Securing the agentic future: Where MCP fits and where it doesn’t


By Anand Srinivas

AI agents are rapidly transforming how software is accessed, operated, and integrated: they automate workflows, call APIs, and interact with tools and SaaS platforms on behalf of users. This paradigm unlocks powerful new capabilities, but it also raises urgent questions about how sensitive data, especially credentials and secrets, should be managed.

At 1Password, we’re building for this future with security at the center. As we explore protocols like the Model Context Protocol (MCP), we are defining clear boundaries. MCP enables AI agents to efficiently interface with APIs, but these data flows often rely on non-deterministic components such as LLMs, whereas authentication requires deterministic, auditable flows. MCP itself specifies OAuth 2.1 for authorization, kept separate from the MCP data-protocol exchange with the actual resource servers. Mixing these two modes, secrets and probabilistic inference, violates the model’s integrity and creates unnecessary risk. This is why we are establishing boundaries such as:

  • Certain types of data, like credentials and secrets, should not be exchanged over a non-deterministic channel driven by an AI agent or LLM.

  • Access must remain tightly controlled and adhere to the principle of least privilege by design.

MCP is powerful for the right use cases

MCP is a promising interoperability layer for AI agents, enabling them to discover, understand, and interact with structured data and APIs through a declarative interface. It’s especially useful when agents need real-time access to contextual information.

That’s exactly how we’re using MCP in our new MCP Server for Trelica by 1Password. With MCP Server for Trelica by 1Password, AI agents can securely access lower-risk, read-only organizational metadata, such as:

  • A list of SaaS applications used within the company

  • Application owners and point-of-contact metadata

  • User-to-application mappings

  • License assignment and utilization metrics

This type of information is incredibly valuable for agent-based workflows like:

  • Generating usage reports

  • Recommending application rationalization

  • Identifying app owners to initiate approval workflows

  • Mapping access and app sprawl across departments

This data is not inherently sensitive, and MCP offers a clean, declarative method to expose it. This is the ideal use case for MCP: high value to the agent, low risk to the organization. The MCP Server for Trelica by 1Password is included with a Trelica subscription at no additional charge and is available in the new AI Agents and Tools category of AWS Marketplace.

Why we will not expose raw credentials via MCP

Despite MCP’s strengths, 1Password draws a firm line: we will not use MCP to expose raw credentials or secrets. Here’s why:

  • Our security model requires that secrets remain secure even if systems are compromised. MCP’s server-based delivery model cannot meet this bar.

  • Agent behavior is non-deterministic. Authorization and credential exchange should take place over a well-defined deterministic channel, with a separation of concerns from the non-deterministic data flow of the MCP protocol driven by an AI agent or LLM.

  • Credential leakage risk increases. Prompt injection and hidden tool instructions can cause agents to inadvertently exfiltrate secrets. In particular, if credentials are passed into the AI model’s context, unintended retention and uncontrolled usage become very real threats.

  • No strong revocation model exists once secrets are passed into context. Agents may cache, store, or share them with downstream tools.

That’s why 1Password has never exposed raw credentials via public APIs, and we won’t start doing it with MCP.

A better way: secure agentic access, designed by 1Password

Our approach to agent-based access is rooted in access without exposure:

  • When possible, credentials should be injected on behalf of the agent, without handing them over

  • Human users should explicitly authorize any access to sensitive data

  • If credentials must be delivered:

    • They must be short-lived, revocable, and scoped to minimum privilege
    • All access must be auditable and traceable
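One way to realize the access-without-exposure pattern described above, as an added illustration that is not 1Password's code: a deterministic broker holds the secret, issues opaque short-lived scoped handles only after explicit human approval, performs the action on the agent's behalf, and records every decision, so the agent's context only ever sees handles and results. The vault contents, item name, and action names are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample vault: only the broker reads it; agents get handles and results, never the secret.
VAULT = {"saas_admin_api": "CONSTRUCTED-SAMPLE-SECRET-not-a-real-key"}

@dataclass
class Grant:
    item: str
    scope: frozenset      # actions the agent may invoke, e.g. {"list_apps"}
    expires_at: float
    revoked: bool = False

class AccessBroker:
    def __init__(self):
        self.grants, self.audit = {}, []

    def grant(self, item, scope, ttl_s, human_approved):
        """Issue a short-lived, scoped, revocable handle; requires explicit human approval."""
        if not human_approved:
            raise PermissionError("human authorization required")
        handle = secrets.token_urlsafe(16)
        self.grants[handle] = Grant(item, frozenset(scope), time.time() + ttl_s)
        self.audit.append(("grant", handle, item, sorted(scope)))
        return handle

    def revoke(self, handle):
        if handle in self.grants:
            self.grants[handle].revoked = True
            self.audit.append(("revoke", handle))

    def execute(self, handle, action, params=None):
        """Run `action` with the secret injected server-side; the secret never leaves this method."""
        g = self.grants.get(handle)
        if g is None or g.revoked or time.time() >= g.expires_at:
            self.audit.append(("deny", handle, action, "invalid/revoked/expired"))
            return {"ok": False, "reason": "handle invalid, revoked, or expired"}
        if action not in g.scope:
            self.audit.append(("deny", handle, action, "out of scope"))
            return {"ok": False, "reason": "action out of scope"}
        result = self._call_upstream(VAULT[g.item], action, params or {})
        self.audit.append(("execute", handle, action))
        return {"ok": True, "result": result}

    @staticmethod
    def _call_upstream(secret, action, params):
        # Stand-in for the real API client, which would send `secret` in an auth header;
        # only the upstream response, never the credential, is handed back to the agent.
        return {"list_apps": ["Slack", "Jira", "Figma"]}.get(action)
```

The audit list is the traceability record: every grant, execution, denial, and revocation is appended in order, which is what makes the flow reviewable after the fact.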

We’re building toward this model with tools and patterns designed to make agentic access secure, scalable, and enterprise-ready, giving security, IT, and development teams the confidence they need to deploy AI agents safely.

The bottom line

Agentic AI is changing the shape of work. Protocols like MCP are critical infrastructure for enabling this evolution, but only when used with care.

At 1Password, we’re embracing the agentic future without compromising the principles that have made us a trusted steward of credentials for over 20 years across more than 165,000 companies and millions of individuals. Our mission is to safeguard people’s most important data, wherever they use it. When it comes to AI, this includes helping IT, security, and developers build and implement the next generation of intelligent, autonomous software securely, responsibly, and without shortcuts.

Stay tuned. More is coming.

Anand Srinivas - VP, Product & AI