The hidden risks of MCP: when an MCP deletes a production database

MCP (Model Context Protocol) is spreading quickly. What started with developers experimenting on the side has become the backbone of agentic AI experiences in tools like Claude, Cursor, and GitHub Copilot. MCP provides the connective tissue that allows AI clients and LLMs to use real tools, move data, and take actions without the fragile custom integrations teams used to build.

The same design choices that make MCP powerful also make it risky. Local servers, hidden tool catalogs, and supply chain gaps mean destructive actions can happen faster than security teams can react. The challenge now is how to embrace MCP without losing visibility or control.

What MCP really does

MCP isn’t a traditional server sitting in a data center. It’s lightweight software that provides standardized access to third-party resources. By acting as the link between AI clients, LLMs, and APIs, it replaces the need to manually stitch workflows together with code, prompt engineering, and vector databases Users can rely on MCP to make those connections for them.

That means a developer can ask, “Find idle EC2 instances and shut them down,” and the model, via MCP, will identify the right APIs, call them, and complete the task. The result is a major unlock. What once took custom scripts and brittle logic can now be orchestrated with a single request.

It is no surprise adoption is accelerating. Vendors from Salesforce to GitHub are publishing MCP servers, and everyday users, not just engineers, are starting to plug them in. MCP is quickly becoming the standard way to bring real-world actions into AI workflows.

How MCP flows and why it matters

Understanding MCP’s flow explains both its value and its risks. When a user makes a request, the AI client does not just pass along the prompt. It also passes the catalog of available MCP tools to the model. The model then decides which tool to use, and sends a command back to the client, which in turn calls the MCP server to execute.

This shift puts the model in the driver’s seat and the user may never even see or approve each action. That risk grows when MCP servers include destructive operations like “delete” or “update” enabled by default. 

This creates serious concerns:

• Local installs: developers can spin up MCP servers on their laptops with little oversight
• Prompt injection: tools can shape model behavior by embedding instructions in their metadata
• Supply chain risk: malicious or vulnerable packages can exfiltrate sensitive data
• Approval fatigue: users may bypass warnings, or never be asked to confirm actions at all

While MCP opens the door to powerful automation, it also expands the attack surface in ways most organizations are only beginning to understand.

Balancing productivity and protection

The obvious solution, blocking MCP, does not work. When employees lose access to the tools they rely on, they turn to shadow AI, creating even greater risk. The better approach is to combine visibility with controls that work at the model boundary.

SurePath AI sits at the network layer, watching the requests that flow between clients, models, and MCP servers. When an MCP server offers tools to a model, SurePath AI can intercept that list, redact the risky ones, and pass the safe options along. The model still responds to the user but without access to destructive capabilities.

In this demo, we show how a local AWS MCP server exposed the ability to spin up enormous AWS EC2 instances, an action that could rack up massive costs instantly and how we removed those options in-flight, and the model responded with code examples instead of launching resources. The user stayed productive, IT got full visibility, and no risky actions slipped through.

This also highlights why strong identity governance is critical. MCP often runs under a user’s own credentials, which means any excessive permissions follow them into AI-driven workflows. Enforcing least-privilege access has always been best practice, but with MCP, it becomes essential to prevent destructive or large-scale actions from occurring automatically.

Conclusion

MCP’s rapid adoption shows how powerful its promise is: connecting GenAI directly to the tools, data, and workflows that drive real results. But that same capability is what makes governance so critical. The organizations that succeed with MCP will be the ones that balance innovation with visibility and control, enabling the benefits of automation without expanding their risk surface.

Book a demo to see how you can govern any of the GenAI solutions that you build, adopt, or buy, including MCP.