Understanding MCP: Limitations Beyond the Protocol

F5 Newsroom Staff

By James White, VP, Engineering, F5

Model Context Protocol (MCP) is fast becoming a pillar of the agentic AI ecosystem. Designed as a standard way for AI agents to interface with tools, APIs, and external systems, MCP promises safe, scalable interoperability.

So it’s easy to understand why the major model makers and some of the world’s biggest companies support MCP as a standard for agents to interact. But for all its benefits, MCP may be solving the wrong problem at the wrong level of abstraction.

By tightly constraining agent behavior through rigid pathways and interfaces, MCP prioritizes safety, but at the cost of flexibility, adaptability, and ironically, effective oversight. In other words, it overshoots on security in ways that may limit the utility of AI agents while doing little to address actual risk in dynamic environments.

What MCP Gets Right

MCP is a step forward in AI safety. It provides a structured, transparent way for AI agents to call tools via APIs, defining clear interfaces and permissions. That’s important in a world where agents are increasingly expected to take actions like triggering workflows, moving money, or writing code.

Think of it as the protocol version of least privilege access: allow agents to perform only the operations they’ve been explicitly granted.

From a design perspective, it’s clean. From an enterprise risk perspective, it’s reassuring. But from a real-world security perspective? It’s incomplete.

The Tradeoff: Static Protocols, Dynamic Agents

MCP works well for simple, deterministic tasks. But as agents become more capable and autonomous, their decisions become more contextual. They need to adapt on the fly, chain together tools in novel ways, and handle unexpected conditions without human supervision.

In that environment, static interface schemas and rigid permission structures begin to break down. They reduce the surface area for attack but also reduce the agent’s ability to reason through complex workflows. In prioritizing safety, MCP can unintentionally reduce agents’ operational abilities – and an enterprise’s ability to innovate.

More importantly, this rigidity masks real security gaps. Just because an agent is MCP-compliant doesn’t mean it’s behaving safely. For example:

• An agent with read-only permissions could still exfiltrate data through indirect channels
• A narrowly scoped tool call could still be chained into a larger, emergent action with unintended consequences
• A well-formed request doesn’t mean the agent making it has the right context or judgment to do so safely

Agentic security isn’t just about what the agent is allowed to do – it’s about what it intends to do, and how it behaves in context.

The Real Risk Isn’t Just the Protocol. It’s What It Enables.

MCP introduces a permissioned, standardized way for AI agents to act, but that doesn’t make those actions inherently safe. The protocol might enforce strict boundaries, but it doesn’t account for how agents interpret context, chain tools, or behave under pressure.

In other words, MCP secures the connection, but not the consequence. And that’s the gap enterprises need to close.

Real-world AI risk isn’t about whether an agent can call a specific API. It’s about what it chooses to do across thousands of interactions, and whether your systems can detect and respond when that behavior starts to drift.

Think Beyond a Framework

MCP represents meaningful progress in securing agent-tool interactions. But it also signals a broader truth: as agents become more powerful, traditional notions of protocol-level safety may not be enough.

Enterprise leaders need to think beyond permission frameworks. Agent behavior, context drift, emergent tool use, and chained actions all demand new approaches to oversight and control. Because the real risk isn’t in the handshake, it’s in what comes after.

About the Author

F5 Newsroom Staff

More blogs by F5 Newsroom Staff