AI Tool Integrations Expose New Attack Surface: Inside MCP Security Risks

Model Context Protocol (MCP), the emerging standard that lets AI assistants connect to external tools and data sources, is rapidly becoming a fixture in enterprise environments — and security researchers are raising alarms about its attack surface. As organisations rush to wire AI copilots into internal APIs, databases, and SaaS platforms, the authentication and authorisation controls around MCP servers are often an afterthought.

What is MCP and why does it matter?

MCP is an open protocol, championed by Anthropic, that standardises how large language model (LLM) applications connect to external tools. Think of it as a universal adapter: a single MCP server can expose file-system access, database queries, or API calls to any compatible AI client. The convenience is real — but so is the blast radius if something goes wrong.

Key attack patterns researchers have identified

• Prompt injection via tool output — an attacker who controls data returned by an MCP-connected source (a CRM record, a document, a web page) can embed instructions that hijack the AI agent’s next action.
• Over-privileged MCP servers — servers are often configured with broad permissions during development and never scoped down. A read-only AI assistant that can also call write APIs is a lateral-movement path.
• Token exfiltration — if an MCP server proxies OAuth tokens to the AI client, a prompt-injection payload can instruct the agent to leak those tokens in a follow-up API call.
• Confused deputy attacks — the AI agent acts on behalf of the user but with its own (often broader) service identity, letting unprivileged users trigger privileged actions indirectly.

What security teams should do now

Red teams should add MCP-connected AI tools to their scope explicitly. The key controls are: enforce least-privilege on every MCP server; validate and sanitise all tool output before it re-enters the AI context; use separate service accounts per MCP server with audit logging; and test for prompt injection across every tool that ingests user-controlled data.

The OWASP LLM Top 10 lists prompt injection and insecure tool use as the top two risks for AI applications — MCP amplifies both. If your organisation has deployed an AI copilot in the last twelve months, assume it has an MCP-shaped hole in your threat model until you check.