Skip to Content
Back to blog

AI & MCP

Where Claude Code falls short in AI security

Cameron McClellan

Cameron McClellan

May 15, 2026 - 9 min read

Where Claude Code falls short in AI security

Claude’s enterprise plan is a genuine step forward compared with unmanaged AI tool usage. It ties developer identity to a corporate SSO provider, gives compliance teams programmatic access to conversation logs, and lets administrators publish an approved list of MCP servers. For organizations that were previously running Claude Code against personal Anthropic accounts with no oversight, that’s a meaningful baseline.

The problem is that a baseline is not a posture.

Claude Enterprise was designed to give security teams visibility into how developers use AI. It wasn’t designed to govern what AI agents do after the model responds — tool calls, MCP server invocations, data reads, and system actions that happen at machine speed, often without a human reviewing them before they execute. That distinction mattered less when AI was answering questions. It matters a great deal when it’s running agentic workflows in production.

This is a precise look at where Claude’s native controls end, what threat categories live in that gap, and what the compliance window looks like for security teams asking whether they can afford to wait.

What Claude Enterprise actually gives you

Claude Enterprise includes SSO and identity via SAML 2.0 and OIDC, with SCIM for automated provisioning and deprovisioning. Developers log in with corporate credentials and SCIM means a departing employee’s Claude access is revoked with their Anthropic workspace seat.

The Compliance API gives compliance teams real-time programmatic access to conversation content — prompts and completions — with selective deletion. This covers what went into the model and what came out. The MCP server allowlist lets administrators publish approved servers and deploy them to developer machines. Spend controls and zero data retention (under the Enterprise agreement) round out the package.

Where those controls stop

Anthropic’s own documentation makes the boundary explicit: as of May 2026, Cowork and agent activity is excluded from all three compliance mechanisms — Audit Logs, Compliance API, and Data Exports — across every plan tier, including Enterprise.

That exclusion has a direct consequence: the moment an AI agent makes a tool call, the audit trail ends.

Consider what a typical agentic Claude Code workflow looks like in practice. A developer asks the agent to investigate a failing test. The agent reads the test file, queries the database for related records, checks the Git log for recent changes, runs the test suite, and posts a summary to Slack. Five tool calls. None appear in the Compliance API. If a customer record was leaked through that Slack message, the audit log would only show the conversation (the prompt in, the model’s text response out). The actual tool call that sent data to Slack happened after the model responded and wouldn’t appear anywhere in the log.

The MCP server allowlist has a similar structural limit. It’s a configuration file deployed to employee laptops. Claude reads it and presents those servers as available. What it cannot do is enforce that list at the protocol layer — blocking an employee who adds a server to their local ~/.claude/settings.json, revoking access in real time when an employee changes teams, or detecting when a registered server has been modified to include malicious tool descriptions.

Decentralized config files on employee laptops are not an enterprise security control. They are the absence of one.

The threats that live in that gap

Claude’s controls were designed for the conversation layer. In the gap between a model response and the tool calls that follow it, several attack surfaces have no coverage:

  • Prompt injection — an attacker embeds hidden instructions in content the agent reads (documents, issues, tickets); the agent follows them as legitimate tasks, and neither the injected instructions nor the resulting tool calls appear in audit logs (demonstrated against the GitHub MCP server, May 2025 )
  • Tool poisoning — MCP server descriptions can include hidden instructions that redirect agent behavior on every invocation, whether through shadow AI installs outside IT approval or post-approval rug pulls on registered servers; the MCP gateway inspects tool descriptions at the protocol layer on every call, a config-file allowlist does not
  • Supply chain compromise — MCP packages can be malicious before installation; in early 2026 LiteLLM (3.4M daily downloads) was compromised on PyPI, harvesting cloud credentials and SSH keys from every affected system
  • Environment and config injection — repository config and environment variables can redirect agent traffic before trust mechanisms activate (CVE-2025-59536, CVE-2026-21852; both patched, the structural pattern has not)
  • Multi-agent propagation — in chained agent pipelines, a compromised agent can pass injected instructions to downstream agents with broader permissions

We cover these threats in more detail in What is AI security?.

The compliance clock

Enterprise security teams asking “can we wait on this?” are doing the math in a regulatory environment that is moving faster than most AI governance programs.

EU AI Act , August 2026. The Annex III enforcement deadline requires organizations using AI in high-risk categories — employment decisions, financial services access, law enforcement, and others — to have documented oversight, audit trails covering AI decision-making, and the ability to intervene in AI system operation. Article 25 makes a deployer responsible for provider-level obligations when they modify an AI system’s intended purpose, which includes connecting it to internal data sources through MCP. Tool-call audit logs are not optional under this framing — they are the documentation that satisfies the oversight requirement.

