
MCP in One Sitting: What It Is and Why Security Teams Should Care


When AI Quietly Enters the Enterprise

It rarely starts with a breach.

It starts with a convenience.

A team deploys an internal AI assistant to triage emails, open tickets, and pull records. The agent connects to email, Jira, and a database. Everything works. Productivity improves. No alarms trigger.

Then one weekend, an email arrives that looks like routine troubleshooting context. Embedded inside are patterns that subtly alter the agent’s behavior. By Monday morning, engineers notice unexpected database activity and dozens of anomalous tickets.

Nothing was “exploited.”
No vulnerability was scanned.
No firewall was bypassed.

The AI agent simply followed instructions through legitimate tool calls.

This is the security reality introduced by the Model Context Protocol (MCP). It fundamentally changes how AI systems interact with enterprise infrastructure and, in doing so, reshapes the AI agent attack surface.

What Is the Model Context Protocol (MCP)?

Model Context Protocol (MCP) is an open specification introduced by Anthropic to standardize how AI agents connect to tools, systems, and data sources.

In practical terms, MCP defines how a model-hosting runtime can:

  • Discover tools
  • Access resources
  • Invoke actions
  • Receive structured results

All through a consistent, machine-readable interface.

MCP’s Core Components

1. MCP Host (Client)
The agent runtime. It manages the language model and issues tool requests.

2. MCP Servers
External services that expose:

  • Tools (e.g., createTicket, queryDatabase, sendEmail)
  • Resources (documents, logs, rows, metadata)

Each server represents a real system the agent can influence.

3. Transport Layer (JSON-RPC)
A standardized communication layer that carries JSON-RPC 2.0 messages over:

  • Standard I/O (stdio)
  • HTTP
  • WebSockets

This simplicity is deliberate and powerful.

Why This Chapter Matters

MCP is not a developer convenience feature. It is becoming a new infrastructure layer beneath enterprise AI.

For security teams, that means:

  • New execution paths
  • New permission boundaries
  • New lateral movement opportunities
  • New forms of exploitation that bypass traditional controls

Agentic AI security is no longer about “what the model says.” It is about what the model can do.

MCP as a New AI Agent Attack Surface

Every MCP tool invocation is an action against a real system.

A minimal example:

  {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "jira.createTicket",
    "params": {
      "title": "Error 500 in customer workflow",
      "description": "Agent detected repeated failures."
    }
  }

From a security perspective, this is equivalent to:

  • An API call
  • Executed by a non-human identity
  • Driven by probabilistic reasoning
  • Influenced by untrusted input

This is tool-based LLM exploitation: manipulating an agent’s decision-making so it misuses legitimate capabilities.

The USB-C Analogy: Why MCP Concentrates Risk

Think of MCP like USB-C for AI systems.

USB-C:

  • Powers devices
  • Transfers data
  • Connects peripherals
  • Enables networking

One port. Many privileges.

MCP does the same for AI agents:

  • One protocol
  • Many tools
  • Many systems
  • Shared trust boundaries

The benefits are obvious. The risks are systemic.

If:

  • One MCP server is compromised
  • One tool is over-permissioned
  • One prompt injection succeeds

The agent becomes a conduit into everything it can reach.

Threat Model Overview

Trust Assumptions MCP Breaks

Traditional security models assume:

  • Clear human intent
  • Stable API clients
  • Explicit workflows

MCP introduces:

  • Non-deterministic decision paths
  • Dynamic tool chaining
  • Instruction-following systems that cannot distinguish “context” from “commands”

Key Threat Classes

  • Prompt injection in MCP resources
  • Over-privileged tool exposure
  • Malicious or compromised MCP servers
  • Unmonitored agent execution paths
  • Implicit trust between tools

Attacker Techniques in Practice

1. Instruction Injection via Resources

Logs, emails, documents, and tickets become delivery mechanisms. The agent consumes them as context, not code—but reacts as if they were instructions.

2. Tool Chaining for Escalation

A read-only action leads to:

  • Ticket creation
  • Metadata access
  • Config changes
  • Database queries

All without explicit approval.

3. Lateral Movement Through Standardization

Once an attacker understands MCP, every connected system looks the same. The learning curve collapses.

Defender Controls and Security Patterns

Log MCP Like You Log APIs

  • Tool name
  • Parameters
  • Calling agent
  • Target system
  • Result

MCP tool calls are security-relevant events.

Enforce Least Privilege at the Tool Level

Avoid:

  • “admin” tools
  • Broad query access
  • Write permissions by default

Prefer:

  • Narrow scopes
  • Read-only patterns
  • Explicit approvals for state changes
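As an added illustration of the two controls above (example code written for this page, not part of the chapter or of any MCP SDK), here is a host-side gateway that checks each JSON-RPC tool call against a per-agent allowlist, holds state-changing tools until a human approval is present, and emits exactly the audit fields listed under logging. The agent name, tool names, policy and the "server.action" naming convention are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed per-agent policy (not from any real MCP deployment): every tool an agent may
# call is listed explicitly, and the subset that changes state also needs a human approval.
POLICY = {
    "triage-agent": {
        "allow": {"jira.searchIssues", "db.query", "jira.createTicket"},
        "needs_approval": {"jira.createTicket"},
    }
}

def authorize_call(agent: str, request: dict, approved: bool = False) -> dict:
    """Decide on one JSON-RPC tool call; returns the audit record, forward only on "allow"."""
    tool = request.get("method", "")
    # Assumption: tools are named "<server>.<action>", so the prefix is the target system.
    target = tool.split(".", 1)[0] if "." in tool else "unknown"
    policy = POLICY.get(agent)
    if request.get("jsonrpc") != "2.0" or not tool:
        decision, reason = "deny", "malformed_request"
    elif policy is None:
        decision, reason = "deny", "unknown_agent"
    elif tool not in policy["allow"]:
        decision, reason = "deny", "tool_not_in_allowlist"
    elif tool in policy["needs_approval"] and not approved:
        decision, reason = "deny", "approval_required"
    else:
        decision, reason = "allow", "policy_match"
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent,
        "tool": tool,
        "target": target,
        "params": request.get("params", {}),
        "request_id": request.get("id"),
        "decision": decision,
        "reason": reason,
    }

def audit_line(record: dict) -> str:
    """Serialize one invocation as a JSON line for the SIEM; denies are logged too."""
    return json.dumps(record, sort_keys=True, default=str)

if __name__ == "__main__":
    # The chapter's minimal request: denied until a human approves the state change.
    req = {"jsonrpc": "2.0", "id": 1, "method": "jira.createTicket", "params": {"title": "Error 500 in customer workflow"}}
    print(audit_line(authorize_call("triage-agent", req)))
    print(audit_line(authorize_call("triage-agent", req, approved=True)))
```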

Treat MCP Servers as Privileged Software

  • Audit third-party servers
  • Isolate them in sandboxes
  • Version and review tool schemas

Common Failure Modes

  • Treating MCP as middleware instead of a control plane
  • Assuming prompt injection only applies to chat UIs
  • Over-indexing on model alignment instead of execution control
  • Deploying agents directly into production systems
  • Failing to assign ownership for agent actions

Practical MCP Security Checklist

Copy-paste friendly:

  • Inventory all MCP servers and tools
  • Define allowed actions per agent
  • Enforce least-privilege tool scopes
  • Log every MCP invocation
  • Monitor abnormal tool usage patterns
  • Sandbox untrusted servers
  • Separate staging and production agents
  • Treat agent actions as automated users
  • Assign incident ownership for agent failures
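To show what "Monitor abnormal tool usage patterns" can look like over the audit records the checklist asks for, here is an added detection example (written for this page, not the chapter's own code). It replays constructed JSON-line audit events modelled on the opening story and flags two things: a tool outside the agent's observed baseline, and a burst of state-changing calls within one session. The tool names, baseline and thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed values for this example; a real deployment derives both from its own inventory.
STATE_CHANGING = {"jira.createTicket", "db.execute", "config.set", "mail.sendEmail"}
BASELINE = {"triage-agent": {"mail.readMessage", "jira.searchIssues", "jira.createTicket"}}

def _ev(ts, session, tool):
    return json.dumps({"ts": ts, "agent": "triage-agent", "session": session, "tool": tool, "result": "ok"})

# Constructed audit lines: s1 mirrors the weekend incident in the opening story, s2 is routine triage.
SAMPLE_LOG = [
    _ev("2024-06-01T09:00:00Z", "s1", "mail.readMessage"),
    *[_ev(f"2024-06-01T09:00:{5 * k:02d}Z", "s1", "jira.createTicket") for k in range(1, 7)],
    _ev("2024-06-01T09:01:00Z", "s1", "db.execute"),
    _ev("2024-06-01T10:00:00Z", "s2", "mail.readMessage"),
    _ev("2024-06-01T10:00:04Z", "s2", "jira.createTicket"),
]

def detect(lines, baseline, burst_n=5, window=timedelta(minutes=10)):
    """Return (rule, session, detail) findings from JSON-line MCP audit records."""
    by_session = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        by_session[ev["session"]].append(ev)
    findings = []
    for sid, events in by_session.items():
        events.sort(key=lambda e: e["ts"])
        # Rule 1: a tool this agent never used in its baseline (the "unexpected database activity").
        seen = set()
        for e in events:
            if e["tool"] not in baseline.get(e["agent"], set()) and e["tool"] not in seen:
                seen.add(e["tool"])
                findings.append(("tool_outside_baseline", sid, e["tool"]))
        # Rule 2: a burst of state-changing calls inside one window (the "dozens of anomalous tickets").
        writes = [e for e in events if e["tool"] in STATE_CHANGING]
        for i, start in enumerate(writes):
            n = sum(1 for w in writes[i:] if w["ts"] - start["ts"] <= window)
            if n >= burst_n:
                findings.append(("state_change_burst", sid, f"{n} state changes within {window}"))
                break
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, BASELINE):
        print(finding)
```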

Key Takeaways

  • MCP standardizes how AI agents act on real systems
  • Standardization compresses the attack surface: one technique reaches every connected system
  • Tool calls are the new execution primitive
  • Prompt injection extends beyond chat into operations
  • MCP must be governed like any privileged subsystem

MCP is a foundational technology for agentic systems. Understanding how it works, and how it fails, is no longer optional for security teams.

If you’re deploying MCP or agentic systems in production, this chapter is part of a larger framework covered in MCP Security: Defending the New AI Attack Surface. Reach out for early access or deeper discussion.

All Rights Reserved by Jutsu Inc. | 2024