MCP Security
MCP (Model Context Protocol) security is about controlling what AI tools can read, write, and execute.
Simple idea: AI tool access must be permissioned, logged, and limited.
Why It Matters
An AI assistant connected to tools can be powerful, but also risky. If permissions are too broad, it may:
- Read private files.
- Leak sensitive data.
- Modify the wrong document.
- Call the wrong API.
- Take actions without approval.
- Expose customer or company data.
Security Principles
| Principle | Meaning |
|---|---|
| Least privilege | Give only the access needed |
| Human approval | Require approval for risky writes or external actions |
| Audit logs | Record every tool call |
| Data boundaries | Separate public, internal, confidential, and customer data |
| Tool allowlist | Only expose trusted tools |
| Input validation | Do not trust model-generated arguments blindly |
| Output filtering | Avoid returning secrets or private data unnecessarily |
Risky Tool Types
- File deletion.
- Database writes.
- Email sending.
- Payment or billing actions.
- Customer-data exports.
- Production deployment actions.
- Admin-permission changes.
Safe Defaults
- Read-only tools first.
- Approval for writes.
- No destructive actions by default.
- Clear user-visible logs.
- Per-vault or per-folder access.
- Per-environment separation between dev and production.
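As an added example (not code from the page or from any MCP implementation), the Python gateway below applies the principles in the table above and the safe defaults just listed to MCP-style tool calls: an allowlist of registered tools, read-only tools that run freely, an approval hook for writes, destructive tools disabled by default, path validation against a per-folder data boundary, an audit entry for every call, and secret redaction on the way out. The tool names, risk tiers, vault contents and the `api_key=` sample are all constructed for illustration.

```python
"""Added example, not the page's own code: a minimal policy gateway for
MCP-style tool calls. Tool names, tiers and vault contents are constructed."""
from __future__ import annotations
import re
import tempfile
import time
from pathlib import Path
from typing import Any, Callable

# Risk tiers: read-only tools run freely, writes need human approval,
# destructive tools stay disabled unless the operator turns them on.
READ, WRITE, DESTRUCTIVE = "read", "write", "destructive"
SECRET_RE = re.compile(r"(?i)\b(api[_-]?key|token|password|secret)\b\s*[:=]\s*\S+")


def redact(text: str) -> str:
    """Output filtering: mask anything that looks like a credential."""
    return SECRET_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)


class ToolGateway:
    def __init__(self, root: Path, approve: Callable[[str, dict], bool],
                 allow_destructive: bool = False) -> None:
        self.root = root.resolve()      # data boundary: one vault/folder per gateway
        self.approve = approve          # human-approval hook for risky calls
        self.allow_destructive = allow_destructive
        self.tools: dict[str, tuple[str, Callable]] = {}  # the tool allowlist
        self.audit: list[dict[str, Any]] = []             # every call, allowed or not

    def register(self, name: str, tier: str, handler: Callable) -> None:
        self.tools[name] = (tier, handler)

    def _safe_path(self, raw: str) -> Path:
        """Input validation: reject model-supplied paths that escape the root."""
        path = (self.root / raw).resolve()
        if path != self.root and self.root not in path.parents:
            raise PermissionError(f"path escapes data boundary: {raw}")
        return path

    def _record(self, tool: str, args: dict, decision: str) -> None:
        self.audit.append({"ts": time.time(), "tool": tool, "args": args, "decision": decision})

    def call(self, tool: str, args: dict) -> str:
        """Allowlist, tier policy, approval, validation, then log and filter output."""
        if tool not in self.tools:
            self._record(tool, args, "denied:not-allowlisted")
            raise PermissionError(f"tool not exposed: {tool}")
        tier, handler = self.tools[tool]
        if tier == DESTRUCTIVE and not self.allow_destructive:
            self._record(tool, args, "denied:destructive-disabled")
            raise PermissionError(f"destructive tool disabled by default: {tool}")
        if tier != READ and not self.approve(tool, args):
            self._record(tool, args, "denied:approval-refused")
            raise PermissionError(f"approval required for {tool}")
        try:
            path = self._safe_path(args["path"]) if "path" in args else None
        except PermissionError:
            self._record(tool, args, "denied:invalid-path")
            raise
        result = handler(path, args)
        self._record(tool, args, "allowed")
        return redact(result)


# Constructed tools, one per tier.
def read_file(path: Path, args: dict) -> str:
    return path.read_text()

def write_file(path: Path, args: dict) -> str:
    path.write_text(args["content"])
    return f"wrote {path.name}"

def delete_file(path: Path, args: dict) -> str:
    path.unlink()
    return f"deleted {path.name}"


def run_demo(root: Path | None = None) -> dict[str, Any]:
    """Exercise the gateway on a constructed vault and return the outcomes."""
    root = root or Path(tempfile.mkdtemp())
    (root / "config.txt").write_text("mode=strict\napi_key=sk-constructed-123\n")
    # The approval hook stands in for a human reviewer; here it only approves writes.
    gw = ToolGateway(root, approve=lambda tool, args: tool == "write_file")
    gw.register("read_file", READ, read_file)
    gw.register("write_file", WRITE, write_file)
    gw.register("delete_file", DESTRUCTIVE, delete_file)
    out: dict[str, Any] = {"read": gw.call("read_file", {"path": "config.txt"})}
    attempts = [("traversal", "read_file", {"path": "../../etc/passwd"}),
                ("delete", "delete_file", {"path": "config.txt"}),
                ("unlisted", "send_email", {"to": "someone@example.com"})]
    for label, tool, args in attempts:
        try:
            gw.call(tool, args)
            out[label] = "allowed"
        except PermissionError as exc:
            out[label] = str(exc)
    out["write"] = gw.call("write_file", {"path": "notes.txt", "content": "draft"})
    out["audit"] = [entry["decision"] for entry in gw.audit]
    return out
```

Calling `run_demo()` returns the read result with the constructed `api_key` masked, the three refusals (path outside the vault, destructive tool disabled, tool not on the allowlist) as messages, the approved write, and the audit trail with one decision per call. The approval hook is the place to plug in the user-facing confirmation step that the CookieYes and Mozilor examples below describe; the gateway never reaches the handler until that hook says yes.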
CookieYes Example
An AI assistant that reviews consent setup should be able to read configuration and scanner output, but should require approval before changing live consent rules.
Mozilor Example
An e-commerce agent can draft a refund or inventory action, but should require approval before issuing refunds or changing prices.