Why Ungoverned MCP Connections Are a Risk and How a Gateway Fixes It
Ungoverned MCP connections are Model Context Protocol server connections that AI applications make without passing through a central policy layer. When a coding agent or desktop app connects directly to an MCP server, that server can read files, query databases, and call APIs with no authentication controls, no access limits, and no audit trail in between. Bifrost, the open-source AI gateway built in Go by Maxim AI, is the control plane that fixes this by making every MCP tool call flow through a single governed entry point, and Bifrost Edge extends that governance to connections made on employee machines.
What makes an MCP connection ungoverned
An MCP connection is ungoverned when the AI application talks to a tool server directly, without a gateway enforcing policy on the request. The Model Context Protocol is an open standard for letting models discover and execute external tools, and its value comes from the actions those tools can take. That same capability is the risk: a tool that can write to the file system or call an internal API is only as safe as the controls around it, and a direct connection has none.
Three properties of MCP make ungoverned connections particularly risky:
- Tools take actions, not just return text. An MCP tool can execute commands, move data, and modify state, so a compromised or misconfigured server has real-world impact.
- Tool definitions can change after approval. Researchers have documented "rug pull" attacks where an MCP server modifies its tool definitions between sessions, presenting different capabilities than what was first approved.
- Connections are made at the edge. Users wire servers into apps like Claude Code and Cursor on their own machines, far from any central review.
The risks of ungoverned MCP connections
Ungoverned MCP connections introduce security, compliance, and cost exposure that scales with every new tool a team adds. The documented vulnerability record is already substantial: CVE-2025-49596 allowed arbitrary command execution through unauthenticated MCP Inspector instances at CVSS 9.4, and the NSA's MCP security guidance treats tool connections as a first-class attack surface.
The specific risks break down as follows:
- Data exfiltration: A malicious or over-permissioned tool can move sensitive data to an external service with no policy to stop it.
- Prompt injection to tool execution: Prompt injection is the top risk in the OWASP Top 10 for LLM Applications, and when a model with tool access is injected, the attacker can trigger real actions.
- No revocation path: When a server is found to be unsafe, there is no central switch to disable it everywhere it was configured.
- Compliance gaps: Tool calls that touch regulated data leave no audit trail, which breaks SOC 2, GDPR, and HIPAA reporting.
- Uncontrolled cost: Agentic tool loops can consume large volumes of tokens with no budget enforcement.
How a gateway fixes ungoverned MCP connections
An AI gateway fixes ungoverned MCP connections by inserting a single governed control point between AI applications and the tool servers they call. Bifrost acts as both an MCP client and an MCP server, so every tool call is authenticated, filtered, logged, and routed through one policy layer instead of hundreds of direct connections. This is the core of using Bifrost as an MCP gateway: centralized tool connections, authentication, and governance across every connected server.
The gateway applies control at four points:
- Authentication: Bifrost supports OAuth 2.0 with automatic token refresh and PKCE, replacing long-lived secrets with scoped, revocable credentials.
- Access control: Virtual keys define which consumers can reach which tools, and MCP tool filtering controls the exact set of tools available per key.
- Guardrails: Content safety runs on tool traffic through configurable guardrails, including secrets detection and PII redaction, before data leaves the request path.
- Auditability: Every tool call is recorded in immutable audit logs for compliance reporting.
Access control with virtual keys and tool groups
Bifrost governs tool access through virtual keys as the primary entity. Administrators assign each key a scoped set of permissions, budgets, and rate limits, and can attach curated MCP tool groups, or virtual MCP servers, to specific keys, teams, or users. Policy is enforced at request time, so a consumer only ever sees the tools it is authorized to call.
Turning internal APIs into governed tools
Many teams want to expose existing internal systems to AI agents without building new infrastructure. Bifrost supports MCP with federated auth, which turns existing enterprise APIs into governed MCP tools without glue code, keeping those systems behind the same authentication and access controls as every other tool.
Extending governance to the endpoint with Bifrost Edge
A gateway governs the connections that route through it, but users can still wire MCP servers directly into apps on their laptops. Bifrost Edge is the layer that closes that last gap. Edge runs on each machine, discovers the MCP servers configured inside AI apps, and enforces the gateway's policies on the device so direct connections cannot bypass governance.
Edge adds three controls at the endpoint:
- Discovery: Edge inventories MCP servers configured inside AI apps and reports which servers exist, on which machines, and across how many devices.
- Enforcement: Per-server allow/deny decisions are enforced on the device, so a denied server cannot be used even if it was configured before the policy existed.
- Fleet rollout: Edge deploys through existing device management platforms such as Jamf, Intune, Kandji, Workspace ONE, and JumpCloud with a managed configuration pointing each machine at the organization's Bifrost.
The same governance controls configured in the gateway are what Edge enforces on the endpoint. Bifrost Edge is currently in alpha, and teams register to be onboarded.
Why enterprises standardize MCP governance on Bifrost
Bifrost is built for enterprises and large teams that need MCP governance to hold up under scale, compliance, and security requirements. Consolidating tool connections on the gateway also reduces cost: Bifrost documented a 92% reduction in token costs at scale when centralizing MCP access control and cost governance. For regulated deployments, Bifrost Enterprise supports air-gapped environments, VPC isolation, and on-prem infrastructure, so tool traffic and audit trails stay inside controlled boundaries.
Bifrost adds only 11 microseconds of overhead per request at 5,000 requests per second in sustained benchmarks, so routing MCP traffic through the gateway does not become a latency bottleneck. Because Bifrost runs as both an MCP client and an MCP server, existing apps continue to call their tools normally while the gateway applies policy transparently, which keeps adoption low-friction as teams add more agents and tools. Governance, cost control, and performance run on the same control point.
Start governing MCP connections with Bifrost
Ungoverned MCP connections put action-capable tools on the network with no authentication, access control, or audit trail, and the risk grows with every server a team adds. Bifrost fixes this at the gateway by routing every tool call through a single governed entry point, and Bifrost Edge extends that governance to the machines where connections are actually made. To see how Bifrost eliminates the risk of ungoverned MCP connections across your organization, book a demo with the Bifrost team.