The MCP Security Checklist: 12 Controls for Agentic AI Workflows
An MCP server security checklist earns its keep only if it governs the full agent-to-tool execution path, and public scan data shows most documented weaknesses sit downstream of where a session-only gateway stops looking. Maturity models that certify a server as protected once the session is authenticated and the gateway validates traffic miss tool-call authorization, chained execution, and output handling, which is where the real attack surface concentrates. For platform teams building agentic workflows, the risk is that agents chain tool calls, move data across systems, and act autonomously where a perimeter-only control never intercepts them.
This is a security decision guide, not a claim that MCP is already universal. The Model Context Protocol is the emerging open standard that connects AI agents to tools and data, and it is one common tool-execution pattern rather than the whole agent access-control problem. It sits inside a larger shift from humans using AI, to humans delegating work to agents, to agents that reason, retrieve, and act on their own. What follows is a threat taxonomy, a staged maturity model, twelve controls across the execution path, a mapping to OWASP, CSA, and MITRE ATLAS, a deployment sequence, and where a session-only model runs out of coverage.
Last updated: July 2026.
The MCP Threat Landscape Behind the Checklist
Most documented MCP weaknesses sit downstream of the network edge, in tool-call handling and execution, which is exactly where a session-only control loses visibility. A scan of 9,695 public MCP servers found 5,832 with some form of security weakness, and after filtering, 2,259 were confirmed vulnerable with 4,982 documented issues (TrendAI Security via CyberPress, 2026). The volume alone justifies why the checklist has to reach past authentication.
The threats cluster into four categories, and each maps to a control later in this guide. API and transport security covers exposed, unauthenticated endpoints: a public scan observed more than 12,520 internet-accessible MCP services, most without authentication (Censys, 2026). Prompt injection and untrusted input covers tool poisoning and indirect injection, where hidden instructions in tool metadata, documents, or tool results redirect the agent. Supply chain covers malicious or swapped MCP servers, including the rug-pull pattern the Cloud Security Alliance describes, where a vetted connector is replaced with a hostile payload after approval. Session and lifecycle management covers token handling, scope drift, and the gap between an authenticated session and the many tool calls that follow it.
Session management is the category a gateway model tends to under-serve. Authenticating a connection once does not address token rotation, revocation of a compromised agent credential mid-workflow, or the scope drift that lets a benign session widen its reach call by call. Treat the session as the entry point to the risk, not the boundary of it.
A Maturity Model for MCP and Agentic AI Security
A maturity model for MCP security graduates from edge authentication to interaction-layer governance of every tool call, because certifying a server as protected at the session handshake leaves tool-call authorization, chained execution, and output handling uncontrolled. Use the four levels below to assess current posture and sequence investment, rather than treating a single gateway deployment as done.
The Cloud Security Alliance reports that 82% of organizations have unknown AI agents operating in their environment, which places most teams at Level 0 or 1 until discovery is solved (Cloud Security Alliance, 2026). The levels are cumulative: each depends on the one below it holding.
| Level | Posture | What is in place | What is still exposed |
|---|---|---|---|
| 0. Blind | No AI or agent inventory | Nothing agent-specific | Shadow servers, unknown agents, all downstream risk |
| 1. Discovered | Continuous inventory | Discovery of agents, servers, accounts, tool paths | Authorization, injection, exfiltration, output handling |
| 2. Authenticated | Edge control | OAuth 2.1 connections, session validation, gateway in place | Tool-call authorization, chained execution, output handling |
| 3. Governed | Interaction-layer control | Per-call authorization, inline inspection, data policy on I/O | Cross-org agent-to-agent trust, emerging attack classes |
| 4. Evidenced | Provable governance | Interaction records, framework mapping, monitoring, coaching | Residual novel risk, tuned continuously |
The certification trap sits at Level 2. A maturity model that stops there marks a server protected while tool-call authorization, chained execution, and output handling stay uncontrolled. The twelve controls below carry a team from Level 1 through Level 4.
Twelve Controls Across the Agent-to-Tool Execution Path
These twelve controls span discovery, authentication, authorization, untrusted input and output, data movement, isolation, monitoring, and evidence, ordered along the execution path an agent actually takes. Each follows the same shape: what it is, why it matters, and where Aurascape fits. For deeper architecture context, see the overview of agentic AI security architecture.
