Treat MCP servers as privileged third-party code.
MCP expands what an agent can do. That makes server provenance, tool descriptions, command arguments, credentials, and runtime isolation part of the security boundary.
[Diagram: Connector trust boundary, spanning command, args, tool descriptions, env, network, and outputs.]
Baseline
MCP controls before production use.
The minimum goal is to make connector behavior explicit, narrow, reviewable, and observable before tools touch sensitive systems.
Inventory MCP servers before agents can load them.
Pin server packages, commands, and arguments instead of trusting mutable defaults.
Review tool descriptions as untrusted input that can influence model behavior.
Scope credentials by connector and session rather than sharing a broad environment.
Require approval when tools, permissions, or server commands change.
Monitor tool-call arguments before filesystem, shell, browser, or SaaS actions run.
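As an added example that is not part of the original page, the following Python checks a client config in the common "mcpServers" JSON shape (command, args, env per server) against a reviewed inventory, reporting unlisted servers, drifted commands or arguments, and environment keys outside the connector's scope. The server names, package names, tokens and inventory are constructed placeholders, not real projects.

```python
import json
from typing import Any

# Constructed example of an MCP client config in the common "mcpServers"
# JSON shape. The package names and token values are illustrative only.
LOADED_CONFIG = json.loads("""{
  "mcpServers": {
    "files": {"command": "npx", "args": ["-y", "@example/fs-server@latest", "/"],
              "env": {"FS_TOKEN": "x", "AWS_SECRET_ACCESS_KEY": "y"}},
    "tickets": {"command": "uvx", "args": ["example-tickets-server==1.4.2"],
                "env": {"TICKETS_TOKEN": "z"}}
  }
}""")

# Constructed inventory: the reviewed, approved definition of each connector
# (pinned command, pinned args, and the only env keys it may receive).
# A server missing from this inventory must not be loaded at all.
INVENTORY: dict[str, dict[str, Any]] = {
    "files":   {"command": "npx", "args": ["@example/fs-server@2.1.0", "/srv/data"],
                "env_keys": {"FS_TOKEN"}},
    "tickets": {"command": "uvx", "args": ["example-tickets-server==1.4.2"],
                "env_keys": {"TICKETS_TOKEN"}},
}


def audit_config(config: dict[str, Any], inventory: dict[str, dict[str, Any]]) -> list[str]:
    """Return one finding per deviation from the inventory; an empty list means
    the loaded config matches what was reviewed and approved."""
    findings: list[str] = []
    for name, server in config.get("mcpServers", {}).items():
        approved = inventory.get(name)
        if approved is None:
            findings.append(f"{name}: server not in inventory")
            continue  # nothing pinned to compare against
        if server.get("command") != approved["command"]:
            findings.append(f"{name}: command {server.get('command')!r} "
                            f"differs from pinned {approved['command']!r}")
        # Exact comparison catches mutable defaults such as "@latest" or "-y".
        if list(server.get("args", [])) != approved["args"]:
            findings.append(f"{name}: args {server.get('args')!r} "
                            f"differ from pinned {approved['args']!r}")
        # Any env key not scoped to this connector is a credential leak path.
        extra = set(server.get("env", {})) - approved["env_keys"]
        if extra:
            findings.append(f"{name}: env exposes unscoped keys {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for finding in audit_config(LOADED_CONFIG, INVENTORY):
        print("BLOCK:", finding)  # any finding means approval is required
```

A non-empty result should block loading the connector until the change is reviewed, which is the approval gate the list above calls for.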