SkillAudit

Blog · Policy & Governance

How to write an MCP server security policy for your organization

Most organizations have a software procurement policy and a vendor security questionnaire. Almost none have thought through what those processes look like when the "software" is an MCP server that will be installed inside an LLM agent with ambient access to production systems. This post is a template you can adapt: who approves new MCP server adoptions, what grade threshold is the floor, how CI enforces the gate, and what happens when an engineer needs an exception.

2026-06-05 · 10 min read

Why MCP servers need their own policy track

When an engineer installs an npm package, the blast radius of a vulnerability is broadly contained: the package runs in a sandboxed Node.js process, with access to whatever the process user can access. When an engineer installs an MCP server, the blast radius is fundamentally different. The MCP server becomes a tool the LLM can invoke autonomously — it can read files, call APIs, execute database queries, and in some configurations, spawn subprocesses. A single prompt-injection vulnerability in an MCP server you adopt can turn your LLM agent into a credential exfiltrator.

Standard software procurement processes miss this because they evaluate the software's direct capabilities, not what those capabilities look like when mediated by a language model. An MCP server that technically only reads from a Postgres database is dangerous if it doesn't parameterize queries, because the LLM can be induced to supply a malformed query string that achieves SQL injection. Your security team's questionnaire doesn't ask "does this server parameterize all database queries?" — but it should.

A purpose-built MCP server security policy plugs this gap. It defines the assessment process, the grade floor, the CI gate that enforces it, the exception workflow, and the re-audit schedule.

Policy scope and ownership

Section 1

Scope

This policy applies to all MCP servers, Claude skills, and Model Context Protocol plugins installed in any LLM agent operated by [Organization Name] in any environment: development, staging, and production. It applies regardless of whether the MCP server is open source, commercially sourced, developed internally, or provided by a cloud vendor.

Excluded from scope: Toy/demo environments with no access to production credentials, internal data, or customer-facing systems. Any such environment must be explicitly tagged as out-of-scope in the infrastructure catalog and reviewed quarterly.

Section 2

Policy owner and review cadence

Policy owner: Head of Security (or designated delegate).
Approving authority: Head of Security + CTO jointly, for any policy exception or grade-floor change.
Review cadence: This policy is reviewed quarterly. The MCP security landscape is evolving rapidly — a policy frozen for 18 months will be dangerously out of date.

The MCP server registry (see Section 4) is reviewed monthly by the security team and weekly by the platform team.

Grade thresholds by environment

Every MCP server adopted by [Organization Name] must have a current SkillAudit report no older than 90 days. The minimum grade required depends on the environment and the sensitivity of data the agent can access.

Environment Data sensitivity Minimum grade Note
Production — customer PII or financial data High A No exceptions. An A-grade server with a documented F-sub-score in any axis is blocked regardless of overall grade.
Production — internal data, no PII Medium B C allowed only with approved exception (see Section 6). Any F-sub-score is an automatic block.
Staging — mirrors production schema Medium B Staging with real data snapshots is treated as production-equivalent.
Development — dev credentials only Low C Developer machines may install C-grade servers with manager approval. No D or F.
CI — no persistent credentials Low C CI environments with ephemeral credentials only. Isolated from production network.

Sub-score logic: The SkillAudit report card grades six axes individually: Security, Permissions hygiene, Credential exposure, Maintenance, Client compatibility, and Documentation completeness. An overall B-grade server can have a D in Credential exposure — and that sub-score alone is enough to block production adoption under this policy. Each axis has an independent floor equal to the overall grade threshold for the environment.

The MCP server registry

Section 4

Registry requirements

Every approved MCP server must have an entry in the organization's MCP server registry before it can be deployed in any non-development environment. The registry is a simple CSV or Notion database with these fields:

  • server_id — GitHub URL or npm package + pinned version
  • display_name — human-readable name
  • current_grade — letter grade from the most recent audit
  • audit_url — permalink to the SkillAudit report
  • audit_date — ISO date of the audit (triggers re-audit workflow when >90 days old)
  • environments_approved — list of environments (prod, staging, dev, ci)
  • data_access_summary — one sentence: what systems does this server read/write?
  • exception_id — if applicable (see Section 6)
  • owner_team — team responsible for monitoring this server

The registry is version-controlled and reviewed in the security team's monthly rotation. Any server missing from the registry that is discovered in a production agent deployment is treated as a policy violation and escalated to the security manager.

The CI enforcement gate

Checking grades manually before every deploy is not sustainable. The grade check must be automated. Here is the reference GitHub Action that enforces the grade threshold at deploy time:

# .github/workflows/mcp-grade-gate.yml
name: MCP server grade gate

on:
  pull_request:
    paths:
      - '.mcp/**'
      - 'mcp.json'
      - 'claude_desktop_config.json'

jobs:
  grade-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Check MCP server grades
        env:
          SKILLAUDIT_API_KEY: ${{ secrets.SKILLAUDIT_API_KEY }}
          MIN_GRADE: ${{ vars.MCP_MIN_GRADE || 'B' }}
        run: |
          # Parse MCP server list from config
          servers=$(jq -r '.mcpServers | to_entries[] | .value.url // .value.command' mcp.json 2>/dev/null || echo "")

          for server in $servers; do
            result=$(curl -sf "https://skillaudit.dev/api/grade?server=${server}" \
              -H "Authorization: Bearer $SKILLAUDIT_API_KEY")

            grade=$(echo "$result" | jq -r '.overall_grade')
            min_sub=$(echo "$result" | jq -r '[.sub_scores[]] | min')

            echo "Server: $server  Overall: $grade  Min sub-score: $min_sub"

            # Block if overall grade is below threshold or any sub-score is F
            if [[ "$grade" < "$MIN_GRADE" ]] || [[ "$min_sub" == "F" ]]; then
              echo "::error::$server does not meet grade requirement (got $grade, min sub $min_sub)"
              exit 1
            fi
          done

          echo "All MCP servers meet grade requirements."

