MP-201b · Module 3

Access Control & Security

4 min read

Resource-level access control determines which data an AI model can see based on the identity and permissions of the user it is acting for. This is not optional in enterprise environments: a sales rep's AI assistant should see that rep's own pipeline, not the entire company's revenue data. MCP's authorization specification (OAuth 2.1 bearer tokens on HTTP transports) covers authenticating the client to the server; it does not say which user may read which resource, so the server must implement that itself. The standard pattern is to establish the user identity once per connection from a credential the server verifies (the access token presented at initialization), never from a name the client merely asserts, and then apply a permission check on every resources/read call rather than only at connect time. The check should fail closed: an unknown resource, an unknown role, and a resource outside the user's scope should all produce the same denial, so the client learns nothing about what exists.

Data masking adds a second layer. Even when a user is allowed to read a resource, certain fields may need to be redacted or masked: Social Security numbers, credit card numbers, salary data, medical records. The MCP server applies masking rules before returning resource content: replace an SSN with ***-**-1234, redact email addresses for non-admin users, or omit entire columns based on the user's role. Masking rules should be centralized in one policy file keyed by role, not scattered across individual resource handlers, and they should match patterns in the values rather than relying on field names alone: an SSN pasted into a free-text notes field must be masked exactly like the one in the ssn column.

Audit logging is the third pillar. Every resource read, allowed or denied, should be logged with the user identity, resource URI, timestamp, outcome, and response size. This creates a trail of what data the AI accessed, which is essential for compliance (SOC 2, HIPAA, GDPR) and incident investigation, and the trail is only as tamper-proof as the store it lands in. Log to an append-only store: a dedicated logging service, a database table on which the server's account holds INSERT but no UPDATE or DELETE privilege, or an immutable cloud log stream. Never log the actual resource content, only the metadata.
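The three pillars above combined into one resource-read handler, as an added example; this is not code from the MP-201b module or from any MCP SDK. Everything in it is an assumption constructed for illustration: the HMAC-signed token stands in for validating a real OAuth access token against its issuer, the `crm://` URIs and account records are sample data, the `POLICY` dictionary stands in for a policy file, and the in-memory `AUDIT_LOG` list stands in for an append-only store. The record for account 1001 deliberately carries an SSN inside a free-text notes field to show why masking must be pattern-based rather than tied to field names.

```python
"""Resource-read pipeline for an MCP server: verified identity, per-read
authorization, policy-driven masking, metadata-only audit log.

Added example; not code from the MP-201b module or from any MCP SDK. The
token format, resource store, policy layout and audit sink are all assumed.
"""
import hashlib
import hmac
import json
import re
import time
from dataclasses import dataclass

# Assumption: an HMAC-signed "<json claims>.<hex sig>" token stands in for a
# real OAuth access token that the server would validate against its issuer.
SERVER_KEY = b"example-signing-key"  # constructed; load from a secret store in practice


@dataclass(frozen=True)
class Principal:
    user: str
    role: str


def sign_token(user: str, role: str) -> str:
    """Mint a token (only so the example can create test identities)."""
    claims = json.dumps({"sub": user, "role": role}, sort_keys=True)
    sig = hmac.new(SERVER_KEY, claims.encode(), hashlib.sha256).hexdigest()
    return f"{claims}.{sig}"


def verify_token(token: str) -> Principal:
    """Identity comes only from a credential the server can verify."""
    claims, _, sig = token.rpartition(".")  # the hex signature never contains '.'
    expected = hmac.new(SERVER_KEY, claims.encode(), hashlib.sha256).hexdigest()
    if not claims or not hmac.compare_digest(sig, expected):
        raise PermissionError("invalid token")
    data = json.loads(claims)
    return Principal(data["sub"], data["role"])


# Constructed sample data: CRM accounts, each owned by one sales rep. Note the
# SSN sitting in free text, where field-name-based masking would miss it.
RESOURCES = {
    "crm://accounts/1001": {"owner": "alice", "contact": "pat@example.com",
                            "ssn": "123-45-6789", "arr_usd": 250000,
                            "notes": "Renewal call 3/12; SSN on file 123-45-6789"},
    "crm://accounts/1002": {"owner": "bob", "contact": "kim@example.com",
                            "ssn": "987-65-4321", "arr_usd": 80000, "notes": ""},
}

# Centralized policy keyed by role (one policy file in practice, not code in
# each handler). scope: which records; mask: pattern maskers run over every
# string field; omit: fields dropped entirely.
POLICY = {
    "sales":   {"scope": "owner", "mask": ["ssn_last4", "email"], "omit": []},
    "support": {"scope": "all",   "mask": ["ssn_last4", "email"], "omit": ["arr_usd"]},
    "admin":   {"scope": "all",   "mask": [],                     "omit": []},
}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")
MASKERS = {
    "ssn_last4": lambda s: SSN_RE.sub(r"***-**-\1", s),
    "email": lambda s: EMAIL_RE.sub("[redacted email]", s),
}


def apply_masks(value, masks):
    """Run every configured masker over a string value, whatever field it came from."""
    if not isinstance(value, str):
        return value
    for name in masks:
        value = MASKERS[name](value)
    return value


# Stand-in for an append-only audit store: the code only ever calls append().
AUDIT_LOG: list = []


def audit(principal: Principal, uri: str, outcome: str, size: int) -> None:
    """Metadata only: who, what, when, allowed or denied, how much. Never the content."""
    AUDIT_LOG.append({"ts": time.time(), "user": principal.user, "role": principal.role,
                      "uri": uri, "outcome": outcome, "bytes": size})


def read_resource(uri: str, token: str) -> dict:
    """Handler for an MCP resources/read request: identity -> authz -> mask -> audit."""
    try:
        principal = verify_token(token)
    except PermissionError:
        audit(Principal("<unauthenticated>", "-"), uri, "denied", 0)
        raise
    record = RESOURCES.get(uri)
    rule = POLICY.get(principal.role)
    # Fail closed: unknown resource, unknown role and out-of-scope owner all
    # produce the same denial, so the client learns nothing about what exists.
    allowed = (record is not None and rule is not None
               and (rule["scope"] == "all" or record["owner"] == principal.user))
    if not allowed:
        audit(principal, uri, "denied", 0)
        raise PermissionError(f"{principal.user} may not read {uri}")
    content = {k: apply_masks(v, rule["mask"]) for k, v in record.items()
               if k not in rule["omit"]}
    audit(principal, uri, "allowed", len(json.dumps(content)))
    return content


if __name__ == "__main__":
    print(read_resource("crm://accounts/1001", sign_token("alice", "sales")))
    print(AUDIT_LOG[-1])
```

In a real server the token is taken from the session established at initialization rather than passed on every call, and `POLICY` is loaded from the policy file at startup. The design point to notice is that masking runs over values, so the SSN inside `notes` is masked for sales and support just like the `ssn` field, and that denials are audited with the same metadata as successful reads, so an assistant probing for other reps' accounts leaves a trail.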

Do This

  • Authenticate the user at connection time and enforce permissions on every read
  • Apply data masking rules before returning resource content — never rely on the model to ignore sensitive fields
  • Log every resource access with user, URI, and timestamp to an append-only audit store
  • Design resources with minimum necessary fields — omit data the model does not need

Avoid This

  • Trust the AI model to self-censor sensitive data — it will include whatever you give it
  • Apply masking inconsistently — if SSNs are masked in one resource but exposed in another, the model finds the unmasked one
  • Log resource content in audit trails — you create a second copy of sensitive data
  • Skip access control because "it is just a read-only resource" — unauthorized reads are still data breaches