In this wide-ranging conversation, Salesforce SVP Marla Hay explains why the Model Context Protocol (MCP)—an open standard connecting large language models to tools and data—has surged in importance, and how its power raises familiar but acute security concerns.
She outlines concrete defenses, including least-privilege permissions, short-lived tokens, granular scopes, and continuous monitoring. Hay also details what to look for in a trustworthy MCP server, and why the protocol’s evolution—such as newly added authorization—points to a future where security is increasingly “baked in” as MCP becomes as ubiquitous as today’s API economy.
Core Takeaways
- What MCP is: An open standard that gives LLMs and agents a common “language” to interact with many APIs and data sources, reducing one-off integrations.
- Risk profile: The risks aren’t new (access control, token handling, prompt injection) but become more acute with MCP’s automation and breadth of access.
- How to mitigate: Enforce least-privilege, use short-lived tokens, request granular scopes, and perform ongoing permission reviews to prevent over-permissioning.
- What to buy/build: Choose MCP servers you trust—look for strong permissions management, encryption, logging, and threat/anomaly detection—and track the standard’s evolution (e.g., authorization added) as security becomes more native.
Key Quotes
MCP’s Role in the Stack
“We can think of MCP as almost a USB-C port for APIs. Instead of having to learn the quirks of every single interface you want to talk to—how to format requests, how to authenticate, how to interpret responses—you adopt one protocol and gain a language shortcut across many APIs and data sources. That shared grammar is what speeds up agent-to-agent and human-to-agent workflows and reduces a lot of brittle, one-off integration work.”
“When people say we live in an API economy, MCP is a way to move faster inside that economy. By standardizing the way large language models and agents converse with services, you get a consistent way to plug in capabilities. That’s why you’re seeing so much excitement: it compresses the integration layer and lets teams focus on actual outcomes rather than glue code.”
Risks: Familiar—but More Acute
“With any powerful connector, security has to be designed in from the start. The categories of risk in MCP—over-permissioning, token mismanagement or access breaches, and prompt injection—aren’t new in themselves. What’s different is the intensity: because MCP can automate actions on your behalf and fan out across multiple systems, the blast radius of a mistake can grow quickly if you don’t constrain it.”
“Think of it as the same threat model we know from access protocols, turned up a notch by automation. The more you allow an agent to do, the more deliberate you have to be about scoping that permission and monitoring its use. That’s why our recommendations emphasize controls that shrink exposure by default.”
Least Privilege, Token Hygiene, and Permission Reviews
“First and foremost, keep permissions as low as possible—true ‘least privilege.’ If an agent only needs to read emails to provide summaries, don’t grant the ability to send messages or download contacts. Tokens should be protected and short-lived so that even if a server is compromised, the window of usefulness is tiny. On the provider side, expose granular scopes; on the client side, ask for the smallest set that accomplishes the task.”
“It’s tempting to over-permission ‘just in case,’ but a better pattern is just-in-time elevation as the user attempts a more sensitive action. Pair that with continuous visibility—surface what’s been granted to whom, flag heavy or unusual permissions, and review them regularly. These are classic practices, but MCP’s reach makes them essential.”
Trustworthy Servers and a Maturing Standard
“Choose MCP servers you trust. Look for strong permission management at a granular level, encryption baked in, robust logging, and anomaly or threat detection so you’re alerted—or blocked—when behavior looks off. Treat the server like any connected application that can act on your behalf; the bar for trust should be high because it will hold tokens and execute operations in your name.”
“The protocol itself is evolving in the right direction. Authorization was added to MCP in June, which is a meaningful step toward security being native to the standard. Expect more attention to token time-to-live, scoping, and better defenses against prompt injection. As these pieces harden, MCP will feel less like ‘new plumbing’ and more like the everyday connective tissue of agentic systems—very much in line with how the API economy matured.”
