MCP Without Getting Pwned: Secure Tool Use, Prompt Injection Defense, and Least Privilege
Intermediate
MCP doesn’t introduce new security problems.
It moves existing problems into places most organizations aren’t prepared to govern yet.
The moment an agent can call tools, you’ve shifted from static integrations to dynamic execution. This is where permissions are delegated, logic is emergent, and intent matters as much as outcome. Treating MCP tools as “just another plugin” is how teams accidentally accumulate serious security and governance debt.
In this session, we’ll take a threat-model-first, consultant-tested approach to MCP adoption—focused on how enterprises are actually getting tripped up, and what works in practice to avoid it.
We’ll walk through a realistic agent scenario and show, live:
• How over-scoped MCP tools quietly expand blast radius
• How prompt injection and indirect injection become confused-deputy problems once tools are in play
• Why traditional API security controls don’t fully map to agent behavior
• Where developers feel the friction—and how to reduce it without weakening guardrails
Then we’ll layer in a practical operating model that balances speed and safety:
• Tool governance (registry, ownership, versioning, approval paths)
• Behavioral least privilege (Read / Write / Admin tool tiers, confirmation gates, scoped execution)
• Prompt-injection impact reduction (allowlists, parameter validation, human-in-the-loop for irreversible actions)
• Runtime visibility (what the agent intended, what it did, and why)
• Fleet-level oversight using an agent control-plane mindset (where Agent 365 fits)
What you’ll see
• An MCP-connected agent making tool decisions and how small design choices change risk dramatically
• A “bad but realistic” configuration and how it fails
• The same scenario refactored with layered controls that contain damage without breaking usability
• A design-review checklist you can reuse with dev and security teams
MCP solves integration. This session solves the security and governance debt you inherit if you treat tools as “just another plugin.”
Learning Outcomes
Attendees will leave able to:
• Explain MCP security risks in architectural terms (not fear-based ones)
• Threat-model MCP tools using a simple, repeatable framework
• Design least-privilege tool access that accounts for agent behavior, not just scopes
• Apply practical mitigations for prompt injection that reduce blast radius
Establish governance patterns that developers won’t route around
Speaker note:
Happy to present multiple sessions, former St Louis resident.
It moves existing problems into places most organizations aren’t prepared to govern yet.
The moment an agent can call tools, you’ve shifted from static integrations to dynamic execution. This is where permissions are delegated, logic is emergent, and intent matters as much as outcome. Treating MCP tools as “just another plugin” is how teams accidentally accumulate serious security and governance debt.
In this session, we’ll take a threat-model-first, consultant-tested approach to MCP adoption—focused on how enterprises are actually getting tripped up, and what works in practice to avoid it.
We’ll walk through a realistic agent scenario and show, live:
• How over-scoped MCP tools quietly expand blast radius
• How prompt injection and indirect injection become confused-deputy problems once tools are in play
• Why traditional API security controls don’t fully map to agent behavior
• Where developers feel the friction—and how to reduce it without weakening guardrails
Then we’ll layer in a practical operating model that balances speed and safety:
• Tool governance (registry, ownership, versioning, approval paths)
• Behavioral least privilege (Read / Write / Admin tool tiers, confirmation gates, scoped execution)
• Prompt-injection impact reduction (allowlists, parameter validation, human-in-the-loop for irreversible actions)
• Runtime visibility (what the agent intended, what it did, and why)
• Fleet-level oversight using an agent control-plane mindset (where Agent 365 fits)
What you’ll see
• An MCP-connected agent making tool decisions and how small design choices change risk dramatically
• A “bad but realistic” configuration and how it fails
• The same scenario refactored with layered controls that contain damage without breaking usability
• A design-review checklist you can reuse with dev and security teams
MCP solves integration. This session solves the security and governance debt you inherit if you treat tools as “just another plugin.”
Learning Outcomes
Attendees will leave able to:
• Explain MCP security risks in architectural terms (not fear-based ones)
• Threat-model MCP tools using a simple, repeatable framework
• Design least-privilege tool access that accounts for agent behavior, not just scopes
• Apply practical mitigations for prompt injection that reduce blast radius
Establish governance patterns that developers won’t route around
Speaker note:
Happy to present multiple sessions, former St Louis resident.
Session prerequisites and resources may be available.
Sign in to access
Speaker
Brian Haydin
Microsoft Cloud & AI Architect | Azure • GitHub • Power Platform | Demo-first sessions (US + Europe)
Concurrency
I help teams modernize apps and platforms in the Microsoft ecosystem—Azure, GitHub, Power Platform, and identity (Microsoft Entra)—with a bias toward real-world constraints and practical outcomes. I’ve spent 20+ years building and advising solutions across manufacturing, healthcare, insurance, and f...
View Full Profile