Anthropic introduced the Model Context Protocol (MCP) in November 2024, and since then, we have seen an explosion of interest from companies rushing to adopt the standard. MCP is a lightweight, open protocol that standardizes a way for AI assistants and Large Language Models (LLMs) to gain additional context — like external data, tools, and services — to accomplish tasks. This makes MCP essential for organizations looking to scale AI responsibly and effectively.
While MCP unlocks unprecedented interoperability and efficiency in agentic workflows, it demands comprehensive guardrails to address emerging risks in security, observability, and governance. Early security research and ecosystem reports have already highlighted misconfigurations and unsafe MCP server deployments in the wild, such as unauthenticated/network‑exposed instances or overly powerful tools. As enterprises begin adopting MCP at scale, they should proactively introduce a dedicated gateway layer to enforce consistent security controls, resilience, and policy‑driven governance across agentic workflows.
Below, we break down the key challenges enterprises face when adopting MCP, along with five practical strategies to help secure their AI infrastructure, control costs, and innovate responsibly.
Navigating the Five Challenges of MCP Integration
1. Agentic Identity and Tool-Level Access Control Challenges: In MCP-driven agentic architectures, the core challenge today is around authentication and authorization,, especially how authenticated identities are constrained, delegated, and enforced as agents invoke tools across distributed systems. Intelligent agents often act on behalf of users, other agents, or system principals across multiple MCP servers, making it difficult to consistently determine permitted actions at each step. While OAuth-based IAM establishes identity and coarse-grained access, it can’t express tool-level intent, least-privilege permissions, or multi-hop delegation. Teams therefore rely on ad hoc authorization embedded in individual services, leading to fragmented policies, over-scoped access, and brittle security models. As agents chain tools across boundaries, the authorization context becomes ambiguous and implicitly expands. What’s missing is a consistent way to enforce fine-grained, tool-level authorization on top of authenticated identities.
2. Tool Poisoning and Context-Based Attacks: A critical vulnerability within MCP lies in the way LLMs interpret tool metadata as natural language context. This opens the door to Tool Poisoning Attacks (TPAs), where malicious instructions embedded in tool descriptions manipulate agent behavior, potentially leaking data, executing unintended actions, or corrupting workflows. This governance nightmare is a direct result of developers spinning up ad-hoc MCP servers without a standardized process, often by manually wrapping existing REST APIs. The risk compounds when MCP servers are publicly exposed or shared across organizational boundaries without robust validation layers, leading to a sprawl of buggy, risky, and inconsistent tools that have no central oversight.
3. System Fragility and Operational Blind Spots: In agentic architectures, failures in remote MCP servers can cascade across entire workflows. Agents frequently chain tools across multiple MCP servers, often owned by different teams or organizations, so a single degraded dependency can stall or break broader processes. The issue is not that MCP lacks native support for high availability, but that many deployments expose tool servers directly without resilient traffic-management layers. As a result, workflows lack standardized retries, failover, circuit breaking, and intelligent load balancing, making them fragile under real-world conditions. This fragility is compounded by limited observability into MCP-specific traffic. Traditional API metrics cannot explain agent-tool interactions, latency accumulation, token usage, or failure points across chained calls. Together, these gaps make MCP systems hard to operate at scale and turn transient faults into systemic outages.
4. Fragmented Developer Experience and Discoverability Gaps: As MCP adoption grows, so does the fragmentation of tools and servers. Developers face significant friction when trying to discover trusted, well-documented MCP services. Without a standardized registry or a central developer portal where tools can be published and managed, or the ability to curate tool collections into logical bundles (e.g., “DevOps tools”), onboarding new tools is opaque and inconsistent, undermining collaboration, slowing iteration, and limiting reusability across teams and organizations.
5. Context Growth and Inefficient LLM Usage: As agentic systems scale, LLM context management becomes increasingly difficult. MCP allows agents to discover and invoke a growing number of tools, each with associated metadata and parameters. Although MCP does not automatically inject this context, agent implementations often include broad tool metadata to preserve flexibility during early experimentation. Over time, this inflates prompts, increases token consumption and latency, and drives up operational costs. Agents may also overuse tools that are readily available in context due to simplistic decision logic or poor task scoping, leading to inefficient execution paths in multi-agent workflows. The core issue is not limited semantic intelligence, but the lack of clear architectural boundaries between agent logic and execution infrastructure. Without standardized execution patterns and visibility into LLM usage, teams struggle to optimize cost, performance, and reliability in production.