The MIN_GRADE variable is set per-environment in your GitHub repository variables. You set B for production deployments and C for development branches. The gate fails the PR if any server falls below the threshold or if any sub-score is an F — the audit trail and compliance implications of allowing an F-sub-score into production are too high to make it a warning.

The vendor assessment process for new adoptions

Section 5

New MCP server adoption checklist

When an engineer wants to add a new MCP server, the following process applies before the server is added to any non-development environment:

  1. Run a SkillAudit scan on the server's GitHub URL or npm package. Record the report permalink.
  2. Check the grade against the target environment threshold. If it fails, stop here — the server cannot be adopted without an exception or remediation by the server author.
  3. Review the sub-scores. Any axis at D or F requires a detailed review of the finding, even if the overall grade passes.
  4. Confirm pinned version. MCP servers must be adopted at a specific pinned version. Using @latest in production is a policy violation — a supply-chain compromise can change the behaviour of your agent overnight.
  5. Document data access. Write one sentence in plain English describing what systems this server can read or write. If you cannot write this sentence without hedging, the server's permissions scope is too broad.
  6. Set re-audit reminder. Add a calendar reminder for 85 days from the audit date (5 days before the 90-day expiry) to re-run the audit. If the server has not been updated in 90 days, it will still get a fresh audit — advisories and CVE databases are checked at audit time, not at first-scan time.
  7. Add to registry and open a PR. The registry entry is the paper trail. No registry entry means no approval.

The exception workflow

Sometimes a team needs a server that doesn't meet the grade threshold. The exception process exists to make this a deliberate, documented, time-bounded decision — not a handshake in Slack.

Section 6

Exception requirements

An exception requires:

  • Business justification — why does this team need this specific server? What is the cost of not using it?
  • Risk analysis — what findings did SkillAudit flag, and what is the realistic impact in this team's deployment context? (A SSRF finding in a server that only has access to an internal read-only API is lower risk than the same finding with outbound internet access.)
  • Compensating controls — what controls reduce the risk? Examples: network egress restrictions, read-only credential scope, additional monitoring, shorter re-audit interval.
  • Expiry date — all exceptions expire in 60 days. The team must either remediate (work with the server author to fix the finding and re-audit) or renew the exception with updated justification.
  • Approval chain — exceptions require sign-off from the requesting engineer's manager and the Head of Security. Exceptions for production environments with PII access also require CTO sign-off.

Exceptions are stored in the registry under exception_id and linked to the approval artifact (email thread, Jira ticket, or signed PDF). No exception is valid without a stored artifact.

Re-audit triggers

The 90-day calendar reminder handles routine re-audits. Four additional triggers require an immediate re-audit regardless of when the last audit ran:

Internal MCP servers

Internally developed MCP servers are not exempt from this policy. They must:

Incident response integration

Your incident response runbook should explicitly name MCP servers as a possible actor in any LLM agent incident. When an incident is declared involving an agent, the first diagnostic step is to pull the audit reports for all MCP servers in the agent's tool chain. This immediately scopes whether a known finding could explain the observed behaviour — before you spend hours debugging the LLM prompt.

SkillAudit's Team plan exports the full registry and audit history as a structured JSON — useful for feeding into your SIEM or for evidence requests during incident review. If your incident response process requires producing a timeline of which servers were active in which agents during the incident window, the registry's audit_date and environments_approved fields are the starting point for that reconstruction.

Using this template

This is a starting point, not a finished document. Adapt it to your organization's:

The SkillAudit Team plan includes policy export (a structured JSON of your registry and all audit reports) and a minimum-grade CI webhook that handles the enforcement gate described in Section 3. If you'd like to see a demo of how the policy integrates with your CI pipeline, start a free audit and the team plan trial includes a 30-minute onboarding session.

The full policy template

Below is a condensed version of the policy sections above, formatted as a document you can drop into your internal wiki. Replace the bracketed fields with your organization's specifics.

MCP Server Security Policy v1.0
Owner: Head of Security
Last reviewed: [DATE]
Next review due: [DATE + 90 DAYS]

1. SCOPE
All MCP servers installed in any LLM agent in any [Organization] environment.
Excludes: demo environments explicitly tagged as out-of-scope in infrastructure catalog.

2. GRADE THRESHOLDS
- Production (PII/financial): A minimum, no F sub-scores
- Production (internal, no PII): B minimum, no F sub-scores
- Staging: B minimum (if mirrors production data)
- Development: C minimum, manager approval required
- CI (ephemeral creds): C minimum

3. ADOPTION CHECKLIST
1. Run SkillAudit scan; record permalink.
2. Verify overall grade and each sub-score meets threshold.
3. Confirm pinned version (no @latest in prod).
4. Document data access scope in one plain-English sentence.
5. Set 85-day re-audit reminder.
6. Add to registry; open PR.

4. EXCEPTIONS
Required: business justification + risk analysis + compensating controls
Expiry: 60 days
Approval: manager + Head of Security; add CTO for prod-PII environments.
Storage: exception_id in registry linked to approval artifact.

5. RE-AUDIT TRIGGERS (immediate, in addition to 90-day cadence)
- Server version bump
- CVE disclosure against a dependency
- Security incident involving the server
- New tool definitions or permission claims

6. INTERNAL SERVERS
Same grade thresholds and re-audit cadence as external servers.
Must have an assigned owner team in the registry.