AI Security & Governance · May 16, 2026 · 5 min read

MCP's Identity Crisis: Why Agent Security Can't Wait

CoSAI's RSAC 2026 session revealed MCP's identity crisis. Here's what the governance gap means for businesses building with AI agents — and what to do about it.

By Springvanta

At RSAC 2026 in San Francisco, the security community got a clear signal about where AI agent infrastructure is headed — and where the cracks are already forming. Jason Clinton and a team from the Coalition for Secure AI (CoSAI) presented "Securing MCP: Mitigating New Threats in Agentic AI Deployments" to a packed room at Moscone West. They walked through twelve threat categories and nearly forty individual threats spanning the full MCP stack. But the slides weren't the story. The Q&A was. When the floor opened, nobody asked about novel attack vectors or supply chain poisoning. Every question converged on the same problem: identity and authorization. Who is making this request? How do I know? What happens when an agent acts on behalf of a user across multiple hops? That convergence confirmed what many security practitioners suspected but hadn't seen validated so viscerally: identity is the load-bearing wall of MCP security, and most production deployments haven't poured the foundation yet.

The Architecture That Creates the Problem

In a conventional application, a user authenticates and a request gets made. The identity of the caller is clear. In an MCP-based agentic system, a user's request may pass through an orchestrating agent, traverse one or more intermediate MCP servers, and finally reach a downstream tool or API. Each hop makes decisions on behalf of the original caller. Each hop is a potential confused deputy. Traditional authentication answers "who are you?" MCP deployments need to answer a harder question: who authorized this action, through what chain, and with what scope? This isn't theoretical. The Asana incident from May 2025, where a tenant isolation flaw allowed cross-organization data contamination affecting up to 1,000 enterprises, was rooted in this exact class of failure. A WordPress plugin CVE from that same period involved privilege escalation through improper authorization in an MCP implementation. These aren't sophisticated attacks. They're the predictable consequences of deploying agents without rigorously applying identity and access control principles.

The Scale Has Already Outpaced the Controls

The numbers tell the story of adoption running far ahead of governance. In July 2025, Knostic researchers scanned the public internet and found 1,862 exposed MCP servers. None required authentication. Of a sampled 119, every single one returned a full list of available tools to any anonymous request, including connectors to production databases and cloud management systems. By late 2025, SecurityWeek reported that 43% of public MCP servers were vulnerable to command injection. In April 2026, The Hacker News documented a "by design" RCE flaw in Anthropic's official SDK affecting more than 7,000 publicly accessible servers and 150 million package downloads. Meanwhile, the MCP registry has grown to over 5,000 servers with 97 million monthly SDK downloads, a 7.8× increase in a single year. Enterprise adoption is moving at the speed the protocol demands. The security layer is not.

[Figure: MCP Security Controls: Enterprise Readiness Gap]

What the Experts Recommend

CoSAI's MCP Security paper, produced with contributions from security practitioners at Anthropic, Google, IBM, Intel, NVIDIA, Cisco, and others, lays out five concrete recommendations that every organization deploying AI agents should implement now.

1. Make every request traceable. All requests should be traceable across the entire execution chain. The emerging standard for workload-level identity is SPIFFE/SPIRE, which provides cryptographic workload identities carried through the execution chain as auditable records of every hop.

2. Never pass through OAuth tokens. This is the single most common mistake in production MCP deployments. When an MCP server receives a user's OAuth token and passes it directly downstream, anything in the chain can impersonate the original user. The fix: perform token exchange with the authorization server using RFC 8693, producing a new token scoped to the specific operation.

3. Reduce scope to the minimum required. MCP servers commonly request overly broad permission scopes. The June 2025 MCP spec revision (SEP-835) adds native support for defining scopes at the tool level. Use it. Remove write scopes when only read access is required.

4. Use short-lived tokens with proof-of-possession. Long-lived tokens in multi-agent systems are a compounding risk. Combine short-lived tokens with DPoP (RFC 9449), which cryptographically binds a token to the client that requested it.

5. Use your existing identity infrastructure. You do not need a new identity system for MCP; use your existing identity providers. Register MCP servers as OAuth clients with your IAM provider. Make them first-class participants in your existing identity architecture, not a parallel stack.
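The confused-deputy chain from the architecture section and recommendations 2 through 4 above are easiest to see in code. The following is an added example written for this article; it is not code from the CoSAI paper, from any MCP SDK, or from an authorization server product. It models a toy authorization server, an MCP server and a downstream CRM tool. Tokens are HMAC-signed JSON rather than real JWTs, the `act` claim is a flat list of actors rather than RFC 8693's nested object, the 60-second lifetime and the `crm:*` scope names are constructed, and DPoP key binding is not modelled. The point it shows: a token minted for the MCP server is refused by the downstream tool when forwarded unchanged, while an exchanged token carries a narrowed scope, a short lifetime and a record of every hop.

```python
"""Added example: token pass-through versus RFC 8693-style token exchange.
Toy code for illustration; not from the CoSAI paper or any MCP SDK."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the authorization server and resource servers.
# A real deployment signs with asymmetric keys published via the AS's JWKS.
SECRET = b"constructed-demo-signing-key"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims):
    """Sign a claim set: base64url(JSON body) '.' base64url(HMAC-SHA256)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify(token, audience, now=None):
    """Resource-server side: check signature, audience and expiry; return claims."""
    now = time.time() if now is None else now
    body, sig = token.split(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["aud"] != audience:
        # The audience check is what defeats pass-through: a token minted for
        # the MCP server is not valid at the downstream tool.
        raise ValueError("token audience %r is not %r" % (claims["aud"], audience))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def issue_user_token(user, now=None):
    """Authorization server: the token the user's client hands to the MCP server.
    Broad scope and a one-hour lifetime, as is typical for user-facing tokens."""
    now = time.time() if now is None else now
    return mint({"sub": user, "aud": "mcp-server", "scope": "crm:read crm:write",
                 "act": [], "iat": now, "exp": now + 3600})


def token_exchange(subject_token, actor, target_audience, requested_scope, now=None):
    """Authorization server's exchange endpoint (RFC 8693 in spirit): the actor
    presents the user's token and receives a new token for target_audience whose
    scope is the intersection of what the user holds and what was requested,
    whose 'act' chain records the actor, and which lives only 60 seconds."""
    now = time.time() if now is None else now
    claims = verify(subject_token, audience=actor, now=now)
    granted = set(claims["scope"].split()) & set(requested_scope.split())
    if not granted:
        raise ValueError("none of the requested scope is held by the subject")
    return mint({"sub": claims["sub"], "aud": target_audience,
                 "scope": " ".join(sorted(granted)),
                 "act": claims["act"] + [actor], "iat": now, "exp": now + 60})


def crm_api(token, now=None):
    """Downstream tool: accepts only tokens minted for it that carry crm:read."""
    claims = verify(token, audience="crm-api", now=now)
    if "crm:read" not in claims["scope"].split():
        raise PermissionError("crm:read scope required")
    return {"user": claims["sub"], "chain": claims["act"], "scope": claims["scope"],
            "records": ["acct-1001", "acct-1002"]}  # constructed sample rows


def mcp_passthrough(user_token, now=None):
    """Anti-pattern: the MCP server forwards the user's token unchanged."""
    return crm_api(user_token, now=now)


def mcp_with_exchange(user_token, now=None):
    """Recommended: exchange for a narrowed, short-lived, downstream-scoped token."""
    downstream_token = token_exchange(user_token, actor="mcp-server",
                                      target_audience="crm-api",
                                      requested_scope="crm:read", now=now)
    return crm_api(downstream_token, now=now)


def rejects(call):
    """True if the call is refused by a signature, audience, expiry or scope check."""
    try:
        call()
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tok = issue_user_token("alice", now=t0)
    print("pass-through rejected:", rejects(lambda: mcp_passthrough(tok, now=t0)))
    print("with exchange:", mcp_with_exchange(tok, now=t0))
```

Note that the exchanged token never regains `crm:write` even though the user holds it: scope can only shrink at each exchange, and a second hop (for instance `crm-api` exchanging again for a billing service) appends itself to the `act` chain, which is the audit trail recommendation 1 asks for.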

The New Agentic IAM Framework

CoSAI didn't stop at identifying the problems. In March 2026, their Technical Steering Committee approved a dedicated Agentic Identity and Access Management paper that defines how to represent, authenticate, authorize, and govern AI agents as verifiable, auditable identities. The paper introduces nine core principles it calls the "agentic identity imperatives," including treating agents as first-class identities distinct from both human users and service accounts, enforcing Zero Standing Privilege (no long-lived credentials; all access is just-in-time and task-scoped), and implementing a capability–risk classification matrix that scales controls with the stakes. The phased adoption model starts with something any team can do today: Phase 1 is to discover and register all agents as identities, eliminate shared accounts, and establish immutable action logging. If you're deploying agents and haven't done that, start there.
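What Phase 1 looks like in practice, as an added example written for this article (not CoSAI's code and not drawn from their paper): an agent registry that refuses shared identities, just-in-time grants that cover one capability for one task and expire according to a risk tier, and a hash-chained action log in which any edit to an earlier entry is detectable. The risk tiers, TTLs, agent names and capability strings are constructed assumptions; the paper's own matrix will differ.

```python
"""Added example: agent registry, zero-standing-privilege grants and a
tamper-evident action log. Illustrative only; not CoSAI's implementation."""
import hashlib
import json

# Constructed capability-risk matrix: tiers and limits are assumptions.
RISK_CONTROLS = {
    "low":    {"max_ttl": 900, "human_approval": False},
    "medium": {"max_ttl": 300, "human_approval": False},
    "high":   {"max_ttl": 60,  "human_approval": True},
}

GENESIS = "0" * 64


class ActionLog:
    """Append-only log; each entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "prev": prev, **event}
        record["hash"] = self._digest(record)
        self.entries.append(record)
        return record

    @staticmethod
    def _digest(record):
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True if no entry was altered, reordered or dropped from the middle.
        Detecting a trimmed tail needs the latest hash anchored elsewhere."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != self._digest(rec):
                return False
            prev = rec["hash"]
        return True


class AgentRegistry:
    """One identity per agent: owner, allowed capabilities and risk tier."""

    def __init__(self, log):
        self.log = log
        self.agents = {}

    def register(self, agent_id, owner, capabilities, risk):
        if risk not in RISK_CONTROLS:
            raise ValueError("unknown risk tier")
        if agent_id in self.agents:
            raise ValueError("agent already registered; identities are not shared")
        self.agents[agent_id] = {"owner": owner, "capabilities": set(capabilities), "risk": risk}
        self.log.append({"event": "register", "agent": agent_id, "owner": owner, "risk": risk})

    def grant_jit(self, agent_id, capability, task_id, now):
        """Zero Standing Privilege: nothing is held until a task needs it; the
        grant covers one capability and expires per the agent's risk tier."""
        agent = self.agents.get(agent_id)
        if agent is None or capability not in agent["capabilities"]:
            self.log.append({"event": "deny", "agent": agent_id, "capability": capability,
                             "task": task_id, "at": now})
            raise PermissionError("%s may not use %s" % (agent_id, capability))
        tier = RISK_CONTROLS[agent["risk"]]
        grant = {"agent": agent_id, "capability": capability, "task": task_id,
                 "issued": now, "expires": now + tier["max_ttl"],
                 "needs_approval": tier["human_approval"]}
        self.log.append({"event": "grant", **grant, "at": now})
        return grant


def demo(now=1_700_000_000):
    """Register two constructed agents, issue grants, and record one denial."""
    log = ActionLog()
    reg = AgentRegistry(log)
    reg.register("invoice-bot", "finance-team", ["erp:read"], "low")
    reg.register("payout-agent", "finance-team", ["erp:read", "bank:transfer"], "high")
    g1 = reg.grant_jit("invoice-bot", "erp:read", "task-1", now)
    g2 = reg.grant_jit("payout-agent", "bank:transfer", "task-2", now)
    try:
        reg.grant_jit("invoice-bot", "bank:transfer", "task-3", now)
    except PermissionError:
        pass  # the denial itself is logged
    return log, g1, g2


if __name__ == "__main__":
    log, g1, g2 = demo()
    for e in log.entries:
        print(e["seq"], e["event"], e.get("agent"), e.get("capability"), e["hash"][:12])
    print("log intact:", log.verify())
```

The high-risk agent's transfer grant lives for 60 seconds and flags human approval, while the low-risk read grant lives for 15 minutes and does not; denials are written to the same chain as grants, so the log also records what an agent tried and was refused.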

What This Means for Businesses Building With AI Agents

For organizations evaluating AI intake tools, voice agents, and automation platforms, MCP security isn't a developer concern, it's a business risk concern. Here's why it matters practically:

Vendor questions you should be asking. When you evaluate an AI agent platform, ask: Do your MCP connections authenticate through SSO with MFA? Do you enforce least-privilege scopes per tool? Can you show a complete audit trail of every agent action? Do you perform token exchange at every trust boundary? If the answer to any of these is "we're working on it," that's worth understanding in detail.

The compliance angle is arriving fast. MCP-driven CVEs are being disclosed across major implementations. Audit frameworks are catching up. Organizations that build governance now will be ahead of the curve when compliance requirements materialize, and they will.

Your data flows through agents now. Even if your team isn't building agents directly, your SaaS tools increasingly are. Salesforce, HubSpot, Notion, and dozens of other platforms are embedding agentic features backed by MCP connections. The security of those connections is the security of your data.

The MCP ecosystem is maturing fast. Claude Code is shipping weekly updates with enterprise-grade permission controls, workspace identity federation, and better agent management. Anthropic's Managed Agents platform now includes MCP connectors with permission policies. The tooling is getting serious. The question is whether the governance layer keeps up. The answer to that question will determine whether your AI automation investments become a competitive advantage or a liability.