Providing the Right Guardrails to Safeguard MCP Servers
While MCP integration is not without its challenges, organizations that treat MCP as a natural extension of API management and implement it through a gateway architecture can build resilient, scalable AI systems ready for production deployment.
Here are five practical strategies for enterprises looking to safely and efficiently integrate MCP servers.
1. Layer Authorization for Agentic Workflows: In MCP-driven, agentic architectures, identity is still established through existing IAM systems and OAuth-based flows. The challenge is not replacing those systems, but extending them to handle agent-specific, tool-level authorization as agents chain actions across distributed MCP servers.
Rather than attempting to fully centralize IAM, the emerging pattern is a layered authorization model. OAuth remains responsible for authentication and coarse-grained authorization, while a dedicated control layer enforces fine-grained, MCP-aware policies on top of those identities. This allows organizations to preserve their existing IAM investments while addressing gaps that traditional OAuth scopes and roles were never designed to cover.
By introducing tool-level access controls at the MCP layer, teams can:
- Constrain what authenticated agents are allowed to do, not just who they are
- Apply least-privilege permissions per tool and capability, even when multiple tools share the same OAuth identity
- Prevent over-scoped tokens from automatically granting access to every downstream tool
- Standardize authorization across MCP servers, without embedding complex logic into each service
This layered approach becomes especially important as agents act autonomously and invoke tools dynamically. OAuth establishes trust, but tool-level ACLs define intent and boundaries, ensuring that authenticated agents cannot exceed their operational mandate.
When combined with infrastructure-level guardrails and traffic management, this model enables organizations to move beyond experimentation and deploy agentic systems that are secure, auditable, and resilient by design without forcing a rewrite of their existing identity infrastructure.
2. Standardize Server Generation and Enforce Layer Trust Boundaries: To mitigate risks like tool poisoning and inconsistent governance, organizations must control how MCP servers are created, exposed, and accessed, rather than allowing ad hoc implementations to proliferate. A major source of risk comes from developers manually wrapping existing REST APIs into MCP servers, embedding natural-language tool metadata without standardized validation or oversight.
By using a gateway to auto-generate MCP servers from existing REST APIs, organizations establish a clear trust boundary at the MCP layer. This enables consistent governance through fine-grained, tool-level access control, ensuring that only explicitly authorized agents or consumers can discover and invoke specific tools. Enforcing least-privilege access at this layer significantly reduces the blast radius of malicious or malformed tool definitions and prevents uncontrolled tool sprawl.
Parallelly, organizations must address context-based attacks that target the LLM itself, where malicious instructions are injected through prompts, tool descriptions, or retrieved context. This is where LLM-side guardrails play a critical role. By applying dedicated safety and content inspection controls at the LLM interaction layer, teams can automatically detect and block prompt injection attempts, toxic content, and PII leakage before model responses are generated or acted upon.
Together, these layered controls close the governance gap created by ad hoc MCP servers:
- MCP-layer controls define which tools exist and who may call them
- LLM-layer guardrails protect how context is interpreted and acted upon
- Both are enforced centrally, without requiring changes to individual agents or tools
This layered approach transforms MCP from an experimental integration pattern into a governable, prod-ready foundation for agentic systems, even in environments where tools are shared across teams or organizational boundaries.
3. Implement MCP-Aware Observability and Layered Resilience Controls: MCP-based workflows depend on remote services and multi-hop tool chains, making operability and visibility critical for production deployments. Rather than relying solely on generic API metrics, platforms must provide MCP-aware observability that captures how agents interact with tools across distributed systems.
Purpose-built MCP observability enables teams to:
- Track which tools are being invoked by agents, and in what sequence
- Measure end-to-end latency across chained tool calls, not just individual requests
- Correlate errors and failures to specific MCP servers or tools
- Understand traffic patterns unique to agentic workflows, which are invisible to traditional API monitoring
At the same time, resilience must be applied at the appropriate layer. While MCP governs tool discovery and invocation, circuit breaking, retries, and load balancing operate at the LLM and traffic-management layer, protecting agent workflows from upstream model failures, degraded providers, or cascading request storms. By isolating failures before they propagate, these controls prevent localized issues from impacting broader agentic systems.
Together, MCP-aware observability and layered resilience controls transform MCP from an opaque integration surface into a manageable, production-ready component. This allows platform teams to maintain SLOs, detect degradation early, and govern agent behavior at scale without conflating responsibilities across architectural layers.
