---
title: "Shadow MCP: The Ungoverned AI Agent Tools Putting Your APIs at Risk"
description: "Nearly half of enterprise AI agents run without oversight. Learn what shadow MCP is, why ungoverned MCP servers are more dangerous than shadow IT, and how centralized gateway governance fixes it."
canonicalUrl: "https://zuplo.com/learning-center/shadow-mcp-ungoverned-ai-agent-security"
pageType: "learning-center"
authors: "nate"
tags: "Model Context Protocol, API Security"
image: "https://zuplo.com/og?text=Shadow%20MCP%3A%20Ungoverned%20AI%20Agent%20Tools%20Putting%20Your%20APIs%20at%20Risk"
---
Your teams are deploying MCP servers right now. The question is whether you know
about it.

A
[February 2026 study by Gravitee](https://www.gravitee.io/state-of-ai-agent-security),
surveying 750 CIOs, CTOs, and engineering leaders across US and UK enterprises,
found that 47% of the roughly 3 million AI agents deployed by those firms are
not actively monitored or secured. That's an estimated 1.5 million agents at
risk of "going rogue." Worse, 88% of the organizations surveyed have already
experienced — or suspected — an AI agent-related security or data privacy
incident in the last twelve months.

The culprit behind many of these incidents has a name: **shadow MCP**.

- [What Is Shadow MCP?](#what-is-shadow-mcp)
- [Why Shadow MCP Is More Dangerous Than Shadow IT](#why-shadow-mcp-is-more-dangerous-than-shadow-it)
- [The Numbers: MCP Vulnerabilities Are Surging](#the-numbers-mcp-vulnerabilities-are-surging)
- [How Shadow MCP Servers Get Deployed](#how-shadow-mcp-servers-get-deployed)
- [Detection: Finding Shadow MCP Servers in Your Environment](#detection-finding-shadow-mcp-servers-in-your-environment)
- [Centralized MCP Governance with an API Gateway](#centralized-mcp-governance-with-an-api-gateway)
- [Implementing Centralized MCP Governance with Zuplo](#implementing-centralized-mcp-governance-with-zuplo)
- [Moving from Shadow to Governed](#moving-from-shadow-to-governed)

## What Is Shadow MCP?

Shadow MCP refers to
[Model Context Protocol](https://zuplo.com/docs/mcp-server/introduction) servers
deployed by employees without IT or security review — analogous to the "shadow
IT" problem that enterprises have battled for decades, but with significantly
higher stakes.

Here's what it looks like in practice. A developer spins up an MCP server to let
their AI coding assistant interact with an internal database. A product manager
connects Claude to a customer analytics tool via a community MCP server they
found on GitHub. A data scientist wires up a LangChain workflow that calls
production APIs through an unapproved MCP endpoint. None of these deployments
went through security review. None have authentication configured. None are
logged.

This pattern is accelerating fast. According to Gravitee's report, 80.9% of
technical teams have moved past the planning phase for AI agents into active
testing or production — but only 14.4% report that all AI agents going live have
full security and IT approval.

## Why Shadow MCP Is More Dangerous Than Shadow IT

Traditional shadow IT — an employee signing up for an unauthorized SaaS tool or
spinning up an unmanaged cloud instance — primarily creates data exposure risk.
Sensitive information might leak to an unmonitored service or sit in an
unpatched server.

Shadow MCP is fundamentally different because MCP servers don't just serve data.
They enable **autonomous action**.

When an AI agent connects to an MCP server, it gains the ability to execute
operations on behalf of users: triggering workflows, writing to databases,
calling external APIs, and chaining actions across multiple systems. A
compromised or misconfigured MCP server doesn't just expose information — it
hands attackers a remote control for your infrastructure.

Consider the difference:

- **Shadow IT risk**: An employee stores customer data in an unapproved cloud
  spreadsheet. If breached, attackers can _read_ the data.
- **Shadow MCP risk**: An employee deploys an MCP server that gives AI agents
  write access to a production database. If compromised, attackers can _modify,
  delete, or exfiltrate_ data at machine speed — autonomously.

