Without central governance, direct MCP connections expose agents to tool poisoning, prompt injection, privilege escalation, credential theft, and missing audit trails. Bifrost centralizes MCP access control, validation, and logging.
When an AI agent connects directly to MCP servers without a governance checkpoint, you've essentially handed the model keys to your infrastructure and hoped nothing goes wrong. Bifrost, a Go-based open-source MCP gateway from Maxim AI, intercepts every tool call with access controls, input/output validation, and audit logging. This post walks through the five most dangerous gaps in ungoverned MCP setups and how a centralized gateway fills each one.
Defining Ungoverned MCP Server Access
An ungoverned MCP server configuration is one where agents talk directly to external Model Context Protocol servers with no intermediary layer to check tools, filter what models can access, validate incoming and outgoing data, identify callers, or keep records. The Model Context Protocol, an open standard released by Anthropic in late 2024, lets AI models dynamically discover and invoke external tools across filesystems, databases, APIs, and internal services at runtime.
MCP's strength (instant tool availability) is also its vulnerability surface. When agents contact tool servers directly, three risk factors align dangerously: privileged system access, potentially hostile input (from documents, web pages, tool responses), and a communications channel to exfiltrate data. All five risks below follow from that convergence.
- Tool poisoning via malicious metadata embedded in tool definitions
- Indirect prompt injection through tool response content
- Excessive privilege with no enforcement of least-privilege access
- Secret exposure across prompts, arguments, and tool output
- Missing forensics with no record of who ran what tool and when
Risk 1: Tool Poisoning in Tool Metadata and Descriptions
Tool poisoning occurs when a rogue or compromised MCP server stores malicious instructions inside tool properties like names, descriptions, or JSON schema. The model reads these properties as trusted input, visible to the LLM but invisible to the user watching the terminal. Invariant Labs first documented this attack as a subset of indirect prompt injection, and OWASP now classifies MCP tool poisoning as its own threat category, noting the structural gap between what an agent sees when it first connects and how the tool actually behaves at runtime.
Ungoverned setups broadcast every available tool to the model with zero filtering, making it trivial for a poisoned definition to steer the agent toward data theft or unauthorized operations. Bifrost's tool filtering flips the default to deny: unless a virtual key explicitly permits access to a specific client and its tools, nothing is available. Instead of exposing your entire tool library, teams whitelist only what each agent legitimately needs, which curtails how far one poisoned tool can propagate. Bifrost also consolidates your tool registry in one place, letting your security team review a single governed surface instead of hunting through every agent's independent MCP connections.
Risk 2: Indirect Prompt Injection Via Tool Responses
Indirect prompt injection occurs when hostile instructions slip into content an agent processes: a malicious support ticket, a booby-trapped web page, or the result returned from a tool. Because the model treats all context equally, it can't separate a real user instruction from a planted one. Microsoft's security researchers detailed this attack pattern for MCP, and known incidents follow the same playbook: in mid-2025, a Supabase agent with database-level privileges got tricked by injected SQL in user-submitted tickets, leaking OAuth integration tokens to a public forum.
The solution requires a layer that watches every prompt and response in flight, not distributed filters inside each application. Bifrost enforces guardrails at the gateway, scanning both LLM inputs and MCP tool inputs/outputs in real time. The same safety rules that screen user prompts also inspect what gets passed to and returned from your tools, with options for prompt-injection defense, PII masking, and content filtering via native or third-party providers. If a rule is violated, Bifrost can stop the request, erase sensitive fields, or write it to an audit log, giving you one control point across your entire agent fleet rather than fractured per-service policies that drift over months.
Risk 3: Privilege Creep: When Every Agent Can Call Every Tool
Privilege creep is the default misconfiguration: agents get broad API credentials and the full tool menu because building tight per-consumer scoping without a control plane is tedious. The outcome: your internal prototype and your customer-facing agent invoke the same destructive operations. Bifrost inverts this by making least privilege the starting point.
Virtual keys are Bifrost's primary governance unit; each holds its own allow-list of which MCP clients and tools a consumer can access, plus model and cost limits. Bifrost enforces the allow-list twice: once when planning which tools the model sees, and again when the model actually tries to invoke a tool, so a key meant for read-only diagnostics can't silently pivot to writing data. For larger deployments, governance extends to RBAC and tool groups, named collections of tools you attach to keys, teams, or users and resolve per request. Every model call only ever touches the tools its consumer is authorized for.
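The two enforcement points described above, deny-by-default filtering at planning time and a second check at invocation, together with the audit record Risk 5 calls for, as an added Go illustration that is not Bifrost's own code. VirtualKey, PlanTools, Invoke and AuditEntry are hypothetical names modelled on the page's description, and the key and registry in main are constructed sample data.

```go
package main

import "fmt"

// Tool is an MCP tool as advertised by an upstream MCP server.
type Tool struct{ Server, Name string }

// VirtualKey is a hypothetical per-consumer governance unit modelled on the page
// (not Bifrost's real type): the server/tool pairs its holder may see and call.
type VirtualKey struct {
	ID    string
	Allow map[string]map[string]bool // server -> tool -> permitted
}

// Allowed is the one deny-by-default check shared by both enforcement points;
// an unknown server yields a nil inner map, which indexes to false.
func (k VirtualKey) Allowed(t Tool) bool { return k.Allow[t.Server][t.Name] }

// PlanTools is enforcement point 1: filter the registry before the model sees
// any definition, so a poisoned tool outside the list is never even loaded.
func PlanTools(k VirtualKey, registry []Tool) []Tool {
	visible := []Tool{}
	for _, t := range registry {
		if k.Allowed(t) {
			visible = append(visible, t)
		}
	}
	return visible
}

// AuditEntry is the record the gateway keeps for every invocation attempt.
type AuditEntry struct{ KeyID, Server, Tool, Decision string }

// Invoke is enforcement point 2: re-check at call time, so a model steered
// toward an unlisted tool is refused and the refusal itself is logged.
func Invoke(k VirtualKey, t Tool, audit *[]AuditEntry) error {
	if !k.Allowed(t) {
		*audit = append(*audit, AuditEntry{k.ID, t.Server, t.Name, "denied"})
		return fmt.Errorf("key %s may not call %s/%s", k.ID, t.Server, t.Name)
	}
	*audit = append(*audit, AuditEntry{k.ID, t.Server, t.Name, "allowed"})
	return nil
}

func main() { // constructed sample: a read-only diagnostics key
	key := VirtualKey{ID: "diag-ro", Allow: map[string]map[string]bool{"db": {"query": true}}}
	registry := []Tool{{"db", "query"}, {"db", "drop_table"}, {"fs", "write_file"}}
	var audit []AuditEntry
	fmt.Println(PlanTools(key, registry), Invoke(key, Tool{"db", "drop_table"}, &audit), audit)
}
```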
Risk 4: Secrets in Flight: When Credentials Leak Into Logs and Responses
Secrets leak when API keys, OAuth tokens, or passwords flow through prompts, tool parameters, or results and end up in logs, vector databases, or attackers' hands. Ungoverned MCP deployments make this worse in two ways: you tend to embed provider credentials in every agent separately, and there's zero inspection as a secret transits a tool invocation.
Bifrost solves both. Provider credentials stay encrypted inside the gateway and never ship to client code; they rotate independently of the virtual keys that reference them, so secrets never live in app config or .env files. On detection, Bifrost's secrets guardrail, powered by Gitleaks under the hood, catches leaked keys, tokens, and certificates in prompts and completions before they escape. For teams in regulated industries, in-VPC and self-hosted options keep request payloads, detection events, and all credentials within your network perimeter, and vault integrations (HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, Azure Key Vault) handle rotation and access.
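An added Go example of the detection step itself, not Bifrost's or Gitleaks' code: regex rules paired with a Shannon-entropy floor scan a prompt, tool argument or tool result and return a redacted copy that is safe to log. The two rule patterns and their thresholds are constructed for illustration, and the entropy floor is there to show why a placeholder-looking string should not trip the guardrail.

```go
package main

import (
	"math"
	"regexp"
)

// Rule pairs a token pattern with the minimum Shannon entropy (bits per
// character) a match must reach; low-entropy matches are usually placeholders.
// These rules are illustrative, not Gitleaks' own rule set.
type Rule struct {
	Name       string
	Pattern    *regexp.Regexp
	MinEntropy float64
}

var rules = []Rule{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), 3.0},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`), 3.5},
}

// Entropy returns the Shannon entropy of s in bits per character.
func Entropy(s string) float64 {
	counts, h := map[rune]int{}, 0.0
	for _, r := range s {
		counts[r]++
	}
	for _, c := range counts {
		p := float64(c) / float64(len([]rune(s)))
		h -= p * math.Log2(p)
	}
	return h
}

// Scan checks text (a prompt, tool argument or tool result) against every
// rule and returns the names of rules that fired plus a redacted copy that
// is safe to log or forward; the matched secret itself is never retained.
func Scan(text string) ([]string, string) {
	var fired []string
	for _, r := range rules {
		text = r.Pattern.ReplaceAllStringFunc(text, func(m string) string {
			if Entropy(m) < r.MinEntropy {
				return m // looks like a placeholder, leave it untouched
			}
			fired = append(fired, r.Name)
			return "[REDACTED:" + r.Name + "]"
		})
	}
	return fired, text
}
```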
Risk 5: No Audit Trail: When You Can't Answer "What Happened?"
Ungoverned MCP setups scatter tool-call evidence across application logs, if it's captured at all, which makes incident postmortems and compliance audits painful. The MCP spec itself says best practice is a human in the loop with the ability to veto tool invocations, and that's only credible if every action is recorded.
Once Bifrost becomes the single checkpoint between agents and tools, each tool call becomes a first-class log entry with full metadata: tool name, source MCP server, arguments sent, response received, latency, the virtual key that triggered it, and the originating LLM request. You can slice by virtual key to see what a specific consumer executed, or by tool to track which server gets hammered. For compliance, immutable audit logs meet SOC 2, GDPR, HIPAA, and ISO 27001 standards and can ship to external SIEM and data-lake systems for archival and investigation.
How Bifrost Governs MCP From Request to Tool Return
Bifrost sits as both an MCP client (connecting to your external tool servers) and an MCP server (exposing one controlled endpoint to agents and desktop clients like Claude Desktop). Routing every tool call through a single control plane is what makes all five protections consistent rather than ad hoc per-application. By default, Bifrost blocks auto-execution of tool calls; the model returns suggestions, and your code must explicitly approve and invoke them, preserving human judgment for risky operations. For teams that want automation, Agent Mode lets you set an auto-approval list while keeping the boundary explicit.
Bifrost also tackles cost and context bloat. When agents connect to many servers, Code Mode has the model generate compact Python code to orchestrate tools in a sandbox instead of stuffing every tool definition into the prompt, cutting input tokens by up to 92.8% and shrinking the payload that poisoned definitions can corrupt. The overhead is tiny: 11 microseconds per request at 5,000 RPS, so governance never becomes your latency bottleneck. The cost-and-access deep dive shows how filtering, logging, and Code Mode combine at production scale.
Common Questions About MCP Security
What's the #1 MCP attack vector?
Prompt injection (including tool poisoning) tops the list. It's scary because it combines three factors: an attacker controls tool metadata, the model reads it as gospel truth, and the agent has real system access. This pattern shows up in almost every documented MCP incident.
Does a gateway actually stop prompt injection?
A gateway alone doesn't make your model immune, but it adds layers that direct connections lack: request and response guardrails on every tool call, deny-by-default filtering, and tamper-evident logs. Together they shrink both the odds of a successful attack and how much damage one can do.
How do you actually implement least privilege for MCP agents?
Give each agent its own credentials and tool permission set instead of sharing universal access. Bifrost virtual keys apply a per-consumer allow-list to both what the model sees and what it can actually invoke, enforced at planning time and execution time so privilege doesn't escalate mid-call.
Starting With Bifrost
Ungoverned MCP server setups concentrate privileged tool access, untrusted input vectors, and exfiltration paths into one blind spot. A governed MCP gateway decouples those concerns: deny-by-default tool filtering, runtime guardrails on prompts and responses, credential isolation, and immutable logs, all running between your agents and external tools. Bifrost provides this control plane as an open-source AI gateway with enterprise governance, and the full feature set is documented in the resources hub. Ready to see how Bifrost locks down MCP access across your agent infrastructure? Book a demo with the team.