Your teams are deploying MCP servers right now. The question is whether you know about it.
A February 2026 study by Gravitee, surveying 750 CIOs, CTOs, and engineering leaders across US and UK enterprises, found that 47% of the roughly 3 million AI agents deployed by those firms are not actively monitored or secured. That’s an estimated 1.5 million agents at risk of “going rogue.” Worse, 88% of the organizations surveyed have already experienced — or suspected — an AI agent-related security or data privacy incident in the last twelve months.
The culprit behind many of these incidents has a name: shadow MCP.
- What Is Shadow MCP?
- Why Shadow MCP Is More Dangerous Than Shadow IT
- The Numbers: MCP Vulnerabilities Are Surging
- How Shadow MCP Servers Get Deployed
- Detection: Finding Shadow MCP Servers in Your Environment
- Centralized MCP Governance with an API Gateway
- Implementing Centralized MCP Governance with Zuplo
- Moving from Shadow to Governed
What Is Shadow MCP?
Shadow MCP refers to Model Context Protocol servers deployed by employees without IT or security review — analogous to the “shadow IT” problem that enterprises have battled for decades, but with significantly higher stakes.
Here’s what it looks like in practice. A developer spins up an MCP server to let their AI coding assistant interact with an internal database. A product manager connects Claude to a customer analytics tool via a community MCP server they found on GitHub. A data scientist wires up a LangChain workflow that calls production APIs through an unapproved MCP endpoint. None of these deployments went through security review. None have authentication configured. None are logged.
This pattern is accelerating fast. According to Gravitee’s report, 80.9% of technical teams have moved past the planning phase for AI agents into active testing or production — but only 14.4% report that all AI agents going live have full security and IT approval.
Why Shadow MCP Is More Dangerous Than Shadow IT
Traditional shadow IT — an employee signing up for an unauthorized SaaS tool or spinning up an unmanaged cloud instance — primarily creates data exposure risk. Sensitive information might leak to an unmonitored service or sit in an unpatched server.
Shadow MCP is fundamentally different because MCP servers don’t just serve data. They enable autonomous action.
When an AI agent connects to an MCP server, it gains the ability to execute operations on behalf of users: triggering workflows, writing to databases, calling external APIs, and chaining actions across multiple systems. A compromised or misconfigured MCP server doesn’t just expose information — it hands attackers a remote control for your infrastructure.
Consider the difference:
- Shadow IT risk: An employee stores customer data in an unapproved cloud spreadsheet. If breached, attackers can read the data.
- Shadow MCP risk: An employee deploys an MCP server that gives AI agents write access to a production database. If compromised, attackers can modify, delete, or exfiltrate data at machine speed — autonomously.
As Ariel Parnes, COO at Mitiga and former IDF 8200 cyber unit colonel, warned: “The next major cloud-scale breach won’t start in a misconfigured bucket — it’ll start in an MCP API.”
The Numbers: MCP Vulnerabilities Are Surging
The Wallarm 2026 API ThreatStats report puts hard data behind the concern. Their analysis of API attack telemetry and published vulnerabilities from 2025 revealed:
- 315 MCP-related vulnerabilities were published in 2025, accounting for 14.4% of all AI-related vulnerabilities
- MCP vulnerabilities increased 270% from Q2 to Q3 2025 alone
- A top-10 breach involved thousands of exposed MCP servers, where a single path-traversal vulnerability gave attackers access to production AI agent infrastructure
- 65% of assessed breaches originated from authentication issues — weak tokens, scope problems, reused credentials, and no runtime enforcement
The common root causes across all MCP-related incidents are consistent: over-permissioned tools, direct API access without authentication, and the absence of runtime enforcement. These are exactly the problems that arise when MCP servers are deployed outside governance frameworks.
How Shadow MCP Servers Get Deployed
Understanding the pathways helps you know what to look for. Shadow MCP deployments typically happen through four channels:
Developer productivity shortcuts
Developers discover that connecting their AI coding assistant to internal tools via MCP dramatically boosts productivity. They deploy a quick MCP server locally or on a dev instance, then share it with teammates. It works great — so it stays running, unmonitored, sometimes with hardcoded credentials.
Community MCP servers
Open-source MCP servers for popular services proliferate on GitHub and npm. They are easy to install and often work immediately. But many have not been security-audited, may request excessive permissions, and could contain vulnerabilities or even malicious code.
Department-level deployments
A team lead decides their department needs AI agent access to a specific tool. Rather than going through IT procurement and security review — which might take weeks — they deploy an MCP server themselves. Authentication is either missing or uses shared API keys that never get rotated.
Legacy API wrapping
Existing internal APIs get wrapped in MCP servers to make them accessible to AI agents. The MCP layer is treated as “just another interface” without recognizing that it fundamentally changes the threat model — because now autonomous agents, not just humans, are calling those APIs.