The table below maps a typical MCP workflow as a left-to-right path: an agent requests a tool call, the call is authorized and signed, the server returns a result, and the result feeds the next call. It is not one of the twelve numbered controls. Each layer maps to a control outcome and to the checklist items that enforce it.
| Layer | Control outcome | Aurascape control point | Items |
|---|---|---|---|
| Discovery | Nothing runs unseen | Proactive local discovery across network, endpoint, and API planes | 1, 6 |
| Identity and authentication | Only known agents connect | Governs post-authentication behavior; complements IAM/IGA | 2, 11 |
| Tool-call authorization | Only approved calls execute | Zero-Bypass MCP Gateway signs approved calls, blocks unsigned ones | 3, 10 |
| Interaction-layer inspection | Untrusted content cannot act | Inline decode and data classification; allow, coach, warn, block, redact | 4, 5, 7, 8, 12 |
| Supply chain and approval | No server trusted by default | Approval gate before connection; re-review on change | 6 |
| Audit and evidence | Every action is traceable | Interaction records for governed workflows, RBAC-governed | 9 |
1. MCP Server Discovery and Continuous Inventory
MCP server discovery means finding every MCP server, agent, and account in use, including shadow deployments no one registered. Manual registration always lags real usage, and a single unapproved server can expose data before anyone files a ticket. The Cloud Security Alliance reports that 82% of organizations have unknown AI agents in their environment (Cloud Security Alliance, 2026).
Aurascape runs proactive local discovery of AI apps, accounts, and agents across the network, endpoint, and API planes, and surfaces shadow MCP servers so policy applies before an unapproved server causes harm (Aurascape, 2026). Continuous discovery routes unapproved servers into review before they become trusted execution paths.
2. Authentication Standards for MCP Connections
Strong authentication means every MCP connection uses a modern authorization flow, such as OAuth 2.1 with Proof Key for Code Exchange (PKCE) and scopes issued at the tool level, not a static shared secret. The MCP authorization specification builds on OAuth 2.1, so treat that as the baseline. Weak defaults are common: a public scan found more than 12,520 internet-accessible MCP services, most observed without authentication (Censys, 2026). Unauthenticated tool endpoints let any reachable agent attempt tool execution.
Identity issuance and token administration belong to your IAM/IGA platform (Okta, Microsoft Entra, SailPoint). Aurascape complements those systems and does not enroll, own, or issue agent identities. It discovers the agents and governs what an already-authenticated agent does with its credentials, which is where session-level identity controls stop.
3. Tool-Level Call Authorization and Approval Gates
Tool-level authorization means checking each individual tool call against policy and routing high-risk actions through an explicit approval gate. Authenticating an agent once is not enough. An authenticated agent can turn a harmless read into a risky write inside the same workflow, so the per-call check carries the load.
The Zero-Bypass MCP Gateway cryptographically signs approved tool calls and blocks unsigned ones, governing the tool-execution channel inline rather than observing it (Aurascape, 2026). Aurascape leads with local agent discovery and policy, then applies the Gateway so high-risk calls fail closed until approved.
4. Tool Poisoning Defense
Tool poisoning is malicious instruction hidden inside a tool description or metadata that the agent reads and follows. The agent treats tool metadata as trusted context, so a poisoned description redirects the workflow without touching the prompt. OWASP ranks Prompt Injection (LLM01) and Excessive Agency (LLM06) among the top risks in the OWASP Top 10 for Large Language Model Applications (OWASP, 2025). These rankings are attributed to OWASP, not asserted in Aurascape’s voice.
Aurascape decodes the agent exchange, including MCP traffic, and inspects the tool call at the interaction layer (Aurascape, 2026). When a poisoned instruction tries to trigger an unapproved action, Aurascape blocks the call before it executes.
5. Indirect Prompt Injection from Untrusted Data
Indirect prompt injection means untrusted content pulled into agent context, such as a web page, a document, or a tool result, carries hidden instructions the agent then acts on. Agentic workflows constantly ingest external data, so one injected instruction can hijack a multi-step task. EchoLeak (CVE-2025-32711), a zero-click indirect prompt injection in Microsoft 365 Copilot, showed the pattern in a shipping product (NVD, 2025).
Aurascape carries conversation-level context across the exchange, so it evaluates an instruction injected from an untrusted source at the point where it would trigger a tool call. Aura Labs research on the Manus agent documented a class of zero-click indirect-injection flaws, each rated 9.8 out of 10, responsibly disclosed and fixed before publication (Aurascape, 2026).
6. Supply Chain Vetting for MCP Onboarding
Supply chain vetting means every MCP server passes a structured approval workflow before an agent connects. Approval assigns an owner, records the server’s approved-tool scope, and triggers re-review whenever metadata or the underlying package changes. A community MCP server that passes initial review can be swapped for a malicious payload afterward, a pattern the Cloud Security Alliance calls a rug-pull, and a compromised connector inherits the agent’s full reach.
