
MCP Security Risks and How to Mitigate Them

Bifrost is the open-source AI gateway that governs MCP security risks centrally, while Bifrost Edge extends that same governance to every endpoint machine.

The Model Context Protocol (MCP) lets AI applications discover and call external tools at runtime, which means every connected MCP server becomes a new trust boundary that can read files, call APIs, and move data out of the organization. The MCP security risks that follow (shadow servers no one approved, over-permissioned tools, leaked credentials, and ungoverned usage on employee machines) are governance and visibility problems before they are code problems, and that is exactly where a control plane plus an endpoint layer can mitigate them. Bifrost, the open-source MCP gateway built in Go by Maxim AI, governs MCP and model traffic centrally, while Bifrost Edge extends that same governance to every machine where employees run AI tools. This post covers the MCP security risks that an AI gateway and an endpoint governance layer can realistically mitigate, and how to apply those controls.

What Are MCP Security Risks

MCP security risks are the vulnerabilities introduced when AI applications connect to external tool servers over the Model Context Protocol. Because an agent discovers and invokes tools at runtime from any server it can reach, each server can expose sensitive data, perform actions on a user's behalf, or inject untrusted content into the model's context. The most consequential risks for enterprises are about which servers and tools are allowed, who can use them, and whether anyone has visibility into either.

The industry has started to formalize these categories. The OWASP MCP Top 10 catalogs the most critical MCP failure modes, including shadow MCP servers, tool poisoning, token mismanagement, and excessive permissions. The NSA's MCP security design considerations describe what organizations need to control when agents call external servers, and the official MCP security best practices outline protocol-level guidance. Not every risk in these frameworks is solvable at the infrastructure layer; this post focuses on the ones that an AI gateway like Bifrost and an endpoint governance layer can address.

Why MCP Expands the Enterprise Attack Surface

Before MCP, an agent had a small, fixed set of tools compiled into the application. With MCP, the agent pulls tools from servers at runtime, and most organizations have no record of which servers are in use. An employee can wire a third-party MCP server into Claude Desktop or Cursor in minutes, and that server may store OAuth tokens, execute system commands, and read local files with no policy layer in between.

Two structural gaps make this worse:

  • A gateway only governs the traffic configured to flow through it. If a developer points a coding agent at an MCP server directly, that traffic never reaches a control plane, so no allow-list, budget, or guardrail applies.
  • Endpoint AI is largely invisible to security teams. Desktop apps, browser AI, and coding agents connect to MCP servers on the laptop, outside the data center, where traditional monitoring does not reach. This ungoverned usage is what teams call shadow AI.

Bifrost addresses both gaps with one model: the AI gateway is the control plane where policy is defined and enforced, and Bifrost Edge carries that same policy out to every machine. The combination is what makes the following MCP security risks mitigable rather than theoretical.

The MCP Security Risks a Gateway and Endpoint Layer Can Mitigate

The list below maps each addressable MCP security risk to the control that mitigates it. The AI gateway handles centralized governance; Bifrost Edge enforces that policy on the endpoint.

  • Shadow MCP servers (unapproved servers wired into AI apps): Edge inventories every MCP server across the fleet and enforces allow or deny on each device.
  • Excessive tool permissions: tool filtering is deny-by-default per virtual key, and tool groups expose only curated subsets.
  • Untrusted servers reaching the model: only sanctioned servers are connected centrally, and denied servers are blocked on the endpoint.
  • Credential and secrets leakage in prompts: guardrails scan prompts and responses for secrets and PII before data leaves the machine.
  • Scattered MCP credentials and token mismanagement: the gateway centralizes MCP auth so tokens are not stored per app on laptops.
  • Prompt injection and tool-poisoning content: content-safety guardrails inspect prompts and responses, and the same profiles apply to endpoint AI.
  • No audit trail of MCP usage: gateway audit logs capture every governed request, and Edge brings endpoint AI under the same logging.

The sections that follow detail how the control plane and the endpoint layer each contribute to these mitigations.

How the Bifrost AI Gateway Governs MCP Traffic

The Bifrost AI gateway is the control plane for MCP security. Acting as an MCP gateway, it sits between AI applications and the tool servers they call, centralizing connection, authentication, and policy so that sanctioned MCP traffic is governed in one place. This is where every control below is defined and enforced.

Limit which tools an agent can call

Over-permissioned tool access is one of the most cited MCP risks, and the gateway addresses it with a deny-by-default model. With MCP tool filtering, a virtual key with no MCP configuration exposes no tools at all; you explicitly allow-list the clients and tools each key may use. For larger organizations, MCP tool groups bundle curated tool subsets and attach them to virtual keys, teams, users, or providers, so an agent only ever sees the union of tools it is entitled to at request time.
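The deny-by-default entitlement model described above, as an added illustration in Go (the language Bifrost is written in); this is not Bifrost's own code or configuration schema, and the `ToolGroup` and `VirtualKey` types, the `client/tool` naming and the sample tool list are all constructed assumptions.

```go
package main

import "fmt"

// Illustrative model of deny-by-default tool entitlement (not Bifrost's own types).
// ToolGroup is a curated subset of tools, keyed by MCP client (server) name.
type ToolGroup struct {
	Tools map[string][]string // client -> allowed tool names
}
// VirtualKey carries an explicit allow-list plus any attached tool groups.
type VirtualKey struct {
	ID      string
	Allowed map[string][]string // direct allow-list: client -> tools
	Groups  []ToolGroup
}
// Entitled returns the union of tools the key may call, as "client/tool".
// A key with no MCP configuration yields an empty set: nothing is exposed.
func (k VirtualKey) Entitled() map[string]bool {
	out := map[string]bool{}
	add := func(m map[string][]string) {
		for client, tools := range m {
			for _, t := range tools {
				out[client+"/"+t] = true
			}
		}
	}
	add(k.Allowed)
	for _, g := range k.Groups {
		add(g.Tools)
	}
	return out
}
// FilterTools keeps only the discovered "client/tool" names the key is entitled to.
func FilterTools(k VirtualKey, discovered []string) []string {
	ent := k.Entitled()
	visible := []string{}
	for _, name := range discovered {
		if ent[name] {
			visible = append(visible, name)
		}
	}
	return visible
}
func main() {
	// Constructed sample: four tools advertised by two connected MCP servers.
	discovered := []string{"github/create_issue", "github/delete_repo", "fs/read_file", "fs/write_file"}
	readOnly := ToolGroup{Tools: map[string][]string{"fs": {"read_file"}}}
	key := VirtualKey{ID: "vk-demo", Allowed: map[string][]string{"github": {"create_issue"}}, Groups: []ToolGroup{readOnly}}
	fmt.Println(FilterTools(key, discovered))                               // [github/create_issue fs/read_file]
	fmt.Println(FilterTools(VirtualKey{ID: "vk-unconfigured"}, discovered)) // []
}
```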

Centralize MCP credentials and authentication

Token mismanagement, hard-coded keys, and long-lived secrets scattered across local app configs are a recurring source of MCP compromise. Bifrost centralizes MCP authentication with support for static headers, OAuth 2.0, per-user headers, and per-user OAuth. Credentials live with the gateway and are bound to the caller's identity, rather than being copied into each app on each laptop, which removes a large class of credential-exposure risk.

Catch secrets and sensitive data before they leave

Prompts sent to MCP tools can carry API keys, access tokens, and personal data out of the organization. The guardrails system applies content controls to traffic in flight: secrets detection uses Gitleaks-backed rules to flag leaked credentials in requests and responses, and a custom-regex PII template catches emails, phone numbers, and similar identifiers. Guardrails also include content-safety providers (AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, and others) that add a defense-in-depth layer against prompt injection and tool-poisoning content. Treat these as risk reduction rather than a complete fix, since injection at the semantic level is an evolving threat.
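An added Go illustration of the in-flight inspection just described: secrets block the message, PII is redacted, and the same scan runs on the request and on the response. The two secret patterns and two PII patterns are simplified stand-ins I assume here, not the Gitleaks rule set or Bifrost's PII template, and the sample messages are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)
// Simplified stand-ins for the Gitleaks-backed secret rules and the custom-regex PII
// template described above; illustration only, not Bifrost's actual rule set.
var secretRules = map[string]*regexp.Regexp{
	"aws-access-key-id": regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
	"github-pat":        regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`),
}
var piiRules = map[string]*regexp.Regexp{
	"email": regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
	"phone": regexp.MustCompile(`\b\d{3}[-.]\d{3}[-.]\d{4}\b`),
}
// Verdict is the guardrail decision for one message in one direction.
type Verdict struct {
	Blocked  bool     // a secret was found: the message must not pass
	Findings []string // rule hits, as "direction: kind name"
	Text     string   // message with PII redacted (unchanged when blocked)
}
// Scan applies the secret rules (block) and the PII rules (redact) to one message.
// It is called once for the outbound request and once for the returning response,
// which is the in-flight inspection the guardrails layer performs.
func Scan(direction, text string) Verdict {
	v := Verdict{Text: text}
	for name, re := range secretRules {
		if re.MatchString(text) {
			v.Blocked = true
			v.Findings = append(v.Findings, direction+": secret "+name)
		}
	}
	if !v.Blocked {
		for name, re := range piiRules {
			if re.MatchString(v.Text) {
				v.Findings = append(v.Findings, direction+": pii "+name)
				v.Text = re.ReplaceAllString(v.Text, "<"+name+" redacted>")
			}
		}
	}
	sort.Strings(v.Findings) // map iteration order is random; keep reports stable
	return v
}
func main() {
	// Constructed messages; the AWS key is the well-known documentation example value.
	fmt.Printf("%+v\n", Scan("request", "Email bob@example.com, call 555-123-4567"))
	fmt.Printf("%+v\n", Scan("response", "key=AKIAIOSFODNN7EXAMPLE"))
}
```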

Keep an audit trail of every governed request

Many MCP incidents go undetected because no one has a record of what tools were called or what data was sent. Bifrost produces immutable audit logs that support SOC 2, GDPR, HIPAA, and ISO 27001 requirements, giving security teams a traceable history of MCP and model activity. For regulated industries and strict deployment requirements, the Bifrost Enterprise feature set pairs this with RBAC, SSO, and in-VPC options.

How Bifrost Edge Extends MCP Governance to the Endpoint

A gateway can only govern the traffic that reaches it, and shadow MCP servers are precisely the traffic that does not. Bifrost Edge closes that gap by extending the governance you define in the gateway to every machine, so the AI people actually use is brought under the same policy automatically. Bifrost Edge is currently in alpha.

Discover and control shadow MCP servers

Edge reads the MCP configuration of supported AI apps on each machine and builds a live, fleet-wide inventory of which servers are configured, where, and across how many devices. MCP governance in Edge then lets administrators make per-server allow or deny decisions that are enforced on the device itself: a denied server cannot be used, even by an app that had it configured before the policy existed. Discovery covers the major AI apps that support MCP today, including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.
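The inventory-then-deny step above, as an added Go example that is not Edge's own parser: it reads the `mcpServers` object that Claude Desktop and Cursor write to their MCP config files (that shape is assumed from those apps' documented format), keys each server by what it launches or connects to rather than by its user-chosen entry name, and reports which devices still have a denied server configured. The device IDs, configs and the `acme-crm-mcp` package are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)
// Mirrors the "mcpServers" object in Claude Desktop and Cursor config files
// (assumed from those apps' documented format; this is not Edge's own parser).
type mcpConfig struct {
	MCPServers map[string]struct {
		Command string   `json:"command"`
		Args    []string `json:"args"`
		URL     string   `json:"url"`
	} `json:"mcpServers"`
}
// Audit parses one raw config per device and returns (1) server identity -> devices
// that have it configured and (2) sorted "device: server" pairs that a per-server
// deny decision would block. A server is keyed by what it launches or connects to,
// not by its user-chosen entry name, so one package under two names counts once.
func Audit(configs map[string]string, deny map[string]bool) (map[string][]string, []string, error) {
	inv, blocked := map[string][]string{}, []string{}
	for device, raw := range configs {
		var c mcpConfig
		if err := json.Unmarshal([]byte(raw), &c); err != nil {
			return nil, nil, fmt.Errorf("%s: %w", device, err)
		}
		for _, s := range c.MCPServers {
			id := s.URL
			if id == "" {
				id = strings.TrimSpace(s.Command + " " + strings.Join(s.Args, " "))
			}
			inv[id] = append(inv[id], device)
			if deny[id] {
				blocked = append(blocked, device+": "+id)
			}
		}
	}
	sort.Strings(blocked)
	return inv, blocked, nil
}
func main() {
	configs := map[string]string{ // constructed sample configs, not real data
		"laptop-01": `{"mcpServers":{"crm":{"command":"npx","args":["-y","acme-crm-mcp"]},"docs":{"url":"https://mcp.example.test/sse"}}}`,
		"laptop-02": `{"mcpServers":{"sales":{"command":"npx","args":["-y","acme-crm-mcp"]}}}`,
	}
	inv, blocked, err := Audit(configs, map[string]bool{"npx -y acme-crm-mcp": true})
	fmt.Println(len(inv), blocked, err) // 2 [laptop-01: npx -y acme-crm-mcp laptop-02: npx -y acme-crm-mcp] <nil>
}
```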

Apply the same guardrails everywhere

Because Edge routes endpoint AI traffic through the gateway, every guardrail you already configured applies automatically to desktop apps, browser AI, and coding agents. The endpoint security layer enforces secrets detection, PII redaction, and content safety on the laptop, before a prompt reaches a model and before a response returns, with no extra setup on the device. The policy engine stays in the gateway; Edge simply brings more traffic under the same protection.

Roll out across the fleet without per-app setup

Edge is built for fleet-wide deployment through existing device management platforms, including Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud. A managed configuration points each machine at the organization's Bifrost, the user signs in once through SSO, and governance turns on for all supported AI traffic. There are no base URLs to change and no SDKs to swap, which is what makes endpoint MCP governance practical at scale.

Implementing MCP Security with Bifrost

A practical rollout sequences the gateway controls first, then the endpoint layer:

  • Route sanctioned MCP traffic through the gateway. Connect approved MCP servers to Bifrost and set up virtual keys as the governance entity for budgets, rate limits, and tool access.
  • Apply deny-by-default tool policy. Use tool filtering and tool groups so each key, team, or user sees only the tools it needs.
  • Turn on guardrails. Enable secrets detection and PII rules, and add a content-safety provider for prompt-injection defense in depth.
  • Enable audit logging. Capture every governed MCP and model request for compliance and incident response.
  • Extend to the endpoint with Edge. Deploy Bifrost Edge via MDM to inventory shadow MCP servers, enforce per-server decisions on each device, and apply the same guardrails to endpoint AI.

For teams optimizing MCP at scale, the MCP gateway resource guide covers the gateway capabilities in more detail.

Frequently Asked Questions About MCP Security

What is a shadow MCP server?

A shadow MCP server is an MCP server that a user has connected to an AI app without security review or central approval. It operates outside formal governance, often with permissive configuration, and stays invisible to security teams until a discovery mechanism surfaces it. Bifrost Edge inventories these servers across the fleet and enforces allow or deny decisions on each device.

Can an AI gateway stop prompt injection in MCP tools?

A gateway reduces prompt-injection and tool-poisoning risk by inspecting prompts and responses with content-safety guardrails and by limiting which tools an agent can call, but it is not a complete fix on its own. Semantic-level injection is an evolving threat, so guardrails should be one layer in a defense-in-depth strategy alongside least-privilege tool access and auditing.

How do you control which MCP tools an agent can use?

Bifrost uses a deny-by-default model: a virtual key exposes no MCP tools until you explicitly allow-list them, and tool groups let you attach curated tool subsets to keys, teams, and users. Only the tools an identity is entitled to are exposed to the model at request time.

Does this cover AI tools running on employee laptops?

Yes. The Bifrost AI gateway governs configured traffic, and Bifrost Edge extends that governance to desktop apps, browser AI, and coding agents on each machine. Edge is in alpha and deploys fleet-wide through MDM platforms.

Securing MCP Across Your Stack with Bifrost

MCP security risks are governance problems at their core: unapproved servers, over-broad tool access, leaked credentials, and ungoverned endpoint usage. The Bifrost AI gateway mitigates them centrally through deny-by-default tool policy, centralized MCP authentication, guardrails, and audit logging, while Bifrost Edge extends that control to every machine so shadow MCP servers are discovered and governed at the source. To see how the gateway and endpoint layer work together on your stack, book a demo with the Bifrost team.