As Ariel Parnes, COO at Mitiga and former IDF 8200 cyber unit colonel,
[warned](https://www.securityweek.com/cyber-insights-2026-api-security/): "The
next major cloud-scale breach won't start in a misconfigured bucket — it'll
start in an MCP API."

## The Numbers: MCP Vulnerabilities Are Surging

The
[Wallarm 2026 API ThreatStats report](https://lab.wallarm.com/inside-modern-api-attacks-what-we-learn-from-the-2026-api-threatstats-report/)
puts hard data behind the concern. Their analysis of API attack telemetry and
published vulnerabilities from 2025 revealed:

- **315 MCP-related vulnerabilities** were published in 2025, accounting for
  14.4% of all AI-related vulnerabilities
- MCP vulnerabilities **increased 270%** from Q2 to Q3 2025 alone
- A **top-10 breach** involved thousands of exposed MCP servers, where a single
  path-traversal vulnerability gave attackers access to production AI agent
  infrastructure
- **65% of assessed breaches** originated from authentication issues — weak
  tokens, scope problems, reused credentials, and no runtime enforcement

The common root causes across all MCP-related incidents are consistent:
over-permissioned tools, direct API access without authentication, and the
absence of runtime enforcement. These are exactly the problems that arise when
MCP servers are deployed outside governance frameworks.

## How Shadow MCP Servers Get Deployed

Understanding the pathways helps you know what to look for. Shadow MCP
deployments typically happen through four channels:

### Developer productivity shortcuts

Developers discover that connecting their AI coding assistant to internal tools
via MCP dramatically boosts productivity. They deploy a quick MCP server locally
or on a dev instance, then share it with teammates. It works great — so it stays
running, unmonitored, sometimes with hardcoded credentials.

### Community MCP servers

Open-source MCP servers for popular services proliferate on GitHub and npm. They
are easy to install and often work immediately. But many have not been
security-audited, may request excessive permissions, and could contain
vulnerabilities or even malicious code.

### Department-level deployments

A team lead decides their department needs AI agent access to a specific tool.
Rather than going through IT procurement and security review — which might take
weeks — they deploy an MCP server themselves. Authentication is either missing
or uses shared API keys that never get rotated.

### Legacy API wrapping

Existing internal APIs get wrapped in MCP servers to make them accessible to AI
agents. The MCP layer is treated as "just another interface" without recognizing
that it fundamentally changes the threat model — because now autonomous agents,
not just humans, are calling those APIs.

## Detection: Finding Shadow MCP Servers in Your Environment

Before you can govern MCP deployments, you need to discover them. Here are
practical strategies for identifying unauthorized MCP servers in your
organization:

### Network traffic analysis

MCP servers using the Streamable HTTP transport communicate over standard HTTP.
Monitor your network for JSON-RPC 2.0 traffic patterns — specifically, look for
requests with the `jsonrpc` field and MCP-specific methods like `tools/list`,
`tools/call`, and `initialize`. These patterns are distinctive and can be
flagged by network monitoring tools.

### API inventory audits

Cross-reference your API inventory with known MCP endpoints. Any API receiving
traffic from AI agent user agents (like Claude, Cursor, or custom LangChain
applications) that isn't in your approved inventory is a candidate for shadow
MCP activity.

### Developer environment scanning

Survey your development teams about their MCP usage. You may be surprised — the
Gravitee study found that the average enterprise has 36.9 AI agents deployed.
Many of those connect to MCP servers that IT has never seen.

### Cloud resource auditing

Review cloud deployments for services matching MCP server patterns — lightweight
HTTP services that proxy to internal APIs, running on developer accounts or
personal cloud projects.

## Centralized MCP Governance with an API Gateway

Once you've discovered your organization's MCP landscape, the next step is
bringing every MCP interaction under centralized governance. The most effective
approach is routing all MCP traffic through an API gateway that enforces
consistent policies on every tool call.

