MCP servers are the new privileged-dependency class. Your AI agents trust them with production credentials. Safeguard provides the governance layer: verified registry, capability-manifest review, scoped per-server credentials, and full audit logs of every tool invocation.
An open protocol with explosive ecosystem growth, and no governance layer between "someone published it" and "it has your production credentials".
A traditional package dependency is code. An MCP server exposes tools — with capabilities to send email, read files, query databases. The security question is not "what does the code do?" but "what permissions does it hand the AI?"
An MCP server wrapping your Salesforce API has your Salesforce credentials by design. A malicious server does not need to escape; it was granted the keys at install time.
Because tool calls are triggered by LLM output, prompt injection anywhere upstream can trigger tool calls the operator never intended. Every context-window input is effectively a candidate instruction.
Engineers install servers for experiments and never uninstall them. Over months you accumulate ad-hoc tools with stale credentials. None of it is on your asset inventory.
Tiered trust model — Tier 1 for official, signed, widely-used servers; Tier 2 for reviewed community servers; Tier 3 blocked in production. Capability manifests reviewed before an MCP server is allowed in the org registry.
Purpose-built service identities per MCP server deployment. Credentials scoped to exactly the APIs the server declares needing. No more generic "MCP runner" role with broad cloud permissions.
Every MCP tool call logged with full context: server, tool, arguments, LLM session, user. Drift from declared capability triggers alerts. Anomalous patterns (off-hours, unusual args) surface for review.
A developer requests an MCP server be added. Safeguard automatically fetches the manifest, verifies the signature, pulls down the source for review, and surfaces any dependency, capability, or credential-scope concerns to the security reviewer. On approval, the server is added to the org registry with scoped credentials provisioned and logging enabled. Invocations flow to your SIEM. Capability drift triggers a review ticket. Stale servers expire unless re-affirmed.
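As an added illustration of the audit and capability-drift checks described above (example code, not Safeguard's own): a capability manifest for a hypothetical "crm-mcp" server, a few constructed audit records, and a review pass that flags undeclared tools, undeclared arguments and off-hours calls. The manifest, tool names, business-hours window and sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Constructed capability manifest for a hypothetical "crm-mcp" server: tool -> allowed argument names.
MANIFEST = {
    "query_accounts": {"filter", "limit"},
    "get_contact": {"contact_id"},
}
BUSINESS_HOURS_UTC = range(8, 19)  # assumed policy window: 08:00-18:59 UTC
@dataclass
class ToolCall:
    """One audit record with the context the text lists: server, tool, args, session, user."""
    server: str
    tool: str
    args: dict
    session: str
    user: str
    ts: datetime

def review_call(call: ToolCall, manifest: dict = MANIFEST) -> list[str]:
    """Findings for one call; an empty list means it matches the declared capability."""
    findings = []
    allowed_args = manifest.get(call.tool)
    if allowed_args is None:
        # Drift: the server invoked a tool it never declared.
        findings.append(f"DRIFT undeclared tool {call.tool!r}")
    elif extra := set(call.args) - allowed_args:
        # Drift: a declared tool called with arguments outside its declared schema.
        findings.append(f"DRIFT undeclared args {sorted(extra)} on {call.tool!r}")
    if call.ts.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
        findings.append(f"ANOMALY off-hours call by {call.user} at {call.ts.isoformat()}")
    return findings

def review_log(calls: list[ToolCall]) -> dict[str, list[str]]:
    """Map LLM session id -> findings, omitting sessions with nothing to review."""
    report: dict[str, list[str]] = {}
    for call in calls:
        if findings := review_call(call):
            report.setdefault(call.session, []).extend(findings)
    return report

# Constructed sample audit events (not real data).
SAMPLE_CALLS = [
    ToolCall("crm-mcp", "query_accounts", {"filter": "region=EU", "limit": 50},
             "sess-1", "alice", datetime(2024, 5, 6, 10, 15, tzinfo=timezone.utc)),
    ToolCall("crm-mcp", "send_email", {"to": "ops@example.com"},
             "sess-2", "bob", datetime(2024, 5, 6, 3, 2, tzinfo=timezone.utc)),
    ToolCall("crm-mcp", "get_contact", {"contact_id": "C1", "export_all": True},
             "sess-3", "carol", datetime(2024, 5, 6, 14, 0, tzinfo=timezone.utc)),
]
```

Findings are surfaced per session so a reviewer sees the full call in context rather than a bare alert; routing them to a SIEM or ticket queue is the integration step the page describes.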
Put the registry, review process, and audit trail in place before MCP scales across engineering and business teams.