Hacker News: tsouth's comments

I have seen a bunch of demos of this, often building on top of open standards like the SAFE-MCP MITRE ATT&CK analysis https://github.com/SAFE-MCP/safe-mcp

In general, the only way to make sure MCPs are safe is to limit which connections are made in an enterprise setting.


Agreed. Only provide the servers and tools needed for that job.

It would be silly to provide every employee access to GitHub, regardless of whether they need it. It’s just distracting and an unnecessary risk. Yet people are over-provisioning MCPs like you would install apps on a phone.

Principle of least access applies here just as it does anywhere else.


The MCP & DCR OAuth ecosystem was immature at the start, but has really evolved and become robust. E.g., WorkOS has some really robust OAuth that can act as a standalone proxy for MCP connecting to any existing auth infrastructure.

Metadata and resource indicators are solving the rest of the problems that came with the change to the OAuth spec.


Everyone is down. Cloudflare has problems too. All auth providers broken.


And if not, why?


This might become the new soundtrack to my working days.

