WisdomPrompt checklist

MCP Server Security Evidence Checklist

Use this checklist to turn MCP server security review into retained evidence instead of a one-time architecture conversation.

Server identity

  • Server name, environment, owner, and business purpose
  • Connected systems, tools, APIs, and data classes
  • Production, staging, and development separation
  • Deployment and disable/rollback owner

Permission evidence

  • Authentication method and credential owner
  • Least-privilege tool scopes
  • Read-only and write-capable tools separated
  • Human approval for external or destructive actions

Monitoring evidence

  • Tool-call logs with timestamp and outcome
  • Blocked, failed, and escalated actions retained
  • Incident response path and owner
  • Periodic access review evidence

Governance mapping

  • Risk treatment record
  • Control mapping for ISO 42001, SOC 2, or internal review
  • Open findings and remediation tasks
  • Auditor-ready export with evidence status

WisdomPrompt treats MCP servers as auditable AI access surfaces with owners, permissions, risk, and evidence.