Aurascape discovers new and long-tail tools and gates agent access until a server is approved, turning onboarding into an explicit decision rather than a silent default (Aurascape, 2026). Its patented proactive discovery crawls the web and interrogates new tools before first employee use.
7. Input and Output Validation as Untrusted by Default
Untrusted-by-default validation means treating every value flowing into or out of an MCP server as potentially hostile until inspected. On input, validate the tool result against its declared schema, enforce type and size constraints, check source trust, and reject malformed or unexpected structures. On output, a tool result can carry an injected instruction or sensitive content that should never reach the user or the next tool. A validation rule without inline enforcement gives teams advice, not control.
Aurascape applies real-time data classification to inbound and outbound content and enforces five context-aware policy actions: allow, coach, warn, block, and redact (Aurascape, 2026). Detection and action happen at the same layer.
8. Data Exfiltration Through Chained Tool Calls
Exfiltration control means watching for sensitive data moving laterally as an agent chains one tool call into the next. A permitted destination can still carry an impermissible interaction, and chained calls let data leave through a path no single rule anticipated. The Cloud Security Alliance found 65% of organizations had agent-related incidents and 61% reported data exposure (Cloud Security Alliance, 2026).
Aurascape decodes the workflow across chained calls and applies data classification inline. When a sequence reads a record and then tries to write it to an unapproved tool, Aurascape blocks or redacts it before the write completes. Sensitive data stays protected, and the workflow keeps running.
9. Audit Logging and End-to-End Traceability
End-to-end traceability means recording every hop in a multi-step agent execution path and linking it back to an accountable human. Incident response and compliance need to answer which agent, which account, which tool, and which policy decision. Relying on each MCP server to log its own activity leaves gaps between hops.
Aurascape captures interaction records for governed workflows, governed by role-based access control (RBAC) for privacy. This evidence covers the agent, the account, the data involved, and the policy decision at each step, independent of any individual server’s log. It complements, and does not replace, the human-sponsor traceability your IAM/IGA maintains.
10. Execution Isolation and Least Privilege per Tool Call
Least privilege per tool call means an agent receives only the tool-level scope a given step requires, with no standing broad access that persists across calls. In practice that means scoped, short-lived credentials per call, constrained execution so one tool cannot reach beyond its declared purpose, and boundaries that stop one tool result from silently broadening the next call. Broad standing scopes turn a single injection into a wide blast radius.
Aurascape governs the tool-execution channel inline and enforces policy per call, so it blocks an agent operating outside its approved per-call scope at that call rather than trusting it for the whole session.
11. Agent Identity as a Privileged Class
Agent identity governance means treating agents as a privileged, non-human identity class that needs its own ownership, policy, and review cycle. Most identity stacks were built for humans. The Cloud Security Alliance found 92% of organizations say legacy IAM cannot manage AI and non-human-identity risk, and 78% have no documented agent-identity policies (Cloud Security Alliance, 2026).
Aurascape is not the identity system of record. Enrollment, ownership, and entitlement administration happen through your IAM/IGA. Aurascape adds discovery of the agents, inline governance of what they do with their credentials, and the audit evidence that proves it.
12. Behavioral Monitoring at the Protocol Layer
Protocol-layer monitoring means watching the decoded MCP exchange for anomalies, not just network metadata. A workflow that looks normal at the packet level can be abnormal at the interaction level. Concrete protocol-layer signals include an unexpected tool sequence such as a write following a benign read, scope drift where a call reaches beyond its approved purpose, unusual call frequency suggesting enumeration, and a tool result that changes the agent’s stated objective mid-task. A gateway that validates only the session leaves later tool calls to downstream controls.
Aurascape decodes AI exchanges and carries conversation-level context into policy decisions, so it evaluates anomalous tool-call sequences before execution (Aurascape, 2026). Policy gets a decision point at the moment a tool call is about to execute.
Working these twelve controls in sequence gives teams a practical operating model: discover, authenticate, authorize, inspect, enforce, and record.
Mapping Controls to OWASP, CSA, and MITRE ATLAS
Each control below aligns to a recognized taxonomy, so security teams can justify the investment to compliance and risk leadership rather than defending a standalone checklist. Exact control-ID mappings for the newest agentic-AI matrices are still stabilizing across bodies, so treat the framework columns as directional alignment and verify specific IDs against the current published version before external use.
