Importance of MCP Gateway in Modern Architecture

We Never Needed an API Gateway. Why Do We Suddenly Need an MCP Gateway?

As organizations adopt AI agents and convert APIs into MCP tools, a common debate is emerging between development teams and security leaders. The developer's question is simple - "Our APIs have been running securely for years without an API Gateway. Why is Security now insisting that all MCP tools must go through an MCP Gateway?" At first glance, this appears to be a reasonable challenge. If direct API access was acceptable yesterday, why should exposing the same functionality through MCP require an additional control layer today? The answer lies in understanding what has actually changed. and surprisingly, it is not the API.

The API Is Not the Problem

Many enterprises successfully operate thousands of APIs without a dedicated API Gateway where typical architecture looks like - 

  

These environments often rely on:

  • Application authentication
  • Network segmentation
  • Service-level authorization
  • Secure coding practices
  • Monitoring and logging

For years, these controls have been sufficient because the consumer was predictable. The API was being accessed by applications designed, tested, and governed by the organization. Security teams understood the workflows, business logic, and expected behavior. The risk model was stable.

What Changed? The Consumer Changed.

With MCP, organizations are no longer exposing capabilities solely to applications. They are exposing them to AI agents.

Unlike traditional applications, AI agents:

  • Make decisions dynamically
  • Select tools at runtime
  • Interpret natural language instructions
  • Chain multiple actions together
  • Process untrusted inputs
  • Operate with varying levels of autonomy

The API remains the same but the consumer does not and that changes everything.

The Question Security Teams Are Really Asking

The debate should not be "Is the API secure?" but the more important question is "Are we comfortable allowing AI systems to directly invoke enterprise capabilities without centralized oversight?" For most organizations, the answer is no and that is where the MCP Gateway becomes important.

What Happens Without an MCP Gateway?

Imagine an organization creates hundreds of MCP tools directly connected to backend APIs.

Agent → Tool A → API
Agent → Tool B → API
Agent → Tool C → API
Agent → Tool D → API

Now Security must answer:

  • Which agents can access which tools?
  • Which tools expose regulated data?
  • How do we implement DLP?
  • How do we monitor tool usage?
  • How do we detect prompt injection attacks?
  • How do we disable risky tools quickly?
  • How do we produce audit reports?

Without a centralized control point, every team must solve these problems independently. The result is inconsistent security and fragmented governance.

Risks That Did Not Exist Before

Prompt Injection

Traditional applications are not influenced by prompts but AI agents are. An attacker can attempt to manipulate an agent into performing actions it was never intended to perform. Without a gateway, every MCP tool becomes responsible for defending itself.

Data Leakage

AI systems routinely process sensitive business information. Without centralized inspection, organizations will not  have any visibility into PII exposure, financial data leakage, Intellectual property disclosure or Excessive data retrieval. 

Tool Sprawl

As MCP adoption grows, organizations often move from a handful of tools to hundreds. Without centralized governance:

Tool A → Custom Controls
Tool B → Different Controls
Tool C → No Controls
Tool D → Minimal Logging

Security posture becomes inconsistent and difficult to audit.

Agent Abuse

Applications generally follow predictable workflows whereas agents do not. A poorly configured agent can trigger excessive API calls, create runaway automation loops, generate unexpected operational costs or access data beyond intended business needs. Traditional API controls rarely provide visibility into these behaviors.

Why the MCP Gateway Exists

The purpose of the MCP Gateway is not to replace API security. The purpose is to provide AI-specific governance as demonstrated in diagram below - 

The gateway becomes the centralized enforcement point for Agent authorization, Tool authorization, Prompt inspection, Data loss prevention, Audit logging, Rate limiting, Governance policies and/or Compliance monitoring. These controls are difficult to implement consistently inside every individual MCP tool.

