The Security Gap in MCP: The Hidden Risks No One Is Talking About

By Dominik Tomicevic
6 min read · February 5, 2026

There’s a lot of excitement around the Model Context Protocol right now, and I understand why. MCP finally gives teams a standardized way for LLMs to access tools, query systems, and interact with the real world in ways that were complicated before. It removes many of the integration headaches developers have dealt with for years. It makes agents far more capable. It feels like the missing connector we’ve been waiting for.

But here’s the part people are not saying out loud. If you use MCP without strong guardrails and without a proper contextual grounding layer, it becomes a security problem. And not a small one.

I keep seeing teams rush to wire up email tools, SQL tools, webhooks, authentication flows, and internal APIs. They hand these capabilities to an LLM and hope the model will figure out how to use them responsibly.

Hope is not a strategy.

The Illusion of Safety

On paper, MCP sounds perfectly safe. Tools are listed and made available. Capabilities are described. Everything is explicit. In practice, the moment you expose an LLM to multiple systems the blast radius grows. That’s the phrase I keep coming back to when I talk to CTOs and CISOs.

When you use the LLM’s output to:

  • send an email
  • write to a production database
  • trigger a workflow in finance
  • access CRM data

you’d better be sure it understands what it’s doing.

The reality is that LLMs don’t understand your schema or your business rules. They don’t know the difference between a harmless query and a dangerous one. They don’t know which fields contain personal data. They don’t understand permission models unless you explicitly give them that context.

Providing an LLM with your CRM and other enterprise tools without explaining the structure of the database is not far from giving someone access to a filing cabinet the size of a warehouse and asking them to find the right document. They’ll pick something, but it might not be the thing you intended.

Why MCP Accessing Tools Without Context Is Negligent

Most security failures I see with early MCP prototypes fall into one of three buckets:

  1. Tool misuse. The model executes the right tool for the wrong purpose.
  2. Privilege escalation. The model selects a tool that should not have been available for the current user.
  3. Schema confusion. The model makes up a query pattern because it cannot reason about table relationships or policies.

This is not an MCP flaw. It’s an architectural flaw.

Teams give the model power before they give it understanding.

And this is the part where I need to be blunt. You cannot expect a model to behave responsibly when you haven’t given it a grounded representation of the world it’s operating in. Handing out tools without understanding is the enterprise AI version of handing car keys to someone who doesn’t know how to drive.

The Missing Layer Is Context

In the security world, you’ll often hear the phrase "least privilege." Only give an entity the minimal set of capabilities required for the task. MCP lets you define this. But MCP has no idea which tool is appropriate for which situation.

The agent must know:

  • who is making the request
  • what business rules apply
  • which entity is allowed to interact with which other entity
  • which relationships matter for the current task

This is context. Not text. Not embeddings. Not a prompt hack.

Context is structured knowledge about how your specific world works.

Without this, the model has no concept of appropriateness. It cannot distinguish a safe operation from a harmful one.

Why GraphRAG is Becoming Essential for Safe MCP Adoption

This is where graph-based approaches enter.

A knowledge graph encodes the relationships, constraints, and semantics that your LLM cannot infer. It tells the model what entities are related. It tells it which data belongs together. It tells it what’s allowed, what’s prohibited, and what’s irrelevant.

GraphRAG builds on this by retrieving not just text but structured meaning.

When you pair context retrieved from GraphRAG with MCP:

  • The model narrows its search space.
  • The model selects tools aligned with policy.
  • The model avoids actions outside its permission scope.
  • The model gains an understanding of which data is sensitive.
  • The model’s blast radius decreases dramatically.

This is the safest approach we’ve found for building agentic workflows at scale.

You don’t rely on the model’s guesswork. You constrain it with structure. You make it operate inside a map rather than inside a fog.
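As an added illustration (not Memgraph’s code and not the Memgraph MCP Server), the Python below sketches the gate the two lists above describe: a small constructed edge list stands in for the knowledge graph, the tool list advertised to the model is derived from the requester’s role, and every tool call the model proposes is checked against the graph before it runs. All users, roles, tools and fields are hypothetical.

```python
# Illustrative graph-grounded gate for MCP tool calls (not Memgraph's code).
# A small edge list stands in for the knowledge graph: requester -> role ->
# permitted tools -> entities -> fields, plus which fields are personal data.

# Constructed sample graph as (source, relation, target) triples.
GRAPH = [
    ("alice", "HAS_ROLE", "support_agent"),
    ("bob", "HAS_ROLE", "finance_manager"),
    ("support_agent", "MAY_USE", "crm.read_customer"),
    ("finance_manager", "MAY_USE", "crm.read_customer"),
    ("finance_manager", "MAY_USE", "finance.trigger_payout"),
    ("finance_manager", "MAY_SEE", "PII"),
    ("crm.read_customer", "TOUCHES", "Customer"),
    ("finance.trigger_payout", "TOUCHES", "Invoice"),
    ("Customer", "HAS_FIELD", "email"),
    ("Customer", "HAS_FIELD", "ssn"),
    ("Customer", "HAS_FIELD", "plan"),
    ("email", "IS", "PII"),
    ("ssn", "IS", "PII"),
]

def neighbours(node, relation):
    """Targets reachable from `node` over edges labelled `relation`."""
    return {t for s, r, t in GRAPH if s == node and r == relation}

def expand(nodes, relation):
    """Union of neighbours over a set of start nodes."""
    return set().union(*(neighbours(n, relation) for n in nodes))

def visible_tools(user):
    """Tools to advertise to the model for this requester (least privilege)."""
    return sorted(expand(neighbours(user, "HAS_ROLE"), "MAY_USE"))

def authorize_tool_call(user, tool, requested_fields=()):
    """Return (allowed, reason, fields_to_redact) for a proposed tool call."""
    roles = neighbours(user, "HAS_ROLE")
    if not roles:
        return False, f"unknown requester {user!r}", set()
    if tool not in expand(roles, "MAY_USE"):
        # Privilege escalation: the tool is outside this user's scope.
        return False, f"{tool!r} not permitted for {user!r}", set()
    known = expand(neighbours(tool, "TOUCHES"), "HAS_FIELD")
    unknown = set(requested_fields) - known
    if unknown:
        # Schema confusion: the model asked for fields the entity lacks.
        return False, f"unknown fields {sorted(unknown)}", set()
    if "PII" in expand(roles, "MAY_SEE"):
        return True, "ok", set()
    # Personal data is stripped unless the role is cleared to see it.
    return True, "ok", {f for f in requested_fields if "PII" in neighbours(f, "IS")}
```

In a real deployment the edge list would be replaced by queries against the graph database, but the decision logic stays the same: the model only ever sees the tools its requester is entitled to, and its proposed calls are validated against the schema and the sensitivity labels before anything executes.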

What Happens if MCP is Adopted Without Graph-Powered Context

I’ll make a prediction for 2026. The bottleneck for MCP adoption will not be technical maturity. It will be security.

Enterprises will discover that wiring LLMs into live production systems without a contextual grounding layer creates too many risks. I expect that at least one very public incident will force the industry to reconsider its assumptions.

And the fix will be the same one we’ve used in software engineering for decades. You model your domain. You constrain choices. You limit the surface area of failure.

In other words, you build context before you build capabilities.

MCP Is Valuable, But Only When Grounded in Context

MCP is no doubt valuable. At Memgraph, we use it. We build with it. We see its potential. Not only have we created the Memgraph MCP Server, but we have also created a Memgraph MCP Client in Memgraph Lab to help you create an interoperable AI workflow.

But MCP is not a silver bullet. It is a doorway.

What you connect behind that doorway determines whether your agent behaves like a reliable assistant or a loose cannon.

If you’re serious about adopting MCP, the first step is not deciding which tools to expose. The first step is deciding how the model will understand your business world.

And the most effective way we’ve found is grounding it in a graph.

Ready to build safer agentic workflows?

Start with the MCP Client inside Memgraph Lab and give your LLM the grounded context it needs to act responsibly. You can try it instantly on Memgraph Cloud, which requires no setup. Simply sign up, launch a new project, and open Memgraph Lab from your dashboard.
