Being a leader or a laggard in the AI race is a crucial differentiator for any brand. But in the rush to be first out of the gate with AI-based innovation, are modern organizations opening themselves up to risk? Model Context Protocol (MCP), the emerging standard that enables AI models to interact with external tools and services, often relies on tokens and secrets passed silently behind the scenes. When misused or exposed, these tokens can become a silent backdoor, one that’s invisible to traditional IT controls and easy to overlook.
For IT security managers, MCP and AI connectors represent a new class of risk, and in many ways have become the modern equivalent of shadow IT. It’s time to get two steps ahead before an incident occurs.
The Threat You Can’t See: Shadow MCP
Just like shadow IT, shadow MCP refers to technology introduced into your environment without formal review or approval. But while shadow IT usually involves unapproved SaaS tools or endpoints such as personal devices, shadow MCP is harder to detect: it’s code-level, deeply embedded, and often transitive, which means it can sneak in through third-party packages or pasted scripts.
AI tools like LangChain, Semantic Kernel, and even ChatGPT APIs are increasingly embedded in internal apps and automation flows. These integrations often use MCP to connect models to plugins, APIs, or internal systems, sometimes with tokens and secrets hardcoded in code or config files. Without central oversight, you’re left with a distributed mesh of model interactions, many of which your team didn’t authorize, doesn’t know about, and can’t monitor.
Why is Shadow MCP Worse Than Traditional Shadow IT?
Although using the metaphor of shadow IT can help security and IT teams to understand the shadow MCP challenge, the two are not equal in risk. After all, shadow IT is basically a problem of visibility, and information for SaaS tools is usually centralized or logged, or can be uncovered with minimal effort.
In contrast, MCP connectors can be triggered at runtime, invoked from build scripts, agents or containers, and can connect directly to external services using API keys or long-lived tokens. This makes shadow MCP a control problem, and makes enforcement a whole lot harder for three main reasons:
- There’s no authentication broker or SSO protecting the call: When an AI agent or an application uses MCP to connect to an external service, it doesn’t go through your standard login system, so there’s no way for IT to track, control or limit the request.
- Tokens can be scoped too broadly, or not changed regularly: APIs use tokens to give access, but these can give more access and privileges than is safe, and may also not be rotated often enough, or at all. Even after people leave the business or tools change, an attacker may still have that token.
- There is no endpoint logging with MCP: Most MCP calls won’t leave behind a log which says what was accessed, or who by. If something goes wrong, your business doesn’t have traceability or an audit trail, so you won’t be able to say what happened or even know how to fix it.
In short: it’s like letting someone borrow a master key, never asking for it back, and not writing down who took it or what they opened. The result is a growing attack surface that sits outside your current access controls and SIEM visibility, quietly operating behind the scenes.
Real-World Risk Scenarios
Let’s think about two real-world risk scenarios that could cause trouble for your organization.
First up, a developer copies a script from a tutorial. This tutorial uses an AI agent to summarize tickets, adding productivity to the workflow and saving a ton of time for CSMs. The script connects to OpenAI with a hardcoded API key, pushing data from your Jira instance for processing. Unfortunately, the developer doesn’t realise it includes internal or sensitive ticket content. Worse, the token is never rotated, and gives access to other AI services, making it a persistent and untracked backdoor.
Let’s raise the stakes. Imagine an open-source dependency includes a plugin that sends structured prompts to a third-party service, perhaps for enrichment or parsing. The connector uses OAuth, but also an outdated token-handling library that allows for token replay, which could be exploited for unauthorized access.
In both of these cases, AI-driven workflows are not protected by your usual security processes or tools.
How to Regain Control: Build an AI Connector Registry
The path back to full control is a well-worn one. Remember the principles of SaaS vendors and cloud resources when you moved to the cloud? The fear of unmanaged endpoints from remote work or hybrid office set-ups? The same now applies to MCP workflows and AI model connectors. You need to start cataloging and controlling how your environment interacts with external models and agents.
Think about an AI connector registry as your inventory of all MCP usage, including model endpoints, orchestration tools, API keys and any plugins. This will give you full visibility to understand exactly what’s being used across the pipeline.
Implementation Path: Lightweight but Strategic
Getting practical about it, here are the four key steps to building an AI connector registry for your organization:
1. Discover
Scan source code, containers, and CI/CD pipelines for known AI SDKs, MCP endpoints, and model orchestration behavior with a comprehensive modern application security platform. This gives you a baseline: where are models being used, and how are they connecting?
2. Register
Define a process for formally documenting approved model usage. This doesn’t need to be bureaucratic, but it should include the model, the connector type (e.g. API, plugin, SDK), and the data being sent. Map this registry to your internal data classification policies.
3. Monitor
Set up ongoing scanning for AI-specific behaviors, such as prompt chaining, outbound endpoint calls, and embedded API keys. Use tooling that can integrate with your CI/CD and alert on unauthorized or unknown MCP behavior with shift left in mind, ie: before it reaches production.
4. Enforce
Apply policy-as-code to ensure that only registered and approved model interactions are allowed to ship. Block unregistered AI connections in your pipeline. Looking ahead, require code reviews and metadata tagging for new integrations.
You’ve Seen This Before — Don’t Wait for the Breach
This isn’t the first time innovation has outpaced governance. We saw it with cloud sprawl, shadow SaaS, and bring-your-own-device. Now it’s happening again, but this time it’s with AI.
MCP itself is not the underlying issue, it’s just one element of a new world built around AI. We need to start thinking hard about agent autonomy, and how we keep security shifting left as we give more and more power to these systems. Without the right controls in place, MCP can become an invisible attack surface, but with a structured but lightweight approach, it can become a manageable part of a wider AI strategy.
Join our LinkedIn group Information Security Community!
