PolicyLayer

The State of MCP Security June 2026. We classified every tool on every Model Context Protocol server we could enumerate from the public registries - 31,000 tools across 2,031 working servers. The data shows an ecosystem that hands AI agents wide, dangerous, and almost entirely unannounced control over the systems they touch. https://t.co/RdMJ3NqVeA

Deterministic, argument-level policy evaluated pre-execution is what WAFs can't do for MCP. The missing layer isn't a smarter WAF. It's a policy enforcement point at the transport boundary that checks the actual arguments before the call goes through. https://t.co/gW7OeoxCq4 (5/5)

Google shipped a production GCS MCP server this week. The security architecture is worth reading carefully. The release has two modes. Remote: Google hosts the server, IAM controls access, Cloud Audit Logs records every request. Local: you run it, add custom tooling, own the configuration. The interesting piece is the optional content security layer: Google Cloud Model Armor, positioned at the MCP endpoint, scanning for prompt injection, tool poisoning, and malicious SQL or URL injections before requests reach the agent. Read that again. IAM alone is not sufficient. Google is explicitly describing a second, separate control layer for content threats at the request level. This is not unusual. It is the correct architecture. IAM answers: who is allowed to connect. Model Armor answers: does this specific request contain adversarial content. Two different threat surfaces. Two different control points. The gap most production deployments then miss is the third question: even if a request is legitimate and the caller is authorised, does this particular tool call, with these particular arguments, fall within the policy this organisation has defined for this agent? Model Armor does not answer that. IAM does not answer that. Neither knows that this agent should only read from one bucket, or that reads are capped at 1,000 objects per session, or that this particular argument value is outside the allowed range for this grant. Argument-aware policy enforcement is where operational governance lives. The Google release makes the category clearer, not smaller. If you are deploying agents against GCS today, the audit log and Model Armor integrations are worth enabling from day one. For the argument-level policies that sit above them, PolicyLayer handles that layer: https://t.co/GirUP7cytJ

OpenAI's Secure MCP Tunnel solves the right problem for network security teams: private MCP servers that don't expose inbound ports. That's a real blocker for enterprise adoption, and removing it matters. What it does not address is the layer below the transport boundary. The agent that reaches your private MCP server through the tunnel still has whatever access the server's tool list permits. If a tool allows stripe.refund_payment without an amount cap, or postgres.execute_sql without a pattern filter, the tunnel boundary is irrelevant to what the agent can do once it's inside. The two problems are real and separable. Network policy says who can reach the server. Tool-call policy says what they can do when they get there. Both are necessary. A good answer to the first does not reduce the need for the second.

The NSA published formal security guidance on MCP in May. It is worth reading carefully — not primarily for the recommendations, but for what the document signals. The guidance is 17 pages. The core observations are familiar to anyone tracking this space over the past year: the protocol's design was flexible and underspecified, adoption outpaced security infrastructure, and the inversion of the client-server relationship — servers querying and executing for clients rather than the reverse — created attack paths that were not well-traced before deployment reached scale. What is new is the institutional framing. The NSA's AI Security Center does not publish Cybersecurity Information Sheets on speculative risks. When they do publish one, they are describing a threat surface that organisations in regulated industries — finance, defence, critical infrastructure — will shortly be expected to address in writing. Procurement questionnaires follow NSA guidance. Compliance frameworks reference it. The gap between "best practice" and "required control" closes on a predictable schedule. The specific controls the document recommends are worth noting for anyone building agent infrastructure. Align tools and models with data classification zones. Treat all external MCP configuration input as untrusted. Implement comprehensive invocation logging covering exact parameters, identities involved, and the prompts that triggered each call. Apply filtering outgoing proxies for external MCP connections to reduce unintended data leakage. The logging and invocation-tracing requirements describe exactly the audit trail that regulators will ask for. If your agent infrastructure cannot produce a complete record of what tools were called, with which parameters, by which agent, acting on whose behalf — the NSA's May guidance is a preview of where the compliance baseline is heading.