Tool inventory

Owner: Platform

Expected evidence: MCP register, owner, environment, version, source and validation date.

Every installed MCP server is registered with owner, purpose and source. Tools exposed by each server are listed with their sensitivity level. MCP dependencies and versions are tracked to support remediation.

Permissions and least privilege

Owner: IAM

Expected evidence: Role-tool matrix, dedicated service accounts, access reviews.

Permissions are granted by role instead of broad defaults. Destructive or costly actions require explicit approval. MCP service accounts are isolated from human accounts.

Secrets and sensitive data

Owner: SecOps

Expected evidence: Vault, rotation, log redaction and leak tests.

No secret is stored in the repo, system prompt or public configuration. MCP logs redact tokens, cookies, API keys and personal data. Credential rotation is defined for every MCP server credential.

Prompt injection and tool poisoning

Owner: AppSec

Expected evidence: Adversarial tests, reviewed tool descriptions, context guardrails.

MCP tool descriptions are reviewed to avoid hidden instructions or ambiguity. External content is treated as untrusted and cannot change policy. Prompt-injection tests cover documents, tickets, web pages and user data.

STDIO, SSE and network transports

Owner: Infrastructure

Expected evidence: Flow diagram, TLS, network filtering and reverse proxy configuration.

STDIO servers stay limited to authorized workstations or runners. SSE or HTTP endpoints use TLS, authentication and origin filtering. Timeouts, size limits and quotas prevent abuse or costly loops.

Approval policy

Owner: CISO

Expected evidence: Approval rules, audit trail and exception examples.

A policy defines when human confirmation is required before tool execution. Exceptions are logged with user, tool, justification and outcome. Users clearly see which data is sent to an MCP server.

Check MCP servers before connecting them to your stack

A fast control point for teams adopting MCP

Interactive diagnostic

Tool inventory

Permissions and least privilege

Secrets and sensitive data

Prompt injection and tool poisoning

STDIO, SSE and network transports

Approval policy

Minimum controls before production