MCP Security Checklist | Andrew Dannenberger

Authorization & Identity

Who the agent is, and what it is allowed to do on whose behalf.

Each MCP tool runs with least-privilege credentials, not a shared admin token.
The agent's identity is distinct from the end user's — no ambient or inherited authority. Prevents confused-deputy situations where the agent acts with more privilege than the requesting user holds.
Access scopes are defined and enforced per tool, not granted broadly across the server.
Credentials and tokens are short-lived and rotated; long-lived static secrets are avoided.

Tool Boundaries & Scope

What each tool can be asked to do, and with what inputs.

Tool parameters are validated against a strict schema before execution.
Tools cannot be invoked with arbitrary paths, queries, or commands supplied by the model.
The tool catalog exposed to the model is the minimum needed for the task. A smaller surface means fewer ways for a manipulated model to take an unintended action.
High-impact tools (delete, pay, send, deploy) are clearly separated and gated.

Human Oversight

Where a person stays in the loop — especially for irreversible actions.

Consequential actions (writes, payments, deletions, external sends) require explicit human approval.
Approval prompts show the actual action and parameters — not a model-written summary. A summary can be manipulated; the real call cannot hide what it will do.
Users can deny or modify a proposed action before it executes.

Input & Content Trust

Treating retrieved data and tool output as untrusted by default.

Retrieved content and tool output are treated as untrusted input (indirect prompt injection).
System instructions are isolated from user- and tool-supplied content.
Untrusted content cannot silently change which tools are called or with what arguments.

Auditing & Monitoring

Being able to see, after the fact, exactly what happened.

Every tool invocation is logged with inputs, outputs, and the acting identity.
Logs are tamper-resistant and retained according to policy.
Anomalous tool-use patterns are monitored and can raise alerts.

Deployment & Supply Chain

Where the MCP servers come from and what they can reach.

MCP servers come from trusted sources and are pinned to known, reviewed versions.
Network egress from tools is restricted to the destinations they actually need.
Secrets are never passed through the model context or prompt.

Sources & Inspiration

CIS Controls v8.1 Model Context Protocol (MCP) Companion Guide (Principal Co-author)
CIS Controls v8.1 AI and LLM Companion Guide (Collaborator)
CIS Controls v8.1 AI Agents Companion Guide (Collaborator)

This checklist is inspired by these guides and adapted into simplified educational form. It is not affiliated with or endorsed by CIS.

Personal educational tool — This checklist is a simplified educational tool on Andrew Dannenberger's personal website. It is not an official CIS checklist, audit, certification, or employer product, and it does not replace a formal security review.