Model Context Protocol Servers: Friend or Foe?

July 07, 2026

As AI adoption accelerates across the enterprise, new integration layers are emerging just as quickly. One of the most talked-about is the Model Context Protocol (MCP), a flexible standard that connects AI models to tools, data and services. From a security lens, MCP presents a classic dilemma: Is this architecture a force multiplier for security or a new attack surface waiting to be exploited? The answer, as with most emerging technologies, is both.

 

 

The “Foe” Side: Why MCP Feels Risky

At its core, MCP introduces a powerful yet potentially dangerous pattern: remote procedure calls driving AI decisioning and execution. The concern is simple: MCP servers themselves lack a built-in security model. That should trigger immediate red flags.

 

  • Expanded attack surface – Misconfigured MCP servers resemble exposed web services with broad reach and impact
  • Data exfiltration risk – Weak controls can allow sensitive data to leave the environment undetected 
  • Token and tool interception – The integration layer can be a target for credential and session hijacking 
  • Supply chain exposure – Unverified tools introduce risk similar to insecure third-party dependencies 
  • Opaque decisioning – AI-driven workflows may execute actions without transparent oversight if not properly governed

 

In other words, MCP defaults to foe when implemented without controls. This is not hypothetical. It mirrors the early days of other technologies we know, like APIs, cloud services and SaaS, where speed outpaced security.

 

 

The Turning Point: Implementation Determines the Outcome

Here’s the critical insight: MCP security is entirely dependent on how it is implemented. This is where the friend vs. foe paradigm shifts.

 

Without guardrails → Foe
With intentional design → Friend

 

For CISOs and security managers, MCP represents a familiar challenge:

  • It is not inherently insecure
  • It is inherently under-secured by default

 

 

The “Friend” Side: Turning MCP into a Control Point

With the right architecture, MCP can evolve from a liability into a central enforcement layer for AI interactions. Think of it not just as an integration mechanism, but as an opportunity to embed Zero Trust, identity and policy enforcement directly into AI workflows.

 

Here’s how the transformation happens:

 

1. Control the Inputs and Outputs

AI is only as safe as the data it processes.

  • Validate prompts and outputs
  • Detect secrets, credentials and personally identifiable information (PII)
  • Isolate content execution

Without this, MCP remains a foe via prompt abuse and data leakage. With it, it becomes a friend enforcing data governance at runtime.

 

 

2. Establish a Trusted MCP Registry

Uncontrolled service discovery is dangerous.

 

A trusted registry ensures:

  • Identity and provenance verification
  • Classification of servers by risk (internal, partner, experimental)
  • Runtime validation via hashes, versions and integrity checks 

 

This is the difference between:

  • Foe: Unknown services dynamically introduced
  • Friend: A curated, continuously validated ecosystem

 

 

3. Enforce Cryptographic Trust Across Layers

Security must exist at every interaction boundary:

  • Demonstrating Proof-of-Posession (DPoP) to bind tokens to applications
  • mTLS for transport security
  • Workload identity in cloud environments
  • Full logging of sessions and data access 

This converts MCP from a permissive RPC mechanism into a trusted execution fabric.

 

 

4. Use Short-Lived, Scoped Identity

Identity is your strongest control surface.

  • Issue short-lived OAuth tokens
  • Scope permissions tightly per tool
  • Limit token reuse window

Without this → tokens become a foe via persistence risk
With this → identity becomes a friend, enforcing least privilege

 

 

5. Insert an API Gateway for Governance

MCP servers do not enforce security by design, but API gateways do. Platforms like Azure APIM, Kong or Apigee provide:

  • Policy enforcement
  • Visibility into interactions
  • Rate limiting and access control 

From a security architecture standpoint, this is non-negotiable.

 

 

6. Apply Traditional AppSec Discipline

Despite being ‘AI-native,’ MCP servers still require classic controls:

  • Container isolation
  • Restricted OS access
  • Disabled debugging interfaces
  • Strong input validation 

This reinforces an important principle: AI systems do not replace AppSec, they amplify the need for it.

 

 

7. Adopt Zero Trust Fully

Every MCP server should be treated as untrusted:

  • Continuous authentication and verification
  • No dynamic loading from unknown sources
  • Strict registry governance 

This is where MCP becomes a friend aligned to Zero Trust architecture, rather than a blind trust layer.

 

 

8. Detect the Unexpected

MCP-driven workloads should be predictable. Monitor for anomalies:

  • Unusual API patterns
  • Unexpected data volumes
  • Abnormal tool chaining
  • Suspicious geolocation or encoding behavior

Detection is what turns inevitable risk into manageable risk.

 

 

Final Perspective: Friend or Foe?

Let’s be clear: MCP is neither inherently dangerous nor inherently secure.

 

It is a force multiplier.

  • Poorly implemented → multiplies risk (foe)
  • Intentionally secured → multiplies control (friend)

 

This should feel familiar. We have seen this pattern before:

  • Web apps
  • APIs
  • Cloud platforms

Each started as a perceived threat and became foundational once security caught up.

 

 

The Bottom Line

MCP becomes a “friend” when it is treated as part of the control plane — not just a connectivity layer. 

 

Yes, the controls may feel extensive. But they are not new; they are the same principles we have applied to every high-risk integration. And in this case, the payoff is significant:

  • Secure AI orchestration
  • Centralized enforcement
  • Visibility into AI-driven actions
  • Reduced operational risk

 

Discover how Optiv helps organizations strengthen MCP deployments and reduce the risk of real‑world exploitation.

Brian Golumbeck
Director, Strategy and Risk Management | Optiv
Brian Golumbeck is a Practice Director within Optiv Risk Management and Transformation Advisory Services Practice. He has a history of leading challenging projects and building dynamic high impact teams. Mr. Golumbeck’s 25+ years working in Information Technology, include 20+ years as an information security professional. Brian is a Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Controls (CRISC), Certified Information Security Manager (CISM), Certificate of Cloud Security Knowledge (CCSK), EXIN/ITSMf ITIL Foundations, and Lean Six Sigma – Greenbelt.

About Optiv Security: Secure greatness.® 
Optiv is the world’s largest pure-play cybersecurity company. With unmatched technology partnerships and deep technical expertise, Optiv securely enables the AI era for more than 6,000 clients. From financial services and health care, to government, energy and retail, organizations trust Optiv to advise, deploy and operate cybersecurity programs that reduce risk and deliver real results. Learn why Optiv is the most trusted brand in cyber at optiv.com.