Securing the Future of AI Agents: How Kindo Governs MCP Workflows
What is the Model Context Protocol (MCP)?
The Model Context Protocol (MCP) is an open standard introduced by Anthropic in late 2024 to bridge the gap between AI models and the real-world systems where data and tools reside. Even the most advanced large language models (LLMs) have historically been isolated from up-to-date data and external applications – they can’t naturally access current databases, business apps, or cloud services on their own.
This isolation forces developers to write one-off integrations or plugins for each data source or API, an approach that is brittle and hard to scale. MCP addresses this by defining a universal interface that allows AI assistants to connect with many different data repositories and services through a single standardized protocol. In other words, MCP acts like a “USB-C port” for AI applications, providing a common plug that replaces dozens of custom adapters for different tools.
Under the hood, MCP follows a simple client–server architecture. Developers can deploy MCP servers that expose specific capabilities or data (for example, a server for Gmail, a server for a database, etc.), and then build AI agents (MCP clients) that connect to those servers via the protocol. Communication happens through JSON-based messages, enabling secure two-way interactions between the AI and the external system.
By standardizing how context (documents, queries, tool actions) is exchanged, MCP makes it much easier for AI agents to fetch information or trigger operations across diverse systems. The end goal is that AI assistants can deliver better, more relevant responses by dynamically pulling in the latest data and taking actions on the user’s behalf in a consistent, scalable way.
Security Risks and Challenges of MCP
Like any powerful new technology, MCP introduces security risks and challenges that organizations must consider. Below are some of the key concerns that have emerged in discussions by the AI and security community.
1. Authentication & Access Control
Exposing many tools via MCP means there’s a new intermediary handling potentially sensitive commands, so every MCP endpoint needs authentication and per-tool permission controls. Without strong access control, an AI agent could invoke tools or read data it shouldn’t, or a malicious party could hijack an MCP endpoint. Open-source efforts like MCP Guardian have already appeared to log all requests and enforce policies on tool usage, underlining the need for strict gatekeeping on what the AI can do.
2. Trusting External Tools/Servers
MCP makes it easy for an agent to plug into any number of external servers or APIs – but not all of those will be trustworthy. Left unchecked, an agent that discovers and adds its own integrations might connect to untrusted or even malicious MCP servers; in effect, it could load a “tool” that is actually malware or that leaks data. Without governance (e.g. whitelists or an approved registry of tools), an attacker could trick the agent into loading a harmful integration, posing massive security and privacy risks.
3. Prompt Injection Attacks
Because MCP allows natural language to drive actions, it opens the door to indirect prompt injection exploits. An attacker could make a seemingly innocuous input (for example, a chat message or email) that contains hidden instructions. When the AI agent reads it, those hidden commands could execute unwanted tool actions via MCP. For example, a cleverly formed email might cause an AI assistant to issue an MCP command to forward confidential files to an attacker’s address. This is a new kind of supply-chain attack through the AI’s language interface – one that users might not notice, since the trigger is buried in content the AI is asked to process.
4. Credential & Server Compromise
MCP servers often need access to private data or APIs, which means they store credentials or tokens (such as API keys, OAuth tokens, etc.) for the services they connect to. This creates a juicy target for attackers. If an MCP server is compromised, the attacker can gain access to all the integrated services and data that server has credentials for – essentially the “keys to the kingdom”. Even just stealing a token (without breaching the server code) can enable full account takeover. Notably, using a stolen token via MCP might not trigger typical security alerts, because it can look like normal API traffic from the legitimate server. This makes detection harder while the attacker quietly pillages data or issues malicious commands on behalf of the AI’s user.
Kindo’s Governance Platform - Mitigating MCP Risks
So, how do we address these challenges?
At Kindo, we understand that granting AI agents access to powerful tools and sensitive data through protocols like MCP requires a strong governance framework. That is why the Kindo platform offers a comprehensive agent governance architecture designed to mitigate these risks. In effect, Kindo serves as a central hub for security and policy enforcement, positioned between the AI agents, the tools they use, and the data or LLMs they access.

As shown in the figure above, Kindo’s platform governance module sits at the center of the AI ecosystem. On one side, it connects to a wide range of tools and MCP servers (databases, SaaS apps like Slack, ServiceNow, GitHub, Splunk, etc.), and on the other side it interfaces with various LLMs (from providers like OpenAI, Anthropic, Meta, and others).
The AI agent (and its chat interface) does not talk to these tools or models directly, but instead goes through the governance layer. This allows Kindo to inspect and control every interaction: the platform can enforce policies (e.g. role-based access restrictions on which actions are allowed), perform real-time data loss prevention (DLP) scanning on the agent’s inputs/outputs, and log all activities for audit purposes.
Governance is administered through a secure admin portal, giving human administrators a dashboard to review agent behavior, adjust policies, and ensure compliance. In short, Kindo inserts an essential trust and safety layer into the MCP-driven agent workflow – so organizations can leverage powerful AI tools without giving the AI free rein over their systems. Concretely, Kindo’s platform provides several enterprise-grade security controls to govern AI agents.
1. Data Loss Prevention (DLP)
The platform includes built-in DLP filters that scan the content of prompts and responses. Sensitive information (company IP, personally identifiable info, credentials, etc.) can be automatically detected and scrubbed before the prompt is sent to an LLM or before an agent’s output is returned. By tokenizing or removing secrets and sensitive data on the fly, Kindo reduces the risk of accidental data leakage through the AI’s context. This directly counters certain prompt injection scenarios and ensures compliance with data handling policies even as the AI is pulling in information from various sources.
2. Comprehensive Audit Logging
Every interaction that flows through Kindo is recorded in detailed audit logs. This includes all messages between humans and agents, the tools invoked via MCP, the LLM queries and responses, etc. Kindo maintains these logs in a structured JSON format, making it easy for security teams to review what the AI is doing. The audit trail provides accountability – if the AI makes a change to a system, there is a record of who/what prompted it, what tool was used, and what the result was. In case of an incident or anomaly, investigators can trace back the AI’s actions step-by-step. This level of observability is essential for deploying AI agents in sensitive environments, and it’s something that vanilla MCP lacks by default.
3. Secrets Management & Isolation
To tackle the risk of credential exposure, Kindo never exposes raw secrets to the AI agent. Instead, it integrates with enterprise secret managers (like AWS KMS, HashiCorp Vault, etc.) to securely store API keys and tokens. When an agent needs to use a credential (say to call an external API via an MCP server), Kindo retrieves it securely and provides just the needed token at execution time – the agent itself doesn’t keep or see the secret value. This limits the impact of a compromised agent or prompt injection; even if an attacker somehow manipulated the agent, they can’t simply steal a pile of API keys because those are vaulted behind Kindo’s governance layer. Additionally, by segmenting the agent’s connections, Kindo can ensure an AI session only has access to the credentials required for its current task, following the principle of least privilege.
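As an added example, not Kindo’s implementation, here is a minimal governance gateway in Python that applies the controls from the last three sections to one MCP tools/call request, in order: a per-role tool allowlist, DLP scrubbing of the arguments, a credential resolved from a vault at execution time and attached only to the upstream call, and a structured audit record that stores the credential reference rather than its value. The request follows MCP’s JSON-RPC 2.0 message shape; the tool names, policy table, vault paths, DLP patterns and sample request are all constructed.

```python
import json
import re

# Constructed MCP "tools/call" request (JSON-RPC 2.0 shape) as an agent would emit it.
AGENT_REQUEST = json.dumps({
    "jsonrpc": "2.0", "id": 7, "method": "tools/call",
    "params": {"name": "gmail.send", "arguments": {
        "to": "partner@example.com",
        "body": "Use key sk_live_1234567890abcdef to pull the Q3 report"}}})

# Approved tool registry per role (hypothetical policy table, not Kindo's schema).
TOOL_POLICY = {"analyst": {"jira.search", "splunk.query"},
               "ops": {"jira.search", "splunk.query", "gmail.send"}}
# Tool -> vault reference; resolved by the gateway at call time, never handed to the agent.
TOOL_SECRETS = {"gmail.send": "secret/gmail/oauth"}
VAULT = {"secret/gmail/oauth": "ya29.constructed-oauth-token"}  # stand-in for Vault/KMS
DLP_PATTERNS = [("api_key", re.compile(r"\bsk_live_[A-Za-z0-9]{16,}\b")),
                ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"))]
AUDIT_LOG = []  # one JSON-serialisable record per governed call

def scrub(text):
    """Replace matched secrets/PII with a typed placeholder; return (text, hit_count)."""
    hits = 0
    for label, pattern in DLP_PATTERNS:
        text, n = pattern.subn(f"[{label}-redacted]", text)
        hits += n
    return text, hits

def govern(raw_msg, role, session):
    """Gate one agent request: allowlist -> DLP scrub -> vaulted credential -> audit."""
    msg = json.loads(raw_msg)
    tool = msg.get("params", {}).get("name")
    record = {"session": session, "role": role, "tool": tool, "request_id": msg.get("id")}
    if msg.get("method") != "tools/call" or tool not in TOOL_POLICY.get(role, set()):
        record["decision"] = "deny"
        AUDIT_LOG.append(record)
        return {"jsonrpc": "2.0", "id": msg.get("id"),
                "error": {"code": -32001, "message": f"{tool} not permitted for role {role}"}}
    args, hits = {}, 0
    for key, value in msg["params"]["arguments"].items():
        if isinstance(value, str):
            value, n = scrub(value)
            hits += n
        args[key] = value
    secret_ref = TOOL_SECRETS.get(tool)
    credential = VAULT.get(secret_ref)  # attached to the upstream call only; agent never sees it
    record.update(decision="allow", dlp_hits=hits, credential_ref=secret_ref)  # ref, not value
    AUDIT_LOG.append(record)
    return {"jsonrpc": "2.0", "id": msg["id"], "result": {  # what would go to the MCP server
        "forwarded": {"name": tool, "arguments": args}, "authenticated": credential is not None}}
```

Calling `govern(AGENT_REQUEST, "analyst", "sess-1")` is denied by the allowlist, while the same request from the `ops` role is forwarded with the API key in the body replaced by `[api_key-redacted]` and the audit record naming only the vault path.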
4. Secure Deployment Architecture
The design of Kindo’s platform itself takes into account enterprise network security. Kindo can be self-hosted within the organization’s own cloud or on-prem environment, rather than as a public SaaS service. Running the whole agent framework in a controlled environment means that all data, MCP connections, and LLM interactions stay within the company’s security perimeter. This avoids the issue of having to pipe sensitive internal data out to a third-party service. Kindo’s governance layer essentially becomes part of the enterprise infrastructure, subject to the same security monitoring and compliance rules as the rest of the stack. By operating behind the firewall with full admin oversight, Kindo addresses organizational requirements for data residency, compliance, and integration with internal systems.
Kindo’s Value in Securing MCP-Driven AI Ecosystems
As AI agents become more capable through protocols like MCP, it’s vital to also raise the bar on security and governance. The model context protocol opens exciting possibilities for AI to interact with the world of tools and data – but as we’ve seen, it also expands the attack surface and complexity in ways that traditional security controls weren’t designed to handle. Kindo’s platform is purpose-built to fill this gap.
It combines the flexibility of MCP with enterprise security guardrails, allowing organizations to harness autonomous AI agents confidently. By enforcing policies, monitoring all AI activities, and preventing data leaks or misuse, Kindo provides a comprehensive vantage point to ensure these AI integrations remain safe and compliant.
In practice, Kindo enables the best of both worlds: companies can leverage powerful LLMs and a rich ecosystem of MCP-connected tools to automate tasks, boost productivity, and respond faster – all while maintaining full visibility and control over what the AI is doing. The value proposition is clear: unlock the potential of agentic AI, without losing sleep over security.
In an era where cyber adversaries are also exploring AI, Kindo offers a way to stay one step ahead, empowering security and operations teams with AI agents that are effective, accountable, and secure by design. With Kindo’s governance layer protecting the MCP-driven ecosystem, enterprises can confidently adopt autonomous agents to streamline workflows, knowing that defenses and oversight are built in every step of the way.
Request a demo to find out what we can do for your security team.