---
title: "How to Avoid Shadow MCP Servers in the Enterprise"
description: "Shadow MCP servers are the new shadow IT. Here's how to bring them under enterprise governance with inventory, monitoring, least privilege, and a gateway."
canonicalUrl: "https://zuplo.com/blog/2026/07/13/how-to-avoid-shadow-mcp-servers"
pageType: "blog"
date: "2026-07-13"
authors: "billDoerrfeld"
tags: "MCP, AI Gateway, API Best Practices"
image: "https://zuplo.com/og?text=How%20to%20Avoid%20Shadow%20MCP%20Servers"
---
By some estimates, as many as 80% of company employees use
[shadow IT](https://www.ibm.com/think/topics/shadow-it). Shadow IT is the
unsanctioned use of internal technologies, often picked up by employees out of
haste and to avoid red tape. As such, these tools never went through traditional
tool acquisition or security checks, and their ongoing use is unmonitored.

Shadow IT can pose risks related to authentication issues, supply chain risks,
undetected bugs, and third-party vulnerabilities. And lately, shadow
[Model Context Protocol](https://zuplo.com/learning-center/what-is-an-mcp-server)
(MCP) servers are emerging as a new type of shadow IT.

Below, we'll explore how the proliferation of MCP is causing a new shadow IT
dilemma, and consider ways to prevent this from turning into a nightmare at an
enterprise scale.

Unknown MCP usage carries classic shadow IT risks: unknown tool provenance,
untracked costs, and increased threat vectors. Solving it will require a
multi-step process involving maintaining a proper inventory, introducing
monitoring, reviewing permissions, and adding new governance layers when
necessary.

## What are shadow MCP servers?

Shadow MCP servers can arise when the use of MCP servers becomes completely
ungoverned within an organization. These servers are often quickly configured by
engineers within agentic coding platforms and immediately integrated without the
typical enterprise approvals or security reviews.

It's easy for shadow IT to emerge when there is much excitement and hockey-stick
adoption curves. And MCP is no exception.

Developer interest in coding agents is increasing dramatically, leading to the
quick adoption of new tools like MCP, a standard protocol to empower agents with
connectivity to external APIs, databases, and SaaS tools. MCP especially shines
as a way to bring
[more context to engineering efforts](https://www.infoworld.com/article/4175336/the-role-of-mcp-in-context-engineering.html).

The top 20 most popular MCP servers alone generate over 180,000 monthly
searches, according to
[MCP Manager](https://mcpmanager.ai/blog/mcp-adoption-statistics/). That figure
measures search interest rather than actual usage, but it points to strong and
growing developer attention.

Most of these are remote servers that connect with popular SaaS,
[developer tools](https://www.infoworld.com/article/4096223/10-mcp-servers-for-devops.html),
or
[databases](https://www.infoworld.com/article/4181843/10-mcp-servers-to-connect-llms-with-databases.html).
Some examples include Figma MCP, GitHub MCP, Context7 MCP, Cursor MCP, Supabase
MCP, and Notion MCP.

## Why shadow MCP servers pose a risk

Shadow MCP servers pose a possible risk to enterprises for a few reasons. First,
the lack of ongoing monitoring or awareness amplifies cybersecurity threats,
since you can't secure or audit what you don't know.

Shadow MCP servers that aren't registered and sitting beyond corporate control
are beyond security monitoring and coverage for things like known
vulnerabilities, misconfigurations, and emerging exploits.

Each MCP server is unique, and their permissions are sometimes wide and varied.
This sets organizations up for not only privilege drift, but possibly
unauthorized actions being autonomously orchestrated by large language model
(LLM) based agents, which are known to act unpredictably. Shadow servers with
unknown access amplify this problem.

Lastly, the servers themselves often have unknown provenance, posing supply
chain security risks. Data already shows that many MCP servers are unvetted: in
late 2025,
[research from Clutch](https://www.clutch.security/blog/mcp-servers-what-we-found-when-we-actually-looked)
found that within a typical 10,000 member organization, 15% of employees are
running an average of two MCP servers each. And of these MCP servers, 38% are
unofficial implementations from "unknown authors."

## 5 techniques to avoid shadow MCP servers

Thankfully, there are some emerging techniques that IT and security leaders can
implement in order to safeguard their MCP adoption at scale. Together, they
should help decrease the number of shadow MCP servers, and prevent future ones
from emerging as well.

### 1. Catalog your inventory

The first strategy is similar to avoiding shadow tools and APIs in general:
create an internal
[IT asset inventory](https://thehackernews.com/expert-insights/2025/03/why-aggregating-your-asset-inventory.html).
For example,
[MCP registries](https://www.infoworld.com/article/4145014/how-to-build-an-enterprise-grade-mcp-registry.html)
often hold information about approved-for-use MCP servers, including metadata,
tool descriptions, and an approval process for adding new servers.

Having an inventory of your technical assets benefits discoverability for agents.
It also improves organizational awareness, promotes tool reusability and
compliance, and provides more visibility to security teams.

Getting this together might take some effort to ask developers about their tools
and requirements, but it is a necessary first step to limiting shadow MCP
servers.

### 2. Set up agentic traffic monitoring

Similar to how a lack of API monitoring leads to
[shadow APIs](https://nordicapis.com/the-risks-of-shadow-apis-how-unmanaged-endpoints-bypass-your-ci-cd-checks/),
a lack of ongoing MCP visibility leads to MCP security gaps. At scale,
discovering your current MCP inventory may require automated discovery
mechanisms. Some runtime network tools can monitor corporate firewalls for MCP
signatures in order to enhance discovery.