In a nutshell 

The APIs may not have changed but the consumers have and that is exactly why the architecture must evolve. The risk model has changed. Our APIs were designed for applications operating within controlled workflows. MCP tools are designed for AI agents that make decisions dynamically based on user input. The API itself is not less secure than before. However, AI-driven access introduces new governance, monitoring, and security requirements. The MCP Gateway provides a centralized control point for managing those risks consistently across the enterprise.  Organizations did not suddenly discover that their APIs were insecure.  What changed is that enterprise capabilities are now being exposed to a new class of consumer “AI agents”. That shift introduces risks that traditional application architectures never had to address. An MCP Gateway is not a replacement for API security. It is the control plane that allows organizations to safely scale AI adoption while maintaining visibility, governance, and trust. 

Article by Hemil Shah & Rishita Sarabhai

Labels:

AI Agent Traps - Attack vectors and Vulnerabilities

Artificial intelligence agents are becoming increasingly autonomous, but Google DeepMind's new paper "AI Agent Traps" reveals a critical vulnerability: the open web itself can be weaponized against them. The researchers introduce the first systematic framework identifying six distinct categories of adversarial attacks specifically designed to exploit autonomous agents navigating digital environments. Unlike traditional LLM vulnerabilities, these traps exploit the gap between what humans see and what agents parse, allowing attackers to embed malicious instructions in HTML comments, hidden CSS, image metadata, or accessibility tags that are invisible to users but directly processed by agents.

The DeepMind taxonomy reveals particularly alarming attack success rates: hidden prompt injections in HTML already commandeer agents in up to 86% of scenarios, while latent memory poisoning achieves 80%+ attack success with less than 0.1% data contamination. The six trap categories include Content Injection Traps (perception attacks), Semantic Manipulation Traps (corrupting reasoning), Cognitive State Traps (poisoning memory/RAG databases), Behavioural Control Traps (hijacking actions), Systemic Traps (targeting multi-agent dynamics), and Human-in-the-Loop Traps (using agents to attack humans). These aren't theoretical—every trap type has documented proof-of-concept attacks, and the attack surface is cooupled, meaning traps can be chained or distributed across multi-agent systems.

For security professionals building agentic AI systems, DeepMind's research demands a fundamental shift in defensive strategy. Traditional protections like input validation or human monitoring are inadequate when scaled, as tainting one data source can propagate harmful instructions downstream. The researchers propose mitigations including training data augmentation, runtime defenses, content governance frameworks, and standardized evaluation benchmarks to detect these threats. As DeepMind notes, securing agents against environmental manipulation is "a prerequisite for realizing the benefits of a trustworthy agentic ecosystem"—making this research essential for anyone developing AI agents for security scanning, autonomous workflows, or multi-agent orchestration.

Reference Paper - Read here  [ https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6372438 ]

AI for Security and Securing AI: The Two Fronts Every CISO Must Lead

Artificial Intelligence is rapidly changing enterprise security - not just in how organizations defend themselves, but also in what they must defend. For CISOs, this has created two parallel priorities that can no longer operate independently:

  1. Using AI to strengthen security programs
  2. Securing the organization’s own AI ecosystem

Organizations that focus on only one side are discovering major gaps either inefficient security operations or uncontrolled AI risk exposure.

The future of security is no longer just “security for applications.” It is now AI-enhanced security operations combined with AI governance and AI defense.

AI for Security: Transforming Application Security Programs

Traditional application security programs have matured over the years with practices such as SAST in CI/CD pipeline, DAST, Manual Penetration Testing, Manual Secure Code Review and VDP. 

These do remain critical. However, modern development velocity and AI-assisted coding have fundamentally changed the threat landscape. Applications are now larger, faster-changing, AI-generated in parts, micro-service driven and increasingly dependent on third-party components.  

This means traditional AppSec processes alone are no longer sufficient. The next generation of AppSec requires two major AI-driven additions:


 The AppSec lifecycle is evolving from: 

“Find vulnerabilities” to “Find, validate, and understand business impact.”

2. Securing AI: The New Enterprise Security Program

While organizations are using AI to improve security, they are simultaneously deploying AI across business functions internal copilots, customer support bots, AI-enabled workflows, AI-assisted development, document intelligence systems, AI agents and RAG-based enterprise platforms and so on. This introduces an entirely new attack surface and many organizations are discovering a dangerous misconception. Out-of-the-box AI security controls are not enough.