4. Improve Developer Experience with Standardized MCP Interfaces and Curated Exposure:
As MCP adoption scales, developer productivity suffers when tools and servers proliferate without consistent interfaces, documentation, or ownership. The solution is not to rely on authorization controls for discovery, but to standardize how MCP servers are exposed, described, and curated through a common control layer.
By introducing a gateway layer in front of MCP servers, organizations can:
- Standardize MCP server generation and metadata, ensuring tools are consistently described, documented, and exposed
- Provide a single, predictable interface for discovering MCP services, regardless of which team owns the underlying tools
- Curate and group MCP tools into logical collections (e.g., “DevOps,” “Customer Support,” “Finance”), reducing cognitive overhead for developers and agents
- Control tool visibility separately from access, ensuring only relevant tools are surfaced to specific consumers or workflows
This approach improves discoverability and onboarding before authorization is even evaluated. Fine-grained access controls can then be layered on top to enforce least-privilege usage, but they are no longer responsible for solving discovery or developer experience problems.
By managing MCP servers and tool metadata declaratively (e.g., via infrastructure-as-code workflows), organizations reduce fragmentation, improve reuse across teams, and enable faster iteration without sacrificing governance or security.
5. Standardize and Optimize LLM Interactions at the Infrastructure Layer: As agentic systems scale and MCP enables broader tool discovery, inefficiency often comes not from prompt size alone, but from fragmented provider APIs, inconsistent generation workflows, and suboptimal request routing across models. While agents remain responsible for constructing and managing context, the infrastructure layer plays a critical role in standardizing how LLM interactions are executed and routed. By providing a unified interface for advanced generation patterns — like batch processing, file-based context ingestion, multi-modal inputs, and real-time streaming — platform teams reduce integration complexity and duplicated logic across agents. Combined with provider-aware and semantic-aware routing, this ensures LLM requests are handled efficiently, reliably, and consistently across multi-model environments.
Rather than implicitly shrinking context, this approach creates a stable, efficient execution foundation for LLM interactions, allowing teams to optimize cost, performance, and availability while keeping prompt design firmly under application control.
The Role of the Gateway in Responsible AI Integration
As disruptive businesses understandably rush to adopt the MCP standard, they would invariably need an infrastructure that treats MCP not as a fringe developer protocol, but as an essential production interface. Some platforms extend core API management principles — like security, observability, governance — into the AI integration layer. This convergence is not futuristic; it’s already available through specific, enterprise-grade MCP gateway solutions.
Thanks to this convergence, enterprises can now:
- Apply consistent policies across AI and non-AI APIs. Apply consistent authentication and governance policies across all workloads — whether they serve human developers or AI agents — with centralized OAuth 2.1 enforcement and fine-grained MCP (ACLs) on top of OAuth, that align directly with the MCP specification to enforce least-privilege access.
- Monitor and secure all agent interactions and service calls in one place. Move beyond standard API metrics with purpose-built MCP observability and integrated guardrails (like Lakera.ai for LLMs), enabling teams to monitor every agent interaction, prevent PII leakage, track tool usage, and diagnose performance issues across the entire AI toolchain.
- Control access and enforce boundaries even in autonomous workflows. Auto-generate secure MCP servers from existing REST APIs, and instantly apply all existing security policies as a trust boundary, utilizing native circuit breakers (for LLMs) to shed traffic from unhealthy upstreams and prevent cascading failures.
- Scale agentic AI integrations safely across business units. By curating and exposing tools through a central developer portal, platform teams can manage discovery and consumption for both human developers and AI agents across multi-modal, file-based, and real-time streaming workflows, spanning an expanded ecosystem of providers such as Anthropic, xAI(Grok), and Alibaba Cloud.
By leveraging a solution like Kong AI Gateway v3.13, organizations have started moving MCP from a fragile, ad-hoc experiment to an enterprise-grade reality. This AI gateway delivers the first comprehensive, dedicated MCP capabilities — from a centralized OAuth 2.1 policy that solves the IAM complexity, to fine-grained tool-level ACLs that eliminate governance gaps, and advanced load balancing that finally opens the black box, allowing teams to harness the full agility of MCP while enforcing the rigorous control, visibility, and security demanded in real-world deployments.
By bringing this new, robust standard of API discipline into the world of agentic AI, enterprises are finally equipped to future-proof their AI investments and lead the way toward scalable, responsible agentic architectures. Building AI systems that can safely integrate with the world starts with treating integration as the strategic, first-class discipline it has now become. Securing and governing MCP isn’t just a technical requirement — it’s the non-negotiable foundation for innovation that lasts.
