University of Toronto — MCP security risk guidance
AI relevance: MCP is a key protocol for connecting AI models to tools and data, so its deployment model directly shapes the attack surface for agentic systems.
- UofT InfoSec emphasizes that MCP doesn’t create brand-new threats; it amplifies existing risks tied to trust in models, tool power, and system boundaries.
- The guidance breaks down risk by deployment model (local, organizational, multi-tenant, third-party, and hybrid).
- Local MCP deployments become risky when the agent is granted more file and tool access than its task needs; whatever the agent can reach, the model can be steered into misusing.
- Org-hosted MCP increases exposure when a configuration mistake (an overly broad tool scope, a mis-set boundary) leaks internal data to the model or to other users.
- Multi-tenant MCP services raise impact because a single flaw can affect many teams.
- Third-party hosted MCP reduces visibility into data handling and security controls.
- Hybrid MCP setups are rated high risk due to complex boundary crossings and harder-to-detect mistakes.
Why it matters
- MCP is quickly becoming the connective tissue for agent tooling, so deployment choices are security decisions.
- Risk isn’t uniform; multi-tenant and hybrid MCP deployments can turn small mistakes into systemic incidents.
- Security teams need clear threat models for each MCP topology before rolling out agentic workflows.
What to do
- Limit tool and file access for local MCP agents to least-privilege scopes: allowlist the specific directories and tools a task needs rather than a home directory or the whole filesystem.
- Review the configuration of org-hosted MCP services before exposure and audit which data paths each tool can actually reach.
- Segment multi-tenant MCP deployments and plan for blast-radius containment.
- Demand transparency from third-party MCP providers on logging, data retention, and incident response.
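As an added example of the local least-privilege point above (this code is not from the UofT guidance or from any MCP implementation), the following sketches how a local file tool can enforce an explicit allowlist of directories. It mirrors the allowed-directory convention of filesystem MCP servers but the class, the `ScopeError` type and the sandbox layout are assumptions made for illustration. It refuses to start with the filesystem root as a scope, and it checks the resolved path rather than the requested string, so `..` traversal and a symlink inside the allowed directory that points outside it are both blocked.

```python
"""Least-privilege file access for a local MCP tool (added illustration, not project code)."""
import os
import tempfile
from pathlib import Path


class ScopeError(PermissionError):
    """Raised when a requested path resolves outside every allowed root."""


class ScopedFileTool:
    """A read_file tool that only serves paths under explicitly allowed roots.

    Hypothetical helper; real servers take the allowed directories as
    startup arguments, which is the setting this class emulates.
    """

    def __init__(self, allowed_roots):
        if not allowed_roots:
            raise ValueError("refuse to start with no allowed roots")
        # Resolve symlinks now so later comparisons are against real paths.
        self.roots = [Path(r).resolve(strict=True) for r in allowed_roots]
        for root in self.roots:
            # The weak setting: scoping the agent to '/' (or a drive root).
            if root == Path(root.anchor):
                raise ValueError(f"root {root} is the whole filesystem; scope it down")

    def resolve(self, requested):
        # resolve() collapses '..' and follows symlinks, so a symlink inside an
        # allowed root that points outside it is caught here, not just '../'.
        target = Path(requested).resolve()
        for root in self.roots:
            if target == root or root in target.parents:
                return target
        raise ScopeError(f"{requested} resolves to {target}, outside allowed roots")

    def read_file(self, requested):
        return self.resolve(requested).read_text()


def refuses_unscoped_root():
    """True if the tool rejects the filesystem root as an allowed scope."""
    try:
        ScopedFileTool([Path(Path.cwd().anchor)])
    except ValueError:
        return True
    return False


def demo():
    """Build a constructed sandbox with a traversal and a symlink escape attempt."""
    base = Path(tempfile.mkdtemp())
    project = base / "project"
    project.mkdir()
    (project / "notes.txt").write_text("safe content")
    secret = base / "secret.txt"          # sits beside, not inside, the allowed root
    secret.write_text("should never be readable")
    link = project / "escape"             # symlink inside the root pointing outside it
    os.symlink(secret, link)

    tool = ScopedFileTool([project])
    results = {"direct": tool.read_file(project / "notes.txt")}
    attempts = {"traversal": project / ".." / "secret.txt", "symlink": link}
    for name, path in attempts.items():
        try:
            tool.read_file(path)
            results[name] = "ALLOWED"
        except ScopeError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The corrected configuration is the `ScopedFileTool([project])` call: one task-specific directory. The weak configuration is the root-level scope the constructor refuses. The same resolved-path check applies to any tool that accepts a path from the model, not only reads.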