Even the NSA Is Warning About the Protocol Connecting AI Agents to Your Stack
1MCP's Design Creates the Risk
In May 2026, the National Security Agency's Artificial Intelligence Security Center published security guidance dedicated to the Model Context Protocol (MCP), the open standard that connects AI agents to the apps and data they act on.
MCP's rapid proliferation has outpaced the development of its security model.
NSA Artificial Intelligence Security Center
Although MCP now runs in production across finance, legal and software development, the NSA locates the risk in the protocol's design rather than in any single bug. MCP inverts the usual client-server pattern: its servers can query and sometimes act for the connected client. That inversion, the NSA says, "creates new and largely not well-traced attack paths." The agency found that many implementations skip authentication entirely and that the protocol has no built-in way to exchange Role-Based Access Control (RBAC) permissions. Agents trust each other's output without verification. Long-lived context can blend across separate tasks.
2Approved Access Can Escalate Without Review
The NSA states its most serious concern plainly:
A previously benign and approved AI service could later access sensitive resources on demand, without triggering any review.
NSA Artificial Intelligence Security Center
The NSA points to real cases. A GitHub MCP integration granted blanket read and write access across private and public repositories. A separate flaw (tracked as CVE-2025-49596) allowed remote code execution in software used to test MCP servers. The NSA concludes these are not problems to patch at the endpoint level. Securing MCP means "treating the agentic environment as a continuum."
3The NSA's Answer Is Runtime-Scoped Access
The NSA's own recommendations point the same way. It tells organizations to draw trust boundaries between agents, plugins, models and users, to put MCP agent processes under least privilege and to deny any access path they do not need, explicitly and at runtime. Dynamic tool discovery, it adds, should require authorization checks rather than implicit trust.
MCP's security never caught up with its adoption. Because the protocol provides little protection of its own, the safeguards fall to whoever runs it. Several of the NSA's recommendations converge on the same idea: keep every agent's access tightly scoped and re-checked as it changes.
Source: NSA Artificial Intelligence Security Center, "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation", Cybersecurity Information Sheet, May 2026.