MCP, Tool Use, and the New Attack Surface Nobody Is Mapping
The agent wasn’t compromised.
The model wasn’t compromised.
The tool wasn’t compromised.
Every component did exactly what it was designed to do. The system still executed an action nobody authorized.
That is not a vulnerability in the traditional sense. There was no implementation flaw to patch, no misconfigured permission to revoke, no anomalous credential activity to detect. The failure occurred in the authority chain between components — in the delegation logic that connected a user request to a tool execution across three intermediate layers. And there is currently no discipline in enterprise architecture that knows how to govern that chain.
MCP — the Model Context Protocol — makes this problem structural. It introduces delegated authority chains that are longer than any governance model enterprises currently operate. Not longer by degree. Longer by category. The tools are new. The trust assumptions are new. The failure modes are new. The discipline required to govern them does not yet exist.
This is an mcp security architecture failure before it is a security tooling failure.
Framework #141 — Agentic Authority Boundary
The Agentic Authority Boundary defines the formal limit within which an agentic system may delegate execution authority — constrained by explicit scope, identity, ownership, and revocability.
FRAMEWORK #141 — AGENTIC AUTHORITY BOUNDARY
The formal boundary within which an agentic system may delegate execution authority — constrained by explicit scope, identity, ownership, and revocability.
When any failure state is present, the boundary has already collapsed — the question is only whether it’s visible before or after an incident.
Authority Chain Opacity deserves particular attention. The first three failure states describe how the boundary breaks. The fourth describes why nobody knows it broke. If the evidence record is not generated as part of execution, no amount of post-incident logging can recreate it. That is not a logging problem. It is an architecture problem — one that makes the other three failure states permanently invisible until something goes wrong at the wrong scale.
Most enterprises can answer: who made the API call? Very few can answer: which authority chain enabled the tool execution that followed?
MCP Security Architecture and the Trust Model Break
To understand why existing governance patterns fail here, the execution model needs to be visible.
Traditional systems establish authority at the perimeter and carry it forward explicitly. A user authenticates, a credential is issued, that credential travels with the request. The authority chain is short, synchronous, and inspectable at every hop. Network controls, API gateways, and identity governance all operate on this assumption.
Agentic systems break every part of that model.
The table below is not about complexity for its own sake. It is about which properties enterprise security controls were designed to govern — and which ones they were not.
| Property | Traditional Execution | Agentic Execution |
|---|---|---|
| Identity | Visible at every hop | Indirect — inherited by orchestrator |
| Authority | Explicit — carried with credential | Delegated — passed through chain |
| Ownership | Clear — defined at service boundary | Distributed — often undefined |
| Auditability | Native — log the request, log the response | Often missing — chain is implicit |
The auditability row is where Authority Chain Opacity lives. In a traditional execution path, the identity and authority evidence is produced as a side effect of execution. In an agentic chain, it is not. No log of the model’s invocation captures the authority context the orchestrator was operating under. No tool server log captures which upstream delegation authorized the call. The chain ran. The action executed. The authority record was never created.
MCP accelerates this problem by standardizing the protocol through which tool servers are invoked — without standardizing any of the authority or delegation semantics. Tool servers are registered, discovered, and called through a consistent interface. What authority the calling orchestrator holds, what scope that authority covers, whether the grant is revocable, and whether any evidence of the delegation exists are all left entirely to the implementer. The protocol governs the transport. Nobody governs the trust.
Tool servers are also the new shadow IT vector. They are deployed by developers, invoked by agents, and invisible to network security teams. An engineer wires an MCP server into a workflow. The orchestrator calls it. The tool executes against systems the security team does not know are in scope. The exposure accumulates before any inventory exists to capture it.
Five Eyes Got the Threat Model Right — and Stopped There
In May 2026, the Five Eyes intelligence alliance published joint guidance on agentic AI systems. The threat model in that document is accurate: prompt injection, tool abuse, and uncontrolled agentic execution are correctly identified as the primary risk categories.