This approach works because MCP is built on standard web protocols. Every MCP
interaction — whether it's an agent listing available tools, calling a function,
or reading a resource — flows through HTTP. An API gateway sitting in front of
your MCP servers can intercept, authenticate, validate, and log every one of
those interactions.

The gateway model gives you several key capabilities:

- **Authentication on every call**: No MCP tool call proceeds without a verified
  identity, even if the underlying MCP server has no authentication configured
- **Authorization at the tool level**: Different teams and agents get access
  only to the specific tools they need — not everything on the server
- **Rate limiting**: Prevent runaway agents from hammering your APIs with
  unbounded requests
- **Input validation**: Inspect tool call parameters before they reach your
  backend services
- **Complete audit trail**: Every tool call is logged with the caller's
  identity, the tool invoked, the parameters passed, and the response returned
- **PII detection and redaction**: Sensitive data can be caught and masked
  before it leaves your perimeter

## Implementing Centralized MCP Governance with Zuplo

[Zuplo's MCP Gateway](https://zuplo.com/mcp-gateway) is purpose-built for
exactly this problem. It provides a single control plane for all MCP servers
accessed across your organization, whether they're internal services,
third-party integrations, or those shadow deployments you just discovered.

Here's how to bring your MCP servers under governance:

### Step 1: Register your MCP servers

Add your organization's MCP servers — both the ones you knew about and the ones
you found during discovery — to Zuplo's MCP Gateway. This creates a centralized
registry of every MCP server in your environment. The gateway supports internal
first-party services, third-party integrations like GitHub or Stripe, and any
vendor-provided MCP servers.

### Step 2: Create virtual MCP servers for each team

Rather than giving every team access to every tool, create
[virtual MCP servers](https://zuplo.com/blog/zuplo-mcp-gateway) that expose only
what each team needs. Your finance team gets Stripe tools. Engineering gets
GitHub and Linear. Customer success gets support and CRM tools. Same source
servers, team-specific configurations.

### Step 3: Configure access policies

Zuplo's MCP Server Handler runs every tool call through the gateway's
[policy pipeline](https://zuplo.com/docs/handlers/mcp-server). This means you
can stack authentication, authorization, rate limiting, and validation policies
on every MCP interaction:

- Use [API key authentication](https://zuplo.com/docs/policies/api-key-inbound)
  to issue scoped, per-consumer credentials. Each AI agent or team gets a unique
  identity with access limited to authorized tools.
- Apply [rate limiting](https://zuplo.com/docs/policies/rate-limit-inbound) to
  prevent any single agent from overwhelming your services.
- Enable
  [prompt injection detection](https://zuplo.com/blog/essential-security-policies-for-mcp-and-ai)
  to block malicious inputs before they reach your tools.

### Step 4: Monitor and enforce

With all MCP traffic flowing through the gateway, you gain full observability
into your organization's AI agent activity. Track which teams are using which
tools, identify unusual access patterns that might indicate compromised
credentials, and generate the audit data you need for compliance reviews.

## Moving from Shadow to Governed

The shadow MCP problem isn't going away — it's accelerating. As AI agents become
more capable and more deeply integrated into daily workflows, the number of MCP
connections across your organization will only grow.

The organizations that navigate this well will be the ones that make governed
MCP access _easier_ than the ungoverned alternative. If the official path to
connecting an AI agent to a business tool involves weeks of procurement review,
developers will route around it. If it takes five minutes to register an MCP
server with a gateway that handles authentication, logging, and access control
automatically, they'll use it.

The goal isn't to block productivity. It's to provide a path to productivity
that doesn't create blind spots. Centralized MCP governance through an API
gateway gives you that path — visibility and control without friction.

Ready to bring your organization's MCP servers under governance?
[Explore Zuplo's MCP Gateway](https://zuplo.com/mcp-gateway) to see how you can
deploy centralized MCP governance in minutes, not weeks. Or start with the
[MCP Server documentation](https://zuplo.com/docs/mcp-server/introduction) to
understand how Zuplo handles MCP traffic at the gateway level.