21 Apr 2026

The Model Context Protocol security story is really a story about organisational immaturity moving faster than organisational readiness. Eighty-three percent of organisations are deploying agentic AI. Twenty-nine percent are prepared for it. That gap is not a minor concern for consumer credit operations — it is the conditions under which a regulatory incident becomes inevitable.

MCP servers are the connective tissue between AI agents and the tools they act on. Book a meeting, query a database, trigger a workflow. In a loan origination context, that starts to look like: pull a credit file, update an application status, initiate a payout. The moment an agent can do those things autonomously, you have created a privileged access pathway that most security teams have not modelled yet.

The vulnerabilities the research points to — tool poisoning, privilege escalation — are not exotic. They are the same classes of problem we saw with early REST APIs before the industry standardised on OAuth and proper token scoping. We fixed those eventually. The concern is that with agentic AI, the attack surface is wider and the blast radius of a compromised agent is larger, because the agent can chain actions across systems before anyone notices.

What This Means in Practice

• Authentication on MCP servers cannot be an afterthought bolted on after deployment
• Tool definition pinning matters enormously — an agent acting on a silently modified tool definition is a serious exposure
• Sandboxing agentic workflows from production data systems is not optional in a regulated consumer credit environment

The FCA has been clear that firms are responsible for outcomes, regardless of whether a human or an automated system produced them. A customer harmed by an agent acting on poisoned instructions is still a harmed customer.

The uncomfortable question for technology leaders right now is whether your governance processes for agentic AI deployment are anywhere near as mature as your governance processes for, say, a new underwriting scorecard. I suspect for most firms, they are not close.