As highlighted in the recent case study “Building an AI Security Program for a Global Investment Firm”, securing AI requires a dedicated organizational process, not simply enabling default protections. AI systems introduce different risks and require different level of customization:


The Emerging CISO Reality

The modern CISO now operates two security transformation programs simultaneously:


Organizations that mature in only one area will remain exposed in the other.
 

Blueinfy’s Approach

At Blueinfy, we are working closely with CISOs to help establish both dimensions of this transformation:


The organizations that succeed over the next few years will not simply “adopt AI.”
They will:
  • Use AI to improve security effectiveness
  • Secure AI systems with the same rigor as critical enterprise applications

That combination will define the next generation of cybersecurity maturity.

Article by Hemil Shah

Labels: , , ,

[Case Study] Building an AI Security Program for a Global Investment Firm

A multinational investment firm started adopting AI across the organization - through enterprise platforms like Google Gemini enterprise and independently within business units for vibe coding, data analytics, and customer facing use cases. This did help teams move faster but it also created a need to bring consistency, visibility, and security around how AI was being used.

Blueinfy was engaged to support the organization in setting up a structured AI Security Program that could scale with this adoption without slowing down innovation. The approach focused on creating a correct balance between governance and flexibility ensuring that AI could grow across the organization, but in a more controlled and visible manner.

Challenges

The key challenge was the way AI adoption had expanded in the organization - fast, scattered, and largely independent across teams. While enterprise tools provided scale, business units were along-side experimenting with different AI solutions, making it difficult to maintain a consistent security approach. 

There was limited visibility into how AI was being used, what kind of data was being shared, and which external tools were involved. At the same time, emerging risks such as overly permissive AI agents, unrestricted integrations, and unintended data exposure through prompts and workflows were becoming harder to track. 

From an execution standpoint, aligning multiple teams, ensuring the right access and prerequisites, and bringing everyone to a common approach required continuous coordination and validation. 

The organization’s AI adoption approach created distinct risk areas:

  • AI usage was growing without a single view of where and how it was being used
  • Different business units were following their own approaches, leading to inconsistency
  • Sensitive user and enterprise data was being shared with AI systems without clear guardrails
  • There was limited validation of AI use cases from a security standpoint
  • Third-party AI tools as well as code generated by AI were not reviewed in detail

Overall, the challenge was less about lack of intent, and more about the absence of a structured approach.

Solution / Approach

Blueinfy aligned the overall approach around a single ownership model, supported by targeted and continuous activities.


 At a high level, a dedicated AI Security Program Lead was introduced to take comprehensive responsibility for AI security across the organization. This role acted as the central coordination point ensuring visibility, consistency, and alignment across security, IT, and business units.

For Business Units, the focus was on enablement. Teams were supported with clear guidance, practical do's and don'ts, and secure usage patterns. This allowed them to continue building and experimenting with AI without unnecessary resistance.

As part of this enablement, Blueinfy also helped define and roll out standardized documentation and guidelines, including:

  • AI implementation guidelines covering architecture, integrations, and connectivity
  • Access control and permission models for AI tools, agents, and APIs
  • Guardrails for safe data usage, prompt handling, and output validation
  • Responsible use of AI guidelines for end users (what can and cannot be shared with AI systems)
  • Lightweight review and approval processes for new AI use cases

These documents provided a consistent baseline for teams, reducing ambiguity and improving adoption of secure practices.

For Enterprise AI platforms, a structured validation approach was followed. A threat simulation exercise was conducted to identify potential risks such as data exposure, misuse scenarios, and integration weaknesses.
Based on these insights, a continuous validation model was introduced:

  • Agent security reviews to assess workflows, permissions, and integrations
  • AI red teaming for new models and high-risk use cases
  • Penetration testing for AI-driven customer-facing implementations

This ensured that AI security was not a one-time activity, but an ongoing process embedded into how new AI capabilities were introduced.

Outcome

With this model in place, the organization was able to bring more structure to its AI adoption without slowing down innovation.

