GitGuardian CTO shares lessons from launching an MCP server—how guardrails, simplicity, and namespace security are key to safe AI agent adoption.
The security world is racing to adapt to the rise of Agentic AI. Many organizations are exploring the Model Context Protocol (MCP) as a framework for enabling intelligent, autonomous agents to interact with tools and APIs.
At GitGuardian, we didn’t just watch the ecosystem evolve. By launching our own MCP server, we gained deep insights into its transformative potential and unspoken dangers.
This isn’t just a story of innovation. This reflects our new responsibilities when giving machines more agency. Here’s what we learned.
Agents Are Helpful—Sometimes Too Helpful
Early in our internal testing, we discovered an uncomfortable truth: agents cannot be fully trusted (yet). We observed scenarios where an AI agent, acting through our MCP server, initiated actions like closing all incidents in the workspace, not just the ones related to the context it was given.
These weren’t malicious behaviors. The agent was simply trying to be helpful, based on a vague prompt. But the consequences could have been severe. This prompted a fundamental design change: we defaulted our MCP server to read-only access.
This decision was about more than risk mitigation. It was a step toward building trust, both in the tools we expose to agents and the agents themselves. Future iterations may implement more dynamic guardrails at the API or MCP level, similar to sandboxed environments in IDEs, to detect, halt, or reverse undesirable behavior.
More Tools ≠ More Intelligence
One of the earliest design mistakes we almost made was mapping our public API directly into the MCP server, endpoint by endpoint. At first glance, this is an efficient way to provide broad functionality. In practice, it overwhelmed the agent.
MCP agents are not omniscient. They rely on clear signals and finite toolsets to accomplish goals. They became confused or ineffective when given too many tools without explicit instruction. The lesson? Design your MCP server with curated workflows, not raw endpoints.
In our final design, we focused on two high-impact use cases: hardcoded secrets remediation and honeytoken insertion. Each action was tied to a deliberate user outcome, making the tools easier to use and far more valuable in practice.
MCP Server Namespaces Are a New Security Frontier
Like many fast-moving open ecosystems, MCP has a hidden risk: namespace squatting. Anyone can publish an MCP server, so if your company doesn’t secure its namespace early, someone else might, maliciously or otherwise.
This is more than a branding problem. Rogue MCP servers can impersonate legitimate services and mislead agents. In the worst case, they could exfiltrate sensitive data, inject malicious output, or undermine the trust model of agent-based systems.
We responded by publishing our official MCP server not just as a utility for developers but also as a defensive security measure. By owning our namespace, we created a safe, verified environment that users could trust and preempted potential impersonation attacks.
Building Trust in the Age of Agents Requires Transparency
One of our guiding principles in this release was ensuring that agents, even autonomous ones, operate within auditable, reversible systems. This is why our MCP server integrates with GitGuardian’s existing incident workflows, and every action is logged and traceable.
The broader lesson is that AI agents need more than data access. They need ethical architecture. That means minimizing permissions, limiting scope, and building infrastructure where mistakes are reversible and behavior is observable.
Final Thoughts: Building Secure Foundations for Autonomous Agents
MCP is still in its infancy. As one of the first security vendors to launch an MCP server, we’ve seen firsthand both the promise and peril of giving agents more autonomy. These tools will be transformative, but only if we build them with security, clarity, and accountability at their core.
Our journey wasn’t just about launching a product. It was about learning how to participate responsibly in a fast-moving AI ecosystem.
For anyone building MCP infrastructure today, we offer this advice:
- Start with read-only defaults.
- Prioritize simplicity over completeness.
- Secure your namespace early.
- Monitor agent behavior and stay ready to intervene.
Because in the world of agentic systems, it’s not just about what agents can do.
It’s about what they should do. And it’s up to us to draw that line.