Detection: Finding Shadow MCP Servers in Your Environment
Before you can govern MCP deployments, you need to discover them. Here are practical strategies for identifying unauthorized MCP servers in your organization:
Network traffic analysis
MCP servers using the Streamable HTTP transport communicate over standard HTTP.
Monitor your network for JSON-RPC 2.0 traffic patterns — specifically, look for
requests with the jsonrpc field and MCP-specific methods like tools/list,
tools/call, and initialize. These patterns are distinctive and can be
flagged by network monitoring tools.
API inventory audits
Cross-reference your API inventory with known MCP endpoints. Any API receiving traffic from AI agent user agents (like Claude, Cursor, or custom LangChain applications) that isn’t in your approved inventory is a candidate for shadow MCP activity.
Developer environment scanning
Survey your development teams about their MCP usage. You may be surprised — the Gravitee study found that the average enterprise has 36.9 AI agents deployed. Many of those connect to MCP servers that IT has never seen.
Cloud resource auditing
Review cloud deployments for services matching MCP server patterns — lightweight HTTP services that proxy to internal APIs, running on developer accounts or personal cloud projects.
Centralized MCP Governance with an API Gateway
Once you’ve discovered your organization’s MCP landscape, the next step is bringing every MCP interaction under centralized governance. The most effective approach is routing all MCP traffic through an API gateway that enforces consistent policies on every tool call.
This approach works because MCP is built on standard web protocols. Every MCP interaction — whether it’s an agent listing available tools, calling a function, or reading a resource — flows through HTTP. An API gateway sitting in front of your MCP servers can intercept, authenticate, validate, and log every one of those interactions.
The gateway model gives you several key capabilities:
- Authentication on every call: No MCP tool call proceeds without a verified identity, even if the underlying MCP server has no authentication configured
- Authorization at the tool level: Different teams and agents get access only to the specific tools they need — not everything on the server
- Rate limiting: Prevent runaway agents from hammering your APIs with unbounded requests
- Input validation: Inspect tool call parameters before they reach your backend services
- Complete audit trail: Every tool call is logged with the caller’s identity, the tool invoked, the parameters passed, and the response returned
- PII detection and redaction: Sensitive data can be caught and masked before it leaves your perimeter
Implementing Centralized MCP Governance with Zuplo
Zuplo’s MCP Gateway is purpose-built for exactly this problem. It provides a single control plane for all MCP servers accessed across your organization, whether they’re internal services, third-party integrations, or those shadow deployments you just discovered.
Here’s how to bring your MCP servers under governance:
Step 1: Register your MCP servers
Add your organization’s MCP servers — both the ones you knew about and the ones you found during discovery — to Zuplo’s MCP Gateway. This creates a centralized registry of every MCP server in your environment. The gateway supports internal first-party services, third-party integrations like GitHub or Stripe, and any vendor-provided MCP servers.
Step 2: Create virtual MCP servers for each team
Rather than giving every team access to every tool, create virtual MCP servers that expose only what each team needs. Your finance team gets Stripe tools. Engineering gets GitHub and Linear. Customer success gets support and CRM tools. Same source servers, team-specific configurations.
Step 3: Configure access policies
Zuplo’s MCP Server Handler runs every tool call through the gateway’s policy pipeline. This means you can stack authentication, authorization, rate limiting, and validation policies on every MCP interaction:
- Use API key authentication to issue scoped, per-consumer credentials. Each AI agent or team gets a unique identity with access limited to authorized tools.
- Apply rate limiting to prevent any single agent from overwhelming your services.
- Enable prompt injection detection to block malicious inputs before they reach your tools.
Step 4: Monitor and enforce
With all MCP traffic flowing through the gateway, you gain full observability into your organization’s AI agent activity. Track which teams are using which tools, identify unusual access patterns that might indicate compromised credentials, and generate the audit data you need for compliance reviews.
Moving from Shadow to Governed
The shadow MCP problem isn’t going away — it’s accelerating. As AI agents become more capable and more deeply integrated into daily workflows, the number of MCP connections across your organization will only grow.
The organizations that navigate this well will be the ones that make governed MCP access easier than the ungoverned alternative. If the official path to connecting an AI agent to a business tool involves weeks of procurement review, developers will route around it. If it takes five minutes to register an MCP server with a gateway that handles authentication, logging, and access control automatically, they’ll use it.
The goal isn’t to block productivity. It’s to provide a path to productivity that doesn’t create blind spots. Centralized MCP governance through an API gateway gives you that path — visibility and control without friction.
Ready to bring your organization’s MCP servers under governance? Explore Zuplo’s MCP Gateway to see how you can deploy centralized MCP governance in minutes, not weeks. Or start with the MCP Server documentation to understand how Zuplo handles MCP traffic at the gateway level.