MCP Security for AI Agents: Tool Poisoning, Prompt Injection, and Safe Orchestration
Why MCP security is suddenly a board-level topic
Model Context Protocol (MCP) is quickly becoming a standard way to connect AI agents to external tools—databases, ticketing systems, browsers, CRMs, internal APIs, and more. The value is obvious: a consistent interface that lets agents act in the world.
The risk is equally obvious: once an agent can call tools, security stops being only about model outputs and starts being about what actions the system can take.
Two attack families show up repeatedly in real deployments:
- Prompt injection: manipulating the agent’s instructions or context so it behaves unsafely.
- Tool poisoning (including MCP Tool Poisoning): compromising the tools, tool metadata, or tool outputs so the agent takes harmful actions.
OWASP has explicitly documented MCP Tool Poisoning as an emerging attack and provides a useful starting vocabulary for mitigations (see OWASP’s community write-up on the attack and defenses: https://owasp.org/www-community/attacks/MCP_Tool_Poisoning ). The key takeaway: when tools become part of an agent’s “operating environment,” tools are now part of the attack surface.
At AgilityOS, we approach MCP security as an orchestration problem: strong boundaries, runtime policy enforcement, and auditability across every tool call and every step in a long-running workflow.
The threat model: where MCP-connected agents break in production
Most agent security incidents don’t start with “the model went rogue.” They start with inputs the system trusted.
In an MCP-enabled stack, common trust boundaries include:
- Tool discovery and descriptions (what capabilities a tool claims)
- Tool outputs (data returned by a connector, web page, or internal API)
- Memory and state (what gets persisted between steps)
- Human handoffs (approvals, reviews, ticket updates)
- Secrets and credentials (how tools authenticate)
- The orchestration layer (what is allowed to run, when, and with what permissions)
If any of these are implicitly trusted, attackers can influence behavior without ever “breaking into” the model itself.
MCP Tool Poisoning: what it is and why it’s different
Traditional prompt injection often focuses on untrusted content (a web page, email, document) that contains instructions like “ignore previous directions.” Tool poisoning is broader: it targets the mechanisms that agents use to act.
In MCP Tool Poisoning, attackers can exploit:
- Malicious or compromised MCP servers/connectors
- Tampered tool schemas or tool descriptions that misrepresent behavior
- Manipulated tool outputs that include hidden instructions or misleading data
- Dependency confusion or supply-chain issues in tool hosting and deployment
Why this matters: agents frequently treat tool responses as authoritative—especially if the workflow is designed to “continue until done.” A poisoned tool response can nudge the agent toward unsafe actions, data exfiltration, or privilege escalation.
Prompt injection for AI agents: still the #1 entry point
Prompt injection remains the most common way to steer an agent into unsafe behavior—especially when agents browse the web, read inbound messages, or process documents.
In production, prompt injection typically shows up as:
- Instruction hijacking: untrusted content overrides system policies.
- Data exfiltration: the agent is coerced into revealing secrets (API keys, internal docs) via tool calls.
- Policy evasion: the agent is tricked into taking disallowed actions (“just do it once”).
The twist in agent systems: prompt injection becomes more dangerous when paired with tools. A successful injection doesn’t just produce bad text—it can produce unauthorized API calls.
Safe orchestration: the control plane that makes MCP usable
Security teams often ask, “How do we secure MCP?” The practical answer is: secure the runtime that orchestrates MCP tool use.
A safe orchestration layer provides controls that are difficult to bolt on later:
- Least-privilege tool access per agent, per workflow, per step
- Runtime policy enforcement that can block, require approval, or redact
- Deterministic audit logs of decisions, tool calls, and data flows
- Separation of duties between builders, operators, and approvers
- Incident response hooks (kill-switches, quarantine, replay)
This is the difference between “agents as scripts” and an agent control plane.
Practical defenses: what to implement first
Below are the highest-leverage controls we recommend for MCP-connected agents.
1) Treat every tool output as untrusted input
Tool responses should be handled like web content: potentially malicious.