What the guidance does not provide is the architectural layer required to operationalize a response.
Identifying prompt injection as a risk does not produce a delegation inventory. Naming tool abuse as a threat does not define an authority boundary model. Recognizing that agentic risk exists does not create the governance discipline required to govern it.
The gap between the guidance and what enterprise architecture actually needs can be stated precisely. Enterprise security programs have mature disciplines for governing known risk categories:
| Existing Discipline | Governs |
|---|---|
| Identity Governance | Who can act |
| Network Governance | Where traffic flows |
| API Governance | What interfaces expose |
| Policy Governance | What is permitted |
| Delegation Governance | How authority moves — missing |
The Five Eyes guidance identified the symptoms. Delegation governance is the discipline that would treat them. The threat model exists. The governance model does not. That is the architectural gap — and it is not filled by patching individual tool servers or tightening prompt engineering rules.
The CVE That Made This Concrete
CVE-2025-49596 carries a CVSS score of 9.4. It was active in Anthropic’s own MCP SDK. OX Security’s accompanying research documented a systemic remote code execution path in the official implementation.
The finding matters here not as a vulnerability disclosure but as a diagnostic signal about the protocol’s foundational assumptions.
Traditional vulnerabilities expose implementation flaws. A buffer overflow, an injection point, a misconfigured access control. Patch the implementation and the vulnerability closes.
MCP vulnerabilities expose authority-model flaws. The RCE path existed because the SDK’s trust assumptions about where tool server input came from — and what authority that input carried — were wrong at the specification level. The implementation was consistent with the specification. The specification was wrong about the trust model.
That distinction matters architecturally: implementation patches close the current expression of the gap. They do not close the gap. A patched SDK operating under incorrect authority assumptions remains exploitable through any future expression of the same assumption. The attack surface does not shrink when the trust model is unaddressed.
CVE-2025-49596 is not the endpoint of this analysis. It is evidence for the framework. The authority-model flaw was present before the CVE was identified. It will be present in the next implementation that inherits the same assumptions.
What Architecture Actually Needs
The controls that apply to this mcp security architecture problem map directly to the four failure states in #141.
SCOPE CREEP DELEGATION → AUTHORITY DECLARATIONS
Tool servers must declare explicit authority scope at registration — not a capability list, an authority boundary. The orchestrator’s invocation must be validated against that declared scope before execution begins. Any invocation outside declared scope requires an explicit elevation path, not a default-permit.
IMPLICIT TRUST INHERITANCE → IDENTITY ISOLATION
The orchestrator’s credential must not transit into tool execution context. Tool servers authenticate the invocation, not the upstream identity. Allowing the orchestrator’s identity to carry through into the tool layer collapses the entire authority boundary — the tool server cannot distinguish a legitimate orchestrator call from an injected one operating under inherited credentials.
NON-REVOCABLE GRANT → REVOCABLE DELEGATION SCOPES
Delegation grants must carry explicit expiration and revocation paths. A tool server registration that cannot be revoked without redeploying the orchestrator is not a governed tool — it is a permanent grant with a protocol wrapper. Scope expiration and runtime revocation are architectural requirements, not optional features.
AUTHORITY CHAIN OPACITY → EVIDENCE-GRADE EXECUTION RECORDS
Every tool invocation must generate an execution record that captures: the delegation chain that authorized the call, the authority scope active at invocation time, the identity context at each layer, and the output produced. This record must be generated at execution time — not reconstructed from logs afterward. Turning on verbose logging post-incident cannot recreate an authority chain that was never recorded.
The fourth control — evidence-grade execution records — connects directly to the operational memory problem. When an incident occurs, the question is not only what the system did. It is what the system believed it was authorized to do, and why. Infrastructure that remembers configuration but forgets intent cannot answer that question. The evidence record has to be architectural, not investigative.
