AI
Data Leakage, Prompt Injection, and OAuth Misconfigurations
Data leakage is the biggest problem at a bank. Prompt injection can extract information from parsed emails and trigger unexpected tool executions. OAuth misconfiguration is a hard problem. In the last month alone, there were four Entra ID token related misconfigurations. Attackers can impersonate agents and users. The fix is short-lived tokens, strong identity controls, and avoiding over-permissioning. Treat the prompt as untrusted user input.
Misconfiguration at Scale and the Confused Deputy Problem
The blast radius is much bigger with AI. An unauthorized command like “get me all the things the CEO has access to” yields the golden mine. Smulovics shared a demo: an AI tasked with upgrading a dependency found a component had become paid. Instead of reimplementing, it generated a working keygen. The confused deputy problem is built into MCP: an attacker can disguise a tool call as from a legitimate source. MCP does not introduce new bugs but amplifies existing ones.
Why MCP Security Is Hard: Nondeterminism and Implicit Trust
AI is nondeterministic. Developers do not know what will happen. The MCP protocol lacks permission boundaries. Multihop calls create cascading risk. The confused deputy problem lets an attacker pretend to be a legitimate tool. The whole execution chain is invisible. Implicit trust propagation is dangerous. Security must be secured at the boundaries, not at the model. Treat the prompt as untrusted. Use prompt shields and input validation.
Building a Secure MCP Reference Architecture
Microsoft recommends least privilege: scope each MCP server, minimize data access, limit actions. Use strong authentication like Entra ID. Tokens must be short-lived and stored securely. Choose isolation: local MCP servers for limited blast radius or remote servers with extra security for high-value users. Implement input validation and tool output filtering. Use an MCP gateway for domain-specific policies. Centralize identity and token lifecycle. Deploy observability with OpenTelemetry across all choke points.
Scaling Security: From Dev to Continuous Governance
At dev stage, do threat modeling, simulate attacks, validate contracts. At prepod, introduce red teaming, audit permissions, validate identity. At prod, continuous monitoring, policy enforcement, runtime protection. Implement continuous security: inventory all MCP servers, remove unused ones, track ownership. Prevent shadow IT through server registries and approval processes. Three teams must collaborate: platform teams build the gateway, application teams define tools and permissions, security teams provide oversight.
Future: Zero Trust, Policy as Code, AI Firewalls
The ideal future includes packaged MCP gateway products with zero trust principles built into agents and protocols. Policy as code lets teams declaratively define what an agent is allowed to do. AI firewalls that stop prompt injection in under 10 milliseconds are coming. The November MCP standard introduced capability attestation. The big shift is from API security to agent security. As capabilities expand, shrink trust.
Q&A
How should non-technical users handle OAuth scopes when approving MCP tools? Use a gateway approach or custom app with token exchange to abstract scopes and enforce checks. ▶ Watch (22:00)
Is the industry production-ready for regulated environments? Not yet for complex execution; read and write are fine, but execution with security boundaries is still six months away. ▶ Watch (23:53)
Notable Quotes
Uh I’m working at a bank so data leakage is probably the biggest problem I could have. Peter Smulovics · ▶ Watch (0:02)
MCP itself doesn’t introduce new bugs in my mind but it helps you amplify the bugs if you already have there. Peter Smulovics · ▶ Watch (9:01)
So the big shift here is we are moving away from API API security into agent security. Peter Smulovics · ▶ Watch (21:00)
As we are expanding capabilities and I all for it, we have to shrink trust. Peter Smulovics · ▶ Watch (21:18)
Key Takeaways
- Treat the prompt as untrusted user input.
- Use short-lived tokens and strong identity controls for MCP servers.
- Implement continuous security: inventory, remove unused servers, track ownership.
About the Speaker(s)
Peter Smulovics is a Distinguished Engineer at Morgan Stanley with 15+ years at the firm and 30+ in the industry. A 2× Microsoft MVP and co-creator of C#, he serves as Vice Chair of FINOS (Linux Foundation) Technical Oversight Committee and leads Open Source Readiness. He focuses on applying security principles to AI at scale.