Implement:
- Output sanitization (strip or quarantine executable instructions)
- Content-type validation (don’t parse HTML as JSON, etc.)
- Schema validation against strict, versioned contracts
- Instruction isolation (keep tool outputs out of the instruction channel)
A simple rule: tool outputs inform decisions, but they should not become new “system instructions.”
2) Enforce allowlists and capability scoping
Broad tool access is the fastest path to costly incidents.
Implement:
- Tool allowlists (only approved MCP servers/tools)
- Capability scoping (read-only vs write; specific endpoints only)
- Environment scoping (dev vs prod; tenant boundaries)
- Time-bound access (short-lived grants for sensitive actions)
For example: a support-ticket agent may need to read customer context and draft an update, but not issue refunds or change account owners.
3) Runtime policy enforcement (not just “guidelines”)
Policies that live only in prompts are not controls.
Implement enforceable policies such as:
- Data loss prevention (DLP) checks before any outbound tool call
- PII/PHI redaction rules depending on workflow context
- Approval gates for high-impact actions (money movement, deletions, permissions)
- Rate limits and spend caps to prevent runaway execution
This is where orchestration pays off: policies can be evaluated at runtime with full context—who initiated the workflow, what data is present, what tools are being invoked, and what the agent is attempting to do.
4) Strong identity, auth, and secret handling for tools
MCP makes it easy to connect tools; security requires disciplined identity.
Implement:
- Per-agent identities (no shared “god tokens”)
- Short-lived credentials (OIDC where possible)
- Secret vault integration with audited access
- Scoped service accounts aligned to least privilege
If a tool token grants broad access, a prompt injection can become a full account compromise.
5) Human-in-the-loop for irreversible actions
Autonomy should be graduated. A safe default is:
- Autonomous for low-risk, reversible actions
- Approval required for high-risk, irreversible actions
Examples that typically warrant review:
- Changing payment terms
- Deleting records
- Granting permissions
- Sending external emails to large distributions
- Publishing code or infrastructure changes
The goal isn’t to slow teams down—it’s to put friction only where the blast radius is real.
6) Audit logs that support forensics (and learning)
Agent systems need logs that answer:
- What was the input?
- What did the agent decide and why?
- Which tools were called, with what parameters?
- What data left the boundary?
- Which policy allowed or blocked the step?
Without this, teams can’t investigate incidents, prove compliance, or improve reliability.
A reference “secure MCP” architecture (what good looks like)
A production-grade setup typically looks like this:
- Agent runtime (LLM + planner/executor)
- Orchestration layer (workflow state, retries, approvals, scheduling)
- Policy engine (runtime checks: DLP, RBAC/ABAC, approvals, spend caps)
- Tool gateway (MCP client that enforces allowlists, schema checks, and identity)
- Observability stack (structured logs, traces, evaluations, alerts)
- Secrets + identity (vault, OIDC, short-lived tokens)
The design principle: agents should never call tools “directly.” They should call tools through a controlled gateway with policies, identity, and logging.
Security checklists for teams piloting MCP
For US enterprise teams moving from proof-of-concept to production, these are the checkpoints that prevent most avoidable failures:
- Inventory every MCP server/tool and classify data sensitivity
- Define allowed actions per agent (capabilities, not just prompts)
- Implement runtime approval for high-risk actions
- Validate tool schemas and sanitize tool outputs
- Use per-agent identities and least-privilege service accounts
- Log every tool call with enough detail for forensics
- Add a kill-switch and quarantine mode for suspicious workflows
Conclusion
MCP accelerates agent adoption because it standardizes how agents reach tools—but that same convenience expands the attack surface. The safest path is to treat MCP tool use as a governed runtime: least privilege, policy enforcement, and auditable orchestration around every action.
AgilityOS is built for teams deploying autonomous workflows in production, with the control-plane capabilities needed to operate MCP-connected agents safely. For organizations standardizing agent deployments across the United States, reaching out to the AgilityOS team is a practical next step when it’s time to move from experiments to secure, governed orchestration.