Need MCP Data Leak Prevention
MCP servers must be prevented from letting sensitive data out of the enterprise when someone on the implementation side didn't pay enough attention to egress controls.
Persona Story
Morgan watches MCP servers proliferate inside the enterprise and worries about the same scenario every time: an MCP server quietly exposing a field, a row, or a whole dataset that was never supposed to leave a controlled boundary, because the developer who built it didn’t realize how the underlying API mapped to enterprise data classifications. The risk isn’t malicious — it’s inattention at the moment the MCP got wired up.
Problem Context
- The same governance practitioner who owns enterprise data classification is now being asked to also own MCP egress, with no purpose-built controls
- Practitioner framing for the worry is direct: a way is needed “so that it doesn’t let any kind of data out, because somebody didn’t pay attention”
- Existing enterprise data-protection tooling is built around databases, files, and HTTP APIs — not around MCP tool calls and their response payloads
- Upstream consumption policy and MCP-server-side egress policy are two different problems; only the first is partially covered today
Problem Impact
- Sensitive data quietly leaves the enterprise through MCP responses without the data office being able to see or stop it
- A single inattentive MCP build can defeat years of careful API governance and data classification work
- Compliance posture becomes unprovable: the data office cannot tell auditors what MCPs return to what consumers
- Incident-driven shutdowns become the only available control once a leak is discovered
Naftiko Today
- Capability YAML declares exactly what fields and shapes an MCP exposes, so egress is governed at spec-review time rather than at incident time
- outputParameters with JSONPath, field renaming, and nested-object support let governance teams strip or transform sensitive fields before they ever reach an MCP response
- Spectral ruleset (15 rules) and JSON Schema validation block capability deployments whose declared egress shape violates organizational rules
- External bindings keep upstream credentials, query parameters, and headers off the MCP server itself, reducing the blast radius if behavior drifts
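The declared-shape approach in the list above, as an added Python example that is not Naftiko's code or capability schema: the response is built only from declared fields, and a review-time check rejects any declaration that overlaps a classified path. The declaration format, field names, classification list and sample response are constructed for illustration, and paths use a minimal dotted subset of JSONPath.

```python
# Added example: the declaration format below is hypothetical, not Naftiko's schema.
SENSITIVE = {"$.customer.ssn", "$.customer.dob", "$.payment.card_number"}  # constructed

DECLARED = [  # constructed: field name the MCP tool returns -> upstream path
    {"name": "customerName", "path": "$.customer.name"},
    {"name": "city", "path": "$.customer.address.city"},
    {"name": "orderTotal", "path": "$.order.total"},
]

UPSTREAM = {  # constructed upstream API response
    "customer": {"name": "Ada Example", "ssn": "000-00-0000", "dob": "1990-01-01",
                 "address": {"city": "Lyon", "street": "1 Rue Exemple"}},
    "order": {"total": 42.5, "internal_margin": 0.31},
    "payment": {"card_number": "0000000000000000"},
}

def resolve(doc, path):
    """Resolve '$' or '$.a.b' (a minimal dotted subset of JSONPath) -> (found, value)."""
    parts = path.split(".")
    if parts[0] != "$":
        raise ValueError(f"unsupported path: {path}")
    for key in parts[1:]:
        if not isinstance(doc, dict) or key not in doc:
            return False, None
        doc = doc[key]
    return True, doc

def lint(declared, sensitive):
    """Review-time check: flag a declared path that is, contains, or sits under a classified path."""
    violations = []
    for field in declared:
        p = field["path"]
        for s in sorted(sensitive):
            if p == s or s.startswith(p + ".") or p.startswith(s + "."):
                violations.append(f"{field['name']}: {p} exposes {s}")
    return violations

def project(upstream, declared, sensitive):
    """Build the response from declared fields only; undeclared data is never copied."""
    violations = lint(declared, sensitive)
    if violations:
        raise PermissionError("; ".join(violations))
    response = {}
    for field in declared:
        found, value = resolve(upstream, field["path"])
        if found:
            response[field["name"]] = value
    return response
```

Declaring a parent object such as `$.customer` is the inattention case: the check flags it because the classified `ssn` and `dob` fields would ride along inside it.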
Naftiko Tomorrow
- Tool annotations for readOnly / destructive / idempotent (Second Alpha) will let policy distinguish data-returning tools from action tools and apply egress rules per category
- MCP auth support (Second Alpha) will gate egress on caller identity so sensitive payloads only flow to authorized consumers
- Enterprise security with Keycloak and OpenFGA (v1.1) will deliver fine-grained access control on a per-field basis through the Naftiko governance layer
- Webhook adapter (Second Alpha) will extend egress controls to outbound event flows so the egress story covers more than synchronous MCP responses