The Problem
API Gateways Are Not Enough
Most teams deploying MCP in production put an API gateway in front of their MCP servers and call it secure. The gateway handles authentication, rate limiting, and TLS termination. The agent presents a valid token, the gateway lets traffic through, and every tool call from that agent is trusted equally.
This is the equivalent of giving someone a building keycard that opens every door. Zero-trust architecture was invented precisely because perimeter authentication is insufficient. The same principles apply to MCP, arguably more so, because AI agents are non-deterministic. You cannot predict which tools an agent will call or what arguments it will pass based on the initial authentication alone.
A compromised agent session with gateway-level auth can call any tool, access any resource, and exfiltrate any data the MCP servers expose. A compromised agent session with zero-trust MCP can do exactly what its scoped credentials allow, nothing more.
Mapping the Principles
Zero-Trust Principles Applied to MCP
Never Trust, Always Verify
Traditional
Verify user identity at the network perimeter.
MCP Zero-Trust
Verify authorization on every individual tool call. A valid session token is necessary but not sufficient. Each call must pass policy checks for the specific tool, arguments, and current session context.
Least-Privilege Access
Traditional
Grant minimum network access required for the role.
MCP Zero-Trust
Grant minimum tool access required for the task. An agent writing documentation does not need database query tools. An agent reviewing code does not need file write tools. Scope the tool set per session purpose.
Assume Breach
Traditional
Segment networks so a breach in one zone cannot reach others.
MCP Zero-Trust
Isolate MCP sessions so a compromised agent cannot access tools or data from other sessions. Credentials are per-session, per-tool, and time-limited. A breach in one session is contained to that session.
Continuous Verification
Traditional
Re-authenticate periodically, monitor for anomalies.
MCP Zero-Trust
Re-evaluate authorization continuously. If an agent starts calling tools outside its normal pattern, increase scrutiny. If a session exceeds its time limit, force re-authentication. Behavioral analysis, not just token validation.
Per-Tool Authorization
Scoped Credentials and Tool-Level Auth
The core mechanism of zero-trust MCP is per-tool authorization. Instead of a single session token that grants access to all tools, each tool call is evaluated against a policy that considers:
# Per-tool authorization policy session: id: "sess_abc123" user: "[email protected]" purpose: "code-review" ttl: 3600 tools: github.get_pull_request: allowed: true scope: "org/repo#*" github.create_comment: allowed: true scope: "org/repo#*" requires: ["github.get_pull_request"] # must read before commenting github.merge_pull_request: allowed: false # code review sessions cannot merge filesystem.read_file: allowed: true scope: "src/**/*.{ts,tsx}" # only source files exclude: ["**/.env*", "**/secrets*"] filesystem.write_file: allowed: false # read-only for review sessions database.query: allowed: false # not relevant to code review
Each tool gets its own credential scope. The GitHub tools receive a token scoped to read pull requests and write comments, but not merge. The filesystem tools receive a path allowlist that excludes sensitive files. Database tools are simply not available. If the agent tries to call a disallowed tool, the request is rejected at the policy layer before it reaches the MCP server.
Session Isolation
Every Session Is a Blast Radius
In zero-trust MCP, sessions are fully isolated. Two agents running for the same user do not share credentials, context, or tool access. Each session gets:
- ▶Unique session ID for audit correlation
- ▶Fresh credentials scoped to the session purpose
- ▶Independent rate limits and usage tracking
- ▶Separate DLP context (cross-call correlation is per-session)
- ▶Time-limited tokens that cannot be reused in other sessions
If one session is compromised through prompt injection or a malicious tool server, the blast radius is limited to that session. The attacker gets access to whatever tools that specific session was authorized to use, for the remaining lifetime of those credentials. They do not get lateral movement to other sessions, other users, or other tool servers.
Continuous Verification
Behavioral Analysis for Agent Sessions
Static policy enforcement is necessary but not sufficient. A legitimate code review session that suddenly starts calling filesystem tools to read credential files is suspicious even if those calls are technically within scope. Continuous verification adds a behavioral layer:
Tool Call Frequency
Detect sudden spikes in tool call rate. A normal agent makes 2-5 calls per minute. An agent under prompt injection attack might make 50.
Tool Call Sequences
Learn normal tool call patterns for each session type. Flag sequences that deviate significantly. Reading a file then immediately calling an external API is more suspicious than reading a file then writing a comment.
Argument Drift
Track the semantic content of tool arguments over time. If arguments start containing data that was not in the original task context, something has changed.
Session Duration
Most legitimate sessions complete within a predictable time range. Sessions that run far longer than expected may indicate an agent stuck in a loop or under adversarial control.
Getting Started
Incremental Zero-Trust Adoption
You do not need to implement full zero-trust MCP on day one. Start with the highest-impact controls and expand:
Tool allowlisting. Define which tools each agent role can access. Block everything not explicitly allowed.
Argument scoping. Add path restrictions, query limits, and parameter validation for allowed tools.
Session isolation. Issue per-session credentials with time limits. Enable audit logging for all tool calls.
Behavioral monitoring. Deploy anomaly detection on tool call patterns. Alert on deviations.
Continuous verification. Implement real-time policy evaluation with behavioral context. Automated session termination on high-confidence anomalies.
mistaike.ai
Zero-Trust MCP Out of the Box
mistaike.ai implements per-tool authorization, scoped credentials, session isolation, and continuous verification as a drop-in MCP proxy.
See How It Works