Machine Learning Development

MCP and security: Protecting AI agent architectures

Tags: AI, mcp

The adoption of Artificial Intelligence (AI) agents is radically transforming the way companies operate. It is no longer just about chatbots answering basic questions; we are entering an era where autonomous agents execute complex tasks, query databases in real time, and make operational decisions.

 

At the center of this revolution is the Model Context Protocol (MCP), an emerging standard that enables language models to seamlessly connect with data sources and external tools.

 

However, opening the doors of our internal systems to generative AI poses unprecedented security challenges. If an agent has the ability to read emails, execute SQL queries, or modify records in a CRM, how do we ensure it only does what it is supposed to do?

 

Security in agent-driven architectures is not an optional feature; it is the essential foundation to prevent data leaks and unauthorized access.

 

At Rootstack, we understand that innovation must go hand in hand with protection. In this article, we will explore what MCP is and, more importantly, how to design a robust security strategy that protects your data, controls access, and supervises the actions of your AI agents.

 


What is the Model Context Protocol (MCP) and why does it matter?

To protect something, we must first understand how it works. The Model Context Protocol (MCP) acts as a universal language to connect AI assistants with systems where data resides (such as Google Drive, Slack, GitHub, or PostgreSQL databases).

 

Before MCP, each integration required a custom and fragmented connector. With MCP, there is a standardized way for AI to “see” and “act” on your company’s context.

 

The inherent risk lies in this ease of connection. An MCP-enabled agent may have access to a large amount of unstructured information. If the architecture is not properly segmented, a user could persuade the agent (using techniques such as prompt injection) to reveal confidential information that the user should not have access to, or worse, execute destructive actions.

 

Security pillars in agent architectures

Protecting an MCP-based ecosystem requires a defense-in-depth approach that covers three critical areas: data, access, and actions. Below, we outline the essential strategies to secure your infrastructure.

 

1. Data Protection

The first step is ensuring that the agent only “sees” what is strictly necessary. Language models are voracious; if you give them access to an entire database, they will process everything they find.

  • Context filtering: Do not connect raw data sources directly to the agent. Implement an intermediate layer that filters sensitive information (PII, financial data) before it reaches the model.
  • Encryption in transit and at rest: Ensure that all communication between the MCP client, host, and MCP server is encrypted using TLS 1.3 (this applies to remote transports; a locally spawned stdio server does not cross the network, so encryption at rest and process isolation matter more there).
  • Output validation: Implement mechanisms to inspect what the agent returns. If the response contains patterns matching credit card numbers or passwords, the system must automatically block the output.
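The output-validation step above, as an added example written for this article (it is not Rootstack's code nor part of any MCP SDK): an intermediate layer scans an agent response for card numbers and leaked passwords before it reaches the user. The sample response, the regular expressions and the Luhn check are all constructed here; real deployments would extend the pattern set to the PII classes that matter to them.

```python
import re

# Constructed sample of what an agent might return after reading a support
# ticket; the card number is the standard Visa test number and the password is
# made up (neither comes from the article).
SAMPLE_RESPONSE = (
    "Customer paid with card 4111 1111 1111 1111; "
    "the support password is Hunter2! and the order id is 4111111111111112."
)

# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# "password is X", "password: X", "pwd=X" and similar.
PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)\s*(?:is|:|=)\s*(\S+)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_output(text: str) -> dict:
    """Scan an agent response; return the redacted text and whether to block it."""
    findings: list = []

    def card_sub(m) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append("card")
            return "[REDACTED CARD]"
        return m.group(0)       # long number, but not a card: leave it alone

    def password_sub(m) -> str:
        findings.append("password")
        return f"{m.group(1)} [REDACTED]"

    redacted = CARD_RE.sub(card_sub, text)
    redacted = PASSWORD_RE.sub(password_sub, redacted)
    # Policy from the article: any hit blocks the raw output; the redacted
    # form is what gets logged or shown instead.
    return {"blocked": bool(findings), "findings": findings, "redacted": redacted}


if __name__ == "__main__":
    result = check_output(SAMPLE_RESPONSE)
    print(result["blocked"], result["findings"])
    print(result["redacted"])
```

The Luhn check is what keeps the filter from blocking every order number or tracking id that happens to be sixteen digits long; the order id in the sample survives while the real card number is redacted.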

 

2. Access Control: Authentication and Granular Authorization

Identity is everything. An agent should not have a “master key.” It must operate under the principle of least privilege.

  • End-user identity: The agent must inherit the permissions of the human user interacting with it. If employee “A” does not have permission to view payroll data in the HR system, the agent acting on their behalf should not have it either.
  • Short-lived access tokens: Avoid long-lived static API keys. Use OAuth tokens that expire quickly and require renewal.
  • Access control lists (ACLs): Explicitly define which resources (files, tables, API endpoints) each agent instance can access.
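The three access-control points above combined in one check, as an added example written for this article (not Rootstack's code and not any particular MCP server's API): the agent carries a short-lived token minted for the human user, every tool call is authorized against that user's scopes and the resource ACL, and an expired token is rejected before anything else is looked at. The ACL, the tool-to-scope mapping and the five-minute lifetime are constructed values.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessToken:
    """Short-lived token minted for the human user; the agent only carries it."""
    subject: str          # the end user, never the agent itself
    scopes: frozenset     # what the token may do
    expires_at: float     # unix time


@dataclass(frozen=True)
class ToolCall:
    tool: str
    resource: str


TOKEN_TTL_SECONDS = 300  # five minutes; after that the client must renew

# Constructed ACL: which subjects may touch which resource. In production this
# comes from the HR/CRM system's own permission model, not a literal dict.
RESOURCE_ACL = {
    "hr.payroll": frozenset({"hr_manager"}),
    "crm.contacts": frozenset({"sales_rep", "hr_manager"}),
}

# Each MCP tool is mapped to the scope it requires (constructed names).
TOOL_SCOPES = {
    "read_table": "tools:read",
    "update_record": "tools:write",
}


class AuthorizationError(Exception):
    pass


def mint_token(subject: str, scopes: set, now: Optional[float] = None) -> AccessToken:
    now = time.time() if now is None else now
    return AccessToken(subject, frozenset(scopes), now + TOKEN_TTL_SECONDS)


def authorize(token: AccessToken, call: ToolCall, now: Optional[float] = None) -> bool:
    """Every check must pass; the agent has no standing of its own."""
    now = time.time() if now is None else now
    if now >= token.expires_at:
        raise AuthorizationError("token expired; renew before calling tools")
    required = TOOL_SCOPES.get(call.tool)
    if required is None:
        raise AuthorizationError(f"unknown tool {call.tool!r}")
    if required not in token.scopes:
        raise AuthorizationError(f"token lacks scope {required}")
    if token.subject not in RESOURCE_ACL.get(call.resource, frozenset()):
        raise AuthorizationError(f"{token.subject} may not access {call.resource}")
    return True


def is_denied(token: AccessToken, call: ToolCall, now: Optional[float] = None) -> bool:
    """Convenience wrapper: True when authorize() rejects the call."""
    try:
        authorize(token, call, now)
    except AuthorizationError:
        return True
    return False


def run_tool(token: AccessToken, call: ToolCall, now: Optional[float] = None) -> dict:
    """Gate the tool behind authorize(); the backend call is simulated."""
    authorize(token, call, now)
    return {"tool": call.tool, "resource": call.resource, "as_user": token.subject}


if __name__ == "__main__":
    t0 = time.time()
    sales = mint_token("sales_rep", {"tools:read"}, now=t0)
    print(run_tool(sales, ToolCall("read_table", "crm.contacts"), now=t0))
    print(is_denied(sales, ToolCall("read_table", "hr.payroll"), now=t0))
```

The `now` parameter exists so the expiry path can be exercised deterministically; a real server would simply call `time.time()`. The important design point is the order of checks: expiry first, then scope, then the resource ACL, so that a stale token never gets as far as a permission lookup.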

 

3. Action Supervision: Human-in-the-Loop

An agent’s ability to execute actions (such as “send email” or “update inventory”) is where the greatest operational risk lies. A model hallucination could trigger a series of undesirable events.

  • Read-only mode by default: Configure your MCP servers so that, by default, agents can only read data, not modify it. Write capabilities must be explicitly enabled on a case-by-case basis.
  • Human approval (Human-in-the-Loop): For critical or high-impact actions (such as bank transfers or data deletion), the agent must prepare the action and request explicit user confirmation before executing it.
  • Immutable audit logs: Every “thought,” query, and action performed by the agent must be logged. This is vital for forensic analysis in the event of a security incident and for understanding the model’s behavior over time.
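The three supervision controls above in one tool gateway, as an added example written for this article (not Rootstack's code and not part of any MCP implementation): write tools are off unless the server is explicitly started with writes enabled, tools marked critical return a pending-approval record instead of executing until a human confirms, and every outcome goes into a hash-chained audit log whose `verify()` fails if an entry is edited or removed. The tool registry and criticality labels are constructed.

```python
import hashlib
import json
import time

GENESIS = "0" * 64

# Constructed tool registry. Read tools are always available; write tools are
# off unless the gateway is started with writes enabled, and "critical" ones
# additionally require human approval.
READ_TOOLS = {"get_inventory", "search_orders"}
WRITE_TOOLS = {
    "update_inventory": "normal",
    "delete_customer": "critical",
    "transfer_funds": "critical",
}


class AuditLog:
    """Append-only log where each entry commits to the hash of the previous
    one, so editing or dropping an entry breaks verify()."""

    def __init__(self) -> None:
        self.entries: list = []
        self._prev = GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: dict) -> str:
        body = {"ts": time.time(), "prev": self._prev, "event": event}
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        self._prev = digest
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class ToolGateway:
    def __init__(self, writes_enabled: bool = False) -> None:
        self.writes_enabled = writes_enabled   # read-only by default
        self.audit = AuditLog()

    def invoke(self, tool: str, args: dict, user: str, approved: bool = False) -> dict:
        if tool in READ_TOOLS:
            return self._execute(tool, args, user, "read")
        if tool not in WRITE_TOOLS:
            return self._deny(tool, args, user, "unknown tool")
        if not self.writes_enabled:
            return self._deny(tool, args, user, "server is read-only")
        if WRITE_TOOLS[tool] == "critical" and not approved:
            # The agent prepares the action; a human must confirm before it runs.
            self.audit.append({"user": user, "tool": tool, "args": args,
                               "status": "pending_approval"})
            return {"status": "pending_approval", "tool": tool, "args": args}
        return self._execute(tool, args, user, "write")

    def _deny(self, tool: str, args: dict, user: str, reason: str) -> dict:
        self.audit.append({"user": user, "tool": tool, "args": args,
                           "status": "denied", "reason": reason})
        return {"status": "denied", "reason": reason}

    def _execute(self, tool: str, args: dict, user: str, kind: str) -> dict:
        # Simulated backend call; a real server would dispatch to the tool here.
        self.audit.append({"user": user, "tool": tool, "args": args,
                           "status": "executed", "kind": kind})
        return {"status": "executed", "tool": tool}


if __name__ == "__main__":
    gw = ToolGateway(writes_enabled=True)
    print(gw.invoke("transfer_funds", {"amount": 100}, "alice"))
    print(gw.invoke("transfer_funds", {"amount": 100}, "alice", approved=True))
    print(gw.audit.verify())
```

In a real deployment the `approved` flag would be the result of an out-of-band confirmation (a ticket, a signed approval, a UI prompt) rather than a parameter the caller can set, and the log would be shipped to a write-once store; the hash chain is what lets the forensic reader prove the copy they hold is the one that was written.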

 


Recommended security architecture for MCP

Implementing these measures requires an architecture designed with security in mind (Security by Design). At Rootstack, we recommend a topology that isolates critical components.

 

Sandboxing and Containers

Run your MCP servers in isolated environments such as Docker containers or micro-VMs. If an agent is compromised, the attacker is confined to that container and cannot reach the main corporate network directly. This limits the “blast radius” of any compromise; since a container is a weaker boundary than a micro-VM, pair it with network policies that only let the server reach the backends it actually serves.

 

AI API Gateways

Use a centralized AI Gateway that manages all traffic between users, LLM models, and your internal tools. This Gateway acts as an intelligent firewall that can:

  • Detect prompt injection attacks.
  • Apply rate limiting to prevent resource abuse.
  • Manage unified authentication.
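The rate-limiting role of the gateway, as an added example written for this article (not Rootstack's code and not a feature of any specific gateway product): a per-identity token bucket that allows a short burst and then a sustained rate, keyed by the identity the gateway's unified authentication has already established rather than by IP address. Capacity, refill rate and the identities are constructed values.

```python
from dataclasses import dataclass


@dataclass
class _Bucket:
    tokens: float   # requests currently available to this identity
    last: float     # timestamp of the last refill computation


class RateLimiter:
    """Per-identity token bucket: `capacity` requests may burst at once, then
    `refill_per_second` is sustained. Keying by authenticated identity means a
    single user cannot exhaust the LLM or tool budget for everyone."""

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity = capacity
        self.refill = refill_per_second
        self._buckets: dict = {}

    def allow(self, identity: str, now: float) -> bool:
        bucket = self._buckets.get(identity)
        if bucket is None:
            bucket = _Bucket(tokens=float(self.capacity), last=now)
            self._buckets[identity] = bucket
        # Credit whatever has accrued since the last call, capped at capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(float(self.capacity), bucket.tokens + elapsed * self.refill)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def simulate(limiter: RateLimiter, identity: str, times: list) -> list:
    """Replay a sequence of request timestamps and report each decision."""
    return [limiter.allow(identity, t) for t in times]


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_second=1.0)
    print(simulate(limiter, "alice", [0.0, 0.0, 0.0, 0.0, 1.0, 1.0]))
```

A denied call should surface as a clean error to the agent (so it backs off) and as an event in the same audit trail used for tool actions; a sustained stream of denials for one identity is itself a signal worth alerting on.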

 

The role of Rootstack in your security

The transition to agent-driven architectures offers undeniable competitive advantages, but the technical complexity should not be underestimated.

 

Securely implementing MCP requires expertise in both modern software development and cybersecurity.

 

At Rootstack, we help organizations navigate this new landscape. We take care of:

  • Infrastructure auditing: We assess your current systems to identify risks before connecting any AI.
  • Secure MCP connector development: We create custom integrations that respect your data governance policies.
  • Monitoring implementation: We configure observability tools so you always know what your agents are doing.

 


Toward an autonomous and secure future

Security in the era of AI agents is not a destination, but a continuous process. As models become more capable, defense strategies must evolve at the same pace.

 

Protecting data, rigorously managing access, and supervising every action are non-negotiable steps for any company seeking to leverage the power of MCP without compromising its integrity or the trust of its ecosystem.

 

By building on a solid and secure foundation, your organization can unlock true automation: teams focused on strategy, while digital agents execute processes efficiently, securely, and reliably.

 

Is your company ready to take this step?

 

At Rootstack, we help organizations design and implement secure, scalable AI solutions aligned with standards such as MCP.

 

Contact us and let’s talk about how to take your AI strategy to the next level, without sacrificing security.

 

Want to learn more about Rootstack? We invite you to watch this video.