfaces teams must secure simultaneously. Miss one and the other layers may absorb that risk. (Checkmarx)
MCP server trust is particularly difficult because servers involve both data and executable code. This reality creates unique opportunities for prompt injection attacks and malicious behavior because the agent operates on outside commands in real time. (Red Hat)
That concern around legitimacy extends to the software supply chain itself. MCP agents can be “injected” with malicious tools if a seemingly benign MCP server changes instructions post-installation or post-update. Again, that means trust should be established continuously, not at a single point in deployment. (Red Hat)
Teams should understand that risk levels vary among MCP deployments. MCP servers fall into three risk categories: malicious (will cause harm), suspicious (pose potential risks despite good intentions), and vulnerable (have security flaws that could be exploited). (Backslash)
AI instructions can rebound on organizations if it blindly trusts external data or allows outside inputs to alter the tool’s reasoning. In short, security guardrails themselves can create weak links if they aren’t tightly configured. (Backslash)
Exposed API keys and over-permissive identities are some of the most common security issues in AI workloads. (Orca)
There are now well over 16,000 MCP servers. That’s a sign of fast adoption but also of a rapidly expanding security footprint. The bigger this ecosystem gets, the less realistic it is for you to rely on ad hoc trust. (Astrix)
That same report discovered that over half (53%) of MCP servers utilized static API keys or personal access tokens. These sorts of keys tend to have lengthy lifespans and are rarely rotated. This is obviously a red flag regardless of where these agents are running, but it’s particularly dangerous when you consider how much access they have to sensitive areas of your enterprise. (Astrix)
Passing credentials through environment variables is far from uncommon, but Astrix’s research showed that API keys were being handled this way 79% of the time. Variables are convenient because they make deployments easier, but they also tend to lead to secrets being more easily exposed or mishandled. (Astrix)
On the plus side, Astrix did find that 88% of servers required some sort of credential to connect. At least we know most MCP server operators are coming to terms with the idea that authentication should be required by default. However, just having basic credentials in place isn’t the same as practicing good credentials hygiene. (Astrix)
But as the OAuth statistics show, most server operators don’t know how to implement that authentication in a secure way. Just 8.5% of servers use OAuth, which is generally more secure than basic credentialing methods. MCP servers may be requiring credentials these days, but many of them are using outdated practices when it comes to managing those credentials. (Astrix)
Trend Micro researchers took a different approach to auditing the security of MCP servers, scanning for servers that could be reached without authentication or encryption. They found 492 exposed servers. For any of those servers that are also misconfigured to grant admin privileges on your systems, that exposure amounts to a clear path straight to your data. (Trend Micro)
Of those 492 servers, Trend Micro found that 74% were hosted using major cloud providers. This isn’t just the risky side-effect of DIY hobbyist server deployments. Insecurely exposed MCP servers are present in mainstream cloud services as well. (Trend Micro)
Having more tools may seem safe on paper, but actually creates response time and visibility problems. (CheckMarx)
Companies that reported having 11 or more data security tools experienced roughly 202 security incidents a year, compared to 139 incidents faced by companies using 10 or fewer. (Microsoft)
This lack of visibility is quantifiable in the research. Twenty-one percent of decision-makers stated that having comprehensive, consolidated visibility into all of their siloed tools was their biggest security challenge. (Microsoft)
Sixty-six percent of cybersecurity professionals aren’t confident about their ability to detect and respond to cloud threats in real time. (Fortinet)
Threat actors are using AI and automation to scan for misconfigurations, map permission paths, and identify exposed data. (Fortinet)
More enterprises are using AI agents than ever before—and that has consequences for security. AI-related access configurations, like agents with too much access to files, increased from 12% to 39% from 2024 to 2026. (Gammatek)
Microsoft’s 2026 Data Security Index found that 32% of organizations’ data security incidents now involve generative AI tools. (Microsoft)
Microsoft also reports that 47% of organizations are already implementing controls specifically for generative AI workloads. That’s promising, but it’s still less than 50%. (Microsoft)
Teams are also seeing tools for AI governance become available natively in larger platform ecosystems. Microsoft has announced integrations that allow users to specify AI risk thresholds, conduct guided assessments, and gather artifacts for audits with a focus on agent security and regulatory compliance. (Microsoft)
This also affects organizations that have restricted or banned AI. End users are likely to use their own tools at work, exposing private data to AI agents beyond your approved security controls. (Reddit)
MCP is not a bolt-on solution. It’s a link of identities, servers, utilities, and access permissions that should be protected together. That’s why thinking about MCP security requires a layered approach. It’s better to layer visibility, governance, and protection than rely on any single control. (Salt Security)
Implementing a zero-trust access strategy is considered one of the strongest defenses against threats to MCP security. (Yahoo! Finance)
In a protocol that is built around relationships and delegation, auth flow hardening is just as important as endpoint hardening. If your MCP servers are depending on external consent flows, ensure you have per-client consent enforcement, manipulation-resistant consent screens, and strict redirect URL validation during OAuth. (CyCognito)
When you’re managing AI interactions, they should have their own set of rules. Building AI-aware access fabrics. Controls like SWG, CASB, ZTNA and DLP are being equipped to detect AI sessions, analyze prompts, enforce data handling rules and redirect traffic to only trusted models or providers. (ISACA)
Data Loss Prevention (DLP) rules are also evolving with MCP. Rather than deploy DLP as a means to simply block access, organizations are implementing a continuous, risk-based approach that learns how your employees use data and reacts accordingly, based on the situation. Since some of these MCP activities can resemble malicious behavior, this shift can help teams work without facing repeat interruptions. (Cyberhaven)
