Enterprises are rapidly adopting large language model applications, AI assistants, and model orchestration platforms at a pace that rivals the early days of cloud computing. With this acceleration comes both significant opportunity and risk. Yet AI security is lagging behind, struggling to match the speed and scale of adoption. One of the hottest topics right now is MCP security.
MCP, or Model Context Protocol, is a standard that defines how AI apps connect to external resources like data sources and tools. The goal is simple: instead of every developer building custom point-to-point integrations, MCP provides a standardized interface for discovery and access.
What is MCP and Why it Matters
MCP, or Model Context Protocol, is a standard that makes it easier for AI apps to connect with external tools and data sources. Instead of every developer building custom integrations, MCP provides a common interface that enriches isolated AI models with more context and functionality.
Enterprises are already adopting it in sensitive systems. Salesforce is offering a hosted MCP servers that exposes CRM data through a hosted MCP server, HubSpot offers one in beta for managing contacts and tasks, and Atlassian has launched a remote MCP server that connects directly to Jira and Confluence. These integrations show the power of MCP, but also highlight the risk: once an LLM can access business data through MCP, a jailbreak or prompt injection could expose customer records or leak internal documents.
MCP can be deployed in several ways. A local MCP might connect an app to something on your device, like a calendar, where the data never leaves your machine. A remote MCP server works like an API endpoint hosted by a third party. Fully remote MCPs go further, with all communication happening between the model provider and the server, leaving little visibility for the enterprise. Each approach adds capability but also increases the attack surface.
This balance of power and risk is why MCP security has quickly become a top enterprise concern.
“MCP initially does not include native authorization between the MCP client and MCP server, and this is arguably the biggest security gap.”
Gartner’s Perspective on MCP Security
According to Gartner, MCP security is still maturing. The first versions of the protocol did not include native authorization, leaving a major gap between MCP clients and servers. A March 2025 update added OAuth 2.1 based authorization, but thousands of MCP servers are already deployed without it. Retrofitting them will take time, and enterprises may be left with a patchwork of secure and insecure implementations.
MCP servers vary widely in quality and security. Some are officially supported by vendors and follow documented security practices. Others, such as community-maintained connectors or database MCP servers, are entirely open source, with varying levels of quality control, code review, and reputation. The risk is that low-reputation servers, sometimes deployed by internal teams or downloaded off GitHub, may grant excessive privileges, effectively exposing customer data to model-driven exploits.
Gartner points out several areas where enterprises should take caution:
- Always assume a remote MCP server is untrusted and filter any data or instructions you receive.
- Keep a full inventory of MCP servers in use, since many may become legacy technical debt.
- Use only HTTPS based servers and prefer those that support the latest protocol updates.
- Harden the underlying workloads to monitor network and file access
- Expect the protocol to evolve, but recognize that enterprise grade features like adaptive access control may take years to develop.
“It is reasonable to anticipate it will take time for MCP to evolve into such an enterprise-grade security state, if it ever gets there.”
These recommendations are an important reminder that MCP is still young. Security leaders cannot assume the ecosystem will secure itself.
How Aqua Extends MCP Security
This is where Aqua Secure AI comes in. Our focus is not on rewriting the MCP protocol or building another gateway. Instead, Aqua secures MCP usage where it matters most: inside the workload as closely as possible to where the AI app is running
Here is how Aqua aligns with and extends Gartner’s recommendations:
Discovery and inventory
Aqua automatically discovers MCP tools, AI models, and services running inside containers. This gives security teams a real time inventory of AI usage, including shadow AI that may not be visible through traditional monitoring.
Visibility into runtime activity
Using our lightweight eBPF-based Enforcer, Aqua can see the traffic between containers, models, and MCP tools. That includes prompts, responses, and tool calls. Security teams gain the full context of how MCP is being used in production. Aqua can monitor and secure all types of MCP servers, both remote and local, which is impossible to do using gateways.
Detection of unsafe or malicious behavior
Aqua inspects every interaction for risks. This includes detecting prompt injection attempts, exposure of secrets or personally identifiable information, unsafe tool use, and toxic responses. If something suspicious happens, Aqua alerts or blocks according to policy. This inspection is critical to LLM security in production.
Unified forensic trail
All MCP activity is tied into Aqua’s forensic pipeline. If a malicious prompt leads to a file deletion attempt or container compromise, Aqua shows the full trace from the AI app down to the OS level. This allows teams to investigate faster and understand the complete attack path.
Non intrusive deployment
Unlike gateways or SDK based approaches, Aqua requires no code changes and no application level integration. The Enforcer works inside the container, so developers can continue using MCP and AI tools without friction.
Looking ahead to agentic AI security
As enterprises begin experimenting with agentic AI systems that act autonomously, agentic AI security will depend on the same workload-level protection that Aqua provides.
Why MCP Security Matters for Enterprises
The reality is that MCP security will continue to evolve. Authorization standards will improve, gateways will emerge, and adaptive access control may eventually become part of the protocol. But enterprises cannot wait for that maturity to arrive.
AI workloads are already in production today. If your organization is using MCP to connect models to external tools, you are already exposed to the AI security risks Gartner describes. You need visibility into what MCP tools are being used, how they are used, and whether that usage is safe.
Aqua Secure AI provides that protection now. By embedding security directly into the workload, Aqua ensures that even if MCP servers lag in updates or security features, your environment is not left unprotected.
From Gartner’s Guidance to Action with Aqua Secure AI
MCP is one of the most important developments in the AI ecosystem this year. It makes AI applications more powerful and more flexible, but it also opens new security challenges that cannot be ignored. Gartner’s latest report highlights both the promise and the pitfalls of MCP security.
The MCP standard will improve over time, but attackers will not wait for those updates. Enterprises that rely only on protocol changes risk being exposed. Aqua Secure AI delivers the visibility and protection you need at the workload layer, so you stay secure no matter how quickly MCP evolves.
Access the full Gartner report on AI Security Trends and Developments
See how Aqua Secure AI can help you discover, monitor, and protect MCP usage without friction, Get exclusive access.
