Agentic AI infrastructure continues to push its way into traditional GenAI tools and use cases. The latest development? ChatGPT can now connect to any remote Model Context Protocol (MCP) server, enabling it to trigger tools autonomously as part of the regular ChatGPT experience. While this capability promises to revolutionize how organizations integrate AI into their workflows, it also introduces a new attack surface that security teams must urgently address.
The MCP Accessibility Challenge: Power Without Guardrails
What makes this development particularly concerning from a security perspective is its deceptive simplicity. Despite being labeled under “Developer Mode,” the MCP integration requires minimal technical skills. Any employee with ChatGPT access can potentially connect to remote MCP servers, without specialized training or oversight. This democratization of powerful AI-to-system connectivity creates an immediate governance challenge for security teams.
Security teams will need governance tools to effectively manage which MCPs are authorized within their organization, enforce security controls over data transmitted to MCP servers, or monitor these interactions at scale. Without it, governance at scale will be a critical security gap that organizations must address through policy and process.
Understanding the MCP Risk Landscape
OpenAI has acknowledged several key risks associated with MCP integration, but understanding their full implications is crucial for organizational security:
Data Exfiltration Through Malicious MCP Servers
Malicious MCP servers represent the most immediate threat. These servers can attempt to steal data through sophisticated prompt injection attacks. When ChatGPT calls an MCP server, it transmits the full context needed to execute the requested function. For instance, if ChatGPT searches through an MCP server, that server receives, and can log, all search queries and associated context.
The attack vector becomes particularly dangerous when combined with prompt injection. A carefully crafted injection could trick ChatGPT into calling a malicious MCP server and inadvertently transmitting sensitive data as part of its query. This data might come from the current conversation, connected systems, or even other legitimate MCP servers the user has authorized.
The Write Action Dilemma
Write actions significantly amplify both the utility and risk profile of MCP servers. While OpenAI claims to require human approval before any write function executes, this safeguard relies entirely on the AI’s reasoning engine to correctly identify potentially destructive actions. Like any AI system, ChatGPT’s reasoning can make mistakes, potentially misclassifying harmful operations as benign or vice versa.
The implications are eye opening: an MCP server with write permissions could wipe databases, send communications, or integrate with sensitive integrations, like Stripe. The tool’s assessment of what constitutes a “write action” requiring approval becomes a single point of failure in the security chain.
Routine Data Exposure
Even legitimate, non-malicious MCP servers pose inherent risks. Every MCP server receives whatever data ChatGPT determines is necessary for the interaction. This could include sensitive information from earlier in the conversation, data pulled from other connectors, or contextual information the AI deems relevant.
Consider a scenario where an employee discusses confidential project details with ChatGPT, then later in the same conversation asks it to search for public information through an MCP server. The AI might inadvertently include proprietary context in its query, exposing sensitive data to the external server.
Supply Chain and Account Takeover Risks
MCP servers themselves become high-value targets for attackers. If an MCP server holds or has access to sensitive organizational data, it becomes an attractive target for:
- Prompt injection attacks designed to provoke destructive actions, or overshare data from sensitive MCP servers
- Supply chain risks including typosquatting and rug-pull style attacks
- Supply chain attacks compromising the MCP server infrastructure
Critical MCP Server Security Recommendations
Given these risks, organizations planning to leverage ChatGPT MCP server capabilities must implement comprehensive security measures:
- Establish Trust Boundaries: Only connect to verified, trusted servers. This means:
- Maintaining an approved list of MCP servers at the organizational level
- Implementing a vetting process for new MCP servers that includes security assessment
- Regularly auditing connected servers for security updates and potential compromises
- Use only trusted and official MCP servers
- Requiring security review for any third-party MCP server connections
- Comprehensive Employee Education: The accessibility of MCP connections makes user education paramount. Organizations must:
- Develop clear policies on MCP usage and communicate them organization-wide
- Train employees to recognize the risks of connecting to unknown or untrusted servers
- Educate users on data classification and what information should never be shared through MCP-connected sessions
- Create awareness about prompt injection risks and social engineering attempts
- Establish clear escalation paths for suspicious MCP behavior or requests
- Implement Strict Human Supervision Protocols: Never use “Approve for this conversation” for write actions. This convenience feature essentially grants ChatGPT carte blanche to execute potentially destructive operations without further human intervention. Instead:
- Require explicit approval for each write action
- Examine the autonomy level of different AI Agents within your organization
- Log all approved actions for audit purposes
- Regularly review approved actions to identify potential security incidents or policy violations
- Deploy Runtime Protections: While governance tools are still catching up to this new capability, organizations should implement AI runtime protection measures:
- Deploy AI Data Loss Prevention (DLP) solutions that can inspect ChatGPT sessions
- Enforce human-in-the-loop controls before any destructive action
- Implement a kill switch that can immediately terminate destructive behavior before it is executed
Looking Ahead: The MCP Governance Gap
The rapid adoption of MCP by major AI providers has outpaced the development of enterprise governance tools. This creates a challenging period where organizations must balance innovation with security through primarily manual processes and existing security tools not specifically designed for this use case.
Security teams should actively engage with:
- Their AI platform vendors to understand roadmap plans for MCP governance features
- Security tool vendors to advocate for MCP-specific detection and prevention capabilities
- Industry peers to share best practices and threat intelligence related to MCP usage
Conclusion: Proceed with Measured Caution
The integration of MCP into ChatGPT represents a powerful advancement in AI capabilities, but it also introduces significant security challenges that organizations cannot afford to ignore. The combination of easy accessibility, limited governance tools, and substantial risk potential creates a perfect storm for potential security incidents.
Organizations should not prohibit MCP usage outright, doing so would forfeit significant competitive advantages. Instead, they must implement comprehensive security measures, establish clear policies, and maintain vigilant oversight while the governance ecosystem matures.
The key is to move forward with eyes wide open, understanding that today’s MCP integration is powerful but immature from a security perspective. By implementing the recommendations outlined above, organizations can begin to harness the benefits of MCP while maintaining reasonable security postures.
As the MCP ecosystem evolves, so too must our security strategies. The organizations that successfully navigate this transition will be those that balance innovation with prudent risk management, treating MCP not as just another feature, but as a fundamental shift in how AI systems interact with our digital infrastructure.
Contact Noma Security for more insights on MCP server governance specifically and agentic AI security generally.
