Prevent MCP Bypass

Can MCP really be counted on for protection with AI agents? I was talking with someone recently about this and questioned how reliable MCP identity enforcement could be if ‘external’ agents (built and managed by others) could just decide to bypass MCP and call APIs or access websites directly, bypassing guardrails entirely. It’s like locking the doors of your car while leaving the windows rolled down.

In this article, I will lay out implementation options to avoid this huge gap in security.

 

 

The Model Context Protocol (MCP) emerged as the answer to agent chaos. It’s the structured way agents talk to each other and to your systems. Think of it as the control plane for agentic workflows — giving you visibility, governance, and the ability to say “no” when an agent wants to do something stupid.

But here’s the problem: MCP only works if agents actually use it. And right now, nothing is stopping external agents from going around it entirely and accessing APIs or your website directly.

The great MCP bypass

Agents are smart. Maybe too smart. When they want to get something done, they’ll find the path of least resistance. If your MCP server is slow or doesn’t have the right connector, that agent will just… improvise.

Direct API calls are the obvious bypass. Agent gets an API key –>skips MCP entirely –> hits your REST endpoints directly. No policy enforcement. No audit trail. Just raw API calls from autonomous software doing whatever it wants.

Website scraping is the sneaky one. Your agent can’t access the API? No problem. It’ll fire up a headless browser, navigate to your web app, and start clicking buttons like a very fast, very determined intern. All your MCP guardrails are sitting there uselessly while the agent automates your UI.

Shadow connectors are the insider threat. Some in-house developers build a “quick and dirty” connection that bypasses MCP for speed. Suddenly half your agent traffic is flowing through an unmonitored side channel that your security team doesn’t even know exists.

This is the same pattern we saw with shadow IT, BYOD, and every other time users found ways around corporate controls. The technology works perfectly — until people find ways to not use it.

Why bypassing MCP breaks everything 

When external agents bypass MCP, you lose the three things that make agent automation trustworthy:

Intent binding goes out the window. With MCP, you know an agent is “booking a flight” or “processing a refund.” Without it, you just see API calls. Was that agent supposed to access customer data, or is it going rogue? You have no idea.

Policy enforcement becomes impossible. Your MCP server can enforce rules like “agents can’t transfer more than $1000” or “customer service agents can’t access financial records.” But if agents bypass MCP and hit APIs directly, those policies might as well not exist.

Audit trails disappear. When everything flows through MCP, you get a complete record of who did what and why. When agents freelance, you get scattered logs that don’t tie back to business intent. Good luck explaining that to your auditors.

The result is shadow automation — agents doing things you can’t see, can’t control, or explain. It’s the compliance nightmare nobody wants to talk about because we’re all too busy being excited about the possibilities of AI.

The identity fabric solution

The answer isn’t trying to make MCP “better” or “faster” so agents will use it voluntarily. The answer is making MCP mandatory and ensuring that alternative paths to your APIs and website are also controlling access.

This is where we apply lessons from identity fabric architecture. Every request, human or agent, must flow through a consistent control plane that enforces policy and produces audit records. No exceptions. No side doors.

 

 

Here’s how you lock it down:

1. Identity-first agent authentication

Agents don’t get to be anonymous. Every agent gets a cryptographically verifiable identity — OAuth DCR, PKCE and SPIFFE/SVID certificates work well — that can only be authenticated through your MCP bridge. No certificate, no access.

Try to hit the API directly? Authentication fails.

The agent is then registered in an agent registry (AKA an Agent Fabric™) which is the equivalent of a human IdP but at a price point that works for the scale of agents.

2. Token mediation at the edge

Agents never hold long-lived API keys. Instead, your MCP bridge issues short-lived, scoped tokens using OAuth with DPoP or mTLS binding. The tokens are cryptographically tied to the MCP bridge session (AKA an Orchestrator). If an agent somehow gets a token and tries to use it outside MCP, the signature validation fails.

3. Proxy-enforced API access

Put an identity-aware proxy in front of every API. Configure your APIs to reject any request that doesn’t come through the proxy with the right MCP attestation. Even if an agent somehow bypasses authentication, it can’t reach the actual API endpoints.

4. Web application controls

This is the tricky one. External agents can drive headless browsers to interact with your web apps directly, bypassing both APIs and MCP.

To prevent this:

• Require strong authentication (passkeys, phishing-resistant MFA for humans and x509 certificates for non-humans) for all web sessions
• Embed your identity orchestrator into web app login flows so every session carries MCP provenance
• Use bot detection tuned to allow legitimate MCP-brokered automation while blocking unauthorized browser automation

Even if an agent tries to “click through” your web interface, it still has to authenticate properly and then get tagged as MCP-mediated traffic. This needs to be balanced with your website conversion goals and customer experience; but, from a security standpoint it’s possible to lock down access if that is the priority.

5. Continuous compliance monitoring

Deploy Continuous Access Evaluation (CAEP) so you can revoke agent privileges mid-session if behavior looks suspicious. Agent starts downloading unusual amounts of data? Pull its access token immediately. Agent tries to access systems outside its authorized scope? Kill the session.

6. Complete audit coverage

Every action generates a verifiable action attestation (VAA) that ties back to human intent, agent identity, transaction context and business outcome. When regulators ask “Why did this agent transfer $50,000?” you can show them exactly who authorized it, what the business justification was, and how the decision was made.

Real-world impact

Consider a simple scenario: a user asks an agent to book a concert ticket.

With enforced MCP:

• User authenticates with passkey
• Agent requests ticket purchase through MCP
• Identity bridge issues scoped token for “tickets:purchase”
• Ticket API validates token and MCP provenance
• Transaction completes with full audit trail

Without enforcement:

• Agent fires up headless browser
• Navigates to ticket website
• Somehow completes purchase (creating a user account along the way)
• You find out when you get the credit card bill

The first scenario gives you complete visibility and control. The second scenario is how you end up explaining to your CISO why an AI agent bought $10,000 worth of Taylor Swift tickets on the corporate card.

Making it real

At Strata, we built Maverics specifically to handle this kind of identity orchestration challenge. It sits between your agents and your systems, enforcing policy and producing audit records whether the traffic is headed for APIs or web applications.

The goal isn’t to make MCP optional and hope agents use it. The goal is to make MCP the only path that works.

Because here’s the reality: agents are going to keep getting smarter and more autonomous. If you don’t control how they access your systems now, you’re going to lose control entirely. And once that happens, the question isn’t whether something will go wrong — it’s whether you’ll be able to figure out what happened when it does.

Don’t let your agents free-solo your infrastructure. Put them on belay with MCP, and make sure you’re holding the rope.

I’ll come back with another post on how to apply these tactics to internal AI agents that you do control and show how you can ensure consistent control over MCP, API and data access.