For too long, the Model Context Protocol (MCP) has operated on a principle of open access: connect an AI agent to an MCP server, and it gets access to every single tool that server offers. While this approach is simple for initial experimentation, it quickly becomes a liability in production. Exposing unneeded tools to an agent creates a significant security risk from over-permissioned agents and a severe performance hit known as "Context Rot" that degrades an LLM's ability to reliably select the right tool.
This post breaks down why traditional prompt-injection defenses miss the more fundamental issue of tool governance, and introduces a robust, gateway-level solution for implementing tool-specific Access Control Lists (ACLs), ensuring your AI agents only see — and can only use — the capabilities they absolutely need.
MCP servers expose all tools by default. There are two problems with this: security (agents get capabilities they shouldn't have) and performance (too many tools degrade LLM tool selection). The solution? Put a gateway between agents and MCP servers that filters tools based on who's asking. Default deny, role-based access, credential isolation.
Who this is for:
Skip this if:
MCP servers expose tools by default — all of them. Connect an agent to an MCP server, and it gets access to every capability that server offers. No scoping, no filtering, no restrictions.
This is fine for experimentation. It's a problem in production.
GitHub's MCP server exposes 40+ tools. Jira, Confluence, Slack — each adds more. Connect an agent to three or four MCP servers, and you're easily looking at 100+ tools loaded into context before your agent does anything useful.
Most MCP security discussions focus on prompt injection and tool poisoning. Important threats, but they miss something more immediate: what happens when you hand an AI agent a toolbox it can't effectively use?
This post covers why restricting MCP tools matters for security and performance and how to implement tool-level access control at the gateway layer.
Restricting tools solves two distinct problems:
Security: Over-permissioned agents
An AI agent with access to merge_pull_request can merge code. An agent with delete_repository can delete repositories. Most agents don't need these capabilities, but MCP servers expose everything by default.
This creates shadow tooling—capabilities your agents technically have but shouldn't use. Traditional API security solved this with scopes and permissions. MCP needs the same treatment.
Efficiency: Context rot
Every tool you expose to an agent consumes context. The tool name, description, parameter schema — it all goes into the prompt. Load 40 tools, and you've burned thousands of tokens before the agent does anything useful.
Worse, the agent's ability to select the right tool degrades as options increase.
Context rot refers to performance degradation when LLMs process increasingly long inputs. As context grows, models don't degrade gracefully — they become unreliable. They hallucinate parameters, call the wrong tools, and miss instructions.
Anthropic's guidance indicates that tool selection accuracy degrades significantly beyond 30-50 tools. In practice, using Claude Opus 4.5 with its 200K context window, I've observed reliability beginning to decline around 60% context utilization.
References:
Model providers are responding. Anthropic's tool search feature addresses this directly:
This is the right direction. But it's Claude-specific. If your agents use multiple models, you need:
That's where gateway-level control comes in.
The pattern is straightforward: put an MCP gateway between your agents and MCP servers. The gateway intercepts tool lists and filters them based on who's asking.
About the examples below
The examples throughout this post use GitHub's MCP server as the backend, though the patterns apply to any MCP server.
The configurations use Kong AI Gateway with the ai-mcp-proxy plugin. Kong is configured declaratively using YAML files that define:
You can apply these patterns with other gateways, but the specific syntax will differ.
Kong consumer groups primer
Consumer groups are Kong's mechanism for categorizing API consumers. The key pattern:
This means ACLs are attached to groups, not individual consumers. You define groups once, configure their tool access, then map any number of consumers to those groups via JWT claims.
Progressive security model
Kong's MCP gateway implements tool governance as a progressive security model with four layers:
Layer 1: Pass-through proxy
┌─────────┐ ┌─────────┐ ┌────────────┐
│ Agent │ ───► │ Gateway │ ───► │ MCP Server │
└─────────┘ └─────────┘ └────────────┘
│ │
└── Agent provides GitHub token ────┘
Gateway proxies requests to MCP servers. Agents still provide their own credentials. You get centralized logging and analytics but no access control yet.
Layer 2: Gateway-managed credentials
┌─────────┐ ┌─────────┐ ┌────────────┐
│ Agent │ ───► │ Gateway │ ───► │ MCP Server │
└─────────┘ └─────────┘ └────────────┘
│ │ │
│ └── Injects token ─┘
│ from vault
└── No credentials needed
Gateway injects backend credentials from a secrets vault. Agents never see the underlying tokens.
Layer 3: OAuth/OIDC authentication
┌─────────┐ ┌─────────┐ ┌────────────┐
│ Agent │ ───► │ Gateway │ ───► │ MCP Server │
└─────────┘ └─────────┘ └────────────┘
│ │ │
│ ├── Validates │
│ │ IDP token │
│ └── Injects GitHub ┘
│ token
└── Presents IDP token (Entra, Okta, etc.)
Agents must present a valid token from your identity provider before accessing any MCP endpoint.
