Over the last year, Model Context Protocol (MCP) servers have transitioned from "cool developer experiments" into critical production infrastructure. Developers love them because they allow AI agents to open tickets, query databases, and update records with almost zero integration backlog.
But there is a fundamental truth we must acknowledge before moving forward: The AI revolution is actually an API revolution. Every action an AI agent takes, every context an MCP server provides, and every tool a CoPilot triggers is, at its core, an API call.
If AI agents are your new workforce, MCP servers are their master key system, and the keys are APIs. Currently, many organizations are handing out these master keys without building a security desk.
Understanding MCP Servers and Associated Attack Vectors
Think about how an AI agent works. A user gives it a task. The LLM reasons through it. Then the agent reaches out through MCP servers to interact with real systems: your CRM, your file storage, your internal APIs, your third-party services.
Every one of those interactions is an action. Every action carries risk.
The LLM is the brain. The MCP servers are the hands. The APIs are the buttons and levers that those hands can press. Securing the brain without securing the hands is not a security strategy. It is a gap.
When most people think about AI security, they think about the LLM itself. Prompt injection. Jailbreaks. Model safety. Those are real concerns, but they're not where your biggest exposure lives in a production agentic environment.
Your agents don't just think. They act. They use MCP servers to connect to your internal systems, databases, APIs, and SaaS applications. MCP is like the hands of your agentic infrastructure. And right now, for most organizations, those hands are completely invisible to your security team.
If your organization is deploying AI agents:
- MCP servers connect agents to your most sensitive systems, and they're being stood up faster than anyone is tracking them.
- The vulnerability works precisely because MCP's STDIO interface allows arbitrary OS command execution with minimal authentication. You need to understand what your agents are authorized to do and monitor what they actually do.
At Salt, we built the Agentic Security Graph, the only framework that gives security teams full visibility and control across all three layers of agentic infrastructure: the LLM, the MCP servers, and the APIs they call. Not because we predicted this exact vulnerability, but because we understood the structural problem from the start.
The Paradigm Shift: The AI Action Layer
The risk in AI has officially shifted from the "model" to the AI Action Layer. The model doesn't log into your systems; the agent does, exclusively through APIs. Analyst research underscores the urgency: Gartner® predicts that by 2028, 80% of organizations will see AI agents consume the majority of their APIs, and that through 2029, over 50% of successful cybersecurity attacks against AI agents will exploit access control issues.
A "hardened" MCP server is more than a secure config file; it is a governed API asset. At Salt Security, we help CISOs and their teams secure this layer through our three-pillar strategy: See It, Govern It, and Protect It.
Pillar 1. See It: Discovery Beyond the "Shadow AI" Iceberg
You cannot protect what you cannot see. MCP servers often start as local scripts that quickly drift into production, creating a massive, unmanaged API attack surface.
- The Visibility Gap: Traditional inventory tools are static. They miss the "Shadow" MCP servers and the dynamic, ephemeral APIs created by agents on the fly via protocols like MCP and A2A.
- The Salt Advantage: Salt’s Discovery engine provides a real-time, continuous inventory of your entire agentic attack surface. We identify the connection, map the data flow, and classify the business risk, ensuring that "temporary" developer experiments don't become permanent backdoors.
Pillar 2. Govern It: Posture and the "Least Privilege" Mandate
A hardened MCP server treats machine identities with more scrutiny than human ones. Because agents operate at machine speed, a single misconfigured API can cause a catastrophic data leak within seconds.
- The Governance Gap: Most teams use shared API keys or broad "run_any_query" tools that violate every principle of Zero Trust.
- The Salt Advantage: Salt’s Posture Governance engine automatically identifies and classifies the sensitivity of data (PII, financials, secrets) flowing through these AI-to-API interactions. We enable CISOs to demonstrate compliance with the EU AI Act and ISO 42001 by enforcing granular access controls and ensuring AI agents have only the privileges necessary to function.
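An added illustration of the governance gap above (example code, not Salt's product or any real MCP implementation): the weak setting is a single catch-all `run_any_query` tool that runs whatever text the LLM produces; the hardened setting gives each agent identity an explicit allowlist of narrow tools with validated arguments. Agent ids, tool names and the `TKT-` ticket format are assumptions made for this demonstration.

```python
"""Least-privilege gate for MCP tool calls (constructed example)."""
import re

# Weak: one shared tool; the agent's prompt decides what SQL actually runs.
WEAK_TOOLS = {"run_any_query": {"args": {"sql": str}, "scope": "any"}}

# Hardened: narrow tools with typed, validated arguments (assumed names).
TICKET_ID = re.compile(r"^TKT-\d{1,8}$")
HARDENED_TOOLS = {
    "get_ticket_status": {"args": {"ticket_id": TICKET_ID}, "scope": "read"},
    "add_ticket_comment": {"args": {"ticket_id": TICKET_ID, "text": str}, "scope": "write"},
    "export_customers":   {"args": {}, "scope": "bulk_read"},
}

# Per-agent allowlist: what each machine identity may call (assumed agents).
AGENT_POLICY = {
    "support-bot":   {"get_ticket_status", "add_ticket_comment"},
    "analytics-job": {"export_customers"},
}

class ToolDenied(Exception):
    pass

def authorize(agent: str, tool: str, args: dict, tools=HARDENED_TOOLS) -> str:
    """Return the call's scope if the agent may make it, else raise ToolDenied."""
    if tool not in AGENT_POLICY.get(agent, set()):
        raise ToolDenied(f"{agent} may not call {tool}")
    spec = tools[tool]["args"]
    if set(args) != set(spec):  # no extra or missing arguments, ever
        raise ToolDenied(f"{tool}: unexpected arguments {sorted(set(args) ^ set(spec))}")
    for name, rule in spec.items():
        value = args[name]
        if isinstance(rule, re.Pattern):
            if not isinstance(value, str) or not rule.match(value):
                raise ToolDenied(f"{tool}: bad {name}={value!r}")
        elif not isinstance(value, rule):
            raise ToolDenied(f"{tool}: {name} must be {rule.__name__}")
    return tools[tool]["scope"]

def is_allowed(agent: str, tool: str, args: dict) -> bool:
    """Boolean wrapper around authorize() for policy checks and tests."""
    try:
        authorize(agent, tool, args)
        return True
    except ToolDenied:
        return False

def is_overbroad(tool_spec: dict) -> bool:
    """Posture check: flag any tool that accepts free-form query or command text."""
    return any(k in ("sql", "query", "command") for k in tool_spec["args"])
```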
Pillar 3. Protect It: Stopping "Low-and-Slow" Intent Attacks
Prompt injection is the new phishing. If an attacker tricks your LLM, they aren't just getting a bad answer—they are triggering malicious API calls through your MCP server.
- The Detection Gap: Traditional WAFs and gateways are blind to business logic abuse. They see individually valid API calls, missing the malicious intent behind a sequence of requests.
- The Salt Advantage: Salt’s Threat Protection uses patented Intent Analysis and behavioral baselining to detect when an AI agent goes "off-script." If an agent that normally queries ticket status suddenly attempts a bulk data export, Salt identifies the anomalous behavior and blocks the activity in real time.
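The off-script scenario above, as an added example of behavioral baselining over an audit log of MCP tool calls (example code written for this page, not Salt's detection engine). It learns which tools each agent normally calls and how many records those calls return, then flags a call that uses a tool the agent has never used or returns far more records than its baseline. The JSON log format, agent id and tool names are constructed assumptions.

```python
"""Behavioral baseline for an agent's MCP tool calls (constructed example)."""
import json
from collections import defaultdict

# Constructed learning-window log: one JSON object per tool call (assumed format).
BASELINE_LOG = "\n".join(
    json.dumps({"agent": "support-bot", "tool": "get_ticket_status", "rows": r})
    for r in (1, 1, 1, 2, 1, 1, 3, 1, 1, 1)
)

# Constructed live traffic: the agent that only ever looked up tickets
# suddenly tries a bulk export, then a lookup that returns far too much.
LIVE_LOG = "\n".join([
    json.dumps({"agent": "support-bot", "tool": "get_ticket_status", "rows": 1}),
    json.dumps({"agent": "support-bot", "tool": "export_customers", "rows": 52000}),
    json.dumps({"agent": "support-bot", "tool": "get_ticket_status", "rows": 900}),
])

def parse(log: str) -> list:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def build_baseline(events: list) -> dict:
    """Per agent and tool: the largest row count seen during the learning window."""
    base = defaultdict(dict)
    for e in events:
        seen = base[e["agent"]]
        seen[e["tool"]] = max(seen.get(e["tool"], 0), e["rows"])
    return base

def detect(events: list, baseline: dict, volume_factor: int = 10) -> list:
    """Return (event, reason) for every call that departs from the agent's baseline."""
    alerts = []
    for e in events:
        profile = baseline.get(e["agent"], {})
        if e["tool"] not in profile:
            alerts.append((e, "novel tool for this agent"))
        elif e["rows"] > volume_factor * profile[e["tool"]]:
            alerts.append((e, f"volume {e['rows']} exceeds baseline max "
                              f"{profile[e['tool']]} by more than x{volume_factor}"))
    return alerts

def run_demo() -> list:
    """Learn from BASELINE_LOG, then score LIVE_LOG; returns the alert list."""
    return detect(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG)))
```

The same structure extends to a sequence view (for example, counting distinct ticket ids read per window) to catch a low-and-slow export made of individually ordinary calls.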
MCP Posture Management
Organizations face pressure from internal policies and industry compliance regulations alike. At Salt, our posture governance engine offers dozens of prebuilt templates for fast time-to-value, plus the ability to create custom policies and alerts in just a few clicks.
Securing agentic infrastructure means covering every layer: agents, MCP servers, APIs, and downstream services, each generating different security risks, including external exposure, configuration posture, code-level risk, and runtime behavior. The Agentic Security Graph is Salt Security's answer: a unified security context that correlates four distinct data sources into one view of your agentic environment, with agentless or minimal deployment.
Salt empowers you to enforce security and compliance across API-driven AI infrastructure, evaluating posture across AI agents, MCP servers, and LLM integrations while flagging non-compliant APIs and misconfigured MCPs.
From Checklist to Action
A hardened MCP server isn’t about slowing down innovation; it’s about providing the guardrails to move at AI speed.
As Gartner says: “Model Context Protocol (MCP) and Agent2Agent (A2A) do not replace existing APIs. They rely on APIs for data, context, tools and resources.” To navigate this shift safely, organizations must “Double down on API security by adding specialist security solutions to supplement standard gateway protections.” By moving to a platform that unifies discovery, posture, and protection, you can embrace the power of AI without putting the company at risk from unchecked API configurations.
The next time a team says they are "just testing MCP," ask them: "If an attacker manipulated this agent to exfiltrate data via our APIs right now, would we even see the traffic?" If the answer is no, it's time to build your blueprint.
If you want to learn more about Salt and how we can help you, please contact us or schedule a demo. You can also get a free Agentic Attack Surface Assessment from Salt Security's research team and learn what attackers already know.
Source: Gartner, “How MCP and the A2A Protocols Impact API Management,” Shameen Pillai, Mark O’Neill, Aaron Lord, 25 August 2025. Gartner is a registered trademark of Gartner, Inc. and its affiliates. All rights reserved.
