TL;DR
- The Model Context Protocol (MCP) — a standard for connecting AI agents to external tools and data — has fundamental security limitations that can't be fixed with patches [1]
- MCP allows AI agents to access files, databases, APIs, and other systems, creating attack surfaces that are architectural, not incidental
- The core problem: MCP-connected tools inherit the trust level of the AI agent, which means a single prompt injection can cascade into real-world actions across connected systems
- ISO 42001 (the international standard for AI management systems) provides a governance framework that addresses these risks at the organizational level [2]
- SMBs adopting AI tools need governance policies before they deploy AI agents with MCP-style tool access
What Is MCP and Why Is Everyone Talking About It?
The Model Context Protocol (MCP) is an open standard, originally developed by Anthropic, that defines how AI agents connect to external tools and data sources [3]. Think of it as a universal plug that lets AI models interact with the real world — reading files, querying databases, calling APIs, executing code, and triggering actions in external systems.
MCP has gained rapid adoption because it solves a real problem. Without a standard protocol, every AI tool integration is a custom build. MCP provides a consistent interface, making it easier for developers to connect AI agents to the tools they need.
The protocol is used by a growing ecosystem of AI development tools, including Claude (Anthropic's AI assistant), various IDE integrations, and third-party AI agent frameworks. MCP servers — the components that expose tools and data to AI agents — now exist for file systems, databases, web browsers, code execution environments, and hundreds of other integrations.
The security community's concern isn't that MCP has bugs that need patching. It's that MCP's design creates security challenges that are inherent to the architecture — and those challenges apply to any system that gives AI agents tool access, whether it uses MCP or not.
The Architectural Security Problem — Why Patches Won't Fix This
Traditional software vulnerabilities work like this: a bug is found, a patch is released, you apply the patch, the vulnerability is fixed. MCP's security challenges don't follow this pattern because they're not bugs — they're consequences of the architecture itself.
As reported by Dark Reading, security researchers have identified that MCP's security risks are structural rather than incidental [1]. Here are the core issues:
The Trust Inheritance Problem
When you connect an MCP server to an AI agent, the tools exposed by that server inherit the trust level and permissions of the AI agent. If the AI agent has access to your file system through an MCP server, then anything that can influence the AI agent's behavior can indirectly access your file system.
This is fundamentally different from traditional software where each component has its own access controls. In the MCP model, the AI agent becomes a universal accessor — and anything that can manipulate the AI agent (like prompt injection) becomes a universal threat.
The Prompt Injection Cascade
Prompt injection — tricking an AI model into following attacker-controlled instructions — is a well-documented risk in AI systems. OWASP lists prompt injection (LLM01) as the top risk in its Top 10 for LLM Applications [4].
With MCP, prompt injection becomes dramatically more dangerous. Consider this scenario:
- An AI agent with MCP connections reads an email (via an email MCP server)
- The email contains hidden prompt injection instructions
- The AI agent, following the injected instructions, uses a file system MCP server to read sensitive files
- The AI agent uses an API MCP server to send that data to an external endpoint
Each step is a legitimate MCP operation. The AI agent is using its tools exactly as designed. The problem is that the agent's intent was manipulated by malicious input, and MCP doesn't have a mechanism to distinguish between legitimate and manipulated tool use.
The Confused Deputy Problem
In computer security, a "confused deputy" is a program that's tricked into misusing its authority. MCP-connected AI agents are particularly susceptible to this because they're designed to take actions based on natural language instructions — and natural language is inherently ambiguous and manipulable.
An MCP server that exposes database access trusts that the AI agent will only make legitimate queries. But the AI agent's judgment about what constitutes a legitimate query can be influenced by its input context — including potentially malicious content.
No Granular Authorization Model (Yet)
Current MCP implementations typically operate with broad permissions. When you grant an MCP server access to your file system, it's often all-or-nothing — the AI agent can read any file the MCP server process can access.
More granular authorization models are being developed by the community, but the fundamental challenge remains: how do you define fine-grained permissions for a system that operates on natural language instructions? Traditional access controls use explicit rules ("user X can read file Y"). AI agent access is inherently dynamic and context-dependent.
This Isn't Just an MCP Problem — It's an AI Agent Problem
It's important to understand that these security challenges aren't unique to MCP. Any system that gives AI agents the ability to use tools — whether it uses MCP, custom integrations, or alternative protocols — faces the same architectural issues.
MCP has become the focus of security discussions because it's the most widely adopted standard for AI tool access, but the underlying problems exist regardless of the protocol:
- Trust inheritance applies whenever an AI agent accesses external resources
- Prompt injection cascades apply to any AI agent with tool access
- The confused deputy problem applies to any system that acts on AI-generated instructions
The security community's point isn't that MCP is uniquely dangerous — it's that the entire paradigm of AI agents with tool access introduces risks that traditional security approaches aren't designed to handle.
What ISO 42001 Tells Us About AI Governance
ISO/IEC 42001:2023 is the international standard for AI management systems [2]. It provides a framework for organizations to manage AI-related risks, including the security and safety of AI systems.
ISO 42001 is relevant to MCP security because it addresses the governance layer — the organizational policies, processes, and controls that determine how AI systems are deployed and managed. Where MCP's security challenges are architectural, ISO 42001's approach is managerial.
Key ISO 42001 principles that apply to AI agent security:
Risk assessment. Before deploying AI agents with tool access, organizations should identify and assess the risks those tools create. What data can the agent access? What actions can it take? What's the worst-case outcome of a prompt injection?
Access control policies. Define who can deploy AI agents, what tools those agents can access, and under what conditions. Don't let developers connect AI agents to production databases without security review.
Monitoring and audit. Log what AI agents do — especially their tool interactions. If an MCP-connected agent reads a file or calls an API, that action should be logged and reviewable.
Incident response. Have a plan for when AI agent behavior goes wrong. If a prompt injection causes an AI agent to exfiltrate data via MCP, how do you detect it, contain it, and recover?
Continuous improvement. AI security is evolving rapidly. Your governance framework should evolve with it.
ISO 42001 certification isn't required for most organizations, but its framework provides practical guidance regardless of whether you pursue formal certification.
Practical AI Security Guidance for SMBs Using AI Agents
If your business uses AI agents — whether through ChatGPT plugins, Claude with MCP, Microsoft Copilot, or any other AI tool that can take actions — here's how to manage the security risks:
1. Inventory Your AI Agent Connections
Know which AI tools in your organization have tool access. This includes:
- AI assistants with access to your email, calendar, or files
- AI coding assistants with access to your codebase and deployment systems
- AI agents connected to your CRM, database, or business applications
- Any MCP servers running in your environment
You can't secure what you don't know exists. Shadow AI with tool access is the highest-risk scenario.
2. Apply the Principle of Least Privilege
Every AI agent should have access to the minimum tools and data needed for its purpose. If an AI coding assistant doesn't need access to your customer database, don't give it that access.
For MCP specifically, this means being selective about which MCP servers you deploy and what data they expose. Don't connect a file system MCP server that gives access to your entire system when the AI agent only needs access to a specific project directory.
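The scoped file access recommended here, and the all-or-nothing file-system access described under "No Granular Authorization Model", as an added example (not code from the article or from any MCP SDK): a read-only file tool confined to one project directory. The deny-list names (.env, .pem, .key) and the size cap are assumptions.

```python
# Added example: a read-only file tool confined to a single project directory,
# the least-privilege alternative to exposing the whole host file system.
from pathlib import Path
import tempfile


class ScopedFileTool:
    """Every requested path is resolved (symlinks and '..' included) and must
    stay inside the root; a small deny-list blocks secrets even inside the
    project. The deny-list entries are assumed examples, not a standard."""

    DENY_SUFFIXES = (".env", ".pem", ".key")

    def __init__(self, root: str, max_bytes: int = 64 * 1024):
        self.root = Path(root).resolve()
        self.max_bytes = max_bytes  # cap on what one call may return

    def _authorize(self, requested: str) -> Path:
        # Resolve before checking, so symlinks and '..' cannot escape the root.
        target = (self.root / requested).resolve()
        if target != self.root and self.root not in target.parents:
            raise PermissionError(f"outside project root: {requested}")
        if target.name.endswith(self.DENY_SUFFIXES):
            raise PermissionError(f"denied by policy: {requested}")
        if not target.is_file():
            raise FileNotFoundError(requested)
        return target

    def read_file(self, requested: str) -> str:
        target = self._authorize(requested)
        with open(target, "rb") as fh:
            data = fh.read(self.max_bytes + 1)
        if len(data) > self.max_bytes:
            raise PermissionError(f"file exceeds {self.max_bytes} bytes")
        return data.decode("utf-8", errors="replace")


def demo() -> dict:
    """Build a constructed project tree and return the verdict for each request."""
    base = Path(tempfile.mkdtemp())
    project = base / "project"
    project.mkdir()
    (project / "README.md").write_text("hello")
    (project / ".env").write_text("SECRET=1")           # secret inside the project
    (base / "outside.txt").write_text("host file")      # file outside the project
    try:
        (project / "link").symlink_to(base / "outside.txt")  # symlink escape attempt
    except OSError:
        pass  # platforms without symlink support: the request is simply not found
    tool = ScopedFileTool(str(project))
    results = {}
    for req in ["README.md", "../outside.txt", "link", ".env"]:
        try:
            results[req] = tool.read_file(req)
        except (PermissionError, FileNotFoundError) as exc:
            results[req] = f"DENIED: {exc}"
    return results
```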
3. Separate AI Agent Environments from Production Data
Where possible, AI agents should operate in sandboxed environments with limited access to production systems. If an AI agent needs to query data, provide it with a read-only view rather than direct database access.
This doesn't eliminate the risk of data exfiltration, but it prevents the most damaging scenarios — like an AI agent being manipulated into deleting data or modifying critical records.
4. Implement Human-in-the-Loop for High-Stakes Actions
For any action with significant business impact — sending emails, modifying databases, deploying code, transferring funds — require human approval before the AI agent executes.
Many AI agent frameworks support confirmation steps where the agent proposes an action and waits for human approval. Use this feature for anything with irreversible consequences.
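A confirmation step of this kind, applied to the injection cascade described earlier (read email, read files, send data out), as an added example that is not from the article or any agent framework: a policy layer between the agent and its tools that always holds high-stakes calls for human approval and marks a session as tainted once it has consumed untrusted content. The tool names and the two tool sets are assumptions.

```python
# Added example: an approval gate for tool calls. High-stakes tools always wait
# for a human; once a session has ingested untrusted content, the approval
# request is flagged so the reviewer knows an injection may be in play.
from dataclasses import dataclass, field

HIGH_STAKES = {"send_email", "http_post", "db_write", "deploy", "transfer_funds"}
UNTRUSTED_SOURCES = {"read_email", "fetch_url"}  # tools that ingest outside content


@dataclass
class Session:
    approved: set = field(default_factory=set)  # call ids a human has approved
    tainted: bool = False                        # untrusted content seen?
    log: list = field(default_factory=list)      # (call_id, tool, verdict) audit trail


def approve(session: Session, call_id: str) -> None:
    """Record a human approval (in practice a UI click or a ticket)."""
    session.approved.add(call_id)


def gate(session: Session, call_id: str, tool: str, args: dict) -> str:
    """Return 'allow', 'needs_approval' or 'needs_approval:tainted' for one call."""
    if tool in UNTRUSTED_SOURCES:
        session.tainted = True
        verdict = "allow"
    elif tool in HIGH_STAKES:
        if call_id in session.approved:
            verdict = "allow"
        else:
            verdict = "needs_approval:tainted" if session.tainted else "needs_approval"
    else:
        verdict = "allow"
    session.log.append((call_id, tool, verdict, args))
    return verdict


def cascade_demo() -> list:
    """Replay the article's cascade with constructed calls; returns each verdict."""
    s = Session()
    out = [
        gate(s, "c1", "read_email", {"mailbox": "inbox"}),
        gate(s, "c2", "read_file", {"path": "customers.csv"}),
        gate(s, "c3", "http_post", {"url": "https://collector.example.invalid/"}),
    ]
    approve(s, "c3")  # only after a person has looked at the outbound step
    out.append(gate(s, "c3", "http_post", {"url": "https://collector.example.invalid/"}))
    return out


def clean_demo() -> str:
    """A high-stakes call with no untrusted input still waits for approval."""
    return gate(Session(), "d1", "send_email", {"to": "team@example.invalid"})
```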
5. Monitor AI Agent Activity
Log all tool interactions. When an AI agent reads a file, calls an API, or executes code via MCP, those actions should be recorded. Review these logs regularly, and set up alerts for unusual patterns — like an AI agent accessing files it doesn't normally touch or making API calls to unfamiliar endpoints.
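The "unusual patterns" review described above, as an added example with a constructed log format (not any product's): a per-agent baseline of directories and hosts it normally touches, applied to sample tool-call log lines. The agent name, paths, hosts and log lines are all constructed.

```python
# Added example: baseline review of agent tool-call logs. Flags file access
# outside the agent's usual directories, calls to unfamiliar hosts, and an
# outbound post that follows an unusual read (a possible exfiltration chain).
import json
from urllib.parse import urlsplit

# Constructed audit lines, one JSON object per tool call.
AUDIT_LOG = """
{"ts":"2026-03-02T09:01:00Z","agent":"code-assist","tool":"read_file","target":"/srv/app/src/main.py"}
{"ts":"2026-03-02T09:01:07Z","agent":"code-assist","tool":"http_get","target":"https://api.github.com/repos/acme/app"}
{"ts":"2026-03-02T09:02:15Z","agent":"code-assist","tool":"read_file","target":"/home/dev/credentials.json"}
{"ts":"2026-03-02T09:02:20Z","agent":"code-assist","tool":"http_post","target":"https://paste.example.invalid/upload"}
{"ts":"2026-03-02T09:03:00Z","agent":"code-assist","tool":"read_file","target":"/srv/app/src/util.py"}
"""

# Constructed baseline: directory prefixes and hosts this agent normally uses.
BASELINE = {
    "code-assist": {"paths": ["/srv/app/"], "hosts": ["api.github.com"]},
}


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def review(events: list, baseline: dict) -> list:
    """Return (timestamp, reason, detail) alerts for calls outside the baseline."""
    alerts = []
    unusual_read = {}  # agent -> last file read outside its baseline
    for ev in events:
        ts, agent, tool, target = ev["ts"], ev["agent"], ev["tool"], ev["target"]
        profile = baseline.get(agent)
        if profile is None:
            alerts.append((ts, "unknown agent", agent))
            continue
        if tool in ("read_file", "write_file"):
            if not any(target.startswith(p) for p in profile["paths"]):
                unusual_read[agent] = target
                alerts.append((ts, "file outside baseline", target))
        elif tool in ("http_get", "http_post"):
            host = urlsplit(target).hostname or ""
            if host in profile["hosts"]:
                continue
            if tool == "http_post" and agent in unusual_read:
                detail = f"{unusual_read[agent]} -> {host}"
                alerts.append((ts, "possible exfiltration chain", detail))
            else:
                alerts.append((ts, "unfamiliar endpoint", host))
    return alerts


def run() -> list:
    return review(parse_log(AUDIT_LOG), BASELINE)
```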
6. Establish an AI Governance Policy
Even a simple policy is better than none. Document:
- Which AI tools are approved for use in your organization
- What data AI tools are allowed to access
- Who is responsible for reviewing and approving AI tool deployments
- How AI-related security incidents are reported and handled
- How frequently your AI security posture is reviewed
This doesn't need to be a 50-page document. A clear, one-page policy that your team actually follows is more valuable than a comprehensive policy that nobody reads.
7. Plan for ISO 42001 Compliance
If your business operates in regulated industries or serves enterprise customers, ISO 42001 compliance may become a competitive advantage or a customer requirement. Even if certification isn't on your near-term roadmap, using ISO 42001's framework to structure your AI governance will put you ahead of most organizations.
The Future of AI Agent Security
The security challenges with MCP and AI agent tool access are well understood by the AI community. Active work is underway on several fronts:
Better authorization models. The MCP community and broader AI security community are developing more granular permission systems for AI tool access, including scope-limited tokens and per-action authorization.
AI-native security monitoring. New tools are emerging specifically designed to monitor AI agent behavior and detect anomalous tool usage patterns.
Standards development. ISO 42001 is a starting point, but more specific standards for AI agent security are being developed by organizations including NIST, OWASP, and the AI Security Alliance.
Architectural evolution. Future versions of AI-tool integration protocols will likely incorporate security primitives that current implementations lack — including cryptographic attestation, sandboxed execution, and formal verification of agent intent.
These improvements will help, but they won't eliminate the fundamental tension: AI agents are useful precisely because they can take actions, and any system that takes actions creates security risks. Managing those risks — through governance, monitoring, and careful deployment — is the path forward.
FAQ
The Model Context Protocol (MCP) is an open standard for connecting AI agents to external tools and data sources. Originally developed by Anthropic, MCP defines how AI models can interact with file systems, databases, APIs, and other external systems [3]. It's used by AI assistants like Claude, as well as various AI development tools and agent frameworks. MCP makes it easier to build AI tools that can take real-world actions, but it also creates new security surfaces that require careful management.
Not entirely. While specific implementation bugs can be patched, the core security challenges are architectural [1]. The trust inheritance problem, prompt injection cascades, and confused deputy risks are inherent to any system that gives AI agents tool access. These challenges require governance, monitoring, and architectural mitigations — not just software patches. Better authorization models and monitoring tools will help, but they don't eliminate the fundamental risks.
No. AI agents with tool access provide real business value, and stopping their use entirely is neither practical nor necessary. The appropriate response is to deploy them thoughtfully — with governance policies, least-privilege access, human-in-the-loop for high-stakes actions, and monitoring of agent activity. The goal is to get the benefits of AI agents while managing the security risks they create.
ISO/IEC 42001:2023 is the international standard for AI management systems [2]. It provides a framework for managing AI-related risks, including security, safety, and ethical considerations. Formal certification is not required for most organizations, but ISO 42001's framework is valuable guidance for any business using AI. Using it to structure your AI governance practices will help you manage risk, and certification may become a competitive advantage if your customers or industry regulators begin requiring it.
Detection requires monitoring AI agent tool interactions. Log all actions an AI agent takes — especially file access, API calls, and data transfers. Look for unusual patterns: an AI agent accessing files it doesn't normally touch, making API calls to unfamiliar endpoints, or executing actions that don't match the user's request. AI-specific security monitoring tools are emerging to help with this, but even basic logging and periodic review of agent actions can catch anomalous behavior.
References
[1] Dark Reading, "MCP Security Can't Be Patched," Dark Reading, Mar. 2026. [Online]. Available: https://www.darkreading.com/application-security/mcp-security-patched
[2] ISO, "ISO/IEC 42001:2023 — Information Technology — Artificial Intelligence — Management System," International Organization for Standardization, 2023. [Online]. Available: https://www.iso.org/standard/81230.html
[3] Anthropic, "Model Context Protocol," Anthropic, 2024. [Online]. Available: https://modelcontextprotocol.io/
[4] OWASP, "OWASP Top 10 for LLM Applications," Open Web Application Security Project, 2025. [Online]. Available: https://owasp.org/www-project-top-10-for-large-language-model-applications/
[5] NIST, "Artificial Intelligence Risk Management Framework (AI RMF 1.0)," NIST AI 100-1, Jan. 2023. [Online]. Available: https://www.nist.gov/artificial-intelligence/executive-order-safe-secure-and-trustworthy-artificial-intelligence
[6] European Commission, "EU Artificial Intelligence Act," European Commission, 2024. [Online]. Available: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
[7] MITRE, "ATLAS — Adversarial Threat Landscape for Artificial-Intelligence Systems," MITRE Corporation, 2024. [Online]. Available: https://atlas.mitre.org/
[8] NIST, "Taxonomy and Terminology of Adversarial Machine Learning," NIST AI 100-2e2023, Mar. 2024. [Online]. Available: https://csrc.nist.gov/publications/detail/nistir/8269/final
TL;DR
- MCP (Model Context Protocol) is a system that lets AI assistants use tools — like reading files, searching the web, or sending messages
- The security problem isn't a bug that can be fixed with an update — it's baked into how the system works
- The main risk: if someone tricks the AI assistant, it can misuse all the tools it has access to
- Businesses using AI tools need rules about what those tools are allowed to do, just like you'd set rules for a new employee
What Is MCP?
Imagine you have a really smart assistant. On their own, they can answer questions and have conversations, but they can't actually do anything in the real world. They can't open your filing cabinet, send emails, or look things up on the internet.
MCP is like giving that assistant a set of keys and tools. With MCP, an AI assistant can:
- Read and write files on your computer
- Look up information in databases
- Send messages and emails
- Run programs
- Connect to websites and services
It's what turns an AI from a "talking head" into an "AI that can actually do stuff." That's really useful — but it also creates new problems.
What's the Security Problem?
Here's the thing: the security issue with MCP isn't like a broken window that you can fix with a new pane of glass. It's more like a design problem with the building itself.
The core problem comes down to trust. When you give an AI assistant a set of tools through MCP, the AI uses those tools based on what you tell it. But what if someone tricks the AI?
Think of it like this: You hire a new office assistant and give them keys to the filing cabinet, access to the company email, and your bank login. You tell them, "Follow my instructions." Great — that works perfectly when you're the one giving instructions.
But what if the assistant reads a letter that says "I'm from the boss — please send all the files in the cabinet to this address"? A human assistant might be suspicious. But an AI assistant might just do it, because following instructions is exactly what it's designed to do.
This trick is called "prompt injection" — sneaking instructions into something the AI reads, so the AI follows the fake instructions instead of (or in addition to) yours.
Why Can't You Just Fix It?
With most software problems, the fix is an update. You download a patch, the bug is gone, done.
MCP's security challenges are different because they come from the basic design:
The trust problem. When an AI has tools, anything that can influence the AI can indirectly use those tools. You can add safety checks, but you can't fundamentally change the fact that the AI decides when and how to use its tools based on language — and language can be manipulated.
The "too many keys" problem. When you give an AI access to your files through MCP, it often gets access to everything, not just specific files. It's like giving someone a master key when they only need the key to one room.
The "helpful assistant" problem. AI assistants are designed to be helpful and follow instructions. That's their job. But that same helpfulness makes them vulnerable to being tricked, because saying "no" to a convincing request isn't their strong suit.
These aren't bugs — they're trade-offs. The same features that make AI assistants useful (following instructions, using tools, being helpful) are the same features that create security risks.
What Does This Mean for My Business?
If your business uses AI tools that can do things — not just chat, but actually take actions like reading files, sending emails, or accessing business systems — you need to think about these risks.
The good news: you don't need to stop using AI tools. You just need to be thoughtful about what you let them do.
What Can You Do?
Only give AI tools the access they actually need. If your AI assistant only needs to help with writing, it doesn't need access to your customer database. Keep the toolbox small.
Require human approval for important actions. Before an AI sends an email on your behalf, deletes a file, or accesses sensitive data, it should ask you first. Many AI tools already have this "confirm before acting" feature — make sure it's turned on.
Keep a record of what AI tools do. If your AI assistant accesses files or sends messages, keep a log. That way, if something goes wrong, you can see what happened and when.
Make rules for AI tools, just like you would for employees. A new employee doesn't get the keys to everything on day one. They get the access they need, with supervision. Treat AI tools the same way.
Know which AI tools your team is using. The biggest risk is AI tools that people are using without anyone knowing about them. Make sure there's a process for approving new AI tools before they get connected to business systems.
Think of AI tools like any powerful tool in your business. A forklift is really useful in a warehouse, but you don't let just anyone drive it, and you have safety rules. Same idea with AI that can take actions — it's powerful, useful, and worth using, but it needs rules and oversight.