MCP Security: Why Enterprise AI Needs A New Trust Model

Shreyans Mehta, ForbesTech


Expertise from Forbes Councils members, operated under license. Opinions expressed are those of the author. …, a pioneer of unified API protection.

Last quarter, one of our Fortune 500 financial services clients discovered an AI agent had been making unauthorized database queries for three weeks.

The agent, initially granted read-only access to customer data for a chatbot project, had then dynamically chained together multiple API calls to reconstruct sensitive financial profiles, information it was never supposed to access. The security team's post-mortem revealed something unsettling: every action was technically "authorized." The agent used valid tokens from Okta, made legitimate API calls to approved services and triggered no anomaly detection rules. Yet the combination of these calls, the dynamic sequence the agent constructed in real time, created a serious security breach that traditional monitoring did not catch.

Welcome to the Model Context Protocol era, where the traditional rules of API security no longer apply.

For two decades, the industry built APIs on a simple premise: deterministic behavior equals trustworthy systems. You define the logic, validate the flows, deploy the code and audit the outcomes. Once an API performs as expected, you can trust it to consistently repeat that behavior. Authentication happens at login, a token is issued and that token grants consistent, predictable access throughout its lifetime. This model worked because APIs were designed by humans, tested by humans and used by humans. Identity platforms like Okta, Microsoft Entra ID and Google Cloud Identity Platform excelled at this: authenticate the user once, issue a token and trust that the subsequent API calls align with tested, approved workflows. The entire security posture depended on predictability. If you could map all possible execution paths, you could secure them.

MCP fundamentally breaks this model. In MCP-powered environments, AI agents don't follow pre-programmed workflows; they generate workflows dynamically based on context, available tools and the problem they're solving. The same input today might produce a completely different sequence of API calls tomorrow. In technology parlance, this is called "non-deterministic."

This isn't a bug; it's a feature. MCP's power lies in its flexibility. An agent analyzing quarterly revenue doesn't follow a rigid script but instead discovers what data it needs, determines which tools can retrieve the needed data and constructs a novel chain of actions to get the answer. This adaptability is what makes AI agents valuable.

Consider what happens when an agent is given a simple task: "Summarize our Q3 customer complaints." In an MCP environment, that agent might:
  • Fetch email conversations from the messaging platform

Each individual action is authorized. Each API call uses a valid token. But nobody pre-approved this specific combination of actions. Nobody tested whether this particular chain of calls might expose data that should remain siloed. And critically, nobody is monitoring whether the agent's behavior aligns with the human user's original intent.

Modern identity solutions were built for the login moment, not the entire workflow lifecycle. They authenticate users brilliantly with multifactor authentication, conditional access policies and risk-based authentication. But once they issue an identity token, they're effectively blind to how that token gets used.

In the API era, this limitation was manageable. Tokens were used for predictable, tested actions. If something went wrong, you could trace it back through application logs and identify the deviation from expected behavior. In the MCP era, there is no "expected behavior" to deviate from. Every workflow is unique. Every sequence of tool calls is generated on the fly.

Traditional identity platforms can tell you who authenticated, but they can't tell you:
  • Whether the combination of actions violates policy
  • Whether the workflow aligns with the original user intent

This visibility gap isn't theoretical. It's measurable. In our research across enterprise MCP deployments, we found that 73% of agent-initiated API calls involved tools or data sources not mentioned in the original user prompt. While the agent made reasonable decisions to fulfill its task, those decisions were invisible to security teams until after the fact.

As enterprises lean further into MCP-driven automation, the takeaway is clear: it is no longer enough to secure individual API calls, because security teams now need to understand and govern the dynamic chains of actions that AI agents construct on their own. Organizations need to monitor full agent workflows, not just endpoints; establish policies, guardrails and limits tailored specifically to AI agents rather than human users; and explore emerging MCP-aware or zero-trust extensions that can enforce policy across entire sequences rather than at the individual request level. These steps set the foundation for what comes next, which I will examine in part two as we look at the trust gaps created by shadow MCPs, token reuse and prompt-driven attacks, and outline the kind of modern trust model required to close them.
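As an added illustration, not code from the article or its author, the following Python sketch models the gap described above: a per-call allowlist passes every call in a constructed agent session, while a sequence-level rule catches the point at which customer PII and financial-profile data are combined inside one workflow, and an intent check surfaces tools outside the scope implied by the user's prompt. The tool catalogue, data classes, policy and session are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolCall:
    """One MCP tool invocation recorded from an agent session (constructed model)."""
    tool: str
    args: tuple = ()

# Constructed tool catalogue: which classes of data each tool can return.
TOOL_CATALOG = {
    "tickets.search": frozenset({"complaints"}),
    "mail.search": frozenset({"complaints", "customer_pii"}),
    "crm.get_customer": frozenset({"customer_pii"}),
    "ledger.get_accounts": frozenset({"financial_profile"}),
}
# Per-call allowlist: the agent's token is valid for every one of these tools.
ALLOWED_TOOLS = frozenset(TOOL_CATALOG)
# Sequence policy: data classes that must not be combined inside one workflow,
# even though every tool involved is individually permitted.
FORBIDDEN_COMBINATIONS = (frozenset({"customer_pii", "financial_profile"}),)

# Constructed session for the prompt "Summarize our Q3 customer complaints".
SESSION = [
    ToolCall("tickets.search", ("quarter=Q3",)),
    ToolCall("mail.search", ("label=complaints",)),
    ToolCall("crm.get_customer", ("id=4711",)),
    ToolCall("ledger.get_accounts", ("customer=4711",)),
]

def check_per_call(calls, allowed=ALLOWED_TOOLS):
    """The request-level check a token-based gateway performs today."""
    return [c.tool for c in calls if c.tool not in allowed]

def check_sequence(calls, forbidden=FORBIDDEN_COMBINATIONS):
    """Accumulate data classes touched so far; report the call completing a forbidden combination."""
    seen, tripped, findings = set(), set(), []
    for i, call in enumerate(calls):
        seen |= TOOL_CATALOG.get(call.tool, frozenset())
        for combo in forbidden:
            if combo <= seen and combo not in tripped:
                tripped.add(combo)
                findings.append((i, call.tool, combo))
    return findings

def check_intent(calls, expected_scope):
    """Tools whose data classes share nothing with the scope implied by the prompt."""
    return [c.tool for c in calls
            if not (TOOL_CATALOG.get(c.tool, frozenset()) & expected_scope)]
```

For the constructed session the per-call check returns nothing, while the sequence check flags the fourth call and the intent check flags the CRM and ledger tools as outside the prompt's "complaints" scope.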
