NSA warns on MCP: AI agents must be secured as infrastructure
The U.S. National Security Agency has turned the Model Context Protocol into a board-level security issue for organizations that let AI agents connect to internal systems.
NSA’s Artificial Intelligence Security Center published new guidance on May 20 for MCP, the protocol many AI tools use to let models interact with databases, developer tools, document stores and other services. The point is not that MCP should be stopped. The point is that companies cannot treat it like a normal API integration.
That distinction matters.
MCP is becoming a fast lane into the most sensitive enterprise work surfaces. NSA points to use across business, finance, legal, software development and other sectors. It also highlights sensitive tasks such as querying personally identifiable information.
Once an agent gets those connections, the risk is no longer just that the model gives a poor answer. The risk is that it may call the wrong tool, share context in the wrong place, create trust between systems that were never meant to trust each other, or be abused through weaknesses around the protocol implementation.
NSA’s language is measured, but the warning is sharp: traditional controls such as authentication, authorization and input validation remain necessary, but they are not enough. Agentic AI systems using MCP introduce novel and systemic risks. The agency names dynamic tool invocation, implicit trust relationships and context sharing as issues established cyber defense patterns do not fully cover.
For CIOs and CISOs, this lands directly in the 2026 enterprise AI roadmap. Many organizations are moving from pilots to agent workflows in software development, customer operations, analysis, case handling and internal support. MCP becomes risky exactly when those workflows move from demo to production.
The agent is not just another user
The usual IAM model is built around a fairly simple idea: a person or service gets access to something, with a known purpose and a defined scope. The agent model is more ambiguous.
An AI agent can retrieve data, interpret data, choose tools, call new services, write back to systems and carry context forward. It often acts on behalf of a user, but with an operational speed and breadth that the user does not have. Asking whether the agent is “logged in” is not enough.
The better questions are specific:
- Which tools can the agent call?
- Which data can it read?
- Which systems can it write to?
- What context can it carry between tools?
- Who owns the action when the agent gets something wrong?
- Can the organization reconstruct the full chain of events afterwards?
NSA describes the MCP environment as a continuum, not a set of isolated endpoints. That is the key point. A weak assumption in one part of the chain can propagate to the next. A small boundary problem between the agent, the MCP server, the data source and the identity layer can become a real incident once the agent is assigned valuable work.
This belongs with leadership, not only developers
MCP sounds technical. That makes it tempting to leave the issue with the platform team. That would be a mistake.
When agents get access to contracts, customer data, source code, transaction information, HR records or internal decision support, this is enterprise risk management. It touches access control, logging, data minimization, vendor responsibility, incident response and audit.
Leadership should therefore require a separate control model for agent access, not just a list of approved AI tools.
A sensible minimum should include:
- Agent identities separated from human identities, with dedicated roles and limits.
- A tool catalogue with explicit approval before an agent receives new capabilities.
- Context boundaries that prevent data from one system being reused elsewhere without authority.
- Full logging of tool calls, data access, responses and write operations.
- Human approval for irreversible or financially sensitive actions.
- Regular testing for prompt injection, data leakage and incorrect tool use.
- Vendor requirements that make MCP servers, plugins and agent environments auditable.
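How several of these controls could be enforced at a single choke point, as an added example that is not from the NSA sheet or any MCP implementation: a policy gate an MCP client or proxy would run before forwarding a tool call. The agent identity, tool catalogue and context labels are constructed for illustration; the "system" label per tool is a hypothetical tag that marks which backend a tool touches.

```python
from dataclasses import dataclass

# Constructed catalogue: tool -> (system it touches, is a write, needs human sign-off).
# Only tools listed here may ever be called; this is the explicit approval step.
TOOL_CATALOGUE = {
    "crm.search_contacts":  ("crm",     False, False),
    "crm.update_contact":   ("crm",     True,  False),
    "finance.issue_refund": ("finance", True,  True),
    "git.read_file":        ("git",     False, False),
}

@dataclass
class AgentIdentity:
    name: str            # dedicated agent principal, separate from any human account
    allowed_tools: set   # per-agent grant, a subset of the catalogue
    acting_for: str      # human on whose behalf the agent acts (for audit)

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human_approval: bool = False

AUDIT_LOG = []   # one record per attempted call, allowed or not

def authorize_call(agent, tool, args, context_labels, human_approved=False):
    """Decide whether a tool call may proceed and record the decision.
    context_labels: set of systems whose data is already in the agent's context."""
    if tool not in TOOL_CATALOGUE:
        d = Decision(False, "tool not in approved catalogue")
    elif tool not in agent.allowed_tools:
        d = Decision(False, "tool not granted to this agent identity")
    else:
        system, is_write, sign_off = TOOL_CATALOGUE[tool]
        # Context boundary: data pulled from another system may not be forwarded here.
        foreign = {s for s in context_labels if s != system}
        if foreign:
            d = Decision(False, f"context from {sorted(foreign)} may not flow into {system}")
        elif sign_off and not human_approved:
            d = Decision(False, "irreversible/financial action awaits human approval", True)
        else:
            d = Decision(True, "write" if is_write else "read")
    AUDIT_LOG.append({"agent": agent.name, "for": agent.acting_for, "tool": tool,
                      "args": args, "allowed": d.allowed, "reason": d.reason})
    return d
```

A denied call is still logged, so the audit trail answers both "what did the agent do" and "what did it try to do".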
This is not bureaucracy. It is normal security governance moved into a new interface.
Why it is urgent
MCP has momentum because it solves a real problem. Agents become useful only when they can do things. They need to look up documents, fetch data, open tickets, read code, create pull requests and write back into work tools. Without tool access, they are expensive chat windows.
But tool access is also where the risk starts.
NSA says real-world adoption of MCP has accelerated. That matters. This is not a future standard sitting in a lab. It is a protocol already appearing in enterprise products and internal AI projects.
For organizations outside the U.S. too, the lesson is direct: do not let MCP arrive as a developer convenience. Treat it as part of the security architecture. The teams responsible for identity, data flow and audit need to be involved before agents go into production.
Otherwise, a company can end up with an AI agent that technically uses only approved tools, but practically has broader authority than any employee would ever receive.
What leaders should do now
The first step is a factual inventory. Which AI tools in the organization use MCP or MCP-like connectors? Which have access to internal data sources? Which can write, not only read? Which run with the vendor, and which run inside the organization’s own environment?
The CIO and CISO should then create a joint policy for agent connectors. It should be short, technical enough and operational. A ban alone will not work. Developers and business teams will use agent tools because they save time. Governance must make safe use possible, not just slow.
What NSA is doing now is moving MCP from “clever integration” to “AI infrastructure with security requirements.” That is the right level.
The next phase of enterprise AI is not about who has the best chatbot. It is about who is willing to give agents responsibility, and who has enough control to survive that responsibility.
Sources and media
- Primary source: National Security Agency, press release, May 20, 2026: https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4496698/nsa-releases-security-design-considerations-for-ai-driven-automation-leveraging/
- Report: “Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation”, NSA Cybersecurity Information Sheet: https://www.nsa.gov/Portals/75/documents/Cybersecurity/CSI_MCP_SECURITY.pdf?ver=bmgiSbNQLP6Z_GiWtRt6bg%3d%3d
- Publish time verified via Google News RSS: May 20, 2026, 15:20:35 UTC.
- Thumbnail: GPT/OpenAI Image 2 / hogby.ai.