  • A clear ownership model improved coordination and decision-making
  • Better visibility into AI use cases reduced unmanaged or "shadow" AI risks
  • Business units were able to innovate with clearer guidance and fewer blockers
  • Standardized guidelines helped teams follow consistent and secure practices
  • Risks related to data exposure, integrations, and agent behavior were identified earlier
  • Continuous reviews ensured that new AI implementations were assessed as they were introduced

Overall, the shift from one-time assessments to a continuous validation approach, supported by clear documentation and ownership, helped the organization stay aligned with the pace at which AI was evolving internally.

Conclusion

AI adoption in large organizations will naturally be fast and distributed. The real challenge is not controlling it completely, but making sure it grows in a structured and secure way.

This engagement shows that with clear ownership, practical guidance, and ongoing validation, organizations can build a sustainable AI security program that supports both innovation and risk management.

Article by Hemil Shah and Rishita Sarabhai 

Labels: , ,

AI in Application Penetration Testing: It’s Time to Go with the Flow - But Not Blindly

Artificial Intelligence is no longer a "good to have" in cybersecurity—it’s rapidly becoming a force multiplier. From solving complex challenges in CTFs to automating reconnaissance, exploitation, and even report generation, AI-driven penetration testing is demonstrating measurable promise.

But enterprise security is not a playground. It’s a controlled, high-stakes environment where assumptions can translate into real risk. As organizations begin to evaluate AI as a replacement—or augmentation—for human-led penetration testing, it’s critical to pause and ask the right questions.

  • Is AI Penetration Testing Production Safe? - AI tools operate at speed and scale. Without strict guardrails, this introduces a real risk – unintended exploitation of live applications, service disruptions etc. Unlike human testers, AI does not inherently understand "safe boundaries" unless explicitly constrained.
  • Is AI Only as Good as Its Prompter? – A prompt-orchestrated testing raises a fundamental dependency - the quality of findings is directly tied to the operator’s expertise. In effect, we may not be replacing human intelligence—we’re reshaping it.
  • Can AI Replicate True Human Intelligence? - Some of the most critical vulnerabilities are not pattern-based—they are contextual (business logic flaws, privilege escalation chains etc.). These require situational awareness and integrated data flow understanding.
  • Enterprise Reality: Integrated Application Ecosystems – In large enterprises, applications are interconnected - data flows across APIs, services, and third-party platforms. Security issues often emerge between systems—not within them. AI tools, unless specifically architected for this, may miss this integration.
  • The False Positive Problem - AI can generate large volumes of findings quickly but is there still a need for manual triage? Are we shifting effort from "finding vulnerabilities" to "filtering noise"? Without a robust validation layer, organizations risk drowning in output with limited actionable intelligence.
  • Data Privacy and Model Risk – AI thrives on data. By using AI penetration testers, are we risking data leakage and could this data be used to train third-party models? For many enterprises, this alone could be a blocker.
  • Where Does the AI Pen Tester Sit in Your Network? - Deploying AI testing introduces architectural questions – does it require internet exposure? Is it deployed with full network access? What controls prevent lateral misuse if compromised?

The Way Forward: A Controlled, Measurable Approach

We are clearly at a turning point. AI in penetration testing is not a question of if—it’s a question of how and when. But premature adoption without structured evaluation can weaken, rather than strengthen, security posture. Organizations should resist binary thinking (AI vs Human) and instead focus on comparative validation:

  • Conduct PoCs on real enterprise applications
  • Benchmark AI-driven vs human-led testing
  • Evaluate across:
  • Depth of findings
  • False positive rates
  • Coverage of business logic vulnerabilities
  • Time-to-deliver and cost efficiency 

AI is accelerating. Agent creation is becoming effortless. Automation is redefining scale. But security has never been about speed alone—it’s about precision, context, and judgment. We need to engineer the right balance between human intelligence and machine capability. 

We certainly should use AI in application security - it brings scale, speed, and the ability to uncover patterns that would otherwise take significant manual effort but the need of human intelligence cannot be completely written off. AI can accelerate discovery. Humans ensure relevance, accuracy, and real-world impact. Together, they create a security model that is not only efficient, but also resilient and trustworthy. Organizations that recognize this balance early will not just keep up with the shift—they will define it.

