MCP Security: Least-Privilege Playbook

MCP integrations are powerful. Their risk profile depends on permission design.

Least-privilege baseline

• separate read-only and write-capable servers,
• scope credentials to workflow purpose,
• avoid broad account-level tokens where granular scopes exist.

Execution guardrails

• Decision node checks before mutating calls,
• approval branches for high-impact actions,
• strict parameter validation in Code nodes,
• explicit deny paths for unknown tool intents.

Auditability requirements

• log tool selection and arguments,
• record initiating workflow path,
• store approval actor and timestamp where applicable,
• retain enough trace to reconstruct action rationale.

Least privilege is not a one-time setting. It is an operating discipline.