Model Context Protocol (MCP) is the right idea at the right time. Anthropic designed it as a standard interface for connecting AI models to business data — a USB-C for AI integrations, as the community has taken to calling it. The problem is that every useful connection is also a potential attack vector. Before you deploy, here is what the attack surface looks like and how to control it.
Why MCP changes your security model
A traditional AI deployment — a model that reads training data and generates responses — has a small, predictable attack surface. MCP-connected AI is different. Your agents now have real-time read and write access to your databases, APIs, and internal workflows. That access is valuable. It's also every connection is a potential entry point.
| Aspect | Traditional AI | MCP-Connected AI |
|---|---|---|
| Data access | Training data only | Live business data across the stack |
| Attack surface | Small, predictable | Every connection is an entry point |
| Permission failures | Contained | Leak across organizations or systems |
In 2025, security researchers found that Asana's MCP server had a vulnerability that could expose user data between organizations based on permission edge cases. Permission systems designed for human users do not automatically work correctly when an AI is making requests programmatically, at machine speed, following logic a human wouldn't.
The top risks
Prompt injection (CVSS 8.5). Malicious content in a tool's response hijacks the agent's next action. An agent that reads from an email inbox, a database, or a web page is reading potentially attacker-controlled content. If that content contains instructions that override the system prompt, the agent may follow them. This is not theoretical — it's documented in production deployments. Defense: treat all tool outputs as untrusted. Validate and sanitize before feeding back into context.
Tool poisoning (CVSS 7.8). A compromised or misconfigured MCP server returns crafted outputs designed to cause the agent to call other tools with malicious parameters. The agent doesn't know the tool response has been tampered with — it acts on what it receives. Defense: validate tool response schemas strictly. Don't allow tool output to directly parameterize subsequent tool calls without validation.
Over-permissioning. The path of least resistance when configuring MCP is broad permissions. Broad permissions mean a compromised agent can affect systems it shouldn't be able to touch. Defense: start with minimal access. Grant permissions for specific resources and specific operations. Revoke what isn't needed.
No visibility. If you can't see what your agent is doing, you can't detect an incident. MCP servers should log every connection, every request, every data access. Without comprehensive logging, you're operating blind. Defense: log everything. Set up anomaly detection on access patterns. Know what "normal" looks like so you can spot deviation.
A four-pillar security framework
Pillar 1: Zero-trust architecture. Every AI system authenticates for each request. Not session-level — request-level. Verify AI identity before each connection. Validate permissions for every request. Isolate MCP servers in secure network zones. Do not assume that because an agent authenticated successfully once, it should have ongoing access.
Pillar 2: Multi-layer defense. Network level: firewalls and isolation. Transport level: TLS for all data in motion. Application level: hardened MCP servers with input validation. Data level: encryption at rest and in transit. Monitoring level: real-time threat detection. No single layer is sufficient alone.
Pillar 3: Least privilege access control.
| AI System | Permitted | Restricted |
|---|---|---|
| Customer service AI | Read profiles, update order status | Access payments, modify accounts |
| Business intelligence AI | Aggregated data, create reports | Individual records, modify data |
| Content AI | Knowledge base, draft materials | Customer PII, publish without approval |
Pillar 4: Continuous monitoring. Monitor connection patterns and authentication attempts. Monitor data access frequency and scope. Alert on anomalous behavior — deviations from normal patterns. Log failed access attempts. Define what a security incident looks like before one happens, so your response is a plan execution rather than an improvisation.
At Eloquentix
Security review is not a checklist item at the end of a project. Our senior engineers conduct threat modeling during architecture design — before a line of integration code is written. When a client deploys AI agents with MCP access to production data, we treat that as the same class of risk as any other privileged API integration: design for failure, validate at every boundary, monitor continuously.
If your team is deploying MCP-connected AI and wants the security surface reviewed: ai@eloquentix.com → Or see what a codebase audit covers →