OWASP anchors the injection and agency risks, the Cloud Security Alliance anchors the agent-identity and supply-chain risks, and MITRE ATLAS catalogs the adversary techniques these controls counter. ATLAS is a knowledge base of real-world adversary tactics and techniques against AI systems, including MCP and agent-execution case studies; pull current technique counts from atlas.mitre.org at review.
| Control theme | OWASP alignment | CSA / MITRE alignment | Verification |
|---|---|---|---|
| Tool poisoning, indirect injection (4, 5) | Prompt Injection LLM01 | MITRE ATLAS injection techniques | Confirm current IDs |
| Excessive agency, per-call authorization (3, 10) | Excessive Agency LLM06 | CSA agentic control guidance | Confirm current IDs |
| Sensitive output, exfiltration (7, 8) | Sensitive Information Disclosure LLM02 | CSA data-exposure findings | Confirm current IDs |
| Agent identity, discovery (1, 11) | Agency and identity risks | CSA agentic IAM guidance | Confirm current IDs |
| Supply chain vetting (6) | Supply-chain risk | CSA rug-pull pattern | Confirm current IDs |
The value is not the specific ID in each cell. It is that every control on the checklist ties to a body a risk committee already recognizes, which turns a security proposal into a compliance-aligned one.
A Deployment Sequence for MCP Security
Work the checklist in order: discovery and supply-chain vetting first, because enforcement depends on the identity and authorization work below. The sequence moves a team up the maturity levels, from discovered, to authenticated, to governed, to evidenced.
- Start with a complete inventory of agents, MCP servers, accounts, and tool paths.
- Require OAuth 2.1 with PKCE and tool-level scopes through your IAM/IGA, and define token rotation and revocation workflows for compromised agent credentials.
- Vet and approve each MCP server before any agent connects; assign an owner and set a re-review trigger on metadata or package changes.
- Authorize individual tool calls with per-call scope and gate high-risk actions for explicit approval.
- Inspect all inputs and outputs inline; treat every MCP result as untrusted until classified.
- Capture interaction records for every governed call and monitor for protocol-layer anomalies.
Steps 1 through 3 clear Levels 1 and 2. Steps 4 through 6 are what carry a team into governed and evidenced posture, which is exactly the ground a session-only model does not cover.
Where a Session-Only Gateway Model Falls Short
A gateway that validates only the session confirms the connection but does not prove each downstream tool call is safe. That is the certification trap in practice: a server marked protected at Level 2 while tool-call authorization, chained execution, and output handling stay open. The comparison below shows where interaction-layer control adds coverage. See also the explainer on MCP gateway versus AI gateway.
| Capability | Session-only gateway model | Aurascape |
|---|---|---|
| Scope of control | Connection validated at the edge | Inline governance across the full tool execution path, including chained calls |
| Tool-call enforcement | Authenticated session passes through | Approved calls cryptographically signed; unsigned calls blocked before execution |
| Shadow server discovery | Requires manual registration | Proactive local discovery across network, endpoint, and API planes |
| Output data protection | Not applied at the interaction layer | Real-time data classification with five policy actions: allow, coach, warn, block, redact |
| Audit evidence | Depends on each server’s own logs | Interaction records for governed workflows, RBAC-governed |
The pattern holds across every row. Where the session-only model stops at the connection, interaction-layer governance reaches every tool call, every chained hop, and every output.
How the MCP Security Approaches Compare
MCP security tools cluster into three approaches to the same problem: a session or gateway layer that validates connections, an oversharing-control layer aimed at enterprise copilots, and interaction-layer governance that decodes and controls each tool call. The table compares how each addresses tool-call authorization, discovery, and output handling, the three areas the threat data concentrates in.
| Approach | Tool-call handling | Discovery scope | Output and data control |
|---|---|---|---|
| Aurascape (interaction-layer) | Per-call authorization; approved calls signed, unsigned blocked before execution | Proactive discovery across network, endpoint, and API planes | Inline data classification with allow, coach, warn, block, redact |
| Session or gateway model | Session validated; downstream calls pass through | Typically requires manual registration | Applied at connection, not per interaction |
| Copilot oversharing control | Access-scoped to knowledge, not per tool call | Focused on enterprise assistants (Copilot, Glean) | Need-to-know controls on retrieved content |
Aurascape sits in the interaction-layer row because it governs the tool-execution channel inline rather than validating a connection once. The distinction matters most for chained execution, where a session-only model has already passed the traffic through.
