MCP security best practices checklist

Review MCP servers before production rollout, customer security questionnaires, or AI agent governance reviews. Score identity, tool permissions, STDIO isolation, secrets, prompt injection, architecture, and registry risk.

Production review lens: 18-point score.
Coverage: authentication and identity; least-privilege tool access; STDIO process isolation; prompt and tool poisoning controls; architecture and gateway review; registry and package provenance.

Why this belongs in security reviews

MCP is not a security questionnaire tool, but it is becoming part of the same buyer trust conversation.

Customer AI reviews

Enterprise customers increasingly ask how vendors govern AI agents, tool calls, data access, and audit trails.

Agent-to-tool access

MCP connects agents to useful tools, which means tool permissions and execution boundaries need review.

Evidence reuse

A completed MCP security checklist can become a reusable answer-library artifact for future questionnaires.

Vendor comparison

Security teams may need to compare MCP scanners, gateways, identity controls, and agent governance vendors.

Production MCP security checklist

Use this as a first-pass triage before deeper AppSec, GRC, or platform engineering review.

Area | Check | Risk if missing | Fix window
Inventory | List every MCP server, client, config file, transport mode, owner, and environment. | Unknown agent tooling becomes an unmanaged security review surface. | Today
Authentication | Require explicit authentication for remote MCP access and disable anonymous endpoints. | Unauthenticated access lets external users call tools or inspect metadata. | Today
Authorization | Map each tool to least-privilege scopes, allowed users, data boundaries, and approval rules. | A useful tool can become an over-scoped action surface for agents. | Today
STDIO isolation | Treat STDIO configs as command execution surfaces and isolate launched processes from the host OS. | Command execution and config manipulation can survive product-level patches. | Today
Secrets | Keep API keys and tokens out of tool descriptions, prompts, logs, config repos, and agent memory. | Agents can leak or overuse credentials that were never meant to be exposed to tool calls. | This week
Prompt injection | Assume tool output and retrieved content may contain malicious instructions. | External content can steer the agent toward unsafe calls or data exfiltration. | This week
Tool poisoning | Review tool names, descriptions, metadata, and schema changes before they reach production agents. | A poisoned tool description can change what the agent believes the tool should do. | This week
Registry supply chain | Install MCP servers from verified sources, pin versions, and review package provenance. | Third-party MCP packages can become a software supply-chain entry point. | This week
Monitoring | Log tool calls, denied actions, config changes, token use, and unusual data access patterns. | Without audit trails, teams cannot answer customer or incident-response questions. | Ongoing
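A first pass over the Inventory, STDIO isolation, Secrets, Registry supply chain, Authentication, and Authorization rows can be run against the client config itself. The following is an added example, not code from this page or from any MCP project: it assumes the common `mcpServers` JSON layout used by desktop MCP clients, a constructed sample config, and a client that passes remote credentials through a `headers` entry.

```python
import json
import re

# Constructed sample config (not a real deployment): one STDIO server
# launched via npx, one remote server over HTTP with no credential.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "files": {
            "command": "npx",
            "args": ["-y", "@example/mcp-files", "/"],
            "env": {"GITHUB_TOKEN": "ghp_constructed_sample_value"},
        },
        "tickets": {"url": "http://tickets.internal.example/mcp"},
    }
})

SECRET_NAME = re.compile(r"token|secret|password|api[_-]?key", re.I)
PINNED = re.compile(r"^@?[\w./-]+@\d+\.\d+\.\d+$")  # e.g. @scope/pkg@1.2.3


def review_config(raw: str) -> list[tuple[str, str, str]]:
    """Return (checklist area, server name, message) findings for one config."""
    findings = []
    for name, spec in json.loads(raw).get("mcpServers", {}).items():
        if "command" in spec:
            # Every STDIO entry is a command-execution surface on the host.
            findings.append(("STDIO isolation", name,
                             f"runs '{spec['command']}' on the host; confirm sandboxing"))
            args = spec.get("args", [])
            pkg = next((a for a in args if not a.startswith("-")), None)
            if pkg and not PINNED.match(pkg):
                findings.append(("Registry supply chain", name,
                                 f"package '{pkg}' is not version-pinned"))
            if "/" in args:
                findings.append(("Authorization", name,
                                 "exposes the filesystem root to the agent"))
        for key, value in spec.get("env", {}).items():
            # Literal secrets in config repos leak through logs and prompts;
            # "${VAR}" references are assumed to resolve from a secrets store.
            if SECRET_NAME.search(key) and not value.startswith("${"):
                findings.append(("Secrets", name, f"literal value set for {key}"))
        url = spec.get("url")
        if url:
            if url.startswith("http://"):
                findings.append(("Authentication", name, "remote server over plaintext HTTP"))
            if "headers" not in spec:  # assumption: client sends credentials via "headers"
                findings.append(("Authentication", name, "no explicit credential configured"))
    return findings
```

Each finding maps to a checklist row, so the output can be pasted into the scoring model as evidence for a 0 or 1.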

Simple scoring model

Give each checklist item 0, 1, or 2 points. The goal is fast triage, not certification.

0-7: High risk

Do not use this MCP setup for production customer data.

8-13: Review needed

Limit access, fix identity and isolation gaps, then retest.

14-18: Production candidate

Controls are mostly in place. Keep monitoring drift and tool changes.

0 points: The control is missing, unknown, or only assumed to exist.
1 point: The control exists, but ownership, evidence, or monitoring is incomplete.
2 points: The control is implemented, owned, documented, and reviewable.
Evidence to keep: Config inventory, access policy, approval logs, sandbox design, package provenance, and incident runbook.

MCP security architecture

Use this control map before production rollout, enterprise review, or customer AI security questionnaires.

MCP client: Track which agent, desktop app, IDE, or workflow can call each MCP server, and keep the owner visible for customer review.
MCP server: Document transport mode, runtime isolation, deployment environment, version, and whether it can touch customer data.
Auth provider: Prefer explicit identity, short-lived credentials, scoped tokens, and revocation paths over shared static secrets.
Tool registry: Review package provenance, tool descriptions, schema changes, and update cadence before production use.
Gateway or proxy: Use policy enforcement, traffic inspection, rate limits, and deny rules when tools cross sensitive boundaries.
Logging and SIEM: Capture tool calls, denied actions, token use, config changes, data access patterns, and reviewer decisions.
Secrets store: Keep keys out of prompts, tool metadata, logs, local config files, and agent memory.
Human approval layer: Require review for high-impact actions such as data export, write operations, admin changes, and external sharing.
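The gateway, logging, and human approval layers above can be expressed as one policy decision per tool call that also produces the audit record the SIEM should receive. The following is an added example, not code from this page or from any gateway product; the policy, client names, tool names, and audit record layout are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy (illustration only): per-client tool allowlists,
# tools that need a human approval, and path-prefix deny rules.
POLICY = {
    "allow": {
        "support-bot": {"tickets.search", "tickets.comment", "tickets.export"},
        "ide-agent": {"files.read"},
    },
    "require_approval": {"tickets.export", "tickets.delete"},
    "deny_path_prefixes": {"files.read": ["/etc", "/root"]},
}


@dataclass
class Decision:
    verdict: str   # "allow", "deny", or "needs_approval"
    reason: str
    audit: dict = field(default_factory=dict)


def evaluate(client: str, tool: str, args: dict,
             approved: bool = False, policy: dict = POLICY) -> Decision:
    """Decide one tool call; denied and pending calls are logged like allowed ones."""
    path = str(args.get("path", ""))
    if tool not in policy["allow"].get(client, set()):
        verdict, reason = "deny", "tool not on client allowlist"
    elif any(path.startswith(p) for p in policy["deny_path_prefixes"].get(tool, [])):
        verdict, reason = "deny", "path argument matched deny rule"
    elif tool in policy["require_approval"] and not approved:
        verdict, reason = "needs_approval", "high-impact action awaits reviewer"
    else:
        verdict, reason = "allow", "policy satisfied"
    # Record argument names, not values: values may carry customer data.
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "client": client, "tool": tool, "arg_keys": sorted(args),
        "verdict": verdict, "reason": reason, "approved": approved,
    }
    return Decision(verdict, reason, audit)
```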

Common MCP security risks and issues

These are the risks most likely to turn into customer review questions, internal exceptions, or audit follow-ups.

Token theft: Long-lived or over-scoped credentials can leak through logs, prompts, tool output, or compromised packages.
Prompt injection: External content can instruct the agent to ignore policy, call unsafe tools, or reveal private data.
Tool poisoning: A changed tool name, description, schema, or package can alter what the agent believes the tool should do.
Remote code execution: STDIO and local command launch patterns can turn configuration into an execution surface.
Secret leakage: Keys embedded in config repos, tool descriptions, or test logs can become customer-review findings.
Over-scoped tools: Broad file, database, ticketing, or cloud permissions make a single agent path too powerful.
Registry supply chain: Unverified MCP servers and dependency drift can introduce hidden behavior after initial approval.
Missing audit logs: Without event trails, teams cannot answer customer questions about agent actions or incident response.
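The tool poisoning and registry supply chain risks above both come down to detecting change in what a server advertises between approval and production. The following is an added example, not code from this page or from the MCP project; it assumes tool listings in the MCP tool shape (name, description, inputSchema), and both the approved and observed listings are constructed.

```python
import hashlib
import json

# Constructed "approved" tool listing, as captured from a tools/list
# response at review time (MCP tool shape: name, description, inputSchema).
APPROVED = [
    {"name": "search_docs", "description": "Search internal documentation.",
     "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
    {"name": "create_ticket", "description": "Open a support ticket.",
     "inputSchema": {"type": "object", "properties": {"title": {"type": "string"}}}},
]

# Constructed listing observed later: one description reworded, one schema
# widened with a new parameter, one tool that was never reviewed. The check
# is content-agnostic, so benign-looking rewording is flagged like any other.
OBSERVED = [
    {"name": "search_docs", "description": "Search internal and partner documentation.",
     "inputSchema": {"type": "object", "properties": {"query": {"type": "string"}}}},
    {"name": "create_ticket", "description": "Open a support ticket.",
     "inputSchema": {"type": "object", "properties": {"title": {"type": "string"},
                                                      "attachment_path": {"type": "string"}}}},
    {"name": "export_records", "description": "Export records to a URL.",
     "inputSchema": {"type": "object"}},
]


def _digest(obj) -> str:
    # Canonical JSON so key order and whitespace do not cause false drift.
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def baseline(tools: list[dict]) -> dict[str, dict[str, str]]:
    """Hash description and schema separately so drift can be attributed."""
    return {t["name"]: {"description": _digest(t.get("description", "")),
                        "schema": _digest(t.get("inputSchema", {}))} for t in tools}


def diff_tools(approved: dict, observed: list[dict]) -> list[tuple[str, str]]:
    """Return (tool, change) pairs; any non-empty result should block rollout until re-reviewed."""
    changes = []
    seen = baseline(observed)
    for name, fp in seen.items():
        if name not in approved:
            changes.append((name, "added: not in approved baseline"))
            continue
        for part in ("description", "schema"):
            if fp[part] != approved[name][part]:
                changes.append((name, f"{part} changed since approval"))
    for name in approved.keys() - seen.keys():
        changes.append((name, "removed since approval"))
    return sorted(changes)
```

Store the `baseline()` output with the approval record; a CI step that calls `diff_tools()` against the live listing then gives the tool registry row its evidence.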

When to use an MCP security scanner or gateway

Scanners and gateways help, but they do not replace ownership, approval, and evidence records.

Use a scanner for: Package provenance, unsafe config patterns, exposed endpoints, known vulnerable servers, suspicious tool descriptions, and CI checks.
Use a gateway for: Central policy enforcement, tool allowlists, request filtering, rate limits, audit capture, and emergency disablement.
Keep human review for: Business impact, customer-data scope, compensating controls, exception approval, and answer-library evidence quality.
Record as evidence: Scanner output, policy config, owner approval, last review date, incident runbook, and a short explanation of known limitations.

Evidence and source trail

These sources explain why MCP security moved from a niche protocol detail to a practical review topic.

MCP STDIO execution risk

VentureBeat reported on OX Security research around MCP STDIO execution behavior and exposed server risk.

MCP Security checklist

The MCP Security project tracks hardening categories including provenance, runtime isolation, secrets, logging, and policy controls.

Agent identity and NHI

IBM Think coverage highlights why agentic systems create new identity, token, and non-human identity questions.

Agent skills supply chain

TechRadar covered agent skills as an enterprise supply-chain governance problem.

MCP security FAQ

Short answers for teams adding MCP review questions to security questionnaires.

What is MCP security?

MCP security is the set of controls used to safely connect AI agents to tools, data sources, local processes, and remote services through the Model Context Protocol.

Why does MCP security matter for security questionnaires?

Customers may ask how AI agents access data, execute tools, store credentials, log actions, and prevent prompt injection. MCP deployments can become part of that review surface.

Is a checklist enough to secure MCP servers?

No. A checklist helps triage gaps, but teams still need implementation controls such as authentication, least privilege, sandboxing, secret management, monitoring, and change review.

What is MCP security architecture?

MCP security architecture is the control map around clients, servers, identity, gateways, tool registries, secrets, logs, and human approval paths used to make agent tool access reviewable.

What MCP security risks should teams document?

Teams should document token theft, prompt injection, tool poisoning, remote code execution, secret leakage, over-scoped tools, supply-chain risk, and missing audit logs.

Should teams build an MCP scanner first?

Not always. For early validation, a scored checklist is cheaper and can reveal which risks buyers care about before investing in a scanner.
