- What: NSA's AI Security Center published a Cybersecurity Information Sheet (May 20, 2026) warning that MCP deployments collapse LLM agents, servers, and enterprise tools into one implicit trust domain that existing controls cannot adequately defend.
- Impact: Systemic and novel risk class: dynamic tool invocation, implicit trust relationships, and unclassified context sharing mean an attacker who influences agent context can redirect legitimate tool calls to malicious ends.
- Fix / mitigation: Per-tool authorization with human-in-the-loop for sensitive ops, short-lived brokered credentials, distinct non-human caller identities, tamper-evident audit logs capturing invocation context, and version-pinned tool catalogs.
- Who's at risk: Any organization running MCP servers in production or development, particularly those wiring agents into systems that hold credentials, sensitive data, or execute consequential actions.
On May 20, 2026, the NSA's Artificial Intelligence Security Center released a Cybersecurity Information Sheet titled Model Context Protocol (MCP): Security Design Considerations. It is the most direct statement yet from a US signals-intelligence agency on the security posture of the protocol now wiring AI agents into enterprise tools.
The headline finding is blunt. MCP, in its current state, introduces categories of risk that existing cybersecurity strategies do not adequately address. The agency is not telling organizations to stop deploying MCP. It is telling them the protocol's design assumptions need to be treated as security boundaries in their own right, and that defenses sized for traditional plugin ecosystems are not enough.
What MCP Is, In One Paragraph
MCP is an application-layer protocol that gives AI agents a standardized way to discover, invoke, and consume tools. An agent points at an MCP server, the server advertises its tool catalog, and the agent decides at runtime which tools to call based on the conversation. That last part is where the risk lives: the agent's tool selection is dynamic, the trust relationships are implicit, and context flows freely between components that were never designed to share a security domain.
The Risks NSA Named
The CSI calls out a specific set of risk categories. None of them are exotic exploits. They are properties of how MCP works.
- Serialization Risks. Untrusted data crossing trust boundaries during tool invocation, with deserialization paths that can be coerced into producing attacker-controlled behavior.
- Trust Boundaries. MCP servers, clients, and the underlying model all sit inside one effective trust domain at runtime. Assumptions made by any component propagate to the others.
- Agent Misuse. An attacker who can influence the agent's context can steer tool invocation toward unintended actions, including legitimate tools used for illegitimate purposes.
- Dynamic Tool Invocation. Tool selection happens at runtime based on natural-language context. Traditional allow-listing assumes a static caller-callee relationship that does not exist here.
- Implicit Trust Relationships. Connecting an MCP server grants it standing the user never explicitly authorized at the per-tool level. The trust is at the connection, not the action.
- Context Sharing. Conversation context, tool outputs, and intermediate data move between components with no native classification, sanitization, or audit guarantees.
The CSI argues MCP cannot be secured in pieces. It calls the agentic environment a continuum: misaligned assumptions or subtle inconsistencies at any stage propagate and compound into exploitable conditions. A correctly configured MCP server is not enough if the client trusts its output blindly. A hardened client is not enough if the model decides which tool to call.
Why Existing Defenses Fall Short
The NSA's argument is structural, not anecdotal. Most enterprise security controls assume two things: that components have stable identities, and that authorized actions are enumerable in advance. MCP breaks both.
An IAM policy controls who can call a tool. It does not control whether an AI agent should call that tool given the current conversation. A WAF inspects HTTP requests. It cannot reason about whether a tool invocation is consistent with the user's actual intent. An audit log records what happened. It does not capture why the agent decided it should happen, because that decision lives in the model's context, not in the network trace.
This is the same gap that broke browser plugin security in the 2010s, IoT in the late 2010s, and supply chain trust in the 2020s. NSA's framing makes the analogy explicit: MCP is a plugin ecosystem with an LLM-shaped attack surface stacked on top.
What NSA Recommends
The CSI does not ban deployment. It pushes adopters toward defense-in-depth patterns that match the way MCP actually behaves.
- Policy enforcement at the tool layer. Per-tool authorization, with explicit human-in-the-loop for sensitive operations, not blanket trust at the MCP-server level.
- Credential brokering. Tools should run with the minimum credentials their immediate operation requires, brokered by an authority outside the agent's trust domain. The agent should never hold long-lived keys.
- Identity assignment for non-human callers. Each agent gets a distinct identity that downstream systems can audit, rate-limit, and revoke independently of the human user.
- Tamper-evident audit trails. Logs that capture invocation context, not just transport metadata, written to a store the agent cannot modify.
- Heightened scrutiny of tool catalogs. Treat each MCP tool as a third-party dependency. Pin versions. Review behavior. Re-review after upgrades.
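As an added illustration of three of these recommendations (policy enforcement at the tool layer, tamper-evident audit trails that capture invocation context, and a pinned tool catalog), here is a small Python gate that a client could place in front of every tool call. It is example code written for this page, not from the CSI or any MCP implementation. The catalog, tool names, policy vocabulary ("allow", "human", deny-by-default) and the HMAC key are constructed assumptions; in a real deployment the log key would live with the log store, outside the agent's reach.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample catalog, as the MCP server advertised it when it was reviewed.
# The tool names, descriptions and schemas are hypothetical.
REVIEWED_CATALOG = [
    {"name": "read_ticket",
     "description": "Read a support ticket by id",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}}},
    {"name": "refund_customer",
     "description": "Issue a refund to a customer account",
     "inputSchema": {"type": "object",
                     "properties": {"account": {"type": "string"}, "amount": {"type": "number"}}}},
]

# Per-tool policy (assumed vocabulary): "allow", "human" = human-in-the-loop required,
# anything absent from the map = deny. Trust is granted per action, not per connection.
POLICY = {"read_ticket": "allow", "refund_customer": "human"}


def tool_fingerprint(tool: dict) -> str:
    """Pin a tool by hashing its name, description and input schema in canonical JSON,
    so a description or schema that changes after an upgrade no longer matches review."""
    canonical = json.dumps({k: tool[k] for k in ("name", "description", "inputSchema")},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


PINNED: Dict[str, str] = {t["name"]: tool_fingerprint(t) for t in REVIEWED_CATALOG}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditLog:
    """Append-only, hash-chained log. Each record commits to the previous record's tag,
    and every tag is an HMAC under a key held by the log store (the agent never sees
    it), so editing, deleting or reordering an entry breaks verification."""
    key: bytes
    records: List[dict] = field(default_factory=list)
    last_tag: str = "0" * 64

    def append(self, record: dict) -> str:
        body = json.dumps({"prev": self.last_tag, **record},
                          sort_keys=True, separators=(",", ":"))
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        self.records.append({"body": body, "tag": tag})
        self.last_tag = tag
        return tag

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            expected = hmac.new(self.key, rec["body"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, rec["tag"]):
                return False
            if json.loads(rec["body"])["prev"] != prev:
                return False
            prev = rec["tag"]
        return True


def authorize_call(tool: dict, args: dict, caller_id: str, context_summary: str,
                   human_approved: bool, log: AuditLog) -> Decision:
    """Gate one tool invocation: catalog pin first, then per-tool policy. The decision is
    logged together with the context that led to it, whether allowed or denied."""
    name = tool["name"]
    if PINNED.get(name) != tool_fingerprint(tool):
        decision = Decision(False, "tool not in reviewed catalog or definition drifted")
    else:
        mode = POLICY.get(name, "deny")
        if mode == "allow":
            decision = Decision(True, "policy allow")
        elif mode == "human" and human_approved:
            decision = Decision(True, "human approved")
        elif mode == "human":
            decision = Decision(False, "human approval required")
        else:
            decision = Decision(False, "policy deny")
    log.append({"ts": time.time(), "caller": caller_id, "tool": name, "args": args,
                "context": context_summary, "allowed": decision.allowed,
                "reason": decision.reason})
    return decision
```

The fingerprint check is what turns "re-review after upgrades" into an enforced control: if the server starts advertising a different description or schema for a pinned tool, calls to it fail closed until someone reviews and re-pins. Logging the context summary alongside the arguments addresses the gap the CSI names, that transport metadata records what happened but not why the agent decided to do it.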
If your organization has deployed MCP servers or is preparing to, the NSA's CSI is a permission slip to slow the rollout and ask harder questions. The agency is not signaling that the protocol is broken. It is signaling that the protocol is new enough that no one's defenses are calibrated for it yet, and the gap matters most in exactly the environments where MCP is most useful: production systems with real data and real consequences.
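The credential-brokering and non-human-identity recommendations above can be shown together with a minimal token broker. This is added example code for this page, not from the CSI or any real MCP tooling; the agent identities, scopes, 60-second lifetime and HMAC-signed token format are constructed assumptions, and a production broker would use a proper token standard and a key held in a secrets manager. The point it demonstrates is that the agent never holds a long-lived key: it asks the broker for a token scoped to one tool, the tool checks expiry, scope and revocation at use time, and each agent can be revoked independently of the human user.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. It belongs to the broker, outside the agent's trust domain;
# the agent only ever receives short-lived, tool-scoped tokens derived from it.
BROKER_KEY = b"constructed-demo-broker-key"
TOKEN_TTL_SECONDS = 60

# Each non-human caller has its own identity with an explicit tool scope, so
# downstream systems can audit, rate-limit and revoke it independently of the user.
AGENT_REGISTRY = {
    "agent-support-7": {"scopes": {"read_ticket", "refund_customer"}, "revoked": False},
    "agent-reporting-2": {"scopes": {"read_ticket"}, "revoked": False},
}


def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag          # tag is hex, so the last "." is the separator


def _verify(token: str) -> Optional[dict]:
    body, _, tag = token.rpartition(".")
    expected = hmac.new(BROKER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def issue_token(agent_id: str, tool: str, now: Optional[float] = None) -> Optional[str]:
    """Broker side: mint a token for one agent, one tool, with a bounded lifetime.
    Returns None if the agent is unknown, revoked, or not scoped for this tool."""
    now = time.time() if now is None else now
    entry = AGENT_REGISTRY.get(agent_id)
    if entry is None or entry["revoked"] or tool not in entry["scopes"]:
        return None
    return _sign({"sub": agent_id, "tool": tool, "iat": now, "exp": now + TOKEN_TTL_SECONDS})


def check_token(token: str, tool: str, now: Optional[float] = None) -> Optional[str]:
    """Tool side: return the caller identity if the token is valid for this tool now.
    Revocation is re-checked here, not only at issue time."""
    now = time.time() if now is None else now
    claims = _verify(token)
    if claims is None or claims["tool"] != tool or now >= claims["exp"]:
        return None
    entry = AGENT_REGISTRY.get(claims["sub"])
    if entry is None or entry["revoked"]:
        return None
    return claims["sub"]


def revoke(agent_id: str) -> None:
    """Cut off one agent identity; its outstanding tokens stop working immediately."""
    AGENT_REGISTRY[agent_id]["revoked"] = True
```

Because the token names a single tool and expires in a minute, a token that leaks through shared context is worth far less than a standing API key would be, and the tool-side check is the place to attach per-identity rate limits and logging.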
What This Means Operationally
The CSI is going to land in three places over the next 90 days. Compliance teams will start citing it in vendor questionnaires. Boards will start asking whether their AI rollouts have been reviewed against the agency's design considerations. And insurance carriers, who have been quietly tightening AI-related underwriting questions all year, will use it as the reference text.
For security teams running MCP today, the immediate work is inventory. Which agents are connected to which MCP servers? What tools do those servers expose? What credentials and data scopes do those tools actually carry? Most organizations cannot answer those questions on a single page. The CSI is, in effect, telling them they need to.
For organizations evaluating MCP deployments, the practical takeaway is that the protocol is not yet safe to wire into high-stakes workflows without compensating controls. That does not mean it stays that way. The protocol will mature. Reference implementations will harden. Governance patterns will emerge. But today, in May 2026, the agency that knows the most about adversaries exploiting design-level weaknesses is publicly saying the gap is large.
Bottom Line
The NSA's MCP CSI is not a panic document. It is the federal government formally acknowledging that agentic AI introduces a new class of security problem and that the existing tooling does not solve it. Organizations that read the report, map their MCP exposure, and add the missing controls will be in a defensible posture. Organizations that treat MCP as just another protocol will discover, eventually, that the agent is not just a client. It is a decision-maker with credentials.
Deploying MCP or agentic AI in your environment?
RedEye Security helps organizations map agent exposure and build the defense-in-depth controls NSA's CSI describes.