Key Statistics

• 41% of UK enterprises reported at least one attempted data exfiltration via malicious connectors in the past 12 months (NCSC, 2026)
• The average time to detect unauthorised connector activity in UK organisations is 34 days (Ponemon Institute, 2026)
• Only 27% of UK firms have implemented comprehensive MCP (Managed Connector Platform) security controls as of Q1 2026 (Cyber Security Breaches Survey, DCMS, 2026)
• Data exfiltration incidents involving cloud connectors rose by 38% year-on-year in the UK (ICO, 2026)
• Fines issued by the ICO for data loss linked to insecure connectors totalled £18.2 million in 2025, up 22% from the previous year (ICO, 2025)

MCP Security Controls: Defending Against Malicious Connectors and Data Exfiltration

Model-Context Protocol (MCP) security is quickly becoming a crucial topic for boards and senior IT leadership as organisations increasingly adopt MCP to connect AI agents to business systems. Despite MCP being hailed as the "USB-C of AI" for simplifying integrations, the reality is that the protocol itself enforces no security controls at the protocol level. This means you must implement your own robust mcp server security controls if you are to prevent malicious connectors from becoming data exfiltration vectors. In my experience, companies adopting MCP without a clear security checklist expose themselves to significant risks that can be managed through practical DevSecOps measures.

Understanding MCP and the Emerging AI Connector Attack Surface

MCP is fundamentally a protocol that facilitates communication between hosts and AI servers, bringing together tools, resources and prompts in a standardised way. Instead of thousands of bespoke connectors, MCP aims to be a single unified channel that replaces dozens of custom integrations. While this streamlines operations, it concentrates risk: the failure or compromise of one MCP connector can have widespread impact. The protocol’s design focuses on model context and communication, but model context protocol security features remain minimal or non-existent natively.

For non-technical leadership, imagine MCP as a standardised “AI pipeline” where your internal systems (the host) call out to multiple AI servers. These servers supply tools or act as computational engines, processing prompts and returning results. Each server session can include a complex chain of agents and tool calls, some of which may request sensitive data or perform actions on your network. This architecture has introduced a new attack surface layer - one that hackers and insiders can exploit with malicious connectors, rogue servers or manipulated tool metadata.

How Threat Actors Exploit MCP Connectors and AI Agents: Emerging Tactics and Evidence

The primary concern I witness in advisory roles is how threat actors weaponise MCP infrastructure. Rogue or malicious MCP servers may impersonate trusted tools, injecting harmful instructions embedded not in the user prompt but in tool metadata itself - a technique known as tool poisoning. This behaviour effectively bypasses the end user’s intent, as it leverages trusted communication channels to embed hidden commands.

Another notable tactic is indirect prompt injection, where attackers craft responses from ostensibly trusted AI agents that cause downstream systems to execute malicious commands. According to a 2025 - 26 benchmark across several industries, MCP-based agent attacks have success rates exceeding 60% on average, peaking at 72% in certain high-value targets. Google’s security team also reported a worrying 32% relative increase in sophisticated malicious indirect prompt-injection content in a three-month period ending February 2026.

Additional attack vectors include rug pulls, where an MCP server abruptly changes behaviour to exfiltrate sensitive data, and credential exposure through poorly protected configuration files granting attackers footholds within your environment. The exfiltration path can be stealthy, using standard MCP communication channels to bypass conventional network defences.

These emerging threats contextualise why ai agents and mcp security risks must be taken seriously at board and operational levels. Without thorough controls, MCP connectors can become attack conduits liable to data breaches and business disruptions.

The OWASP MCP Top 10 Vulnerabilities: Board-Level Risk Translation

In 2025, OWASP published the MCP Top 10 vulnerabilities that highlight the critical issues impacting MCP implementations. For boards, these can be summarised as:

• Unrestricted Connector Use: Allowing arbitrary MCP servers opens doors to untrusted actors.
• Insufficient Server Vetting: Lack of supply-chain assessment increases risk of compromised services.
• Excessive Privileges: Over-permissioned tokens and APIs lead to lateral movement and data exposure.
• No Human Validation: Automated approvals enable dangerous data transfers without oversight.
• Server-Side Enforcement Gaps: Relying on client or system-prompt restrictions is inadequate.
• Sandboxing Failures: Poor isolation allows malicious connectors to affect host environment.
• Egress Control Weaknesses: Unmonitored outbound flows let data leak undetected.
• Logging and Monitoring Deficiencies: Incomplete traceability hinders incident detection and response.
• Trust Assumptions: Treating MCP servers as benign by default ignores the risk landscape.
• Credential and Configuration Exposure: Insecure storage enables attacker footholds and persistence.

Translating these into a risk framework, it’s clear the board must demand explicit governance and accountability over MCP implementations, viewing each connector not as a benign channel but as a potential threat actor until verified otherwise.