SOC 2  and ISO 27001  audit scrutiny. Auditors are not yet requiring tool-call logs by name, but they are asking about AI systems in scope and what controls govern their access to in-scope data. An organization that can show conversation-level logs but not what data an AI agent read or wrote through tool calls is leaving a gap that a reasonable auditor will treat as a finding.

The incident rate. A 2025 Gravitee survey  of over 900 executives and practitioners found that 88% of organizations reported confirmed or suspected AI agent security incidents in the prior 12 months. Seventy-two percent of S&P 500 companies disclosed at least one material AI risk in 2025. Only 26% have comprehensive AI governance policies in place.

The companies treating AI tool governance as a future-quarter project are in the majority. So are the companies reporting incidents.

What actually closes the gap

The gap between Claude’s native controls and enterprise security requirements is the gap the AI control plane closes. The MCP gateway is the enforcement point at the tool-call layer.

Control
SSO and user identity
Claude Enterprise
AI control plane
Conversation audit logs
Claude Enterprise
AI control plane
MCP tool-call logs (arguments + results)
Claude Enterprise
AI control plane
PII redaction at the tool layer
Claude Enterprise
AI control plane
Prompt injection blocking
Claude Enterprise
AI control plane
Per-tool access control (not just per-server)
Claude Enterprise
AI control plane
Shadow MCP detection and blocking
Claude Enterprise
Allowlist only
AI control plane
Protocol enforcement
Dynamic access revocation (identity-based)
Claude Enterprise
AI control plane
Tool description inspection against poisoning
Claude Enterprise
AI control plane
Cross-session incident reconstruction
Claude Enterprise
AI control plane

The difference in architecture is fundamental. Claude’s controls live in configuration files on employee machines, enforced by the client. A control plane runs as infrastructure: a gateway through which every tool call is routed, inspected, and logged, with policy enforced server-side and not dependent on the state of any individual employee’s laptop.

The practical effect: when a developer connects an unapproved MCP server, it’s blocked at the protocol layer — not just missing from a config file. When a developer changes teams, their tool-call permissions update the moment their group membership changes in the identity provider. When an auditor asks what data an agent accessed last quarter, there’s a structured log of every tool call: tool name, arguments, result, duration, and the identity behind it.

Claude Code is a capable AI coding assistant with a reasonable set of enterprise controls. Those controls were designed for the conversation layer. Agentic workflows in production need governance at the tool-call layer. The two aren’t in conflict — they’re different layers of the same stack, and right now only one of them is covered.

If you’re a security team trying to understand what your organization’s exposure looks like before the August 2026 compliance deadline, the Speakeasy AI control plane is where that conversation starts.

Frequently asked questions

Does Claude Enterprise log MCP tool calls?

No. As of May 2026, Anthropic’s own documentation explicitly excludes Cowork and agent activity from all three compliance mechanisms — Audit Logs, Compliance API, and Data Exports — across every plan tier, including Enterprise. When an AI agent makes a tool call, the audit trail ends. The Compliance API captures what went into the model and what the model returned as text. It does not capture the tool calls that follow from that response.

What is the difference between an MCP server allowlist and protocol-level enforcement?

An MCP server allowlist is a configuration file deployed to employee machines. Claude reads it and presents those servers as available options. It cannot block an employee who adds a server to their local ~/.claude/settings.json alongside the approved list, and it cannot detect when an approved server has been modified after deployment. Protocol-level enforcement routes every tool call through a gateway that applies policy server-side — the block happens at the network layer regardless of what’s configured on the employee’s laptop.

Can I use Claude Code for production agentic workflows without additional security controls?

You can, but the native controls cover only the conversation layer. If your workflows involve tool calls to internal databases, APIs, or external services — which most production agentic workflows do — there is no audit trail for those actions, no way to enforce which tools a given user can call, and no detection for prompt injection or tool poisoning attacks targeting the tool layer. Whether that exposure is acceptable depends on the sensitivity of the data the agent can reach and your organization’s regulatory obligations.

What does the EU AI Act require for organizations deploying AI agents?

The Annex III enforcement deadline in August 2026 requires organizations using AI in high-risk categories to maintain documented oversight, audit trails covering AI decision-making, and the ability to intervene in AI system operation. Article 25 extends provider-level obligations to deployers who modify an AI system’s intended purpose — which includes connecting it to internal data sources through MCP. Conversation logs alone are unlikely to satisfy this requirement; the oversight documentation needs to cover what the agent did, not just what it was asked to do.

What is an AI control plane?

An AI control plane is the governing infrastructure layer between AI agents and the systems they’re allowed to reach. Rather than relying on configuration files on employee machines, a control plane routes every tool call through a central gateway that can inspect, log, redact, and block based on policy. It enforces access control at the protocol layer, integrates with identity providers for real-time permission updates, and produces a structured audit log of every tool call — arguments, results, duration, and the identity behind it. It operates independently of which AI client or model the employee is using.

Last updated on

AI everywhere.

Control here.

Talk to usLearn more