NSA warning on Model Context Protocol raises AI testing concerns for banks

TL;DR:

  • The US National Security Agency has issued fresh guidance warning that security for the Model Context Protocol (MCP) — now the de facto standard for connecting AI agents to external tools — is lagging adoption.
  • The NSA highlights weak authentication, insufficient approval controls, insecure data handling, missing audit logs and instruction-injection risks, and notes MCP introduces “not well-traced attack paths”.
  • For UK banks operating under DORA and the FCA’s operational resilience regime, the warning lands as several institutions are scaling agentic AI into fraud, KYC, compliance and customer-service workflows.

The guidance arrives at a politically awkward moment for UK financial-services AI rollouts. The protocol that has made agentic AI commercially viable — by letting models reach external systems through a standardised interface — is the same protocol the NSA is now describing as a promising but immature foundation.

Context and Background

MCP was originally proposed by Anthropic and has been rapidly adopted across financial services, software development and legal services as the connective tissue for agentic workflows. Where earlier AI deployments centred on chatbots producing text, MCP-connected agents can query databases, invoke APIs and chain actions across tools, often with limited per-step human review.

The NSA’s risk taxonomy will be familiar to anyone running operational technology in a regulated UK firm: weak authentication, missing approvals, poor logging, insufficient segmentation. The novelty is that, as the agency notes, AI agents now traverse these surfaces dynamically at runtime — not as fixed deterministic workflows pre-validated before deployment. That breaks a core assumption of traditional change-control and QA practice in banking.

The UK regulatory backdrop sharpens the urgency. DORA’s ICT third-party rules require demonstrable observability of critical functions; the FCA has publicly pushed banks to evidence AI testing in practice rather than describe it on paper; and operational resilience rules require firms to identify important business services and stress-test them. An autonomous AI agent operating across fraud, KYC and customer systems sits inside most banks’ important business service perimeters by default.

Looking Forward

UK QA and AI assurance teams should expect MCP-specific testing requirements — adversarial probes, runtime behavioural validation, agentic workflow simulation — to become a standard line item in 2026 supervisory engagement. Vendors selling MCP servers into UK financial institutions should anticipate sharper procurement scrutiny on authentication, tool-validation provenance and audit-log completeness. Resultsense expects FCA and PRA supervisory teams to begin asking specific MCP questions during ICT and AI thematic reviews through the second half of the year.