WisdomPrompt checklist
MCP Server Security Evidence Checklist
Use this checklist to turn an MCP server security review into retained evidence instead of a one-time architecture conversation.
Server identity
- Server name, environment, owner, and business purpose
- Connected systems, tools, APIs, and data classes
- Production, staging, and development separation
- Deployment and disable/rollback owner
Permission evidence
- Authentication method and credential owner
- Least-privilege tool scopes
- Read-only and write-capable tools separated
- Human approval for external or destructive actions
Monitoring evidence
- Tool-call logs with timestamp and outcome
- Blocked, failed, and escalated actions retained
- Incident response path and owner
- Periodic access review evidence
Governance mapping
- Risk treatment record
- Control mapping for ISO 42001, SOC 2, or internal review
- Open findings and remediation tasks
- Auditor-ready export with evidence status
WisdomPrompt treats MCP servers as auditable AI access surfaces with owners, permissions, risk, and evidence.