The MCP Governance Problem Nobody's Talking About
Executive Summary
Model Context Protocol is the new hotness. Every week brings dozens of fresh MCP servers—filesystem access, database connectors, API integrations, code execution. The ecosystem is growing faster than anyone can track.
That velocity is precisely the problem.
MCP adoption today looks like npm circa 2015: everyone publishing, nobody vetting, security treated as someone else’s problem. A developer finds a useful-looking MCP server on GitHub, drops it into their config, and suddenly their LLM can read files, execute queries, hit external APIs.
Convenient? Absolutely. Auditable? Not even close. Defensible to your security team after a breach? Good fucking luck.
This post addresses:
- The Trust Vacuum: Why “open source” is not a security posture.
- The Accountability Gap: Who owns the blast radius when an MCP server misbehaves?
- The Enterprise Nightmare: A concrete scenario of how this catastrophically fails.
- What’s Missing: The governance capabilities the ecosystem entirely lacks.
The core thesis: MCP tooling has outpaced MCP governance by approximately eighteen months. The bill comes due eventually.
1. The Trust Vacuum
1.1 The “Open Source” Fallacy
“It’s open source, so it must be safe.”
This reasoning is weapons-grade stupidity, and it’s pandemic in the MCP space.
Open source means the code is visible. It does not mean:
- Anyone reviewed it.
- Anyone competent reviewed it.
- That review happened recently.
- That review covered security implications.
- The maintainer isn’t malicious, compromised, or simply negligent.
MCP servers are not libraries you import and sandbox. They’re processes with capabilities—filesystem access, network calls, code execution. An MCP server with filesystem scope can read your SSH keys, your .env files, your customer data exports sitting in ~/Downloads because someone was “just testing something.”
The attack surface is not theoretical. It’s immediate, practical, and largely unexamined by the people cheerfully pip install-ing their way to a breach.
1.2 The Provenance Problem
Consider the typical MCP adoption flow:
- Engineer finds MCP server via Google/GitHub/Reddit.
- Engineer skims README, sees “useful features.”
- Engineer runs
pip installor clones repo. - Engineer adds to MCP config.
- LLM now has new capabilities.
At no point does anyone ask:
- Who maintains this?
- What’s their track record?
- When was the last security audit? (Never. The answer is never.)
- What data can this access?
- Where does telemetry go?
- What happens when the maintainer’s GitHub account gets compromised?
You wouldn’t install random npm packages into production without review. Why the fuck are you giving random MCP servers access to your LLM’s context—which increasingly includes proprietary code, internal documents, and customer data?
The cognitive dissonance is staggering.
2. The Accountability Gap
2.1 The Org Chart Question
When an MCP server causes a security incident, who owns it?
| Stakeholder | Likely Response |
|---|---|
| Developer who installed it | ”It was on GitHub with 200 stars. Seemed legit.” |
| Engineering Manager | ”I didn’t know they were using external MCP servers.” |
| Security Team | ”We have no visibility into MCP configurations.” |
| Platform Team | ”MCP isn’t in our scope. We do infrastructure.” |
| CISO | ”What the fuck is MCP?” |
This is not a technology problem. It’s a governance vacuum. Nobody owns MCP security because nobody has defined MCP security as a domain requiring ownership.
And in that vacuum, chaos breeds.
2.2 The Audit Trail That Doesn’t Exist
After a security incident, investigators need answers:
- What MCP servers were active?
- What tools were invoked?
- What data was accessed?
- When did access occur?
- Who authorized the server’s installation?
In most current MCP deployments, the answer to all five questions is identical: “We don’t know.”
No centralized registry of approved servers. No logging of tool invocations. No access controls beyond “can reach the socket.” No approval workflow. No audit trail.
You’re operating a capabilities system with the governance posture of a 2005 PHP application. Congratulations on your innovation.
3. The Enterprise Nightmare Scenario
This is not hypothetical. It’s inevitable. The only variable is timing and whether it happens to you or your competitor first.
3.1 The Setup
Your company adopts LLMs for internal productivity. Developers love Claude/GPT with tool access. Someone sets up MCP servers to provide useful context:
- Internal documentation
- Code repositories
- Database read access (for “quick queries”)
- Slack integration (for “context gathering”)
Productivity goes through the roof. Leadership is thrilled. The quarterly report mentions “AI-driven efficiency gains.” Everyone gets a pat on the back.
