LETTERMCP
All posts

5 Core MCP Security Tenets for 2026

MCP Is Infrastructure Now. Secure It Like Infrastructure.

Model Context Protocol is the connective tissue of enterprise AI, and it is largely unsecured. Agents call tools, query databases, trigger workflows, and handle sensitive data through it at machine speed. MCP-enabled deployments in enterprise environments grew faster in 2025 than any comparable API standard in the prior decade. That scale created an attack surface that did not exist two years ago.

2026 is the inflection point. Regulatory frameworks around AI system interfaces are tightening. Adversarial techniques targeting agentic tool integrations are maturing. Supply chain attacks on third-party MCP servers are live threats. The organizations that treat MCP security as a first-class engineering concern now will not be managing breach disclosures in 2027.

Why This Requires Priority Treatment

Enterprise AI agents now touch payroll systems, customer records, code repositories, and external APIs through MCP. A single misconfigured MCP server is a direct path to business-critical data. Several high-profile near-misses in 2025 traced back to unsecured MCP deployments, most of which had no audit trail.

Regulators have formed opinions. The EU AI Act's technical implementation requirements and NIST's AI Risk Management Framework updates both converge on the same conclusion: AI interfaces touching sensitive data require the same rigor as any other enterprise API. That is the direction of enforcement.

The threat actors are already working the problem. Prompt injection through MCP tool responses and credential harvesting via over-permissioned agents are documented attack vectors. The sophistication of those attacks is rising faster than most defensive programs are evolving.

Third-party MCP servers compound the exposure. Organizations pull MCP plugins from public repositories without security review as routine practice. Each unvetted dependency is a potential supply chain entry point. The npm ecosystem's history with malicious packages is a direct preview of what MCP registries face at scale.

Five Tenets of a Defensible MCP Posture

Zero Trust Authentication

Every MCP server and client must verify identity continuously. No implicit trust based on network location, prior session state, or internal IP range.

Deploy mutual TLS for all MCP connections with short-lived credentials rotated automatically. This eliminates long-lived token risk without requiring manual rotation workflows. Integrate identity providers with OAuth 2.0 flows at the MCP authentication layer so every connection carries a verified identity claim. Enforce re-authentication on sensitive tool invocations. A session authenticated ten minutes ago is not authorization for what the agent is doing now. The operational cost of continuous verification is measurable and bounded; a breach traced to assumed trust costs neither.

Least Privilege Access Control

Tools and agents get only the minimum permissions required for their specific function. No broad grants, no over-permissioning justified by development convenience.

Define granular permission schemas per tool and per agent role. An agent reading calendar data has no business with database write access. Automate token scoping at the MCP gateway level so scoped, revocable access tokens are issued per interaction rather than per session. Build automatic permission expiry into the pipeline so permissions granted during development cannot survive into production without explicit re-approval. Development environments routinely carry elevated permissions because speed matters during build cycles, but those permissions are an unacceptable production risk. Enforcing least privilege at the pipeline level removes the decision from individual developers, which is the only way to enforce it consistently.

Input and Output Validation

Strict sanitization applies to all data passing through MCP tool calls, in both directions. Input validation alone is half a defense, and attackers know which half is missing.

Enforce schema validation and type enforcement on all MCP tool parameters so malformed inputs are rejected before execution. Apply output filtering rules to prevent sensitive data leakage; an agent returning a tool response is a potential exfiltration channel for PII or credentials embedded in that response. Sandbox tool execution environments to contain blast radius before a malicious payload reaches the broader system. Prompt injection attacks work by manipulating tool inputs or poisoning tool outputs, and both vectors are live. Organizations that validate inputs and skip output filtering have closed one door and left the other unlocked.

Comprehensive Audit Logging and Observability

Full traceability of every MCP call, tool invocation, and data access is the floor. Real-time alerting on anomalous behavior is the minimum above that floor.

Build a centralized logging pipeline capturing structured MCP event data; unstructured logs are forensically useless and will not satisfy a compliance audit. Integrate with SIEM tooling to correlate MCP activity with the broader security event landscape, as lateral movement across MCP servers appears in correlated data, not in isolated logs reviewed after the fact. Deploy anomaly detection tuned specifically to MCP usage patterns, since generic network anomaly detection does not understand MCP semantics and will miss MCP-specific abuse. Insufficient logging granularity is the single most common reason MCP security incidents resist investigation. Organizations that cannot reconstruct a complete MCP interaction chain from their logs also cannot do forensics, cannot satisfy regulators, cannot identify the scope of a breach with any confidence, and cannot demonstrate compliance to auditors.

Secure MCP Server Supply Chain

Third-party MCP servers are not trustworthy because they are popular, well-reviewed, or open-source. Every dependency is a trust decision that someone in the organization is making, explicitly or by default.

Maintain an approved registry of vetted MCP servers; anything outside that registry does not run in production. Require cryptographic signing and integrity verification before deployment, so an unsigned server is rejected rather than risk-accepted by whoever happens to be deploying it. Automate dependency audits and patch management workflows, since manual reviews on a quarterly cadence are too slow for a threat landscape that moves week to week.

Where Organizations Consistently Fail

Treating MCP security as a one-time setup is the fastest path to a breach. Threat actors update their techniques on a timeline that does not align with annual security reviews.

Over-permissioning during development and failing to clean it up before production is endemic. The fix is structural: enforce least privilege at the pipeline level, not at the developer's discretion.

Sharing credentials across multiple MCP servers is standard practice in under-resourced deployments. A single compromised server with shared credentials enables lateral movement across the entire MCP estate. Per-server credentials are basic hygiene.

Siloing MCP security from the broader organizational security posture means MCP incidents generate signals that never reach the SIEM. Cross-system attack patterns are invisible when MCP monitoring operates in isolation.

What 2026 Requires

Industry working groups are finalizing formalized MCP security standards. Organizations implementing these five tenets now will meet those standards without a retrofit project. Organizations that wait will be retrofitting under regulatory pressure on a compressed timeline.

Automated red-teaming tools targeting MCP attack surfaces are already in use by well-resourced adversaries. Defensive security teams need equivalent tooling within 18 months to run meaningful exercises against their own deployments. Purpose-built MCP security infrastructure is entering the market because DIY implementation across all five tenets requires substantial engineering investment that most security teams cannot absorb.

Implement the five tenets now. Then build the monitoring to verify they're working. That's the job.