Navigating MCP security: Key considerations and mitigation strategies for the enterprise
By Akhil Behl
May 14, 2025
TL;DR:
MCP operates in a dynamic environment, introducing unique security and governance risks.
Enterprises must be mindful of potential vulnerabilities like token theft, agent manipulation, command execution exploits, and data governance gaps.
Implementing defenses requires governance policies, RBAC standards, I/O validation, human-in-the-loop workflows, and periodic security audits.
Fractal recommends seven mitigation strategies for secure enterprise-wide adoption of MCP.
Introduction
AI agents are here, and they are already changing how work gets done. These assistants can make decisions without human supervision and can make workflows faster, more efficient, and potentially fully automated. The Model Context Protocol (MCP), broadly adopted in early 2025, introduces a common way for AI agents to access tools, services, and enterprise resources.
Understanding the Model Context Protocol (MCP)
Before diving into specific threats, it’s important to understand how MCP changes the way systems interact, especially compared with traditional APIs. Traditional APIs follow fixed programming rules to connect to external services.
[Figure: Illustration of the traditional app-and-service communication approach]
MCP, however, provides a standard method for AI agents to find, use, and exchange data with external tools and services. With MCP, you give an AI agent the ability to choose and use tools based on how it interprets user instructions.
Threat landscape
MCP introduces new types of security risks that need targeted protection. Below are the key risk areas enterprises should focus on:
Compromising the core connection
MCP depends on secure connections between agents, servers, and external services, usually managed with authentication tokens. If attackers steal OAuth tokens stored on an MCP server, they can spin up a malicious MCP server using those credentials. This gives them complete access to connected services and the ability to perform actions as the legitimate user.
Manipulating the Agent’s actions
The AI Agent presents a unique attack surface, as attackers can influence its behavior using prompt engineering techniques. A few common threats include tool poisoning, tool shadowing, indirect prompt injections, and retrieval-agent deception attacks.
Exploiting Tool Execution
Weak controls at the execution layer can lead to serious risks, including privilege escalation, data exfiltration, and infrastructure compromise.
Data Exposure and Governance Challenges
MCP implementations introduce new layers of complexity in data governance, primarily due to the dynamic, context-rich nature of how models access and act on data. Credential theft, excessive permission scope, data aggregation, unmonitored access, and audit gaps are some of the common risks.
Supply Chain Vulnerabilities
Setting up and sharing MCP server components creates a window of vulnerability. If not secured, this allows attackers to insert malicious payloads or break into enterprise systems before runtime.
Mitigation Strategies
To tackle the unique security challenges of MCP, a multi-layered approach is essential. Here are some strategies:
Establishing secure communication channels and architecture
Enforce TLS for all MCP communications, use strong cipher suites and validate certificates. Additionally, allow only specific, approved LLMs to interact with tools. Enterprises should also implement strict firewall and web application firewall (WAF) rules, and segment MCP servers from internal systems. Finally, integrate with a security information and event management (SIEM) system to monitor and respond to threats.
Robust identity, authentication, and authorization
Use proven protocols such as OAuth 2.0 or 2.1 and OpenID Connect to manage authentication and authorization securely. It is also critical to validate the identity of the real user behind each agent request. Role-based access control (RBAC) and access control lists (ACLs) should be enforced to manage permissions effectively.
Hardening tool interactions
All parameters should be validated against predefined schemas to ensure input integrity. File paths and system commands must be sanitized to prevent injection attacks and unauthorized access. At the protocol level, enterprises should use annotations to mark actions as “readOnly” or “destructive”.
Implementing operational safeguards and visibility
To protect against misuse and ensure accountability, prompt users for confirmation before executing sensitive operations. Display tool inputs clearly before triggering any server-side actions, especially those that are irreversible. In addition, set up alerts for suspicious activities and develop incident response procedures tailored to threats specific to the MCP.
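The following gate, added here as an illustration and not code from Fractal or the MCP project, shows how the two sections above fit together in a Python MCP server that exposes file tools: schema validation of parameters, path sanitization against a sandbox root, a readOnly/destructive annotation per tool, a confirmation callback before destructive actions, and an audit record for every call (rejections included) that a SIEM alert can key on. The tool names, ALLOWED_ROOT and the confirm callback are constructed for the example.

```python
import hashlib
import json
from pathlib import Path

# Constructed sandbox root for the example; a real server would take this from config.
ALLOWED_ROOT = Path("/srv/mcp-data").resolve()
# Hypothetical tool registry: a parameter schema plus a readOnly/destructive annotation per tool.
TOOLS = {
    "read_file": {"annotation": "readOnly", "schema": {"path": str}},
    "delete_file": {"annotation": "destructive", "schema": {"path": str}},
}

def validate_params(tool, params):
    """Schema check: exact parameter set and expected types, nothing extra."""
    schema = TOOLS[tool]["schema"]
    if set(params) != set(schema):
        raise ValueError(f"parameter set mismatch: {sorted(params)}")
    for name, typ in schema.items():
        if not isinstance(params[name], typ):
            raise ValueError(f"{name} must be {typ.__name__}")

def sanitize_path(raw):
    """Resolve the path and refuse anything that escapes the allowed root."""
    candidate = (ALLOWED_ROOT / raw).resolve()  # an absolute input replaces the root entirely
    if candidate != ALLOWED_ROOT and ALLOWED_ROOT not in candidate.parents:
        raise PermissionError(f"path escapes sandbox: {raw}")
    return candidate

def gate_tool_call(tool, params, user, confirm, audit):
    """Validate, sanitize, confirm destructive tools with a human, and audit every call."""
    digest = hashlib.sha256(json.dumps(params, sort_keys=True, default=str).encode()).hexdigest()
    record = {"user": user, "tool": tool, "args_sha256": digest}
    try:
        if tool not in TOOLS:
            raise KeyError(f"unknown tool: {tool}")
        validate_params(tool, params)
        path = sanitize_path(params["path"])
        record["annotation"] = TOOLS[tool]["annotation"]
        # Human-in-the-loop: the exact inputs are shown to the user and must be approved first.
        if record["annotation"] == "destructive" and not confirm(tool, params):
            raise PermissionError("user declined confirmation")
    except (KeyError, ValueError, PermissionError) as exc:
        record["outcome"] = f"rejected: {exc}"
        audit.append(record)  # rejected calls are logged too, so alerts can fire on them
        return None
    record["outcome"] = "allowed"
    audit.append(record)
    return path
```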
Ensuring supply chain integrity
Organizations should rely only on trusted implementations of the MCP to reduce the risk of compromise. Create allowlists for authorized MCP servers to restrict interactions to approved environments. Additionally, enforce strict controls within the deployment pipeline to prevent unauthorized changes.
Recommendations for secure MCP adoption
Fractal’s extensive experience across industries and direct involvement in MCP deployments gives us a unique advantage. To support secure enterprise-wide adoption of this transformative protocol, we recommend the following seven actions:
Establish an enterprise-grade MCP governance policy: Define how MCP can be used safely and responsibly across business units.
Harden identity and access as a strategic foundation: Invest in fine-grained OAuth implementations, rigorous scope management, and token lifecycle policies.
Mandate input/output validation as code hygiene: Embed validation at every layer of the MCP stack through shared libraries, automated checks, and coding standards to detect vulnerabilities early.
Embed oversight through mandatory human-in-the-loop workflows: Mandate human-in-the-loop verification for workflows carrying financial, security, or reputational risk.
Build observability into the core: Ensure MCP observability is a native layer from day one, logging every tool invocation, agent decision, and external system interaction.
Institutionalize periodic security reviews: Conduct periodic reviews to reassess access scopes, check for privilege creep, and verify security assumptions.
Enable and empower technical teams through training: Design role-specific training programs to ensure developers, security teams, and business teams understand and follow best practices.
Conclusion
The Model Context Protocol (MCP) is a transformative technology for enabling enterprise-class agentic applications. However, it also brings new and complex security risks that require proactive management. To successfully implement MCP, organizations must think about MCP security from day one, not try to add it later.
For a deeper dive into MCP security considerations and mitigation strategies, read our comprehensive whitepaper on this topic. It provides detailed insights and actionable recommendations to help your organization navigate the complexities of MCP adoption securely and effectively.