A 2025 study of
[more than 2,000 cybersecurity leaders](https://www.csoonline.com/article/3980431/more-assets-more-attack-surface-more-risk.html)
found that 73% had experienced a security incident because assets in their IT
infrastructure were not managed or simply unknown.

By actively monitoring agent traffic and logs, you can reduce this risk with the
visibility required to find (or prevent) unknown MCP servers within an
organization. The challenge here will be producing observability metrics that are
granular enough to distinguish MCP-generated traffic versus API calls that are
human or machine generated.

### 3. Avoid privilege drift

It's not just shadow servers, it's shadow privileges that are the real risk of
shadow MCP servers. Ideally, agents should follow the principle of least
privilege, meaning that tool access and permissions should be curated to reflect
the day-to-day role and privileges of the operator, and nothing else. But this is
rarely the case in practice.

In 2026,
[joint research from Oso and Cyera](https://www.osohq.com/research) found agentic
security flying in the face of least privilege: across 2.4 million workers and
3.6 billion application permissions, 96% of granted permissions went completely
unused over a 90-day window. Nearly one in three workers can modify or delete
sensitive data, too.

Where MCP is concerned, unnecessarily overpermissioned tool access could lead to
sensitive data leakage or deletion, accidental credential sharing, and more. One
answer, at the very least, is to default to read access only for MCP tools, then
incrementally add more sensitive privileges when needed.

But at enterprise scale, this will require scoped MCP access that is curated to
reflect different operator departments or roles. By minimizing privileges, you
reduce the chances of side-channel attacks, tool poisoning, sensitive data
leakage, and other MCP security vulnerabilities.

### 4. Set internal governance standards

Internal practices are nothing if they're not codified and enforced going
forward. Therefore, it'll probably be necessary to introduce some form of
internal standards to track MCP use within an enterprise to avoid unapproved use.
This could take the form of a formal mandate or group that governs what
capabilities AI agents can access, including skills, APIs, or MCP tools.

Such an internal compliance procedure is typically top-down, led by the CISO,
CTO, or CIO, depending on company size and organizational makeup, with support
from enterprise architecture, platform engineering, AppSec, or AI governance
teams. It might be wrapped into an existing
[API governance function](https://www.cio.com/article/1305658/why-cios-back-api-governance-to-avoid-tech-sprawl.html),
platform engineering program, or AI center of excellence.

By folding MCP into the grasp of enterprise security governance, you signal that
it's another tool and needs to be treated as such. This helps set clear
expectations for adding, vetting, and approving new MCP tools.

Not only does this provide standard operating procedures to an evolving area, it
could help avoid similar problems down the road as agentic AI progresses in
software engineering and beyond.

### 5. Use an MCP gateway

Lastly, there is a strong case for incorporating new
[MCP infrastructure layers](https://aisec.university/mcp-stack) to help
organizations mature their internal use of MCP. Of these, MCP gateways have
emerged as a central access point to control MCP use. They can either directly or
indirectly enable the action items above to help avoid shadow MCP server use:

- **Inventory and discovery**: Add approved MCP servers to your gateway so that
  agents only access vetted tools.
- **Observability and vetting**: Enable always-on monitoring for visibility into
  MCP tool calls and compliance concerns.
- **Traffic routing**: Generate highly scoped MCP servers that represent
  least-privilege access for various consumer types or agents.
- **Governance and control**: All in all, an MCP gateway is a way to organize how
  an organization uses AI and a focal point to consolidate governance
  initiatives.

A number of MCP gateways have emerged across the market, ranging from open-source
options to vendor-backed solutions. These include Composio MCP Gateway,
Lunar.dev MCPX, Portkey MCP Gateway, TrueFoundry MCP Gateway, and
[Zuplo MCP Gateway](https://zuplo.com/mcp-gateway), which is built for governing
agentic tool access, MCP tool routing, authentication, virtualized servers, and
policy enforcement.

## Preventing shadow MCP servers

Developers are already using MCP in their workflows. Zuplo's own 2026
[State of MCP report](https://zuplo.com/mcp-report) found that 70% of developers
using MCP have 2 to 7 MCP servers configured.

With MCP support growing across agent platforms, frameworks, and
[cloud tools](https://www.infoworld.com/article/4129024/five-mcp-servers-to-rule-the-cloud.html),
this trend shows no signs of slowing down. What's alarming for security engineers
and enterprise architects is the speed at which this has occurred.

This sudden rise requires some sort of deliberate response before it gets out of
hand, especially as privilege drift can balloon exponentially in
[multi-agent systems](https://nordicapis.com/how-to-manage-privilege-drift-in-multi-agent-systems/).
Fortunately, avoiding shadow IT has a number of historical precedents and
strategic tactics that can be transferred to MCP.

By cataloging existing inventory, monitoring for new shadow use, and aligning the
organization around standard controls and tools, enterprises can better reap the
rewards of MCP while maintaining a structured approach to integrating it into the
corporate IT fabric.

<CalloutSignup
  badge="Public beta"
  title="Put a governance layer in front of your MCP servers"
  description="The Zuplo MCP Gateway curates which tools each agent can reach, unifies auth across OAuth and API-key upstreams, and gives you per-call logs — all from a Git-backed, reviewable policy."
  features={[
    "Curate tools, prompts, and resources per consumer",
    "Universal auth across upstream MCP servers",
    "Per-call logs and audit trails",
  ]}
  signupButtonText="Spin up a project"
  signupUrl="https://portal.zuplo.com/signup?utm_source=zuplo-blog&utm_medium=web&utm_campaign=mcp-gateway"
  secondaryAction={{
    text: "Read the MCP Gateway docs",
    href: "https://zuplo.com/docs/mcp-gateway/capability-filtering",
  }}
/>