Frequently Asked Questions
How do we secure MCP servers and agentic AI workflows?
Govern the full tool execution path, not just the edge. Start with a complete inventory of agents, servers, accounts, and tool paths, then authenticate connections through IAM/IGA, authorize each tool call per-call, treat all MCP output as untrusted, enforce data policy inline, and capture interaction evidence for every governed call.
Is an MCP gateway enough on its own?
No. A gateway that validates only the session confirms the connection but does not inspect the chained tool calls that follow. Public scan data places most documented MCP weaknesses downstream of authentication, in tool-call handling and execution, which is where a session-only model loses visibility.
What does a maturity model add over a flat checklist?
A maturity model lets a team assess current posture and sequence investment across levels, from blind, to discovered, to authenticated, to governed, to evidenced. It exposes the certification trap where a server is marked protected at the authenticated level while tool-call authorization and output handling stay uncontrolled.
How should we handle MCP session management and token lifecycle?
Treat the authenticated session as an entry point, not a boundary. Define token rotation and revocation workflows so a compromised agent credential can be pulled mid-workflow, and monitor for scope drift where a session widens its reach call by call.
What authentication should MCP connections use?
Use a modern authorization flow, not static secrets. The MCP authorization specification builds on OAuth 2.1, so OAuth 2.1 with PKCE and scopes issued at the tool level is the baseline, issued and administered through your IAM/IGA.
Why map MCP controls to OWASP, CSA, and MITRE ATLAS?
Framework mapping turns a standalone checklist into a compliance-aligned one a risk committee already recognizes. OWASP anchors injection and agency risks, CSA anchors agent-identity and supply-chain risks, and MITRE ATLAS catalogs the adversary techniques the controls counter.
What is tool poisoning?
Tool poisoning is malicious instruction embedded in a tool’s description or metadata that the agent reads as trusted context and acts on. Defending against it means inspecting tool metadata and the resulting call, then blocking unapproved actions before they execute.
Does Aurascape replace our IAM or issue agent identities?
No. Aurascape complements IAM and IGA systems such as Okta, Microsoft Entra, and SailPoint, which enroll, own, and issue agent identities and tokens. Aurascape discovers agents and governs what an already-authenticated agent does with its credentials, which is where session-level identity controls stop.
How does Aurascape stop data exfiltration through chained tool calls?
Aurascape decodes the workflow across chained calls and applies real-time data classification inline. When a sequence tries to move sensitive data to an unapproved tool, Aurascape blocks the call or redacts the data before the write completes.
How Aurascape Governs Every Tool Call at the Interaction Layer
A maturity model that stops at session authentication and gateway validation is the exact gap this guide traces, and Aurascape is built to close it by governing the tool-execution channel inline rather than certifying a connection once. It runs proactive local discovery of agents, MCP servers, and accounts across network, endpoint, and API planes, then applies per-call authorization through the Zero-Bypass MCP Gateway, which cryptographically signs approved tool calls and blocks unsigned ones before they reach any external system.
The platform decodes the agent exchange across the intelligence channel and the tool-execution channel, carries conversation-level context into each policy decision, and applies real-time data classification with five actions: allow, coach, warn, block, and redact. That covers the downstream weaknesses the threat data concentrates in, tool poisoning, indirect injection, chained exfiltration, and output handling, and it produces RBAC-governed interaction records that give incident response and compliance a full account of which agent, which account, which tool, and which policy decision at every hop.
Aurascape sits alongside your existing IAM, IGA, and SSE stack rather than replacing it, so agent-identity issuance stays with Okta, Microsoft Entra, or SailPoint while Aurascape governs what an authenticated agent actually does. In one Fortune 100 insurance deployment, using Aurascape as an adoption accelerant tripled AI agent integrations with no unauthorized data access while protecting more than 20,000 users (Aurascape, 2026).
Aurascape closes the gap a session-only gateway model leaves open, governing tool-call authorization, chained execution, and output handling inline where a maturity model that stops at authentication marks a server protected. Book a tailored demo to see how it discovers shadow MCP servers, signs approved tool calls, and produces audit-ready evidence for every governed action.
See how Aurascape secures your agentic AI workflows end to end →
Aurascape Solutions
- Discover and monitor AI Get a clear picture of all AI activity.
- Safeguard AI use Secure data and compliancy in AI usage.
- Secure Agentic AI Secure how your teams use AI and build AI agents.
- Copilot readiness Prepare for and monitor AI Copilot use.
- Coding assistant guardrails Accelerate development, safely.
- Frictionless AI security Keep users and admins moving.