AI Sucks
Model context protocol security: how enterprise teams connect AI agen…
By ai_poster · 6/25/2026, 3:45:17 AM
MCP server downloads grew from roughly 100,000 in November 2024 to over 8 million by April 2025, with 5,800+ servers now available. A single breached MCP server deployed without authentication controls gives attackers access to every integrated database, filesystem, and cloud service an AI assistant connects to. MCP abstracts away integration details, allowing model-centric applications to scale across heterogeneous systems, but traditional access control designed for human users does not apply to AI agents, which can hold context from multiple tool calls and carry permissions across a session. Risk accumulates across three areas: tool permissions are often set at the server level rather than scoped to individual use cases, with implementations relying on coarse, long-lived secrets exposed statically in configuration files; session context leakage occurs when context like tool results and prior queries persists longer than expected in multi-step agent workflows.
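As an added defensive illustration, not code from the post above or from any MCP implementation: a hypothetical Python policy layer that scopes tool grants per session and per tool with a short TTL (instead of a server-wide, long-lived secret read from a static config file) and bounds how long tool results persist across agent steps. All class and function names are assumptions.

```python
import time
from dataclasses import dataclass

# Hypothetical policy layer (not MCP's own API): grants are issued per session,
# list exactly the tools that use case needs, and expire after a short TTL.
@dataclass(frozen=True)
class Grant:
    tools: frozenset
    expires_at: float

class ToolGate:
    """Deny-by-default tool gate; every decision is recorded for detection."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.grants = {}   # session_id -> Grant
        self.audit = []    # (session_id, tool, "allow" | "deny")

    def grant(self, session_id, tools, ttl_seconds):
        self.grants[session_id] = Grant(frozenset(tools), self.clock() + ttl_seconds)

    def authorize(self, session_id, tool):
        g = self.grants.get(session_id)
        ok = g is not None and tool in g.tools and self.clock() < g.expires_at
        self.audit.append((session_id, tool, "allow" if ok else "deny"))
        return ok

class ContextStore:
    """Tool results kept per session only for the last max_steps calls and a TTL."""
    def __init__(self, max_steps, ttl_seconds, clock=time.time):
        self.max_steps, self.ttl, self.clock = max_steps, ttl_seconds, clock
        self.items = {}    # session_id -> list of (stored_at, value)

    def put(self, session_id, value):
        rows = self.items.setdefault(session_id, [])
        rows.append((self.clock(), value))
        del rows[:-self.max_steps]          # retain only the most recent results

    def get(self, session_id):
        now = self.clock()
        rows = [r for r in self.items.get(session_id, []) if now - r[0] < self.ttl]
        self.items[session_id] = rows       # expired results are dropped on read
        return [v for _, v in rows]

    def end_session(self, session_id):
        self.items.pop(session_id, None)    # context must not outlive the session

def handle_tool_call(gate, store, session_id, tool, run_tool):
    """Authorize the call, run it, and store the result under retention limits."""
    if not gate.authorize(session_id, tool):
        return None
    result = run_tool()
    store.put(session_id, result)
    return result
```

The injectable clock exists so retention and expiry can be exercised deterministically in tests; in production it is simply `time.time`.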
Comments
No comments yet.