Article by Hemil Shah and Rishita Sarabhai 

Labels: ,

[Case Study] Threat Simulation of AI Agents in Microsoft Copilot Studio

Executive Summary

Blueinfy performed a focused, time-bound security review of Microsoft Copilot Studio and its implementation at ACME to assess the potential risks introduced by AI agents.

The objective of the engagement was to evaluate how AI agents both legitimate and malicious could be misused, intentionally or unintentionally, to 

  • Access sensitive enterprise data
  • Expose user specific information
  • Perform unauthorized actions
  • Enable data exfiltration

The assessment combined configuration review with hands on threat simulation, where custom agents were built to replicate realistic attack scenarios as well as instructions were passed to exploit legitimate agents. The results demonstrated that even with platform level controls enabled, significant risks can persist due to configuration gaps, excessive permissions, and agent behavior manipulation.

The environments given for testing had pre-configured policies and controls applied prior to the assessment. The scope included - 

  • AI agent configuration within Microsoft Copilot Studio
  • Data access patterns through agents
  • Connector usage and restrictions
  • Guardrails and safety configurations
  • Threat simulation using custom-built agents

Assessment Methodology

Blueinfy adopted a structured methodology combining configuration validation and adversarial testing.

1. AI Configuration Review

A focused configuration review was conducted to evaluate AI-specific settings. 

Areas Reviewed:
•    AI agent configuration settings
•    Connector policies and restrictions
•    Data access configurations
•    Prompt safety and guardrails
•    Logging and monitoring capabilities

Objective:
•    Identify risky configurations
•    Recommend controls to reduce exposure
•    Highlight configurations requiring governance before enablement

2. Agent Threat Simulation

Instead of testing existing agents, Blueinfy created custom agents within the allowed policy boundaries to simulate real world attack scenarios. This approach ensured:

  • No disruption to production agents
  • Realistic exploitation within permitted configurations
  • Validation of platform controls under adversarial conditions

Threat Simulation Approach

Agents were built using only approved connectors and policies within the environment. Two categories of agents were designed:

1. Misuse of Legitimate Agents

  • Agents behaving as intended but manipulated via inputs
  • Exploiting trust in user prompts

2. Malicious Agent Design

  • Agents intentionally designed to bypass safeguards
  • Leveraging allowed configurations to simulate abuse

Key Attack Scenarios Tested

Blueinfy executed multiple scenarios to evaluate risk exposure:

  • Prompt Injection and Instruction Override - Manipulating agent behavior using crafted inputs to override system instructions and cause unintended data access
  • Data Exfiltration via Allowed Channels - Extracting sensitive data through email connectors, API responses and structured outputs
  • Cross-Agent Interaction Risks - Simulating agent-to-agent communication and demonstrating potential lateral movement
  • Rouge Agents – Malicious agents built with system instructions to exfiltrate data, phish users for credentials and send application/user data to unintended servers
  • MCP Exposure – If MCP server and tools are accessible without correct authentication and authorization mechanisms

Key Observations

The assessment revealed several important findings:

  • Misconfigurations Create Hidden Risks – Users of the agents are completely unaware of the data risks since once published/shared, end users have limited visibility in the agent configuration. We were able to send emails of agent users including email attachments and employee feedback responses etc. to our third-party servers.
  • Agents Can Be Manipulated Through Inputs – Based on the guardrails, prompt injection enabled behavior override and agents could be influenced to exfiltrate data without changing configuration. This created a scenario where legitimate agents to summarize users emails, posting summary to Teams channels etc. could be exploited to share that summary data to third-party servers via malicious instructions received in email/submitted forms.
  • Unauthenticated MCP Exposure – MCP Tools connect the LLM's to organization data sources like databases, knowledge sources etc. With this engagement, we were able to use the MCP tools without authentication and gain full access to client sensitive data like contract financials.
  • Platform Controls Are Not Sufficient Alone - While Microsoft Copilot Studio provides robust built-in controls, their effectiveness depends heavily on configuration and usage. Sadly, they do not work without being configured per your needs.  

