WisdomPrompt checklist

MCP Security Checklist

MCP servers can become privileged access paths for AI agents. Use this checklist before connecting a server to real business systems or approving it for production use.

Inventory and ownership

  • Server owner, environment, and business purpose
  • Connected systems, tools, files, databases, or APIs
  • Data sensitivity and user groups
  • Review cadence and approval status

Access controls

  • Authentication method and token rotation policy
  • Least-privilege tool permissions
  • Read-only vs write-capable tools separated clearly
  • Human approval for destructive or external write actions

Monitoring and evidence

  • Tool-call logs retained with actor, timestamp, and result
  • Failed and blocked actions captured as evidence
  • Change history for server configuration
  • Open risks and remediation tasks tracked to owner
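One way to make the read-only/write separation, the human-approval gate and the tool-call evidence items concrete, as an added example that is not part of WisdomPrompt's checklist or of any MCP SDK; the tool inventory, the approvals set and the gate function are hypothetical:

```python
# Added example (hypothetical names, not a real MCP SDK): a minimal gate in
# front of an MCP server's tool calls that enforces the checklist items above.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed tool inventory: every tool is labelled read-only or write-capable;
# destructive or external write tools additionally require human approval.
TOOLS = {
    "crm.search_accounts": {"mode": "read"},
    "crm.update_account":  {"mode": "write", "approval": True},
    "files.read":          {"mode": "read"},
    "files.delete":        {"mode": "write", "approval": True},
}


@dataclass
class AuditLog:
    """Retains every decision with actor, timestamp and result, including blocked calls."""
    records: list = field(default_factory=list)

    def record(self, actor, tool, result, reason=""):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "tool": tool, "result": result, "reason": reason,
        }
        self.records.append(entry)
        return entry


def gate_tool_call(actor, tool, approvals, log, read_only_session=False):
    """Return True if the call may proceed. `approvals` is a set of
    (actor, tool) pairs a human has explicitly approved for this session."""
    spec = TOOLS.get(tool)
    if spec is None:                      # unknown tool: not in inventory
        log.record(actor, tool, "blocked", "tool not in inventory")
        return False
    if spec["mode"] == "write" and read_only_session:
        log.record(actor, tool, "blocked", "write tool in read-only session")
        return False
    if spec.get("approval") and (actor, tool) not in approvals:
        log.record(actor, tool, "blocked", "human approval required")
        return False
    log.record(actor, tool, "allowed")
    return True


def run_demo():
    """Constructed session: one read, one unapproved delete, one approved delete."""
    log = AuditLog()
    gate_tool_call("agent-a", "crm.search_accounts", set(), log)
    gate_tool_call("agent-a", "files.delete", set(), log)
    gate_tool_call("agent-a", "files.delete", {("agent-a", "files.delete")}, log)
    return [(r["tool"], r["result"]) for r in log.records]
```

Blocked calls are written to the same log as allowed ones, so the "failed and blocked actions captured as evidence" item is satisfied by the gate itself rather than by a separate process.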

Production readiness

  • Rollback or disable path tested
  • Sensitive outputs redacted where required
  • Incident response owner assigned
  • Mapped to AI governance and security controls

WisdomPrompt treats MCP servers as governed AI components with ownership, permissions, risk, evidence, and audit history.