| Server inventory | Which MCP servers are approved for production, who owns them, and which environments can they reach? | Each server has owner, version, transport, data boundary, package source, environment, and last review date. | Inventory export, architecture note, repository/package link, owner approval. | Teams cannot list active MCP servers or who can change them. |
| Authentication | How does the MCP server authenticate users, clients, agents, or workloads? | Remote access requires explicit identity, short-lived credentials, and revocation. Local STDIO launch is limited to approved clients. | Auth config, IdP policy, token lifetime, revocation runbook. | Shared static tokens, anonymous endpoints, or undocumented local launch paths. |
| Authorization | Which tools, resources, and actions can each agent or user call? | Tool access is least privilege, mapped to role, data type, action, approval rule, and denied operations. | Tool permission matrix, OAuth scope map, policy config. | One broad scope grants read/write/admin access across systems. |
| Prompt injection | How do you treat tool output, retrieved content, and external documents as untrusted? | The server and gateway prevent retrieved instructions from overriding policy before sensitive follow-up calls. | Prompt injection policy, test cases, blocked-call logs. | The system assumes tool output is safe because it came from an approved connector. |
| Tool poisoning | How are tool names, descriptions, schemas, and package updates reviewed? | Changes are reviewed before production and suspicious tool descriptions are blocked or reverted. | Change log, package provenance, schema review, approval ticket. | A dependency update can silently change tool behavior or instructions. |
| Audit logging | Can you reconstruct who called which MCP tool, with what authorization, and what happened? | Logs capture caller, server, tool, decision, data boundary, approval, denial, token use, and emergency disablement. | Audit log sample, SIEM query, retention policy, incident runbook. | Logs only show generic agent activity, not individual tool calls. |
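The authorization row (tool permission matrix, least privilege, approval rule, denied operations) and the audit-logging row (a per-call record of caller, server, tool, decision, data boundary, approval) can be exercised together with a small policy gate. This is an added example, not code from the original page; the roles, server names, tools, environment labels and ticket id are constructed placeholders.

```python
import json
import time
from dataclasses import dataclass, asdict
from typing import Optional

# Constructed permission matrix (hypothetical roles, servers, tools):
# role -> server -> tool -> allowed actions. Anything not listed is denied,
# so "denied operations" need no separate list.
PERMISSION_MATRIX = {
    "support-agent": {
        "ticketing-mcp": {"list_tickets": {"read"}, "comment_ticket": {"write"}},
    },
    "finance-agent": {"ledger-mcp": {"query_balance": {"read"}}},
}
# Constructed data-boundary map: the environment each server may reach.
SERVER_BOUNDARY = {"ticketing-mcp": "prod-customer", "ledger-mcp": "prod-finance"}
# Actions that require a human approval ticket even when the role permits them.
APPROVAL_REQUIRED = {"write", "admin"}

AUDIT_LOG = []  # one record per call; exported as JSON lines for the SIEM

@dataclass
class AuditRecord:
    ts: float
    caller: str
    role: str
    server: str
    tool: str
    action: str
    data_boundary: str
    approval: Optional[str]
    decision: str
    reason: str

def authorize(caller, role, server, tool, action, approval=None):
    """Evaluate one MCP tool call against the matrix; always emit an audit record."""
    boundary = SERVER_BOUNDARY.get(server, "unknown")
    allowed = PERMISSION_MATRIX.get(role, {}).get(server, {}).get(tool, set())
    if action not in allowed:
        decision, reason = "deny", "not in permission matrix"
    elif action in APPROVAL_REQUIRED and not approval:
        decision, reason = "deny", "approval ticket required"
    else:
        decision, reason = "allow", "matched matrix entry"
    rec = AuditRecord(time.time(), caller, role, server, tool, action,
                      boundary, approval, decision, reason)
    AUDIT_LOG.append(rec)
    print(json.dumps(asdict(rec)))  # one JSON line per call, allow or deny
    return rec
```

Denials are logged with the same shape as allows, so the SIEM query for "which agent tried which tool and why was it refused" is a filter on `decision`, not a reconstruction from generic agent activity.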