3.2 The Incident
Six months later, security gets a call. Customer proprietary data appeared on a paste site. Source unknown.
Investigation timeline:
- Week 1: Security audits production systems. Nothing unusual.
- Week 2: Someone mentions “those AI tools the devs use.” Security asks: “What AI tools?”
- Week 3: Discovery that 47 different MCP servers are running across engineering laptops. No inventory exists. Nobody knows who installed what.
- Week 4: One server—installed by an intern who left three months ago—was logging all tool invocations to an external endpoint “for debugging.”
The intern isn’t malicious. They’re just an intern who didn’t know better. The malice is in the system that let this happen without anyone noticing.
3.3 The Aftermath
- Legal exposure: Customer data exfiltration. Contract breach. Potential regulatory violation depending on jurisdiction and data type.
- Forensic impossibility: No logs of what data was accessed. No way to scope the breach. You can’t tell customers what was compromised because you genuinely don’t know.
- Accountability void: Nobody approved the server. Nobody reviewed it. Nobody even knew it existed until the breach investigation.
The incident didn’t happen because someone was malicious. It happened because nobody was governing. The system was designed—through negligence—to fail exactly this way.
4. What’s Missing From the Ecosystem
MCP as a protocol is elegant. MCP as deployed in enterprises is a governance catastrophe.
Here’s what production MCP adoption actually requires—and what nobody is building:
4.1 Allowlisting
Only pre-approved MCP servers should run. Not “anything from GitHub that looks useful.” Not “whatever the team found on Reddit.”
An allowlist means:
- Security reviews server before approval.
- Known-good versions are pinned.
- Updates require re-approval.
- Unapproved servers cannot connect—full stop.
This is table stakes. It doesn’t exist.
4.2 Audit Logging
Every tool invocation must be logged:
| Field | Purpose |
|---|---|
| Timestamp | When did this happen? |
| User/Session | Who triggered it? |
| Server + Tool | What capability was invoked? |
| Arguments | What was requested? |
| Data Accessed | What did it touch? |
| Response Summary | What was returned? |
When security asks “what did this server access?”, you need an answer that isn’t a shrug and an apology.
4.3 Access Control
Not every user needs every tool. This should be obvious. It apparently isn’t.
- The intern doesn’t need database write access.
- The contractor doesn’t need internal documentation.
- The marketing team doesn’t need code repository access.
Role-based access control for MCP capabilities is non-negotiable for enterprise deployment. It doesn’t exist in any coherent form.
4.4 Lifecycle Management
MCP servers are processes. Processes misbehave.
| Capability | Why It Matters |
|---|---|
| Health monitoring | Is this server responsive or silently dead? |
| State tracking | COLD → READY → DEGRADED → DEAD |
| Automatic recovery | Restart failed servers without human intervention |
| Garbage collection | Kill idle servers consuming resources |
| Visibility | What’s running right now across the fleet? |
Without lifecycle management, you’re operating blind. You won’t know a server is down until someone complains their tools stopped working.
4.5 Isolation
MCP servers should not share a trust boundary with the host system by default.
Container isolation provides:
- Scoped, controlled filesystem access
- Explicit network policies
- Blast radius containment for compromised servers
- Bounded resource consumption
Running MCP servers as naked subprocesses with full host access is security malpractice. It’s also the default configuration everywhere.
None of this exists as a coherent solution in the ecosystem today.
5. The Point
MCP is going to be everywhere. The protocol is solid. The tooling ecosystem is exploding. The governance story is nonexistent.
This isn’t a criticism of protocol designers—governance wasn’t their problem to solve. But it’s someone’s problem, and right now nobody’s solving it.
The enterprises adopting MCP today are building on sand. They’re one intern’s debugging server, one compromised maintainer, one misconfigured permission away from a breach they cannot forensically investigate because the audit trail doesn’t exist.
Someone will build the governance layer. Might be Anthropic. Might be a well-funded startup that raises $50M to solve a problem the ecosystem created through collective negligence.
“MCP tooling has outpaced MCP governance by eighteen months. The bill comes due eventually—and interest accrues daily.”
Disclosure: I’m building MCP Hangar in this space. The entire project is MIT-licensed at github.com/mcp-hangar/mcp-hangar.