The National Security Agency’s Artificial Intelligence Security Center warned that the Model Context Protocol (MCP) has become a de facto standard for connecting AI-driven services, but said adoption has outpaced the protocol’s security model.
The guidance is aimed at organizations using MCP in business, finance, legal and software development systems, including deployments that may query personally identifiable information.
MCP is the integration standard Anthropic introduced to connect AI assistants with content repositories, business tools and development environments.
Anthropic later donated MCP to the Agentic AI Foundation, a Linux Foundation-directed fund co-founded by Anthropic, Block and OpenAI. In its announcement, Anthropic said MCP had been adopted across products including ChatGPT, Cursor, Gemini, Microsoft Copilot and Visual Studio Code.
Protocol design shifts the security burden to implementation
The protocol gives AI applications a standard way to share context, expose tools and build workflows across external systems. Its latest specification also says MCP can create “arbitrary data access and code execution paths” and that its consent, privacy and tool-safety principles cannot be enforced at the protocol level, leaving those implementation choices to hosts, clients and servers.
The NSA places much of that risk in implementation. The agency’s Cybersecurity Information Sheet details weak access controls, open-ended serialization, poor approval workflows, token lifecycle gaps, misconfigurations, inconsistent implementation behavior, limited audit logging and denial-of-service patterns.
It also says MCP reverses a familiar interaction pattern by allowing servers to query or execute actions for connected clients, creating attack paths that are harder to trace.
Security researchers demonstrate real-world abuse paths
Security researchers have already demonstrated how those paths can be abused. Invariant Labs showed a GitHub MCP scenario in which a malicious public issue could steer an agent into pulling private repository data into context and publishing it through a public pull request.
In a separate WhatsApp MCP demonstration, the same research group showed how a malicious MCP server connected alongside a trusted WhatsApp MCP server could manipulate tool descriptions and exfiltrate message history.
The toolchain risk is not limited to prompt injection. A GitHub security advisory for MCP Inspector, a developer tool for testing MCP servers, disclosed CVE-2025-49596 in June 2025. The advisory rated the flaw critical, assigned it a 9.4 CVSS score and said versions below 0.14.1 were vulnerable to remote code execution because of missing authentication between the Inspector client and proxy.
NSA outlines strict mitigation steps for enterprise teams
For enterprise security teams, the NSA’s recommendations turn MCP rollout into an inventory, access-control and monitoring project. The agency recommends choosing supported MCP projects, applying code audits to MCP servers, and defining trust boundaries.
It also recommends validating parameters, sandboxing tool execution, signing and verifying messages, filtering chained outputs, logging all tool and model invocations, and scanning networks for open or unauthorized MCP servers.
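Several of the host-side controls in that list (pinning approved tool listings so the kind of tool-description manipulation shown in the WhatsApp demonstration is refused, validating call parameters, filtering chained outputs so private data cannot cross into a public sink as in the GitHub scenario, and logging every invocation) can be sketched together. This is an added example, not code from the NSA sheet or from any MCP SDK; `ToolGate`, `PolicyViolation`, the private/public result labels and the `TOOLS` listing are all assumptions constructed for illustration.

```python
import hashlib
import json
import logging
logging.basicConfig(level=logging.INFO, format="%(message)s")  # audit trail of every call

class PolicyViolation(Exception):
    pass
def digest(tool):  # stable hash over a tool's advertised name, description and schema
    return hashlib.sha256(json.dumps(tool, sort_keys=True).encode()).hexdigest()

class ToolGate:
    # Hypothetical host-side gate in front of MCP tool calls (not an MCP SDK API).
    def __init__(self, listing, public_sinks):
        self.tools = {t["name"]: t for t in listing}
        self.pins = {name: digest(t) for name, t in self.tools.items()}  # pinned at approval
        self.public_sinks = set(public_sinks)
        self.tainted = False  # True once any call has returned data labelled private

    def verify_listing(self, listing):
        # A changed description (the tool-poisoning pattern) or an unapproved tool is refused.
        for tool in listing:
            if self.pins.get(tool["name"]) != digest(tool):
                raise PolicyViolation(f"tool {tool['name']!r} changed or is unapproved")
        return True

    def call(self, name, params, handler):
        expected = set(self.tools[name]["schema"])  # parameter validation against the schema
        if set(params) != expected:
            raise PolicyViolation(f"{name}: got {sorted(params)}, expected {sorted(expected)}")
        if name in self.public_sinks and self.tainted:
            # Chained-output filter: private data already in context must not reach a public sink.
            raise PolicyViolation(f"{name}: session holds private data, refusing public write")
        result = handler(**params)
        self.tainted = self.tainted or result.get("label") == "private"
        logging.info(json.dumps({"tool": name, "params": params, "label": result.get("label")}))
        return result

TOOLS = [  # constructed sample listing: a private-repo reader and a public PR writer
    {"name": "read_private_issue", "description": "Read a private-repo issue", "schema": {"issue_id": "integer"}},
    {"name": "create_public_pr", "description": "Open a public-repo PR", "schema": {"body": "string"}},
]
def run_scenario():
    # The GitHub MCP pattern: private content is read, then a public write is attempted.
    gate = ToolGate(TOOLS, public_sinks=["create_public_pr"])
    gate.call("read_private_issue", {"issue_id": 42}, lambda issue_id: {"label": "private"})
    try:
        gate.call("create_public_pr", {"body": "..."}, lambda body: {"label": "public"})
    except PolicyViolation:
        return "blocked"
    return "allowed"
```

The log line carries the call parameters, so in a real deployment it should go to a protected audit sink rather than a shared console.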
Tech giants introduce proprietary guardrails as governance evolves
Major enterprise platforms are already treating MCP as a governed integration surface. Google Cloud says its remote MCP servers include IAM controls, fine-grained authorization, audit logging and Model Armor to help mitigate prompt injection, sensitive data disclosure and tool poisoning.
Microsoft says MCP tools and resources from a connected server become available inside Copilot Studio, while GitHub says organizations and enterprises can enable or disable MCP access for Copilot users through policy.
The unresolved question for buyers is how much MCP security remains product-specific rather than protocol-guaranteed. The MCP authorization specification says authorization is optional for implementations, while the NSA concludes that MCP’s current security posture remains uneven and dependent on implementation discipline.
Anthropic says MCP’s governance model remains unchanged under the Agentic AI Foundation, making future specification changes a key point to watch as enterprises connect agents to more sensitive systems.