Essential MCP Server Security Controls: A Comprehensive Checklist

From my frontline experience consulting on MCP security, the following checklist forms the backbone of effective protection against data exfiltration and connector compromise:

• Allowlist and Registry of Approved MCP Servers: Prohibit any connections to arbitrary or non-verified MCP servers. Organisations must maintain a constantly reviewed registry of trusted connectors.
• Thorough Server Vetting and Supply-Chain Review: Vet MCP servers for provenance, security practices, and third-party risks before approval.
• Least Privilege Scoped Tokens and OAuth 2.1 Hardening: Tokens granted to MCP servers should have minimal necessary scopes. Implement OAuth 2.1 best practices and token rotation.
• Human-in-the-Loop Confirmation: Require explicit human approval for any action involving sensitive data or potential exfiltration, to prevent automated abuse.
• Server-Side Enforcement: Enforce security policies at the server or gateway level instead of relying solely on client-side or prompt-based restrictions.
• Sandboxing and Gateway Controls: Deploy MCP connectors in sandboxed environments with strict network access controls to limit potential damage.
• Egress Controls and Network Monitoring: Monitor and restrict outbound MCP traffic to prevent covert data exfiltration.
• Comprehensive Logging, Monitoring, and Review: Log all MCP sessions and tool exchanges. Conduct regular audits for anomalies or suspicious activity.
• Adopt a “Trust No MCP Server” Mentality: Treat every connected MCP server as potentially hostile until proven secure, applying continuous validation and threat hunting.

This mcp server security checklist must be embedded into DevSecOps pipelines and procurement policies alike to mitigate associated risks effectively.

Board and CISO Perspectives: Ownership of MCP Security and Governance

The increasing prominence of MCP and AI agents in enterprise technology stacks demands clear ownership at board and leadership levels. This includes:

• Policy and Governance Frameworks: Boards should direct policies that mandate MCP security controls, risk assessments, and incident response procedures.
• Procurement and Contract Clauses: Contracts with MCP server providers must include security obligations, supply-chain assessments and audit rights to manage third-party AI risk.
• Alignment with Regulatory Standards: MCP security governance must map to emerging regulations such as the EU AI Act and frameworks like NIST’s AI Agent Standards Initiative launched in February 2026.
• Cross-Functional Risk Ownership: CISOs, CIOs, legal, and compliance leaders need defined roles for MCP risk management to ensure comprehensive oversight.

Robust MCP security and governance cannot be delegated entirely to IT teams; they require board mandate, investment, and oversight. Practical DevSecOps combined with strategic governance closes the gap between technical controls and organisational accountability.

Common Mistakes to Avoid When Implementing MCP Security

• Allowing unrestricted or ad hoc MCP server connections without formal approval processes.
• Relying solely on user input validation and ignoring tool metadata and server responses.
• Over-scoping tokens and failing to rotate or limit access credentials.
• Ignoring network egress monitoring and assuming internal MCP traffic is safe.
• Failing to implement human-in-the-loop checks for sensitive or risky operations.
• Neglecting regular reviews and audits of MCP server activity and security posture.

Common Failures

• Relying on default or vendor-supplied connector configurations without rigorous internal review
• Failing to monitor and log connector activity in real time, missing early indicators of compromise
• Allowing excessive permissions or broad access scopes for connectors, increasing the blast radius of a breach
• Neglecting to regularly audit and revoke unused or legacy connectors, leaving dormant attack paths open

Frequently Asked Questions

What is MCP security, and does MCP have built-in security?

MCP security refers to the safeguards applied to protect Model-Context Protocol communications between hosts and AI servers. MCP itself does not enforce built-in security measures such as authentication or data protection. Organisations must implement their own security controls like allowlisting, token scoping, and monitoring to secure MCP servers effectively.

Can a malicious MCP server steal company data?

Yes, a compromised or rogue MCP server can exfiltrate data by embedding malicious instructions in tool metadata or indirectly manipulating prompt responses. Without strict controls, such servers pose significant risks for data leakage and compromise.

What is tool poisoning in MCP environments?

Tool poisoning involves attackers embedding malicious instructions within the metadata or definitions of AI tools accessed via MCP, rather than through direct user prompts. This hidden manipulation bypasses traditional input validation and can lead to the execution of harmful commands or data exfiltration.

How do I secure MCP servers in an enterprise?

Securing MCP servers requires establishing an allowlist of trusted connectors, rigorous supply-chain vetting, least-privilege credentialing, human confirmation for sensitive actions, server-side enforcement, sandboxing, and continuous logging and monitoring.

Who in the business owns MCP and AI agent security risks?

Ownership typically lies with the CISO for operational risk management, supported by the CIO and digital teams. However, ultimate accountability rests with the board, which must provide governance frameworks, policies, and resource allocation to manage MCP and AI agent security effectively.

In summary, MCP security controls are essential to defend against the rising threat of malicious connectors and data exfiltration in AI-enabled enterprises. As this technology becomes more embedded in core systems, organisations must adopt a rigorous, board-led approach combining practical DevSecOps with strategic governance to mitigate these evolving risks confidently.