MCP DLP: How to Prevent Data Loss in Model Context Protocol Deployments
MCP servers give AI agents access to your most sensitive systems. Learn how DLP for Model Context Protocol works and how to protect PII, PHI, and credentials from AI data leaks.
Model Context Protocol (MCP) is the fastest-moving standard in enterprise AI right now. Introduced by Anthropic in November 2024, MCP has quickly become the default way AI agents connect to external tools — databases, APIs, file systems, SaaS apps, and more. By early 2026, thousands of MCP servers are in production across organizations of every size.
The problem: almost none of them have data security controls.
When an AI agent queries your Postgres database, pulls documents from Google Drive, or reads Slack messages through an MCP server, sensitive data flows directly into the model's context window — and from there, potentially to an external AI provider. Traditional DLP tools were not built for this. They watch email attachments and endpoint file transfers. They have no visibility into what your AI agents are doing at runtime.
This post covers what MCP DLP means, what risks MCP creates, and how to protect sensitive data flowing through Model Context Protocol deployments.
Model Context Protocol is an open standard that gives AI models a structured way to call external tools and retrieve data at runtime. Think of it as a universal API layer between an LLM and everything else in your stack.
An MCP server exposes a set of "tools" — functions the AI can call. A database MCP server might expose query_database. A file system MCP server exposes read_file. A Slack MCP server exposes search_messages. The AI model decides which tools to call based on the user's request, calls them, and uses the results as context to generate a response.
This is powerful. It is also a significant data security gap.
Before MCP, AI agents operated mostly on text the user typed. With MCP, they operate on live data pulled from your most sensitive systems. Every tool call is a data retrieval event, and in the default configuration, nothing monitors what gets retrieved or whether it contains PII, PHI, credentials, or confidential business data.
The core risk is straightforward: MCP servers have broad access to sensitive data, and the AI models they serve have no data security controls applied to what they receive.

There are four specific ways MCP creates data loss exposure:
1. Sensitive data in tool responses
When an MCP server queries a database or fetches a document, the response often contains far more sensitive data than the task requires. A query for "customer contact info" might return SSNs, payment details, and medical history alongside the email address the agent actually needed. All of it flows into the model's context window.
2. Data sent to external AI providers
If the MCP-connected agent uses a hosted model (GPT-4, Claude API, Gemini), the context window — including all tool responses — is transmitted to that provider's infrastructure. Sensitive data retrieved through MCP tool calls leaves your environment with every API call.
3. Prompt injection through MCP tool responses
Attackers can embed instructions inside data that an MCP server retrieves. A malicious document stored in your file system might contain hidden text instructing the AI to exfiltrate data through a subsequent tool call. Invariant Labs demonstrated this in 2025: a poisoned MCP server exfiltrated an entire WhatsApp message history through a chained tool call. The user saw nothing unusual.
4. Shadow MCP servers
Developers spin up MCP servers locally or in staging environments without security team visibility. These servers often have direct database or API access with no audit trail. Shadow MCP is the new shadow IT — except the blast radius is larger because AI agents can act autonomously.
The answer depends on which tools your MCP servers expose, but in practice the risk surface is broad:
Any of these can appear in a model's context window during normal agent operation. None of them are visible to traditional endpoint or email DLP tools.
DLP for MCP operates at the data flow layer — monitoring what goes into model context windows and what comes back out through tool calls.

Strac monitors what employees send to AI tools and redacts sensitive data before it reaches the model — the same capability needed for MCP environments.
A proper MCP DLP approach requires four capabilities:
Discovery — identifying which MCP servers exist across your environment, what tools they expose, and what data sources they have access to. You cannot protect what you cannot see.
Classification — detecting sensitive data in MCP tool responses before it reaches the model context. This means running PII, PHI, PCI, and credential detection against the content flowing through each tool call in real time.
Redaction — masking or removing sensitive data from tool responses before the AI model processes them. The agent still gets a useful response; it just does not get the credit card number or SSN it did not need.
Alerting and audit — logging what data was retrieved through which MCP server, by which agent, in response to which user request. This creates the audit trail required for HIPAA, PCI DSS, SOC 2, and GDPR compliance.
The best way to understand MCP DLP is to see it working. Strac built a working MCP server — strac-m365-dlp — that connects Claude directly to Microsoft 365 (SharePoint and OneDrive) with automatic DLP redaction on every document retrieval.
Here is the architecture:
How it works end to end: an AI client calls the get_file tool on the strac-m365-dlp MCP server, the retrieved content passes through Strac DLP, and the redacted content, with a summary of what was removed (for example "[Strac DLP] Redacted: 2 SSN, 1 CREDIT_CARD, 3 EMAIL"), is what reaches the model.
The MCP server exposes four tools: get_file, search_files, list_sites, and list_files. Redaction happens on every response, not just flagged files. File names containing sensitive data patterns are redacted too, because metadata leaks are still leaks.
The server runs over stdio transport (standard input/output), which means it works directly with Claude Desktop, Claude Code, and any MCP-compatible AI client without a proxy or additional infrastructure.
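As an added illustration of the classify, redact, and audit capabilities described above, and of the per-response redaction summary shown for strac-m365-dlp, here is a small Python guard that scans a tool response and its file name before either reaches the model. This is example code written for this post, not Strac's engine or the strac-m365-dlp server; the four regex detectors, the `[DLP]` summary format, and the sample document are all constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Four illustrative detectors, constructed here; a real engine uses ML models and many more.
DETECTORS = {
    "SSN": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "CREDIT_CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "AWS_KEY": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn check, so order ids and timestamps are not redacted as card numbers."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0

@dataclass
class AuditRecord:  # which agent retrieved what, through which server and tool
    server: str
    tool: str
    agent: str
    user_request: str
    counts: Counter = field(default_factory=Counter)
    def summary(self) -> str:
        parts = ", ".join(f"{n} {label}" for label, n in sorted(self.counts.items()))
        return f"[DLP] Redacted: {parts}" if parts else "[DLP] Redacted: nothing"

def redact(text: str, counts: Counter) -> str:
    """Replace each detected value with its label and count what was removed."""
    for label, pattern in DETECTORS.items():
        def replace(m, label=label):
            if label == "CREDIT_CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()  # 13-16 digits that fail Luhn: not a card, keep it
            counts[label] += 1
            return f"[{label}]"
        text = pattern.sub(replace, text)
    return text

def guard_tool_response(server, tool, agent, user_request, file_name, content):
    """Run on every tool result before it enters the model context; file names too."""
    rec = AuditRecord(server, tool, agent, user_request)
    return redact(file_name, rec.counts), redact(content, rec.counts), rec
# Constructed sample document; the AWS key is the example key from AWS's own docs.
SAMPLE = """Customer: Jane Doe (jane.doe@example.com)   SSN: 123-45-6789
Backup contact: ops@example.com   Card on file: 4111 1111 1111 1111
Order id: 1234567890123   Deploy key: AKIAIOSFODNN7EXAMPLE"""
```

Calling `guard_tool_response(...)` on `SAMPLE` with a file name such as `jane-doe-123-45-6789.docx` returns the redacted name, the redacted body, and an audit record whose `summary()` reads `[DLP] Redacted: 1 AWS_KEY, 1 CREDIT_CARD, 2 EMAIL, 2 SSN`.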
Strac was built for exactly this problem. It monitors what employees and AI agents send to GenAI tools — ChatGPT, Microsoft Copilot, Google Gemini, and Claude — and redacts sensitive data inline before it is submitted to the model.

The core architecture maps directly to MCP security needs:
Data discovery across your stack — Strac scans 50+ integrations including AWS S3, Google Drive, Slack, GitHub, Salesforce, and Snowflake. These are the exact data sources MCP servers connect to. Strac builds a live map of where sensitive data lives — so you know what MCP servers could potentially access.
Inline detection and redaction — Strac detects PII, PHI, PCI, and credentials with custom ML models trained for accuracy. It redacts sensitive data before it reaches the AI model, not after. Redaction happens on the content itself — not just a flag that something was found.
Image and document detection — Strac is the only data security platform that detects sensitive data inside images (JPEG, PNG) and documents (PDF, Word, Excel, ZIP) using OCR. MCP file system servers frequently surface these file types; traditional regex-based tools miss them entirely.
Agentless deployment — no endpoint agents, no proxies. Strac connects via API in under 10 minutes. For teams moving fast on MCP deployments, this matters.
To see Strac's full catalog of detectable sensitive data elements, including all PCI, HIPAA, and GDPR data types, visit the Strac detector catalog.
MCP DLP (Model Context Protocol Data Loss Prevention) refers to data security controls applied to data flowing through MCP servers and AI agent tool calls. It involves discovering MCP servers across an environment, classifying sensitive data in tool responses, and redacting or blocking that data before it reaches an AI model's context window or is transmitted to an external AI provider.
Traditional DLP monitors email, endpoint file transfers, and web uploads. It has no visibility into AI agent runtime behavior — it cannot see what an MCP server returns when an AI agent queries a database, nor can it monitor what enters a model's context window. MCP DLP operates at the AI data flow layer: it monitors tool calls, classifies content in real time, and acts before the sensitive data reaches the model.
The regulations that apply to sensitive data everywhere else also apply to MCP data flows. HIPAA requires protecting PHI regardless of whether it is accessed by a human or an AI agent: an MCP server querying patient records triggers the same PHI protection requirements as a human database query. PCI DSS requires protecting cardholder data in transit and at rest, including in AI context windows. GDPR and CCPA apply to any processing of personal data, including retrieval through automated AI agents. SOC 2 CC6.7 requires data transmission controls that cover AI data flows.
Yes. Data exfiltration through prompt injection is one of the most serious MCP security risks in 2025-2026. An attacker who can place malicious content in a data source that an MCP server retrieves can embed instructions that cause the AI agent to exfiltrate data through subsequent tool calls. Strac's real-time content classification detects suspicious patterns in tool responses and can block or alert on anomalous data flows before exfiltration occurs.
Strac monitors ChatGPT, Microsoft Copilot, Google Gemini, Claude, and other GenAI tools for sensitive data in submissions. It detects what employees type into these tools and redacts sensitive data before it is sent. For MCP-connected AI agents, Strac's DSPM capabilities provide visibility into what sensitive data exists in the systems those agents connect to. Book a demo to see the full scope of coverage for your environment.
Strac detects all major sensitive data categories: PII (names, emails, phone numbers, SSNs, addresses), PHI (patient names, MRNs, diagnoses, insurance IDs), PCI data (credit card numbers, CVVs, bank account numbers), credentials (API keys, passwords, tokens, private keys), and custom data elements defined by your organization. Critically, Strac detects these not just in plain text but inside images, PDFs, Word documents, Excel files, and ZIP archives — file types that MCP file system servers routinely surface.
Yes. Strac built a working MCP server (strac-m365-dlp) that connects Claude to SharePoint and OneDrive via the Microsoft Graph API. It supports DOCX, XLSX, PPTX, CSV, TXT, and JSON document types. Every file retrieval passes through Strac's redaction engine before the content reaches Claude's context window — SSNs, credit cards, emails, phone numbers, AWS keys, and other sensitive data are replaced inline. The server authenticates via an Azure AD service principal and runs over stdio, so it works with Claude Desktop and any MCP-compatible client out of the box.
MCP is moving faster than most security teams can track. The organizations that get ahead of this now — with visibility into what their AI agents access and redaction controls on what reaches the model — will avoid the data breaches that are already happening to those who do not.
Book a demo with Strac to see how it applies to your MCP and GenAI deployment.