Security

45 posts

The NSA just made the case for a policy layer in front of MCP

The NSA published 17 pages on MCP security. We map every recommendation to where enforcement actually happens: the call path between agent and tool.

mcp security nsa

MCP Authentication: Securing How Agents and Servers Connect

MCP ships no auth model of its own. Here is how MCP authentication actually works, where it breaks across a fleet, and how to fix it at the gateway.

mcp security guide

MCP Authorization: Scoping What Agents Are Allowed to Do

Authentication proves who is calling. MCP authorization decides what they can do. Here is how to add per-tool, per-argument limits to AI agents.

mcp security policy

MCP OAuth: Connecting Agents to Protected Servers

MCP's OAuth flow lets agents reach protected servers without static keys. Here is how MCP OAuth works, where it gets messy across a fleet, and how to manage it.

mcp security guide

MCP Gateway: What It Is and Why Agent Fleets Need One

An MCP gateway sits in front of every MCP server and evaluates each tool call before it runs. Here is what it does, how it works, and when you need one.

mcp security architecture

AI Agent Containment Starts at the Environment Layer

Anthropic showed model defences can't stand alone: Claude leaked secrets 24 of 25 times under injection. Why AI agent containment belongs at the environment layer.

thought-leadership mcp security

Stop Your GitHub MCP Agent From Force-Pushing to main

Branch-level Deny if rules and protected-repo allowlists for the GitHub MCP server. Stop autonomous agents force-pushing to main or deleting your repos.

mcp security policy

Blocking Outbound Exfiltration Through MCP Fetch and HTTP Tools

Stop autonomous agents POSTing your data to attacker domains. PolicyLayer's URL allowlists turn MCP fetch and HTTP tools into deterministic one-way readers.

mcp security policy

Cap LLM Token Spend on MCP Agents: Cost-Scaled Limits Beyond Call Counts

Stop autonomous agents from burning through your inference budget. PolicyLayer's cost-scaled limits cap LLM tokens, not just tool calls, on every MCP server.

mcp security policy

Namespace-Scope Your Kubernetes MCP Server From Production

Lock your AI agent's kubectl access to dev and staging namespaces. PolicyLayer adds a second wall on top of Kubernetes RBAC and audits every blocked call.

mcp security policy

Rotate MCP Credentials Across 30 Developers in One Click

Stop chasing 30 developers to update MCP configs on every key rotation. Centralise credentials behind the gateway, issue labelled Grant tokens, and rotate with one update.

mcp security platform-engineering

Sandbox Your Shell-Exec MCP Server With Command Allowlists

Stop your agent running rm -rf through a third-party shell-exec MCP server. PolicyLayer Require and Deny if rules give you a two-layer command allowlist.

mcp security policy

Slack MCP Channel Allowlists: Stopping Agents Posting to #general

Lock your Slack MCP server to specific channels and strip destructive tools from the MCP handshake. Practical Require, Deny if, and Hide policy walkthrough.

mcp security policy

Tool-Result Injection: The MCP Attack System Prompts Miss

A concrete walkthrough of indirect prompt injection delivered via MCP tool responses. The attack, the model's reasoning, and the policy that stops it.

mcp security prompt-injection

System Prompts vs. Transport Firewalls: Why System Prompts Do Not Equal Security

Discover why system prompts fail as a security boundary for AI agents, and how transport-level MCP proxies provide deterministic guardrails.

security mcp prompt-injection

How to Safely Connect Claude Code to High-Risk Upstream MCP Servers

Learn how to use PolicyLayer's hosted proxy gateway to secure Claude Code tool usage, inspect JSON-RPC arguments, and set up policy boundaries on upstream MCP servers.

security mcp claude-code

Anthropic's MCP Playbook Is for Builders. Defenders Need the Next Layer.

Anthropic published the production playbook for MCP: 300M SDK downloads, thin tools over 2,500 endpoints, OAuth vaults. The playbook stops at the tool call. Argument-level policy is what comes next.

thought-leadership mcp security

MCP Governance Is Table Stakes. What Comes Next?

Cloudflare's enterprise MCP launch solves discovery, access, and shadow-MCP prevention. That's the baseline. The harder question — what agents are allowed to do once they're inside — needs a different primitive.

thought-leadership mcp security

Microsoft's Agent Governance Toolkit: 9 Packages, MCP-Blind

Microsoft's open-source toolkit: nine packages for agent policy, identity, and compliance. Review of what works — and the MCP-shaped hole teams must bridge themselves.

thought-leadership mcp security

How to Safely Run AI Agents With Tool Access in Production

A 10-point checklist for deploying AI agents that call APIs, move money, and modify databases. Covers deny-by-default, spend limits, rate limiting, and approval workflows.

security mcp production

What Is MCP Policy Enforcement (And Why Every Agent Needs It)

MCP policy enforcement intercepts every AI agent tool call and evaluates it against deterministic rules before execution. Here's how it works and how to set it up.

mcp security thought-leadership

Why Prompt Guardrails Fail for AI Agent Safety (And What Works Instead)

System prompts can't enforce spending limits or prevent destructive operations. Here's why prompt guardrails fail for tool-calling AI agents and what works instead.

security mcp thought-leadership

X Just Shipped an MCP Server. It Exposes 131 Tools With Zero Access Control.

