What is MCP?

Model Context Protocol (MCP) is a set of standards that govern how AI systems communicate with one another and with external tools and data sources. Originally released by Anthropic in November 2024, MCP has since become widely adopted across AI tools in multiple industries. In practical terms, MCP allows AI tools to connect to internal or external services in order to share information and perform tasks such as retrieving documents, querying databases, or triggering actions in other software.

New NSA guidance

On May 20, 2026, the National Security Agency published guidance titled "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation." The NSA warns that MCP's rapid adoption has outpaced the development of appropriate security safeguards, leaving organizations exposed to risks that the protocol's designers and implementers did not fully anticipate. The report identifies real-world security concerns and offers practical recommendations for organizations using MCP in sensitive or business-critical environments. 

Security risks

The NSA's guidance mentions several security risks:

  • Uncontrolled automated actions: AI systems using MCP can independently decide to use new tools or take new actions.
  • Lack of input screening: MCP allows data to pass between systems without sufficient checks on what that data contains, opening the door for malicious content, such as hidden commands, to slip through undetected.
  • Context poisoning: AI systems can produce outputs that, if blindly accepted by other connected systems, may be misinterpreted as instructions rather than information, enabling manipulation or unauthorized extraction of data across connected processes.
  • Lack of identity and access controls: Many MCP implementations allow systems to access or process data without verifying who is requesting access or whether that user has appropriate permissions.
  • Data leakage: Information shared within an MCP environment can be inadvertently exposed to multiple connected services, increasing the likelihood that confidential data ends up where it should not.
  • Lack of human approval steps: Some MCP implementations do not require human sign-off before taking actions, and even where approvals exist, changes to the system's capabilities or data access can often occur without triggering any review.
  • Credential reuse risk: MCP systems often lack proper expiration or revocation controls for authentication tokens, meaning a stolen or intercepted credential could be reused by an unauthorized party to gain access and potentially impersonate legitimate users.
  • Susceptibility to overload attacks: MCP systems can be overwhelmed by floods of requests, whether malicious or simply overly complex, causing them to crash or become unavailable (i.e. denial-of-service attacks).

NSA recommendations

The NSA offers the following recommendations for organizations deploying MCP:

  • Go beyond the official documentation: Organizations should not rely solely on the security suggestions included in MCP's own documentation, but must adopt additional, deliberate safeguards tailored to their environment.
  • Use reliable, actively maintained MCP tools: Organizations should verify that they are using well-maintained, reputable versions of MCP tools from trusted providers and repositories.
  • Subject MCP tools to your most rigorous review processes: If your organization has existing procedures for vetting new software (e.g. code audits), those same procedures, at their highest level of scrutiny, should be applied to any MCP tools before deployment.
  • Separate systems and data by trust level: Organizations should draw clear boundaries between the different components of an MCP environment, placing them in distinct zones with appropriate levels of access to data sources. Tools handling public information should be kept separate from tools that interact with sensitive, confidential, or regulated data.
  • Grant only the minimum access necessary: If an MCP tool does not need access to sensitive files, internal networks, or other resources, then access should be explicitly blocked.
  • Keep data processing local where possible: When handling private or sensitive data, organizations should run MCP tools locally, rather than relying on external services, to reduce the risk of data exposure.
  • Screen all inputs before processing: Every request made within an MCP system should be checked against predefined rules to ensure it is properly formed, within expected limits, and free of potentially harmful content. It is important to include such validations where the output of one model becomes the input of another model in an AI system.
  • Treat all automated actions as high-risk: Any action taken by an MCP tool, whether retrieving data, running a query, or connecting to an outside service, should be confined within strict permission boundaries and isolated from other processes.
  • Maintain comprehensive activity logs: All actions taken by MCP tools should be logged in detail, including what tool was requested, by whom, and what resulted. Such logs should be integrated into the organization's existing security monitoring systems.
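As an added illustration (not code from the NSA report or from any MCP implementation) of how three of the recommendations above fit together, the following constructed policy gateway screens each MCP `tools/call` request before it is forwarded: it enforces a per-caller tool allowlist (minimum access), rejects malformed, oversized, or instruction-like inputs (input screening), and records who asked for which tool and the outcome (activity logging). The names `ALLOWED_TOOLS`, `screen_request`, `AUDIT_LOG`, the caller identities and the pattern list are all hypothetical.

```python
import json
import re

# Constructed example: a minimal policy gateway that sits between an MCP
# client and server and screens every tools/call request before forwarding.
# ALLOWED_TOOLS, screen_request and AUDIT_LOG are hypothetical names.

# Least privilege: each caller identity may invoke only a fixed set of tools.
ALLOWED_TOOLS = {
    "analyst": {"search_docs", "read_ticket"},
    "automation-bot": {"search_docs"},
}
MAX_ARGUMENT_BYTES = 4096

# Small screen for text that reads as an instruction to the model rather than
# as data; a real deployment would use a richer, maintained rule set.
INSTRUCTION_PATTERNS = re.compile(
    r"(ignore (all |any )?(previous|prior) instructions|you are now|system prompt)",
    re.IGNORECASE,
)

AUDIT_LOG = []  # one dict per decision: who, which tool, allowed, and why


def screen_request(caller, message):
    """Return (allowed, reason) for one JSON-RPC message sent by `caller`."""
    try:
        req = json.loads(message)
    except ValueError:
        return _record(caller, None, False, "malformed JSON")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or req.get("method") != "tools/call":
        return _record(caller, None, False, "not a tools/call request")
    params = req.get("params") or {}
    tool = params.get("name")
    args = params.get("arguments", {})
    if not isinstance(tool, str) or not isinstance(args, dict):
        return _record(caller, tool, False, "bad params shape")
    if tool not in ALLOWED_TOOLS.get(caller, set()):
        return _record(caller, tool, False, "tool not permitted for caller")
    encoded = json.dumps(args)  # screen the serialized arguments as one string
    if len(encoded.encode()) > MAX_ARGUMENT_BYTES:
        return _record(caller, tool, False, "arguments exceed size limit")
    if INSTRUCTION_PATTERNS.search(encoded):
        return _record(caller, tool, False, "instruction-like content in arguments")
    return _record(caller, tool, True, "ok")


def _record(caller, tool, allowed, reason):
    """Append the decision to the audit log and return it to the caller."""
    AUDIT_LOG.append({"caller": caller, "tool": tool, "allowed": allowed, "reason": reason})
    return allowed, reason
```

Every decision, including denials, lands in `AUDIT_LOG`, which is the record you would forward to existing security monitoring.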

Organizations utilizing external tools with their AI systems should check out the full report from the NSA.

It is essential that MCP operations are brought in line with established secure computing practices without stifling the flexibility and power that make it attractive in the first place.