Human-in-the-loop gates belong in this list, but their placement matters. Mapping approval requirements to authority elevation events — not to subjectively “sensitive” operations — gives the gates architectural meaning. An operation that elevates authority scope beyond declared boundaries requires human approval. An operation within declared scope does not. That is a governable model. “Sensitive” is not.
The Real Exposure Map
The enterprises most exposed to this attack surface are not necessarily running the most sophisticated AI deployments. They are running agentic workflows where the tool layer is not first-party.
Organizing by ownership model rather than by product makes the exposure visible:
| Exposure Tier | Tool Ownership Model | Authority Boundary Condition |
|---|---|---|
| Low | First-party tools only — built and operated by the same team running the orchestrator | Authority boundary is organizational — auditable through existing controls |
| Medium | Internal tools plus external connectors — mix of owned and third-party integrations | Boundary is partial — internal tools auditable, connectors introduce implicit trust inheritance |
| High | Third-party MCP ecosystem — tools registered from external providers through a marketplace or hub | Authority declarations are missing or unverifiable — scope assumptions are made at registration |
| Extreme | Dynamically discovered tools — orchestrator discovers and registers tools at runtime | No static inventory is possible — authority chain is unknown until execution occurs |
Copilot Studio, Bedrock Agents, n8n, LangChain-based workflows, and any custom orchestration layer that consumes MCP servers from outside the organization’s own codebase sits somewhere between Medium and Extreme on this table. The organizations that fall into Extreme are often unaware of it — because dynamic tool discovery is frequently a feature, not a flag.
The maturity question that reveals actual exposure is not “what agentic tools are you running?” Most security teams can answer that. The question that matters is: can you produce an inventory of every tool your agentic systems can invoke today — including which authority scope each tool was granted, and whether those grants are revocable?
Twenty years ago, the equivalent question was: can you produce an inventory of every privileged account in your environment? That question built identity governance as a discipline. The MCP inventory question is building the case for delegation governance in the same way. Most organizations cannot answer it. That is the exposure.
Architect’s Verdict
MCP introduces an mcp security architecture gap — a trust delegation model that enterprise architecture has no existing governance pattern for. The protocol is not the problem. The absence of the discipline required to govern what the protocol enables is the problem.
Every existing security control in the enterprise stack was designed for systems where the execution boundary is visible at the network layer or the identity layer. MCP makes the execution boundary implicit, dynamic, and trust-inherited across a chain of intermediate systems. Identity governance tells you who authenticated. API governance tells you what was called. Neither tells you how authority moved from a user request through a model, through an orchestrator, into a tool that executed against production systems.
Delegation governance is the missing discipline. It does not exist in most enterprises today as a named practice with defined controls, ownership, and audit requirements. CVE-2025-49596 is not the reason to build it — it is evidence that the absence of it was already being exploited before the absence had a name. The attack surface is live. The inventory does not exist. The authority chains are running. Nobody is mapping them.
Additional Resources
Editorial Integrity & Security Protocol
This technical deep-dive adheres to the Rack2Cloud Deterministic Integrity Standard. All benchmarks and security audits are derived from zero-trust validation protocols within our isolated lab environments. No vendor influence.
R.M.
Senior Solutions Architect with 25+ years of experience in HCI, cloud strategy, and data resilience. As the lead behind Rack2Cloud, I focus on lab-verified guidance for complex enterprise transitions. View Credentials →
Get the Playbooks Vendors Won’t Publish
Field-tested blueprints for migration, HCI, sovereign infrastructure, and AI architecture. Real failure-mode analysis. No marketing filler. Delivered weekly.
Select your infrastructure paths. Receive field-tested blueprints direct to your inbox.
- > Virtualization & Migration Physics
- > Cloud Strategy & Egress Math
- > Data Protection & RTO Reality
- > AI Infrastructure & GPU Fabric
Zero spam. Includes The Dispatch weekly drop.
Need Architectural Guidance?
Unbiased infrastructure audit for your migration, cloud strategy, or HCI transition.
>_ Request Triage Session