Layer 3b: Hybrid authentication (gateway auth with pass-through MCP credentials)
┌─────────┐ ┌─────────────────────┐ ┌────────────┐
│ Agent │ ───► │ Gateway │ ───► │ MCP Server │
└─────────┘ └─────────────────────┘ └────────────┘
│ │ │
├── IDP token ────────┤ │
│ (validated) │ │
│ │ │
└── MCP credentials ──┼── Passed through ──────┘
(GitHub PAT, (gateway doesn't
Jira key, etc.) manage these)
Not every use case requires the gateway to manage MCP credentials. If your agents connect to multiple backend MCP servers—each with individual, user-specific access—you may want the gateway to handle authentication and governance while letting credentials pass through to the backend.
In this model:
This is useful when users have varying access levels across different MCP servers, or when centralizing credential management isn't practical. The gateway still provides authentication, tool filtering, logging, and rate limiting—just not credential injection.
Layer 4: Tool-level ACLs
┌─────────┐ ┌─────────────────────┐ ┌────────────┐
│ Agent │ ───► │ Gateway │ ───► │ MCP Server │
└─────────┘ │ │ └────────────┘
│ │ 1. Validate token │ │
│ │ 2. Map to consumer │ │
│ │ group via claims │ │
│ │ 3. Filter tools │ │
│ │ by ACL │ │
│ └─────────────────────┘ │
│ │
└── Sees only allowed tools ──────────────────┘
(e.g., 2 tools instead of 40)
Based on JWT claims, the gateway maps agents to consumer groups and filters which tools each group can see.
Example JWT payload:
The github-mcp-access claim contains the consumer group name. When this token hits the gateway, the agent gets mapped to github-cicd-agents and sees only the tools allowed for that group.
Kong configuration:
The key insight: the tool list terminates at the gateway. The backend MCP server might expose 40 tools, but your security-scanner agent only sees 2.
The ai-mcp-proxy plugin supports multiple approaches to restricting tools:
Option 1: Consumer groups with JWT claim mapping
Your identity provider includes a claim (e.g., github-mcp-access) that specifies which consumer group the agent belongs to. The gateway maps this automatically.
Option 2: Static consumer assignment
Define consumers explicitly and assign them to groups. Useful when agents use API keys instead of JWT tokens. These keys are generated and managed by the gateway—essentially virtual credentials that never touch your backend systems.
Option 3: Route-based separation
Create separate routes for different agent types, each with its own tool configuration. Simpler to reason about, but requires agents to know which endpoint to use.
The common thread: default deny. Tools not explicitly listed in the tools array with an allow ACL are blocked.
Here's a real scenario. You have GitHub's MCP server with 40+ tools. You want three types of AI agents to use it:
Note: Tool names are illustrative and may differ from the actual GitHub MCP server implementation.
Notice what's missing: merge_pull_request, push_files, delete_file. No AI agent gets these. Human-in-the-loop by design.
Full configuration:
When the security scanner connects and requests the tool list, it sees exactly two tools. The CI/CD agent sees seven. The code reviewer sees eight. The backend GitHub MCP server still has 40+, but agents only see what they need.
There's a secondary benefit to gateway-managed credentials: agents never see your GitHub token.
Without gateway:
┌─────────┐ ┌────────────┐
│ Agent │ ─── GitHub PAT ──► │ MCP Server │
└─────────┘ └────────────┘
│
└── Agent config contains the credential
(compromised agent = exposed token)
With gateway:
┌─────────┐ ┌─────────┐ ┌────────────┐
│ Agent │ ───► │ Gateway │ ───► │ MCP Server │
└─────────┘ └─────────┘ └────────────┘
│ │
│ └── GitHub PAT injected
│ from vault
└── IDP token only (scoped to agent's permissions)
Even if an agent is compromised, the attacker gets an IDP token scoped to that agent's consumer group—not your GitHub PAT with repo admin access.
Don't wait until you have 40 tools. Start with these principles:
From day one:
As you scale:
Signs you waited too long:
The cost of adding restrictions later is higher than starting restrictive. Shadow tooling is easier to prevent than to clean up.
The evolution of AI agents and autonomous systems has created new challenges for enterprise organizations. While securing API endpoints is well-understood, controlling access to individual AI agent tools presents a unique authorization problem. Toda
The example below shows how an AI agent can be built using Volcano SDK with minimal code, while still interacting with backend services in a controlled way. The agent is created by first configuring an LLM, then defining an MCP (Model Context Prot
In one of our posts, Kong AI/MCP Gateway and Kong MCP Server technical breakdown, we described the new capabilities added to Kong AI Gateway to support MCP (Model Context Protocol). The post focused exclusively on consuming MCP server and MCP tool
The Kong MCP Registry acts as a central directory for AI agents and clients to access services that provide context or take action. For AI agents, think of it as a combination of a "Service Catalog" and a "Developer Portal." It offers the metadata,
Why Risk Management Will Separate Agentic AI Winners from Agentic AI Casualties Let's be honest about what's happening inside most enterprises right now. Development teams are under intense pressure to ship AI features. The mandate from leadership
AI agents are spreading across organizations rapidly. Each agent needs secure access to different Model Context Protocol (MCP) servers. Authentication becomes complex. Scaling creates bottlenecks. The dreaded "too many endpoints" problem emerges.
The first pillar is enablement. Developers need tools that reduce friction when building AI-powered applications and agents. This means providing: Native MCP support for connecting agents to enterprise tools and data sources SDKs and frameworks op