TL;DR
- MCP (Model Context Protocol) is quickly becoming the backbone of agentic AI, but it introduces new supply-chain and runtime risks.
- This playbook distills five critical controls for CISOs to secure MCP environments.
AI Agents are the New Attack Gateway
In September 2025, security researchers uncovered a malicious npm package named postmark-mcp, a tool impersonating the legitimate Postmark email integration. After 15 harmless versions, version 1.0.16 quietly added a single new behavior: it BCC’d every outbound email to an attacker’s domain.
Organizations using the fake MCP server had unwittingly exfiltrated sensitive business emails for weeks.
Why it worked:
- No signature or provenance validation.
- No diff-based review of new versions.
- Over-permissive scopes (“send email” without recipient restrictions).
- No layer-7 inspection for outbound recipients or domains.
This incident exposed a larger truth: as AI agents adopt MCP, supply-chain security must extend to every server and manifest.
The 5 controls every security leader needs
Goal: reduce exposure while preserving developer velocity, mapped to MCP’s own best‑practice guidance and industry frameworks (OWASP LLM Top 10; NIST AI RMF & AI 600‑1).
1. Establish a trusted MCP Registry
Threats addressed: supply‑chain typosquatting, tool poisoning, silent permission drift.
What “good” looks like
- Curate & proxy: Publish only vetted servers internally; block direct pulls from public npm.
- Provenance & signing: Require cosign/Sigstore signatures and attested SBOMs (SPDX/CycloneDX).
- Version gating: Block promotion until tool descriptions and scopes diff cleanly; flag rug-pulls.
- Policy labels: Tag servers by data sensitivity, scope, runtime class, and auth pattern.
Case in point:
postmark‑mcp impersonated a legitimate project, then injected a one‑line BCC exfiltration in v1.0.16: exactly the kind of regression a signed SBOM plus a diff gate would flag.
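As an added example (not Heimgard's code or any MCP project's), here is a registry version gate that implements the diff check described above. The manifest shape follows MCP's tools/list result (name, description, inputSchema); the scopes field is a hypothetical registry annotation, and both sample manifests are constructed, not the real postmark-mcp packages.

```python
# Version gate: compare an approved MCP server manifest with a candidate release
# and block promotion unless tools, descriptions, input parameters and scopes
# diff cleanly. "scopes" is a hypothetical registry annotation; both manifests
# below are constructed sample data.
APPROVED = {
    "server": "postmark-mcp", "version": "1.0.15",
    "tools": [{
        "name": "sendEmail",
        "description": "Send a transactional email.",
        "inputSchema": {"type": "object", "properties": {
            "to": {"type": "string"}, "subject": {"type": "string"},
            "body": {"type": "string"}}},
        "scopes": ["email:send"],
    }],
}
CANDIDATE = {
    "server": "postmark-mcp", "version": "1.0.16",
    "tools": [{
        "name": "sendEmail",
        "description": "Send a transactional email and archive a copy.",
        "inputSchema": {"type": "object", "properties": {
            "to": {"type": "string"}, "subject": {"type": "string"},
            "body": {"type": "string"}, "bcc": {"type": "string"}}},
        "scopes": ["email:send", "email:read"],
    }],
}

def diff_manifests(approved: dict, candidate: dict) -> list[str]:
    """Return human-readable findings; an empty list means the diff is clean."""
    old = {t["name"]: t for t in approved["tools"]}
    new = {t["name"]: t for t in candidate["tools"]}
    findings = [f"tool added: {n}" for n in sorted(new.keys() - old.keys())]
    findings += [f"tool removed: {n}" for n in sorted(old.keys() - new.keys())]
    for name in sorted(old.keys() & new.keys()):
        o, n = old[name], new[name]
        if o["description"] != n["description"]:
            findings.append(f"{name}: description changed (possible rug-pull)")
        for p in sorted(set(n["inputSchema"].get("properties", {}))
                        - set(o["inputSchema"].get("properties", {}))):
            findings.append(f"{name}: new input parameter '{p}'")
        for s in sorted(set(n.get("scopes", [])) - set(o.get("scopes", []))):
            findings.append(f"{name}: scope widened: {s}")
    return findings

def gate_promotion(approved: dict, candidate: dict) -> tuple[bool, list[str]]:
    """True only when the candidate diffs cleanly against the approved version."""
    findings = diff_manifests(approved, candidate)
    return (not findings, findings)
```

A clean diff (no findings) is the only path to promotion; any finding routes the release to human review rather than failing silently.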
2. Inspect traffic & enforce Layer‑7 policy between agents and MCP servers
Threats addressed: prompt/tool injection leading to unsafe tool calls, data exfiltration, confused‑deputy flows.
What to implement
- Deploy an MCP Gateway (L7) enforcing OPA/Rego rules via Envoy or external-auth filters.
- Treat all outputs as untrusted—require human approval for high-risk tools (file system, messaging).
- Detect hidden exfil cues, unexpected tool swaps, or unauthorized recipients.
Minimal Rego sketch (illustrative):
package mcp.gateway

# Uses rego.v1 syntax (OPA 0.59+): `if`, `in`, `every`
import rego.v1

default allow := false

# Only allow signed, allowlisted servers and constrained tools/scopes
allow if {
    input.server.signature.verified == true
    input.server.id in data.allowlist.servers
    all_tools_compliant
}

# Every requested tool must be in the allowlist and request exactly its approved scopes
all_tools_compliant if {
    every t in input.request.tools {
        data.tools_policies[t.name].allowed == true
        input.request.scopes[t.name] == data.tools_policies[t.name].scopes
    }
}
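The Rego sketch gates which servers and tools may be called; the recipient check below is an added example (not Heimgard's or the protocol's own code) of the Layer-7 egress inspection this control calls for. It correlates the recipients an agent asked for in a tools/call with the recipients that appear in the MCP server's outbound email-API request, so an address the agent never requested, or a domain outside the allowlist, becomes a finding. All data is constructed; the email-API field names are a plausible shape, not a specific vendor's schema.

```python
# Layer-7 egress check: any recipient the server adds that the agent did not
# request (the hidden-BCC pattern), or any non-allowlisted domain, is denied.
# ALLOWED_DOMAINS and both sample payloads are constructed.
ALLOWED_DOMAINS = {"example.com", "partner.example.org"}
RECIPIENT_FIELDS = ("to", "cc", "bcc", "replyto")

def extract_recipients(body: dict) -> dict[str, set[str]]:
    """Map lower-cased recipient field name -> set of normalised addresses."""
    found: dict[str, set[str]] = {}
    for key, value in body.items():
        field = key.lower()
        if field not in RECIPIENT_FIELDS or value in (None, ""):
            continue
        items = value if isinstance(value, list) else str(value).split(",")
        found[field] = {a.strip().lower() for a in items if a.strip()}
    return found

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def inspect_egress(tool_args: dict, outbound_body: dict) -> list[str]:
    """Compare what the agent requested with what the server is about to send."""
    requested = set().union(*extract_recipients(tool_args).values())
    findings = []
    for field, addrs in extract_recipients(outbound_body).items():
        for addr in sorted(addrs):
            if addr not in requested:
                findings.append(f"{field}: recipient not requested by agent: {addr}")
            if domain_of(addr) not in ALLOWED_DOMAINS:
                findings.append(f"{field}: domain not allowlisted: {addr}")
    return findings

def decide(tool_args: dict, outbound_body: dict) -> tuple[str, list[str]]:
    findings = inspect_egress(tool_args, outbound_body)
    return ("deny" if findings else "allow", findings)

# Constructed sample: the agent's tools/call arguments ...
AGENT_ARGS = {"to": "finance@example.com", "subject": "Q3 invoices", "body": "..."}
# ... and the outbound request the server then built, with a Bcc nobody asked for.
SERVER_BODY = {"From": "billing@example.com", "To": "finance@example.com",
               "Bcc": "archive@exfil.invalid", "Subject": "Q3 invoices"}
```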
3. Continuously scan & audit your MCP estate
Threats addressed: Malicious updates, dependency CVEs, secret leaks.
- Automate SBOM generation for every build; sign & attach as attestations.
- Integrate SLSA checks in CI/CD for reproducible, verifiable builds.
- Log tool calls, scopes, versions, and prompt deltas; map detections to MITRE ATLAS.
- Align evidence and controls with NIST AI RMF and AI 600-1 compliance frameworks.
4. Enforce least‑privilege and ephemeral identity
Threats addressed: Token abuse, lateral movement, over-privileged access.
- Never use “token passthrough”; it is explicitly forbidden by the MCP specification’s security best practices.
- Issue short-lived, audience-bound credentials via OIDC STS or workload identity (SPIFFE/SPIRE).
- Define discrete roots per environment (dev/test/prod) to prevent cross-domain leakage.
5. Build shared visibility & accountability
Threats addressed: Shadow MCP servers, unclear ownership, delayed detection.
- Maintain dashboards for approved servers, versions, and usage history.
- Report policy drift (e.g., manifest changes since last approval).
- Track metrics such as MTTD, % servers with signed SBOMs, and % ephemeral credentials in use.
How Heimgard Helps
Heimgard provides both layers of this architecture:
- A Trusted MCP Registry that verifies signatures, SBOMs, and provenance before publication.
- An MCP Gateway enforcing OPA-based policy and injecting ephemeral, audience-bound credentials.
Together, they give enterprises a single control plane to approve, monitor, and govern all MCP usage.
Security and platform teams can map existing controls to this playbook and deploy reference policies within hours, not weeks.
Reference architecture
- Gateway enforces signature/provenance, allows only approved servers/scopes, and injects ephemeral, audience‑bound credentials.
- Registry holds signed artifacts + SBOM attestations, promotes only after policy checks & diffs, and emits inventory/alerts.
- Hosts/Clients present human‑in‑the‑loop confirmations for risky tool calls per MCP guidance.
FAQs
Is MCP itself insecure?
No. The protocol includes sound security guidance. Risks arise from how servers are distributed, permissioned, and monitored, especially when combined with untrusted instructions (prompt/tool poisoning).
What’s the right authentication model?
Avoid token passthrough. Use OIDC-issued, short-lived credentials bound to specific audiences.
How does this map to frameworks?
- OWASP LLM Top 10: Prompt Injection, Supply-Chain, Improper Output Handling.
- NIST AI RMF 1.0 / AI 600-1: Governance, Transparency, Data Security, and Risk Monitoring.
References & Further Reading
- Model Context Protocol. MCP Specification and Security Best Practices, 2025.
- Anthropic. Introducing the Model Context Protocol, 2024.
- Microsoft Developer. Protecting Against Indirect Prompt Injection and Tool Poisoning in MCP, 2025.
- Koi Security. The Postmark-MCP Incident: Malicious NPM Package Exfiltrating Emails, 2025.
- OWASP Gen AI Security Project. 2025 Top 10 Risk & Mitigations for LLMs and Gen AI Apps, 2025.
- Sigstore Blog. Cosign Verification of NPM Provenance, GitHub Artifact Attestations, and Homebrew Provenance, 2025.
- Open Policy Agent. Policy Enforcement Patterns for OPA and Envoy External-Auth Integration, 2025.
