5 Security Risks of Ungoverned MCP Server Access
Connecting an AI agent directly to MCP servers without a governance layer exposes every tool, credential, and downstream system to whatever instructions reach the model. Bifrost, the open-source MCP gateway built in Go by Maxim AI, sits between agents and the tools they call, enforcing access control, content validation, and audit logging on every tool invocation. This post examines five concrete security risks of ungoverned MCP server access and how a governed gateway closes each one.
What Ungoverned MCP Server Access Means
Ungoverned MCP server access is any setup where an AI agent connects directly to one or more Model Context Protocol servers with no intermediate control plane to filter tools, validate inputs and outputs, authenticate consumers, or record what was executed. The Model Context Protocol is an open standard, introduced by Anthropic in late 2024, that lets AI models discover and execute external tools at runtime across filesystems, databases, internal APIs, and web services.
The convenience of MCP is also its risk surface. When an agent talks to MCP servers directly, three properties tend to collide: privileged access to real systems, untrusted input from documents and tool responses, and an outbound channel that can move data. The five risks below all stem from that collision.
- Tool poisoning through hidden instructions in tool metadata
- Indirect prompt injection carried in tool responses
- Over-privileged access with no least-privilege enforcement
- Credential and secret leakage through tool calls
- No audit trail for who executed which tool and when
Risk 1: Tool Poisoning Through Hidden Instructions in Tool Metadata
Tool poisoning is an attack where a malicious or compromised MCP server embeds instructions inside tool names, descriptions, or JSON schema fields. Those descriptions are read by the model as trusted context, but they are usually invisible to the human operator. Security firm Invariant Labs documented tool poisoning attacks as a specialized form of indirect prompt injection, and OWASP now tracks MCP tool poisoning as a distinct attack class, noting the trust gap between connect-time review and runtime execution.
In an ungoverned setup, every tool from every connected server is exposed to the model with no filtering, so a single poisoned description can redirect the agent toward exfiltration or unauthorized actions. With Bifrost, MCP tool filtering is deny-by-default: a consumer sees no tools until a virtual key explicitly allow-lists specific clients and tools. Teams expose only the tools each agent needs rather than the full catalog, which limits how far a poisoned tool can reach. The MCP gateway model also centralizes the tool inventory, so a security team reviews one governed surface instead of every agent's ad hoc connections.
Risk 2: Indirect Prompt Injection Carried in Tool Responses
Indirect prompt injection happens when malicious instructions arrive inside content the agent processes, such as a support ticket, a web page, or the response body of a tool call. The model cannot reliably distinguish a legitimate instruction from injected text, because every byte in the context window carries the same authority. Microsoft's security team has detailed how indirect prompt injection and tool poisoning apply to MCP workloads, and real incidents have followed the same pattern: a mid-2025 attack on a coding agent with privileged database access used injected SQL in support tickets to read and leak integration tokens.
The fix has to live where every request and response can be inspected, not inside each application. Bifrost runs content guardrails at the gateway layer, validating both inputs and the arguments and results of MCP tool calls in real time. The same rules that screen LLM prompts also screen tool inputs and outputs, with prompt injection defense, PII detection, and content moderation available through native and provider-backed checks. When a guardrail fires, Bifrost can block the request, redact the offending content, or log the event, giving teams one enforcement point for the whole agent fleet rather than per-service filters that drift apart over time.
Risk 3: Over-Privileged Access With No Least-Privilege Enforcement
Over-privileged access is the most common configuration error in MCP deployments: an agent is handed broad credentials and the entire tool catalog because scoping each consumer individually is tedious without a control plane. The result is that a prototyping agent and a production customer-facing agent can call the same destructive tools. Bifrost treats least privilege as the default rather than an afterthought.
Virtual keys are the primary governance entity, and each one carries its own allow-list of MCP clients and tools, allowed models, budgets, and rate limits. Bifrost enforces the tool allow-list at both inference time and tool execution time, so a key issued for a low-risk task cannot quietly invoke a high-risk tool. At enterprise scale, governance controls extend to role-based access control and to tool groups: named collections of tools that are attached to specific keys, teams, customers, or users and resolved per request. The model only ever sees the tools that consumer is permitted to use.
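The two checks described under Risk 1 and Risk 3, deny-by-default tool visibility and a second allow-list check at execution time, can be shown in a few dozen lines. The Go below is an added example written for this post; it is not Bifrost's code. The VirtualKey shape, the catalog contents, and the tool names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Tool is one entry in an MCP server's advertised catalog. The Description is
// model-facing text supplied by the server, so it is untrusted input.
type Tool struct {
	Server      string // name of the MCP client connection the tool came from
	Name        string
	Description string
}

// VirtualKey is a hypothetical per-consumer governance record. AllowedTools maps an
// MCP client name to the set of tool names that consumer may use; anything absent
// from the map is denied, which is what gives deny-by-default behaviour.
type VirtualKey struct {
	ID           string
	AllowedTools map[string]map[string]bool
}

// ErrDenied is returned when a key attempts a tool outside its allow-list.
var ErrDenied = errors.New("tool not allow-listed for this virtual key")

// permitted reports whether the key may use the given server/tool pair.
// A nil map (a key with no allow-list) permits nothing.
func (k VirtualKey) permitted(server, tool string) bool {
	tools, ok := k.AllowedTools[server]
	return ok && tools[tool]
}

// VisibleTools is the discovery-time check: the model only ever sees the subset
// of the aggregated catalog that this key is allowed to call.
func VisibleTools(catalog []Tool, key VirtualKey) []Tool {
	var out []Tool
	for _, t := range catalog {
		if key.permitted(t.Server, t.Name) {
			out = append(out, t)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Server+"/"+out[i].Name < out[j].Server+"/"+out[j].Name
	})
	return out
}

// Execute is the execution-time check. It re-validates the allow-list so that a
// tool name learned from a poisoned description, or guessed by the caller, cannot
// be invoked just because it exists on some connected server.
func Execute(key VirtualKey, server, tool string, run func() (string, error)) (string, error) {
	if !key.permitted(server, tool) {
		return "", fmt.Errorf("%w: key=%s server=%s tool=%s", ErrDenied, key.ID, server, tool)
	}
	return run()
}

// SampleCatalog is constructed data standing in for what several MCP servers would
// advertise. The filesystem tool's description marks where a poisoned instruction
// would sit; the allow-list makes it unreachable for a support-only key.
func SampleCatalog() []Tool {
	return []Tool{
		{"ticketing", "get_ticket", "Fetch a support ticket by id"},
		{"ticketing", "close_ticket", "Close a support ticket"},
		{"filesystem", "read_file", "Read a file. [a hidden instruction to the model would go here]"},
		{"filesystem", "delete_file", "Delete a file"},
	}
}

func main() {
	key := VirtualKey{
		ID:           "vk_support_bot",
		AllowedTools: map[string]map[string]bool{"ticketing": {"get_ticket": true}},
	}
	for _, t := range VisibleTools(SampleCatalog(), key) {
		fmt.Printf("visible: %s/%s\n", t.Server, t.Name)
	}
	_, err := Execute(key, "filesystem", "read_file", func() (string, error) { return "contents", nil })
	fmt.Println("read_file:", err)
}
```

The important design point is that Execute does not trust VisibleTools: the model could emit any tool name, so the allow-list is consulted again at the moment of invocation, with the decision keyed on the virtual key rather than on what the model claims it saw.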
Risk 4: Credential and Secret Leakage Through Tool Calls
Credential leakage occurs when API keys, tokens, or other secrets pass through prompts, tool arguments, or tool responses and end up in logs, model context, or an attacker's hands. Ungoverned MCP access widens this risk in two ways: provider credentials are often embedded directly in each agent, and there is no inspection layer to catch a secret as it transits a tool call.
Bifrost addresses both. Provider keys stay inside the gateway and never reach client services, and they rotate independently of the virtual keys that reference them, which keeps secrets out of application code and environment variables. On the inspection side, secrets detection is a built-in, Gitleaks-backed guardrail that catches leaked API keys, tokens, private keys, and credentials in prompts and completions before they propagate. For regulated environments, in-VPC and on-premises deployment keeps request bodies, detection events, and credentials inside the customer network perimeter, and native vault integrations manage secrets through HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault.
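Risks 2 and 4 share one mechanism: a rule set that runs over tool arguments before execution and over tool results before the model sees them, with a block, redact, or log action per rule. The Go below is an added example for this post and is not Bifrost's guardrail implementation; the regular expressions are constructed, simplified stand-ins for the kind of patterns a Gitleaks-backed secrets rule or a PII rule would carry, and FakeLookup is a constructed tool.

```go
package main

import (
	"fmt"
	"regexp"
)

// Action is what the gateway does when a rule matches.
type Action int

const (
	ActionLog    Action = iota // record a finding, pass content through
	ActionRedact               // replace the match, pass the rest through
	ActionBlock                // refuse to forward the payload at all
)

// Rule is one guardrail: a pattern and the action it triggers.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
	Action  Action
}

// DefaultRules are constructed, illustrative patterns (not Bifrost's rule set).
var DefaultRules = []Rule{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), ActionBlock},
	{"private-key-block", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`), ActionBlock},
	{"bearer-token", regexp.MustCompile(`(?i)\bbearer\s+[A-Za-z0-9._~+/-]+=*`), ActionRedact},
	{"email-address", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`), ActionLog},
}

// Verdict is the outcome of inspecting one payload.
type Verdict struct {
	Blocked  bool     // true if any Block rule matched; Content must not be forwarded
	Content  string   // payload with any redactions applied
	Findings []string // names of rules that matched, destined for the audit log
}

// Inspect runs every rule over one payload. Rules are applied in order, so
// redactions made by earlier rules are what later rules see.
func Inspect(content string, rules []Rule) Verdict {
	v := Verdict{Content: content}
	for _, r := range rules {
		if !r.Pattern.MatchString(v.Content) {
			continue
		}
		v.Findings = append(v.Findings, r.Name)
		switch r.Action {
		case ActionBlock:
			v.Blocked = true
		case ActionRedact:
			v.Content = r.Pattern.ReplaceAllString(v.Content, "[REDACTED:"+r.Name+"]")
		}
	}
	return v
}

// GuardedToolCall applies the same rules on both sides of a tool invocation:
// the arguments before the tool runs and the result before the model sees it.
// A blocked argument payload stops the tool from running at all.
func GuardedToolCall(args string, run func(string) string, rules []Rule) (Verdict, Verdict, error) {
	in := Inspect(args, rules)
	if in.Blocked {
		return in, Verdict{}, fmt.Errorf("tool call blocked by guardrail(s) %v", in.Findings)
	}
	out := Inspect(run(in.Content), rules)
	if out.Blocked {
		return in, out, fmt.Errorf("tool result blocked by guardrail(s) %v", out.Findings)
	}
	return in, out, nil
}

// FakeLookup is a constructed tool whose result carries a credential and an
// e-mail address, the case where a result-side guardrail matters.
func FakeLookup(args string) string {
	return "integration record for " + args + ": token=Bearer eyJhbGciOi.fake.sig owner=ops@example.com"
}

func main() {
	in, out, err := GuardedToolCall("integration/acme", FakeLookup, DefaultRules)
	fmt.Println("args findings:", in.Findings, "err:", err)
	fmt.Println("result:", out.Content, "findings:", out.Findings)
}
```

Running it, the argument side is clean, the bearer token in the result is redacted before it reaches the model, and the e-mail address produces a finding that goes to the log without altering the content. The same Inspect function serves both directions, which is the point of enforcing at the gateway: one rule set, one place to tune it.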
Risk 5: No Audit Trail for Tool Execution
A missing audit trail means an organization cannot answer basic questions after an incident: which agent called which tool, with what arguments, and what came back. Ungoverned MCP setups scatter this evidence across application logs, if it is captured at all, which makes both incident response and compliance review difficult. The MCP specification itself recommends a human in the loop with the ability to deny tool invocations, and that oversight is only credible when every action is recorded.
With the MCP gateway as the single path between agents and tools, every tool execution becomes a first-class log entry in Bifrost: the tool name, the originating MCP server, the arguments passed, the result returned, the latency, the virtual key that triggered it, and the parent LLM request. Teams filter by virtual key to see what a specific consumer ran, or by tool to see how often a server is hit. For compliance, immutable audit logs align with SOC 2, GDPR, HIPAA, and ISO 27001 evidence requirements and export to external SIEM systems and data lakes for long-term retention.
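To make the audit-trail fields concrete, the Go below is an added example for this post, not Bifrost's logging code. It records the fields listed above for each tool execution, supports the two queries mentioned (by virtual key and by tool), and uses a SHA-256 hash chain to make the log tamper-evident. The hash chain is a technique chosen for this example and is an assumption, not a description of how Bifrost stores or protects its logs; the entries are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEntry records one tool execution. Hash covers every field except itself
// and PrevHash links the entry to its predecessor.
type AuditEntry struct {
	Seq         int             `json:"seq"`
	TimestampMS int64           `json:"timestamp_ms"`
	VirtualKey  string          `json:"virtual_key"`
	ParentReqID string          `json:"parent_request_id"`
	Server      string          `json:"mcp_server"`
	Tool        string          `json:"tool"`
	Args        json.RawMessage `json:"args"`
	Result      string          `json:"result"`
	LatencyMS   int64           `json:"latency_ms"`
	Findings    []string        `json:"guardrail_findings,omitempty"`
	PrevHash    string          `json:"prev_hash"`
	Hash        string          `json:"hash"`
}

// AuditLog is an append-only, hash-chained list of entries.
type AuditLog struct {
	Entries []AuditEntry
}

var genesisHash = strings.Repeat("0", 64)

// digest hashes the canonical JSON of an entry with its own Hash field cleared.
func digest(e AuditEntry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // only a malformed RawMessage in Args can cause this
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append assigns the sequence number and chain links, then stores the entry.
func (l *AuditLog) Append(e AuditEntry) AuditEntry {
	e.Seq = len(l.Entries)
	e.PrevHash = genesisHash
	if e.Seq > 0 {
		e.PrevHash = l.Entries[e.Seq-1].Hash
	}
	e.Hash = digest(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain and returns the index of the first entry whose content,
// sequence number, or link no longer matches, or -1 if the log is intact.
func (l *AuditLog) Verify() int {
	prev := genesisHash
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev || digest(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// ByVirtualKey answers "what did this consumer run?".
func (l *AuditLog) ByVirtualKey(key string) []AuditEntry {
	var out []AuditEntry
	for _, e := range l.Entries {
		if e.VirtualKey == key {
			out = append(out, e)
		}
	}
	return out
}

// ByTool answers "how often, and by whom, is this tool hit?".
func (l *AuditLog) ByTool(tool string) []AuditEntry {
	var out []AuditEntry
	for _, e := range l.Entries {
		if e.Tool == tool {
			out = append(out, e)
		}
	}
	return out
}

// SampleLog builds a log from constructed tool executions.
func SampleLog() *AuditLog {
	l := &AuditLog{}
	l.Append(AuditEntry{TimestampMS: 1700000000000, VirtualKey: "vk_support_bot", ParentReqID: "req-1",
		Server: "ticketing", Tool: "get_ticket", Args: json.RawMessage(`{"id":42}`), Result: "ticket #42", LatencyMS: 12})
	l.Append(AuditEntry{TimestampMS: 1700000001000, VirtualKey: "vk_data_agent", ParentReqID: "req-2",
		Server: "warehouse", Tool: "run_query", Args: json.RawMessage(`{"sql":"select count(*) from orders"}`), Result: "1532", LatencyMS: 340})
	l.Append(AuditEntry{TimestampMS: 1700000002000, VirtualKey: "vk_support_bot", ParentReqID: "req-3",
		Server: "ticketing", Tool: "get_ticket", Args: json.RawMessage(`{"id":43}`), Result: "ticket #43", LatencyMS: 9,
		Findings: []string{"email-address"}})
	return l
}

func main() {
	l := SampleLog()
	fmt.Println("intact:", l.Verify() == -1, "support calls:", len(l.ByVirtualKey("vk_support_bot")))
	l.Entries[1].Result = "0" // simulate an after-the-fact edit
	fmt.Println("first bad entry after tampering:", l.Verify())
}
```

Each entry carries the parent LLM request id, so an investigator can move from "which tool ran" back to the prompt that caused it. Verify detects an edited field, a dropped entry, and a reordered entry alike, because all three break either the stored hash or the sequence/link pair.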
How Bifrost Governs MCP Server Access End to End
Bifrost acts as both an MCP client, connecting to external tool servers, and an MCP server, exposing a single governed endpoint to agents and clients like Claude Desktop. Routing every tool call through one control plane is what makes the five mitigations above consistent rather than per-application. By default, Bifrost does not auto-execute tool calls; the model returns tool suggestions, and execution requires a separate, explicit call, preserving human oversight for sensitive operations. Teams that want autonomy can opt into Agent Mode with a configured auto-approval list, keeping the boundary explicit.
The same gateway also controls cost and context. For agents wired to many servers, Code Mode has the model write short Python to orchestrate tools in a sandbox instead of loading every tool definition into context, reducing input token usage by up to 92.8% and shrinking the attack surface that poisoned tool descriptions can exploit. Bifrost adds only 11 microseconds of overhead at 5,000 requests per second in sustained benchmarks, so governance does not become a latency bottleneck. The token-cost and access-control breakdown covers how filtering, logging, and Code Mode work together at scale.
Frequently Asked Questions About MCP Server Security
What is the biggest security risk of MCP servers?
The most cited risk is prompt injection, including tool poisoning, where instructions hidden in tool descriptions or tool responses are treated as trusted input by the model. It is dangerous because it combines with privileged access and an outbound channel, which is the pattern behind most documented MCP incidents.
Does an MCP gateway prevent prompt injection?
A gateway does not make a model immune to prompt injection, but it adds runtime controls that direct exposure lacks: input and output guardrails on every tool call, deny-by-default tool filtering, and audit logging. These reduce both the likelihood of a successful attack and the blast radius if one occurs.
How do you enforce least privilege for AI agents using MCP?
Scope each consumer with its own credentials and tool allow-list rather than sharing broad access. In Bifrost, virtual keys carry a per-consumer allow-list of MCP clients and tools that is enforced at both inference and execution time, so an agent can only invoke the tools it has been granted.
Getting Started With Bifrost
Ungoverned MCP server access concentrates privileged tools, untrusted input, and data egress into one unguarded path. A governed gateway separates those concerns: deny-by-default tool filtering, content guardrails on inputs and outputs, secrets detection, and immutable audit logs, all running in front of every connected MCP server. Bifrost delivers this control plane as an open-source AI gateway with enterprise governance, and you can explore the full set of capabilities in the Bifrost resources hub. To see how Bifrost secures MCP server access across your agent fleet, book a demo with the Bifrost team.