AgilityOS

Home / Blog

MCP Security for AI Agents: Tool Poisoning, Prompt Injection, and Safe Orchestration

AI AgentsSecurityMCPOrchestrationGovernance

Why MCP security is suddenly a board-level topic

Model Context Protocol (MCP) is quickly becoming a standard way to connect AI agents to external tools—databases, ticketing systems, browsers, CRMs, internal APIs, and more. The value is obvious: a consistent interface that lets agents act in the world.

The risk is equally obvious: once an agent can call tools, security stops being only about model outputs and starts being about what actions the system can take.

Two attack families show up repeatedly in real deployments:

OWASP has explicitly documented MCP Tool Poisoning as an emerging attack and provides a useful starting vocabulary for mitigations (see OWASP’s community write-up on the attack and defenses: https://owasp.org/www-community/attacks/MCP_Tool_Poisoning ). The key takeaway: when tools become part of an agent’s “operating environment,” tools are now part of the attack surface.

At AgilityOS, we approach MCP security as an orchestration problem: strong boundaries, runtime policy enforcement, and auditability across every tool call and every step in a long-running workflow.

The threat model: where MCP-connected agents break in production

Most agent security incidents don’t start with “the model went rogue.” They start with inputs the system trusted.

In an MCP-enabled stack, common trust boundaries include:

If any of these are implicitly trusted, attackers can influence behavior without ever “breaking into” the model itself.

MCP Tool Poisoning: what it is and why it’s different

Traditional prompt injection often focuses on untrusted content (a web page, email, document) that contains instructions like “ignore previous directions.” Tool poisoning is broader: it targets the mechanisms that agents use to act.

In MCP Tool Poisoning, attackers can exploit:

Why this matters: agents frequently treat tool responses as authoritative—especially if the workflow is designed to “continue until done.” A poisoned tool response can nudge the agent toward unsafe actions, data exfiltration, or privilege escalation.

Prompt injection for AI agents: still the #1 entry point

Prompt injection remains the most common way to steer an agent into unsafe behavior—especially when agents browse the web, read inbound messages, or process documents.

In production, prompt injection typically shows up as:

The twist in agent systems: prompt injection becomes more dangerous when paired with tools. A successful injection doesn’t just produce bad text—it can produce unauthorized API calls.

Safe orchestration: the control plane that makes MCP usable

Security teams often ask, “How do we secure MCP?” The practical answer is: secure the runtime that orchestrates MCP tool use.

A safe orchestration layer provides controls that are difficult to bolt on later:

This is the difference between “agents as scripts” and an agent control plane.

Practical defenses: what to implement first

Below are the highest-leverage controls we recommend for MCP-connected agents.

1) Treat every tool output as untrusted input

Tool responses should be handled like web content: potentially malicious.

Implement:

A simple rule: tool outputs inform decisions, but they should not become new “system instructions.”

2) Enforce allowlists and capability scoping

Broad tool access is the fastest path to costly incidents.

Implement:

For example: a support-ticket agent may need to read customer context and draft an update, but not issue refunds or change account owners.

3) Runtime policy enforcement (not just “guidelines”)

Policies that live only in prompts are not controls.

Implement enforceable policies such as:

This is where orchestration pays off: policies can be evaluated at runtime with full context—who initiated the workflow, what data is present, what tools are being invoked, and what the agent is attempting to do.

4) Strong identity, auth, and secret handling for tools

MCP makes it easy to connect tools; security requires disciplined identity.

Implement:

If a tool token grants broad access, a prompt injection can become a full account compromise.

5) Human-in-the-loop for irreversible actions

Autonomy should be graduated. A safe default is:

Examples that typically warrant review:

The goal isn’t to slow teams down—it’s to put friction only where the blast radius is real.

6) Audit logs that support forensics (and learning)

Agent systems need logs that answer:

Without this, teams can’t investigate incidents, prove compliance, or improve reliability.

A reference “secure MCP” architecture (what good looks like)

A production-grade setup typically looks like this:

The design principle: agents should never call tools “directly.” They should call tools through a controlled gateway with policies, identity, and logging.

Security checklists for teams piloting MCP

For US enterprise teams moving from proof-of-concept to production, these are the checkpoints that prevent most avoidable failures:

Conclusion

MCP accelerates agent adoption because it standardizes how agents reach tools—but that same convenience expands the attack surface. The safest path is to treat MCP tool use as a governed runtime: least privilege, policy enforcement, and auditable orchestration around every action.

AgilityOS is built for teams deploying autonomous workflows in production, with the control-plane capabilities needed to operate MCP-connected agents safely. For organizations standardizing agent deployments across the United States, reaching out to the AgilityOS team is a practical next step when it’s time to move from experiments to secure, governed orchestration.

Run your business on AgilityOS

Give it tasks in plain language — it executes, delivers, and organizes the work.

Get started free