X released an official MCP server with 131 tools — including posting, DMs, follows, and deletes. Here's why that's a problem and how to enforce policies on it.

security mcp x

We Scanned Popular Open Source MCP Configs. Here's What We Found.

Cloudflare, Stripe, Supabase, Sentry, Firebase — we ran PolicyLayer's scan against real .mcp.json files from well-known repos. Most expose destructive tools with zero policy enforcement.

security mcp scan

30 MCP CVEs in 60 Days. Most Fixes Are Solving the Wrong Problem.

Security researchers filed 30+ CVEs against MCP servers in early 2026. Patching individual servers doesn't fix the structural gap. The real fix is a policy layer that works across all of them.

security mcp thought-leadership

The Academic Case for Deterministic AI Agent Enforcement

A new research paper argues that LLMs cannot self-enforce security constraints. Intercept implements every recommendation — as open-source software you can deploy today.

security thought-leadership mcp

Your Coding Agent Can Delete Any File on Disk

The filesystem MCP server gives AI agents unrestricted read and write access. Here's how to rate limit file operations and prevent destructive mistakes.

tutorial mcp filesystem

Your AI Agent Has Push Access to Every Repo

The GitHub MCP server exposes 83 tools — including file deletion, repo creation, and PR merges. Here's how to enforce policies before your agent ships something it shouldn't.

tutorial mcp github

What Happens When Your AI Agent Goes Rogue

What happens when your AI agent goes rogue? Six failure modes — runaway loops, spending spirals, destructive ops — and the deterministic policies that stop them.

security mcp failure-modes

Why AI Agent Policies Must Be Deterministic, Not Probabilistic

LLMs can't reliably self-enforce safety rules. Deterministic policy enforcement outside the model catches what prompts miss — here's the architecture.

thought-leadership security policy-enforcement

MCP Security: Why Prompt Guardrails Aren't Enough

Prompt guardrails for MCP agents are bypassable and unauditable. Why deterministic policy enforcement at the transport layer is the real security primitive.

security mcp thought-leadership

How to Add Spending Controls to Any MCP Agent

MCP servers are giving AI agents access to wallets, bridges, and DeFi. Here's how to enforce spending limits on any MCP-powered agent in under five minutes.

mcp tutorial security

Why Your Agent Shouldn't Know About Its Spending Limits

Policy enforcement belongs in your tools, not your agent. Here's why the integration point matters for security.

architecture security

Will AI Ever Be Good Enough to Not Need Spending Limits?

As AI agents improve, will they become reliable enough to handle money without guardrails? We argue that deterministic policy layers will always be necessary—and that's a feature, not a bug.

security opinion

Non-Custodial Security: Why We Don't Want Your Keys

PolicyLayer enforces spending policies without ever touching your private keys. Learn how non-custodial architecture enables compliance without custody risk.

security

AI Agent Kill Switch: Halt Fleet Spending in Seconds

Step-by-step pattern for halting all AI agent spending in seconds — useful when a bug, prompt injection, or compromise hits a fleet of 100+ agents.

security enterprise

Under the Hood: How Two-Gate Enforcement Works

Technical deep-dive into PolicyLayer's two-gate cryptographic architecture that prevents transaction tampering without holding private keys.

architecture security

The Anatomy of a Wallet Drain: How One Logic Loop Cost $100k

Case study of how a simple infinite loop bug can drain an AI agent's entire wallet in seconds, and how velocity limits prevent catastrophic loss.

security case-study

Why Prompt Engineering is NOT Security: The Case for Policy Engines

System prompts can be jailbroken. Learn why deterministic policy engines are the only way to secure AI agent wallets against prompt injection attacks.

security

The Binary Permissions Problem: Why Traditional Wallets Fail AI Agents

Traditional crypto wallets offer all-or-nothing access. Learn why AI agents need a granular policy layer in place of binary permissions.

security

Multisig vs Policy Layers: Which Approach Secures AI Agents Better?

Compare multisig wallets and policy layers for AI agent security. Learn when to use each approach—and why the best answer is often both.

architecture security

ERC-20 Approval Attacks: Why AI Agents Are the Perfect Target

How infinite approval attacks work, why AI agents are uniquely vulnerable, and how to prevent token drain with intent-level controls.

ethereum security

Custodial vs Non-Custodial: The Key Architecture Decision for AI Agent Wallets

Should you give your AI agents their own keys or use a custodial service? The trade-offs, risks, and when to use each approach.

architecture security

X402 Protocol Security: Stop AI Agents Draining Your Wallet

X402 lets AI agents pay for resources autonomously. Without spending controls, a single loop can drain your wallet. Here's how to enforce limits on agent payments.

x402 security

How to Prevent AI Agents from Draining Crypto Wallets

Comprehensive guide to securing AI agent wallet access with spending limits, recipient whitelists, and two-gate cryptographic enforcement.

security