· 7 min read · Cybersecurity
How MCP connects AI agents to tools and data, and the controls that keep those connections safe and auditable.
What MCP Is
The Model Context Protocol is an open standard, introduced by Anthropic in late 2024, that lets an AI application connect to external tools and data in a consistent way. An MCP client, which is the AI application, talks to one or more MCP servers, each of which exposes tools it can call and resources it can read. Instead of a custom integration for every data source, a team implements the protocol once and any compatible client can use it. That convenience is why adoption has spread quickly, and it is also why the security of the connection now deserves the same attention as the model.
The Security Questions MCP Raises
Authentication and Authorisation of Servers
An MCP server can expose powerful capabilities, so the client needs to know which servers it is allowed to talk to and prove its identity to them. Treat an MCP server as you would any other privileged service, with authenticated connections and authorisation on the actions it offers.
Least-Privilege Tool Scopes
Give an agent only the tools the task requires, and scope each tool to the narrowest data and actions it needs. A read-only tool should not be able to write. A tool that reads one dataset should not reach another. Narrow scopes limit the blast radius when something goes wrong.
Prompt Injection Through Tool Content
Content that comes back from a tool or resource can carry instructions that try to steer the agent. This is prompt injection delivered through data rather than through the user prompt. Treat tool output as untrusted input, and do not let it silently expand what the agent is allowed to do.
Supply Chain of MCP Servers
An MCP server is software written by someone. Before you connect one, ask who maintains it, what permissions it requests, and whether its behaviour can be reviewed. A malicious or careless server sits inside the trust boundary of the agent, so it belongs in your third-party risk process.
Audit Logging of Tool Calls
Record which tools were called, with what arguments, and what came back. A log of tool calls is the evidence you need to investigate an incident and to show a reviewer how an agent reached an action.
Mapping MCP Controls to Frameworks
These controls are not new inventions. Authentication and least privilege map to the access-control families of NIST SP 800-53. The agentic risk patterns line up with the OWASP work on agentic and large language model security. Anchoring MCP controls to frameworks an auditor already recognises turns a new protocol into governed infrastructure rather than an unmanaged surface.
Bidda and MCP
Bidda publishes a set of read-only compliance tools through an MCP server, so an agent can query a source-verified obligation, pull a crosswalk, or check for a change in a source instrument, all in the same protocol its other tools use. Because the tools are read-only intelligence, they add capability to an agent without adding write access to your systems.
Frequently Asked Questions
What is the Model Context Protocol?The Model Context Protocol, or MCP, is an open standard introduced by Anthropic in late 2024 that lets an AI application connect to external tools and data through MCP servers in a consistent way, instead of building a custom integration for each source.
What are the main MCP security risks?The main risks are unauthenticated or over-privileged servers, tool scopes that are broader than the task needs, prompt injection delivered through tool content, an unreviewed supply chain of third-party servers, and missing audit logs of tool calls.
How do I govern what an AI agent can access through MCP?Authenticate and authorise every MCP server, give each tool least-privilege scope, treat tool output as untrusted input, put third-party servers through your supply-chain review, and log every tool call. These controls map to NIST SP 800-53 access-control families and the OWASP agentic risk guidance.