Conclusion

Blueinfy’s assessment demonstrated that while platforms like Microsoft Copilot Studio do provide strong foundational controls, they must be complemented with:

  • Proper configuration
  • Risk-aware governance
  • Adversarial testing
  • Monitoring and logging

By moving from assumption based security to evidence driven validation, ACME established a stronger foundation for secure AI adoption. Blueinfy team worked with ACME to create a robust agent threat simulation and security review process to protect against such risks with scaling agents in parallel. Please read this blog for the three-tier risk methodology for an agent review process.

Article by Hemil Shah and Rishita Sarabhai 

Labels: , ,

The Rise of AI Agents and the urgent need for an Agent Security Review Process

Organizations today are rapidly embracing AI-powered agents. Platforms like Microsoft Copilot Studio and Google Gemini are enabling business users, not just developers, to create powerful agents that automate workflows, access enterprise data, and make decisions. This democratization is transformative. But it also introduces a new, largely ungoverned attack surface.

The Explosion of Agents

In many enterprises, the number of agents being deployed is growing exponentially from hundreds, sometimes thousands, within a short span of time. These agents:

  • Integrate with internal systems
  • Access sensitive enterprise data
  • Perform automated actions on behalf of users

Unlike traditional applications, these agents are often created outside formal development pipelines by business users, analysts, or developers. And that’s where the problem begins.

The Security Gap: No "AgentSec"

Organizations have matured practices for AppSec or InfraSec or Cloud Security but Agent Security (AgentSec) is still in its infancy.
There is typically:

  • No formal review process before agent deployment
  • Limited visibility into what agents are doing
  • No standardized threat modeling for agent behavior
  • Weak validation of platform-level security controls

This creates a dangerous blind spot.

Built-in Controls Are Not Enough

Platforms do provide security mechanisms at:

  • Data access controls
  • Authentication and authorization layers
  • Prompt filtering and safety guardrails
  • Activity monitoring

However, these controls are:

  • Complex to configure correctly
  • Highly dependent on implementation choices
  • Difficult to validate in real-world scenarios

Misconfigurations or misunderstandings can easily render these protections ineffective.

Visualizing the Risk: Agent Attack Flow


The Missing Piece: A Scalable Agent Review Process

At first glance, the solution seems straightforward: introduce agent design reviews, configuration assessments, and threat modeling for every agent. But in reality, this approach does not scale.

In large enterprises with hundreds or thousands of agents built on platforms, performing deep security reviews on every agent would:

  • Overwhelm security teams
  • Slow down innovation
  • Create operational bottlenecks

Instead, organizations must adopt a risk-based Agent Security (AgentSec) model. The three-tier risk model classifies agents based on their potential impact and exposure. 
 

  • High-risk agents are typically misconfigured or intentionally malicious, capable of unsafe actions such as exfiltrating data to external emails, interacting with unauthorized external URLs, or executing harmful embedded instructions. 
  • Medium-risk agents involve broader data interaction—often consuming sensitive or user-provided inputs through connectors, APIs, MCP integrations, or multi-agent communication—making them more prone to misuse or unintended data exposure. 
  • Low-risk agents operate within a constrained scope, relying on public or read-only data sources such as web search, uploaded files, SharePoint, or Dataverse, with minimal ability to cause harm.

Automation enables scale by classifying the agents into risk buckets and a focused review can then be performed only for high-risk and medium-risk agents to assess the business impact by building abuse/exploit scenarios. This approach ensures that security teams invest effort where it truly matters - prioritizing depth and accuracy over volume.

Why This Model Works

This approach delivers both speed and security: fast approvals for low-risk agents, strong scrutiny for higher-risk ones, reduced burden on security teams, and scalable governance across thousands of agents. Most importantly, it aligns security effort with actual risk - not perceived risk.

The organizations that succeed will not be those attempting to review every agent, but those that automate the baseline, enforce non-negotiable security gates, and escalate only what truly matters. Because in a world of thousands of agents, scalability itself becomes security.

Article by Hemil Shah and Rishita Sarabhai 

Labels: ,
Subscribe to: Posts (Atom)