The Security Gaps Still Holding MCP Back from Enterprise Adoption

Anthropic’s MCP enables unprecedented connectivity, which has driven its widespread and rapid adoption. But this connectivity represents a double-edged sword.
By Amber Wolff, Content Manager

The Model Context Protocol (MCP) is emerging as a powerful way to extend AI systems with external tools, data sources and workflows. It offers a clean, flexible way to connect models with the real world — and that makes it a big deal for developers and product teams.

However, as interest grows, one concern keeps coming up: MCP is not yet enterprise-ready when it comes to security.

Why Security Is a Problem for MCPs

Multiple recently discovered CVEs indicate that MCP is emerging as a new attack surface. And much like the unsecured S3 buckets that plagued AWS less than a decade ago, a shocking number of MCP servers have been found exposed directly to the internet: security vendor Trend Micro found nearly 500 such instances, and Knostic AI itself discovered more than three times as many.

Unfortunately, the associated security risks are enormous. Research by API security testing firm Pynt found that a single MCP plugin introduces a 9% probability of a vulnerability being exploited. With just three interconnected servers, you’re more likely than not to experience an exploitation. And with ten MCP plugins, Pynt found, exploitation is a near-certainty, with a 92% probability.

Worse, unlike traditional security vulnerabilities, which can often be fixed simply by deploying a patch, MCP typically operates beneath the application layer, which makes issues difficult to detect and address.

What MCP Lacks

While MCP shows enormous promise, the current ecosystem lacks several critical safeguards that large organizations require. Today, MCP implementations often operate with:

  • No standard authentication or authorization model
  • Weak sandboxing around external tool execution
  • High exposure to prompt injection attacks
  • Limited policy enforcement, scoped only to individual users or sessions
  • Minimal monitoring and auditing frameworks

These gaps don’t just present theoretical risk — they create real pathways for privilege escalation, data leakage, unintended tool execution and compliance violations.

What Needs to Change

To safely deploy MCP in enterprise or regulated environments, we need stronger foundations. That means building in:

1. Strong Authentication & Fine-Grained Access Control

Tools and data should only be callable by authorized identities, and permissions should be scoped, enforced and revocable.

2. Sandboxing & Execution Isolation

Any external tool invoked by an AI model should run in a carefully contained environment — not directly on a production network or filesystem.

3. Prompt Injection & Input Validation Defenses

Models need guardrails against being manipulated into invoking tools in unintended ways.

4. Auditing, Monitoring & Compliance Logging

Enterprises must be able to track who accessed what, when, how — and why.

5. Rate Limiting & DoS Protection

Tool endpoints should be resilient to runaway prompts or recursive tool calls.

6. Secure Transport (TLS/SSL)

Every MCP connection must be encrypted, full stop.

7. Data Minimization by Default

The model should see only the data required for a given task — nothing more.
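One way to implement items 1, 4 and 5 together, as an added example that is not code from the original post or from any MCP SDK: a gate placed in front of an MCP server that checks every JSON-RPC `tools/call` request against a per-identity tool scope and a revocation list, applies a sliding-window rate limit, and writes every decision to an audit log. The identities, tool names and limits are constructed, and passing non-`tools/call` messages (such as `tools/list`) through unchanged is an assumption about where the gate sits; the request shape follows MCP's `tools/call` method.

```python
import json
import time
from collections import defaultdict, deque

# Constructed policy table: identity -> tools it may call. Scope and revocation
# are re-checked on every request, so removing an entry takes effect immediately.
POLICY = {"svc-reporting": {"search_docs", "read_file"}, "svc-ingest": {"search_docs"}}
REVOKED = set()        # identities whose credentials have been revoked
RATE_LIMIT = 3         # max tool calls per identity per window (constructed value)
WINDOW_SECS = 60

_recent = defaultdict(deque)   # identity -> timestamps of allowed calls in the window
audit_log = []                 # append-only record of every decision (who, what, when, why)


def _decide(identity, tool, allowed, reason, now):
    """Record the decision in the audit trail and return it to the caller."""
    audit_log.append({"ts": now, "identity": identity, "tool": tool,
                      "allowed": allowed, "reason": reason})
    return allowed, reason


def authorize_tool_call(identity, raw_request, now=None):
    """Gate one MCP JSON-RPC message. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    if identity in REVOKED:      # revoked credentials get nothing, not even tools/list
        return _decide(identity, None, False, "identity revoked", now)
    try:
        req = json.loads(raw_request)
        if req.get("method") != "tools/call":
            # initialize, tools/list, etc. are not tool executions; pass them through.
            return _decide(identity, None, True, "passed through", now)
        tool = req["params"]["name"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return _decide(identity, None, False, "malformed request", now)
    if tool not in POLICY.get(identity, set()):
        return _decide(identity, tool, False, "tool not in scope", now)
    window = _recent[identity]
    while window and now - window[0] >= WINDOW_SECS:
        window.popleft()         # drop calls that fell outside the sliding window
    if len(window) >= RATE_LIMIT:
        return _decide(identity, tool, False, "rate limit exceeded", now)
    window.append(now)
    return _decide(identity, tool, True, "ok", now)


if __name__ == "__main__":
    # Constructed tools/call request in the MCP JSON-RPC shape.
    req = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                      "params": {"name": "read_file", "arguments": {"path": "/srv/report.csv"}}})
    print(authorize_tool_call("svc-reporting", req))   # allowed: read_file is in scope
    print(authorize_tool_call("svc-ingest", req))      # denied: read_file is not in scope
```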

The Bottom Line

MCP unlocks powerful new capabilities. But without robust access controls, execution isolation, monitoring and injection-resistant interfaces, it also introduces meaningful risk.

The next wave of MCP adoption — especially in large companies — will depend on closing these security gaps.

Those who solve this well won’t just make MCP safer. They’ll shape how AI systems interact with the real world at scale.
