MCP 2.0 Security: 3 Questions for AI Agent Deployment

Why Enterprise AI Agent Security Requires a New Approach

Vernell, Principal Security and AI Intelligence at Commvault, delivers a masterclass on securing enterprise AI agent deployments. While most MCP discussions focus on capabilities, this conversation tackles what happens when things go wrong—and how the new 2.0 specification changes the security calculus.

On the evolution from MCP 1.x to 2.0: The shift represents a fundamental change in philosophy. "1.x was really about onboarding us, our technology to move forward to using AI. Step two is really securing those models." This isn't incremental improvement—it's the industry acknowledging that adoption without security creates unacceptable risk.

The three foundational changes in MCP 2.0: First, OAuth support brings what Vernell calls "Active Directory for the internet"—finally allowing enterprises to assign permissions and privileges to cryptographic keys. Second, structured schemas act like parameterized SQL queries, creating whitelists that define exactly what actions tools can take. "These structures allow you to define specifically what actions a tool is able to do and anything else it will just ignore." Third, the elicitation flow introduces pause points for human oversight.

On the remaining gaps: Even with 2.0, enterprises cannot cryptographically verify that an MCP server is legitimate. "Clones and copies exist, tools are modified, tools are added, and we have no way of verifying today cryptographically that this is our original MCP server we're interfacing with." This is a significant trust problem that won't be solved by protocol updates alone.

The three-question risk framework: Vernell's practical approach cuts through complexity: (1) What authority does my agent have? Read-only with guardrails is low risk; destroy/edit/move capabilities need lockdown. (2) How big is the blast radius? One user, entire app, or lateral movement across the enterprise? (3) How reversible is the action? Reading information versus deleting it changes everything.

On future direction and visibility: "We spent 20 years trying to secure how software is developed securely. And AI is not going to get a shortcut to this because it's new to the party." The focus moving forward will be on runtime visibility, audit logging, and compliance—enterprises need to prove their AI agents operated correctly, especially when third-party supply chain attacks occur.

6 Insights From Commvault on Securing AI Agents

• MCP 2.0 is security-first - Unlike 1.x which focused on adoption, 2.0 introduces OAuth, structured schemas, and elicitation flows specifically to secure AI agent deployments
• Server trust remains unsolved - No cryptographic way to verify MCP servers are legitimate; organizations must implement network isolation and tool signing independently
• Three questions for risk assessment - Authority level, blast radius, and action reversibility form a simple but effective framework for evaluating any AI agent deployment
• Human-in-the-loop is essential - High-impact actions should trigger approval workflows; the elicitation flow enables pause points that didn't exist before
• Runtime visibility is critical - Enterprises need meaningful audit logs that can prove compliance and defend against supply chain attack accusations
• Expect more security vendors - Similar to cloud security evolution, third-party tools will emerge to bolster native AI agent security capabilities

What This Means for Enterprise Security Teams

MCP 2.0 represents the industry's first serious attempt to secure AI agents in production, but it's just the beginning. For organizations deploying agents that can take real actions—editing files, moving data, interacting with systems—the protocol provides guardrails, not guarantees. The practical takeaway: treat AI agent security like you did cloud security a decade ago, and budget for the specialized tooling that will inevitably be required.