The best way to find attack paths across multiple clouds is to use CNAPP. Instead of looking just for what’s exposed, this approach considers which tools chain together. (Microsoft)
Businesses are beating AI attacks with AI. Detection tools use natural language processing (NLP) to detect tone and intent instead of keyword-spotting or blacklists. (Convergence Networks)
Education is still relevant, however. The humans that AI-powered phishing and deepfake attacks target can always bypass policy if they’re not careful. Technical controls like security training are still important. (Reddit)
To improve MCP security, design user-consent interfaces that resist manipulation. Anti-framing or anti-CSRF headers are the best way to implement this. (Cy Cognito)
It’s impossible to secure what you can’t detect. Maintain an up-to-date inventory of your automated systems, then apply a layered security approach that enforces visibility, governance, and protection. (Salt Security)
Centralize your logs. Because MCPs allow servers to run sensitive commands, having them send logs to a central destination will help teams investigate incidents. Consider this basic security hygiene, now more important than ever with AI acting on your behalf. (Red Hat)
URL redirects are a common risk, but you can prevent them by requiring URL validation during OAuth. For the call to succeed, the URL has to match the one pre-registered in your system. (Cy Cognito)
Practice restrictive access control. Enforce TLS, audit infrastructure-as-code templates and containers for embedded secrets, and limit permissions as much as possible. Read-only is often better than write or edit permissions. (Trend Micro)
Incidents such as agents acting outside of intended permissions or leaking sensitive data are symptoms of poor agent governance. As many as 80% of organizations surveyed report AI agents are demonstrating risky or accidental behavior. Agents traversing across systems lack guardrails and clear boundaries and monitoring. (McKinsey)
Businesses need trusted, governable data infrastructure in place for AI agents to use as training data. Agents will access data, copy it between systems and environments, making visibility into lineage, usage, and permissions a necessity. Uncertain data governance and controls lead to inaccurate output, compliance failures, and reduced confidence in agent decisions. (Cisco)
Agentic AI moves security away from static access controls and toward runtime governance of agent behavior. Agents can now take action autonomously on behalf of your organization across different systems. That’s something organizations need to monitor in real time, observe, and stop at runtime. (Forbes)
Only 41% of organizations say their employees can see AI governance policies applied to their workflows. This disconnect between governance strategy and day-to-day business creates an environment where employees can abuse AI or unwittingly create risk and policy violations. Making policies visible and understandable while integrating them into workflows closes that gap. (AICDi)
Enterprises will spend over $15 billion on AI governance platforms by 2028 as pressure from regulation and risk increases. With a rapidly expanding global landscape of AI regulations and legislation, organizations have been forced to adopt more formalized approaches to governance, risk management, and compliance for AI. Many organizations have come to realize that unmitigated AI risk can result in legal liability, monetary loss, and reputational harm. (Gartner)
The Cybersecurity and Infrastructure Security Agency recommends a “secure by design” framework. Build security into your systems rather than trying to patch it on at the end. Secure by design elements include least-privilege access, immutable audit logs, escalation points, and observability to monitor and explain agent behavior. (CISA)
The National Institute of Standards and Technology (NIST) recently announced the AI Agent Standards Initiative to create standards for secure and interoperable agentic AI software as it scales. The standards would create consensus around identity, security, and how agents communicate across systems. (NIST)
Agentic workflows are transforming systems integration, data movement, and risk exposure. But openness also breeds opportunity. Permissions sprawl, tool chaining, prompt injection, and identity abuse are just a few examples of the complex security challenges organizations face with MCP. And they’re not isolated problems. Security controls can’t keep up with how these issues overlap and multiply across systems.
That’s why securing MCP isn’t as simple as adding a new tool to your stack. It starts with understanding how your AI actually behaves under real-world conditions, and more importantly, where it breaks down.
The Mindgard Platform is built for that very purpose. Instead of relying on static analyses and assumptions, Mindgard’s Offensive Security solution employs an attacker-first mentality to AI security. From mapping out your attack surface to continuously red-teaming models, agents, and AI-powered applications, our platform discovers how they can be abused before malicious actors do.
But we don’t stop at visibility. Using runtime detection and policy enforcement, Mindgard automatically blocks threats like prompt injection, data exfiltration, and tool abuse in real time. Integrating directly into CI/CD pipelines and any existing security tools, teams gain the ability to continuously test and validate AI security at every stage of the lifecycle.
Schedule a demo today to learn how Mindgard helps you discover real AI attack paths, validate your defenses, and secure MCP workflows before they can be exploited.
API security focuses on data-in-transit, whereas MCP security encompasses data-in-transit and the interactions between AI models, clients, servers, and tools happening in real-time. This means your teams need to consider authorization, prompts, tool actions, identity management, and activities across different systems simultaneously.
The least privilege model helps contain damage if a server, client, or tool gets compromised by restricting access only to the resources needed to perform its function. This means less opportunity for unintended data exposure or lateral movement.
Establishing trust with an MCP server starts by understanding who developed it, how it approaches authentication and authorization, what permissions it requires, and if it logs activities. You should also consider their update process and evaluate potential dependency vulnerabilities. Additionally, you can confirm the server behaves how it claims.
Mindgard, the leading provider of AI security solutions, helps enterprises discover, assess, and defend their AI systems. Spun out from over a decade of AI security research at Lancaster University and headquartered in Boston and London, Mindgard combines AI red teaming with offensive security expertise and AI research to identify exploitable vulnerabilities in AI models, agents, and applications before attackers do.
