
MCP Servers: The New Perimeter Your Company Is Not Monitoring

[Image: Centralized security gateway monitoring connections between AI agents and enterprise tools]

In just a few months, the Model Context Protocol (MCP) has evolved from a niche technical proposal to the de facto standard for connecting AI agents to enterprise tools. Companies are adopting it without policies, without governance, often without IT even knowing. That is the problem.

Launched by Anthropic in November 2024, MCP has already accumulated thousands of public implementations. Editors such as Cursor and VS Code support it natively, as do Claude and GitHub Copilot, and the ecosystem is growing rapidly. The benefit is real: integrations that used to take weeks of development can now be composed in hours. The problem is that the ease of adoption has far outpaced governance maturity.

What Is MCP and Why Is It Everywhere

MCP is an open protocol that lets an AI agent "call" external tools (reading emails, updating a CRM, querying a database, writing files) much like an API, except that the model decides in natural language when to call what. A developer registers a server in the client's configuration file; the server advertises its tools over JSON-RPC, each with a name, a description and an input schema, and the agent invokes them as needed. The description is text the model reads, so whoever ships the server shapes part of the agent's behaviour.
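What such an exchange looks like on the wire, as an added example that is not from the original post and not from any real MCP server: a minimal in-process stand-in that answers the three JSON-RPC methods an agent drives (initialize, tools/list, tools/call). The demo-crm server, its lookup_customer tool and the customer data are constructed for the example; the message shapes follow the MCP specification, and the protocol version string is an assumption about the revision in use.

```python
import json
from typing import Any, Callable

# Constructed, in-process stand-in for an MCP server. The JSON-RPC method names
# and message shapes follow the MCP spec; the tool and its data are hypothetical.
PROTOCOL_VERSION = "2025-03-26"   # assumption: the spec revision the client negotiates

def lookup_customer(arguments: dict[str, Any]) -> str:
    """Hypothetical tool body; a real server would query a CRM here."""
    customers = {"ACME-001": "ACME Corp, 12 open tickets"}
    key = arguments["customer_id"]
    return customers.get(key, f"no customer {key}")

# What the server advertises: this description and schema are what the model
# reads to decide when and how to call the tool.
TOOLS: dict[str, dict[str, Any]] = {
    "lookup_customer": {
        "name": "lookup_customer",
        "description": "Look up a customer record by ID.",
        "inputSchema": {
            "type": "object",
            "properties": {"customer_id": {"type": "string"}},
            "required": ["customer_id"],
        },
    }
}
HANDLERS: dict[str, Callable[[dict[str, Any]], str]] = {"lookup_customer": lookup_customer}

def handle(request: dict[str, Any]) -> dict[str, Any]:
    """Dispatch one JSON-RPC request the way an MCP server does."""
    method, params, rid = request["method"], request.get("params", {}), request.get("id")
    if method == "initialize":
        result = {"protocolVersion": PROTOCOL_VERSION,
                  "capabilities": {"tools": {}},
                  "serverInfo": {"name": "demo-crm", "version": "0.1"}}
    elif method == "tools/list":
        result = {"tools": list(TOOLS.values())}
    elif method == "tools/call":
        name = params["name"]
        if name not in HANDLERS:
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": -32602, "message": f"unknown tool {name}"}}
        text = HANDLERS[name](params.get("arguments", {}))
        result = {"content": [{"type": "text", "text": text}], "isError": False}
    else:
        return {"jsonrpc": "2.0", "id": rid,
                "error": {"code": -32601, "message": f"method not found: {method}"}}
    return {"jsonrpc": "2.0", "id": rid, "result": result}

def run_session() -> list[dict[str, Any]]:
    """The sequence an agent drives: handshake, discover tools, call one."""
    requests = [
        {"jsonrpc": "2.0", "id": 1, "method": "initialize",
         "params": {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                    "clientInfo": {"name": "demo-agent", "version": "0.1"}}},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/list"},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "lookup_customer", "arguments": {"customer_id": "ACME-001"}}},
    ]
    # Round-trip through JSON so each response is exactly what would cross the wire.
    return [json.loads(json.dumps(handle(r))) for r in requests]

if __name__ == "__main__":
    for response in run_session():
        print(json.dumps(response))
```

The tools/list reply is the part to keep in mind for the rest of this post: the agent never sees the server's code, only the name, description and schema it chooses to advertise, and it acts on that text.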

The Three Risks Nobody Is Measuring

1. OAuth Sprawl: Credentials Multiplying Without Control

Every MCP server authenticates to its upstream service on its own. The server accessing Google Drive uses a Google OAuth token. The one reading Slack uses a Slack token. The one writing to the CRM uses its own API key, often pasted in plaintext into the client's configuration file or the server's environment. The result: dozens of active tokens, often with excessively broad scopes ("read everything", "write everything"), no scheduled rotation, no centralized inventory.

When a token is compromised — through a code leak, an unprotected log, an accidental public repository — the company has no response plan because it doesn't even know which tokens exist.

2. Zero Visibility: Nobody Knows What Agents Are Doing

When an AI agent calls a tool, the call leaves no structured trace in any enterprise system. The MCP client logs, if anything, to a local file on the developer's machine; the upstream service sees an ordinary API request made with a user's token, with nothing tying it to the agent, the session or the prompt that triggered it. No centralized log. No usage metrics. No alert if the agent reads unusual data or acts at odd hours.

From a compliance standpoint (ISO 27001, NIS2, GDPR) this is a serious problem. Control A.8.15 (Logging) of ISO 27001:2022 requires that system activities be logged and that the logs be protected and reviewed. An AI agent operating on corporate data without an audit trail is a system whose compliance you cannot demonstrate. And when an incident happens, incident response is blind: there is no record of what the agent read or changed.

3. Shadow MCP: Local Servers Outside the IT Perimeter

The most common and most underestimated scenario: a developer sets up an MCP server on their laptop, using personal credentials or an unapproved service token, to make their AI agent work faster. IT doesn't know. The CISO doesn't know. Corporate data flows through unmonitored, unapproved, unprotected infrastructure.

It is the modern equivalent of 2010s shadow IT, with a much larger attack surface because AI agents can act, not just read.
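The first thing a practitioner wants for risks 1 and 3 is to know what is actually out there. As an added example (not part of the original post, not Tomato Blue tooling): a small inventory script that walks the places common MCP clients keep their server lists on a developer machine, reports each configured server, flags any that is not on the approved list, and flags credentials pasted as literals into the config instead of referenced from an environment variable. The file locations and the key names (mcpServers, servers) are assumptions about current client versions; the three sample configuration files are constructed in a temporary directory so the script runs offline.

```python
import json
import re
import tempfile
from pathlib import Path

# Where common MCP clients keep their server lists, relative to the user's home.
# These paths and the key names below are assumptions about current client
# versions (they change); extend the list for the clients in your estate.
CONFIG_LOCATIONS = [
    "Library/Application Support/Claude/claude_desktop_config.json",  # Claude Desktop (macOS)
    ".cursor/mcp.json",                                               # Cursor, user scope
    ".vscode/mcp.json",                                               # VS Code, workspace in $HOME
]
SERVER_KEYS = ("mcpServers", "servers")   # key naming differs between clients
SECRET_NAME = re.compile(r"token|secret|key|password|credential", re.IGNORECASE)

def load_servers(path: Path) -> dict:
    """Return the server map from one client config, or {} if absent or unreadable."""
    try:
        data = json.loads(path.read_text())
    except (OSError, ValueError):
        return {}
    for key in SERVER_KEYS:
        if isinstance(data.get(key), dict):
            return data[key]
    return {}

def inventory(home: Path, approved: set[str]) -> list[dict]:
    """One finding per configured server: what it runs, whether it is approved,
    and which env entries carry a literal secret instead of a ${VAR} reference."""
    findings = []
    for rel in CONFIG_LOCATIONS:
        for name, spec in load_servers(home / rel).items():
            env = spec.get("env", {})
            inline = sorted(k for k, v in env.items()
                            if SECRET_NAME.search(k) and not str(v).startswith("${"))
            findings.append({
                "config": rel,
                "server": name,
                "runs": spec.get("url") or " ".join([spec.get("command", ""), *spec.get("args", [])]),
                "approved": name in approved,
                "inline_secrets": inline,
            })
    return findings

def write_json(path: Path, obj: dict) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(obj, indent=2))

def build_demo_home() -> Path:
    """Constructed laptop: one approved server, two shadow servers, two pasted tokens."""
    home = Path(tempfile.mkdtemp())
    write_json(home / CONFIG_LOCATIONS[0], {"mcpServers": {
        "corp-crm": {"command": "npx", "args": ["-y", "corp-crm-mcp"],
                     "env": {"CRM_API_KEY": "${CRM_API_KEY}"}}}})       # reference, not a literal
    write_json(home / CONFIG_LOCATIONS[1], {"mcpServers": {
        "gdrive": {"command": "npx", "args": ["-y", "gdrive-mcp"],
                   "env": {"GOOGLE_OAUTH_TOKEN": "ya29.not-a-real-token"}}}})
    write_json(home / CONFIG_LOCATIONS[2], {"servers": {
        "slack": {"command": "uvx", "args": ["slack-mcp"],
                  "env": {"SLACK_BOT_TOKEN": "xoxb-not-a-real-token"}}}})
    return home

if __name__ == "__main__":
    for f in inventory(build_demo_home(), approved={"corp-crm"}):
        status = "approved" if f["approved"] else "SHADOW"
        print(f"{status:8} {f['server']:10} {f['runs']:22} "
              f"secrets-in-config={f['inline_secrets']}  ({f['config']})")
```

Run it from an endpoint-management job rather than asking developers to self-report; the approved set is the catalogue from governance layer 1, and every line tagged SHADOW is a server IT did not know about, with the inline_secrets column giving the token inventory that risk 1 says nobody has.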

How They Should Be Managed

All three problems share a single root cause: there is no centralized control plane for AI tools. The solution is not to block MCP — it is to govern it. Effective governance is built on four levels:

  1. MCP server inventory and approval: every MCP server in use within the organization must be catalogued, assessed, and approved. The same process as any software that accesses corporate data.
  2. Centralized authentication: one identity per agent, not one token per server. Credentials for corporate systems must not be handed to individual MCP servers; a gateway holds them, issues short-lived tokens with minimal scopes, and rotates them automatically.
  3. Structured audit trail: every tool call must generate a structured log entry: who called (the agent identity and the user on whose behalf it acts), which tool, with what arguments (pseudonymized if they contain personal data), with what outcome, when. This log is the foundation for incident response, compliance audits, and anomaly detection.
  4. Policy as code: rules on who can use which tools, in what context, with what access level, must be written as versioned configuration — not entrusted to informal conventions or team memory.
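An added example, not from the original post and not Tomato Blue's tooling, of layers 2 to 4 working together (layer 1, the inventory, is a separate job): a policy written as versioned data, a gateway that is the only path from an agent to a tool, one structured audit record per call with personal data pseudonymized, and a detection pass over the resulting records. The roles, tools, agent names, hours and the two-denial threshold are constructed for the example; in production the policy would live in a versioned YAML or JSON file under review, and each record would be shipped as one JSON line to the SIEM.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Any, Callable

# Policy as code. In production this is a versioned YAML/JSON file reviewed
# like any other change; it is inlined here so the example runs stand-alone.
# Roles, tools and hours are constructed for the example.
POLICY = {
    "version": 3,
    "roles": {
        "support-agent":   {"allow": ["crm.read_customer", "mail.search"], "hours_utc": [7, 19]},
        "sales-ops-agent": {"allow": ["crm.read_customer", "crm.update_deal"], "hours_utc": [6, 22]},
    },
}
PII_KEY = re.compile(r"email|phone|name|address|iban", re.IGNORECASE)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def pseudonymize(value: str) -> str:
    """Stable handle for correlating records without storing the personal data."""
    return "pii:" + hashlib.sha256(value.encode()).hexdigest()[:12]

def redact(arguments: dict[str, Any]) -> dict[str, Any]:
    """Arguments as they may enter the audit log: PII-looking fields replaced."""
    return {k: pseudonymize(str(v)) if PII_KEY.search(k) or EMAIL.search(str(v)) else v
            for k, v in arguments.items()}

def evaluate(policy: dict, role: str, tool: str, when: datetime) -> tuple[bool, str]:
    """Policy decision: who may use which tool, and when."""
    rules = policy["roles"].get(role)
    if rules is None:
        return False, f"unknown role {role}"
    if tool not in rules["allow"]:
        return False, f"tool {tool} not allowed for role {role}"
    start, end = rules["hours_utc"]
    if not start <= when.astimezone(timezone.utc).hour < end:
        return False, f"outside allowed hours {start:02d}-{end:02d} UTC"
    return True, "allowed"

class Gateway:
    """The single path from agents to tools: authorize, execute, record."""
    def __init__(self, policy: dict, handlers: dict[str, Callable[[dict], Any]]):
        self.policy, self.handlers, self.audit = policy, handlers, []

    def call(self, agent_id: str, role: str, tool: str, arguments: dict, when: datetime):
        allowed, reason = evaluate(self.policy, role, tool, when)
        record = {"ts": when.isoformat(), "agent": agent_id, "role": role, "tool": tool,
                  "args": redact(arguments), "policy_version": self.policy["version"],
                  "decision": "allow" if allowed else "deny", "reason": reason,
                  "outcome": "not_executed"}
        result = None
        if allowed:
            try:
                result = self.handlers[tool](arguments)   # the real, unredacted call
                record["outcome"] = "ok"
            except Exception as exc:                      # failures are part of the trail
                record["outcome"] = f"error: {type(exc).__name__}"
        self.audit.append(json.loads(json.dumps(record)))  # one JSON line per call
        return allowed, result

def detect(audit: list[dict], max_denies: int = 2, max_per_hour: int = 50) -> list[str]:
    """The kind of rule a SIEM would run over the stream: repeated denials, bursts."""
    alerts, denies, per_hour = [], {}, {}
    for rec in audit:
        agent, hour = rec["agent"], rec["ts"][:13]
        if rec["decision"] == "deny":
            denies[agent] = denies.get(agent, 0) + 1
            if denies[agent] == max_denies:
                alerts.append(f"{agent}: {max_denies} policy denials, last: {rec['reason']}")
        per_hour[(agent, hour)] = per_hour.get((agent, hour), 0) + 1
        if per_hour[(agent, hour)] == max_per_hour:
            alerts.append(f"{agent}: {max_per_hour} calls within hour {hour}")
    return alerts

def demo() -> tuple[list[dict], list[str]]:
    """Constructed session: one good call, two policy violations, one good call."""
    handlers = {"crm.read_customer": lambda a: {"id": a["customer_id"], "tier": "gold"},
                "crm.update_deal":   lambda a: {"deal": a["deal_id"], "stage": a["stage"]},
                "mail.search":       lambda a: []}
    gw = Gateway(POLICY, handlers)
    day = datetime(2025, 3, 3, 10, 0, tzinfo=timezone.utc)
    night = datetime(2025, 3, 3, 2, 30, tzinfo=timezone.utc)
    gw.call("support-bot-1", "support-agent", "crm.read_customer",
            {"customer_id": "ACME-001", "email": "jane@example.com"}, day)
    gw.call("support-bot-1", "support-agent", "crm.update_deal",
            {"deal_id": "D-9", "stage": "closed"}, day)        # write tool, read-only role
    gw.call("support-bot-1", "support-agent", "mail.search", {"query": "invoice"}, night)
    gw.call("salesops-bot", "sales-ops-agent", "crm.update_deal",
            {"deal_id": "D-9", "stage": "closed"}, day)
    return gw.audit, detect(gw.audit)

if __name__ == "__main__":
    audit, alerts = demo()
    for rec in audit:
        print(json.dumps(rec))
    print("ALERTS:", alerts)
```

Two design points matter more than the code. The handler receives the real arguments while the log receives the redacted ones, so the trail is useful to incident response without becoming a second copy of the personal data; and the policy version is written into every record, so an auditor can tell which rules were in force when a given call was allowed.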

The Time to Act Is Now

Enterprise AI agent adoption is accelerating. Policies always lag behind — but every month of delay is a month of unmitigated exposure.

Tomato Blue helps organizations build AI tool governance: from inventorying MCP servers in use, to defining access policies, to integrating with already-adopted compliance frameworks (ISO 27001, NIS2, GDPR).

If your company uses AI agents and does not yet have a policy on MCP tools, now is the time to talk.

Let's build your AI tool governance together

From MCP server inventory to access policies, integrated with ISO 27001, NIS2 and GDPR.

Talk to us →

Tomato Blue Consulting — Governance, Risk & Compliance for the AI agent era.