
MCP Agent Security Framework for Swiss Enterprises 2026

Prompt injection, tool abuse, and credential exfiltration via agent pipelines are live threats in Swiss enterprise environments — most deployments have no security controls in place.

The deployment of AI agents connected to enterprise systems via the Model Context Protocol (MCP) is accelerating across Swiss organisations — and security review is largely absent. MCP, originally developed to allow large language models to interact with tools and data sources through standardised interfaces, has become the architectural backbone of a growing class of enterprise AI applications: agents that can query databases, send emails, access code repositories, and execute actions across business systems. The OWASP LLM Top 10 2025 and current threat research identify MCP-connected agents as an emerging attack surface with distinct exploitation patterns. This article provides a practical security framework for Swiss enterprises that are deploying — or evaluating — agentic AI workflows.

The MCP Attack Surface — Why Agents Are Different from Chatbots

A standard LLM chatbot receives a user prompt and produces a text response. An MCP-connected agent does more: it invokes tools, reads and writes files, queries APIs, accesses databases, and chains these operations autonomously to complete multi-step tasks. Each tool invocation is a potential attack vector. The attack surface introduced by agentic AI differs from conventional application security in ways that defenders accustomed to web application or endpoint security need to understand before they can apply appropriate controls.

Prompt injection is the foundational attack class. In an agentic context, an attacker-controlled input — embedded in a document the agent processes, a web page it retrieves, or data returned by an API call — can redirect the agent's actions entirely. A practical example: an agent instructed to summarise emails reads a malicious message containing hidden instructions telling it to forward all calendar items and contacts to an external address. The agent, having no mechanism to distinguish legitimate instructions from injected ones, complies. Unlike SQL injection, there is no parameterised query equivalent for natural language. Mitigation requires architectural controls, not input sanitisation alone.

Tool abuse exploits the permissions granted to the agent's available tools. If an agent has write access to a file system or the ability to execute code, a successful prompt injection that redirects its actions can lead to data destruction, exfiltration, or lateral movement. The principle of least privilege applies here with particular force: agents should hold the minimum tool set necessary for their intended task, and each tool's permissions should be scoped as narrowly as technically possible.

Credential and token exfiltration via agent pipelines is the third major vector. MCP-connected agents often hold authentication credentials for the systems they interact with — OAuth tokens, API keys, database connection strings. An agent redirected to exfiltrate these credentials provides an attacker not just with the agent's own capabilities but with persistent credentials that outlast the agent session entirely.

Swiss Enterprise Threat Landscape for Agentic AI

Swiss financial institutions, healthcare organisations, and professional services firms are among the early adopters of agentic AI workflows. Each sector's threat profile differs in ways that shape the controls required.

In financial services, agents connected to banking platforms, trading systems, or client relationship management tools operate in environments regulated by FINMA. A compromised agent in this context may be able to initiate transactions, extract client data subject to financial secrecy obligations under the Swiss Banking Act, or manipulate records in ways that create both operational and compliance exposure. FINMA Circular 2023/1 on operational resilience classifies algorithmic systems affecting critical business processes as requiring documented risk management — a requirement that most current MCP deployments do not satisfy and that security teams should flag proactively.

In healthcare, agents processing clinical documentation, referrals, or imaging reports handle data classified as sensitive under nDSG. A successful prompt injection attack exfiltrating patient records is simultaneously a breach reportable to the FDPIC and a potential violation of cantonal health data protection frameworks. The IT attack surface in Swiss medical networks is already under pressure from ransomware groups — agentic AI introduces a new and less-understood vector into the same ecosystem.

In professional services — law, consulting, accounting — agents with access to client communications and document repositories create confidentiality risks that extend beyond data protection law into professional obligation frameworks. A single exfiltration event in a legal context may constitute a breach of attorney-client privilege with consequences under cantonal bar regulations.

A Security Framework for MCP Agent Deployments

There is no dedicated standard for securing MCP-connected agents, but a practical framework can be derived from established principles and adapted to Swiss regulatory expectations.

Before any agent is deployed, produce a tool permission inventory that documents every tool available to the agent, its permission scope, the data it can access, and the actions it can execute. This inventory is the foundation for least-privilege enforcement and is also a required artifact under FINMA Circular 2023/1 for any agent classified as an algorithmic system affecting critical business processes.

Implement input validation at tool boundaries. Agents should validate that tool inputs conform to expected schemas and reject anomalous or unexpected parameter values. Tool execution should operate within a sandboxed context where architecturally feasible, preventing tool calls from accessing resources outside their defined scope.

Apply human oversight gates for high-impact actions. Any action with financial impact, external communication capability, or data exfiltration risk should require human confirmation before execution. This is both a security control and an EU AI Act Article 14 requirement for any agent classified as a high-risk AI system under Annex III. For Swiss financial institutions considering or deploying AI systems in regulatory scope, this requirement is not optional.

Log all agent interactions at the tool-call level. Standard application logging captures request and response. Agent security requires logging what tool was invoked, with what parameters, and what was returned — for every tool call in every session. This log is necessary for forensic analysis following a compromise and for demonstrating governance to FINMA, FDPIC, or EU AI Act supervisory authorities.
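As an added example (not code from the article or any MCP implementation), the following minimal Python tool-call gateway puts the four controls above in one place: a per-agent tool permission inventory, schema validation at the tool boundary, a human confirmation gate for high-impact tools, and one structured audit line per call. The agent name, tool names, schemas and the `approve` callback are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed tool permission inventory (assumption): for each agent, every
# tool it may invoke, its argument schema, and whether a human must confirm.
INVENTORY = {
    "summariser": {
        "read_mailbox": {"schema": {"folder": str, "limit": int}, "gate": False},
        "send_email": {"schema": {"to": str, "body": str}, "gate": True},
    }
}
AUDIT_LOG = []  # one JSON line per tool call; in production, ship to the SIEM


def _validate(args, schema):
    """Boundary check: reject unknown keys, missing keys and wrong types."""
    if set(args) != set(schema):
        return False
    return all(isinstance(args[k], t) for k, t in schema.items())


def call_tool(agent, tool, args, approve=lambda agent, tool, args: False):
    """Route a tool call through the gateway and return (status, detail).
    `approve` stands in for the human oversight gate (assumed callback)."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(),
             "agent": agent, "tool": tool, "args": args}
    tools = INVENTORY.get(agent, {})
    if tool not in tools:  # least privilege: not in the inventory, no call
        status = ("denied", "tool not in permission inventory")
    elif not _validate(args, tools[tool]["schema"]):
        status = ("denied", "arguments do not match tool schema")
    elif tools[tool]["gate"] and not approve(agent, tool, args):
        status = ("held", "awaiting human confirmation")
    else:
        status = ("executed", tool + " dispatched")  # real dispatch omitted
    entry["status"], entry["detail"] = status
    AUDIT_LOG.append(json.dumps(entry))
    return status


if __name__ == "__main__":
    # An injected instruction in a summarised email tries to make the agent
    # forward data externally; the gate holds it and the log records it.
    print(call_tool("summariser", "read_mailbox", {"folder": "inbox", "limit": 20}))
    print(call_tool("summariser", "send_email", {"to": "x@example.net", "body": "contacts"}))
    print(call_tool("summariser", "delete_files", {"path": "/"}))
    print(AUDIT_LOG[-1])
```

Every outcome, including denials and held calls, lands in `AUDIT_LOG`, which is the record a forensic review or a supervisory request would draw on.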

◆ Key Takeaway

MCP-connected agents are not chatbots. They hold credentials, invoke tools, and take actions — all of which are exploitable attack vectors once prompt injection redirects their behaviour. Swiss enterprises deploying agents without a tool permission inventory, input validation, and tool-call level audit logging are operating with an unaudited execution environment inside their regulated infrastructure.

Regulatory Alignment — FINMA, nDSG, and the EU AI Act

Swiss regulatory frameworks do not yet contain MCP-specific guidance, but several existing obligations apply to agent deployments now. FINMA Circular 2023/1 requires documented risk management for algorithmic systems affecting critical business processes — a definition that encompasses any agent with write access to banking, insurance, or trading infrastructure. The documentation must cover the system's risk identification, assessment, and mitigation measures, and must be available for supervisory review.

nDSG imposes privacy-by-design obligations on any system processing personal data, requiring that data processing be minimised and that access controls be proportionate to the sensitivity of the data. An MCP agent with broad tool access to systems containing personal data violates the minimisation principle unless access is explicitly scoped to what the agent's function requires.

For Swiss companies deploying agents in EU market contexts or within EU subsidiaries, EU AI Act Annex III may classify certain agentic systems — particularly those making or influencing decisions with legal effect — as high-risk AI systems subject to the Act's full conformity assessment and documentation requirements.

  • Inventory all MCP-connected agent deployments across the organisation and document tool permission scopes before any further rollout.
  • Apply least-privilege tool access: scope each tool to the minimum data and action set necessary for the agent's intended function, and revoke permissions that are not actively required.
  • Implement human oversight gates for agent actions with financial, external communication, or data access implications — this is both a security control and an EU AI Act Article 14 requirement.
  • Log all agent interactions at the tool-call level and route these logs to your SIEM for anomaly detection alongside application and infrastructure logs.
  • Include prompt injection scenarios in your next red-team or penetration testing engagement — traditional application security testing does not cover agentic attack paths.
  • Assess whether any production agent deployment falls within FINMA Circular 2023/1's algorithmic system scope and initiate risk documentation if so; do not wait for a supervisory enquiry to trigger this work.
  • For any agent processing personal data, document the data minimisation rationale under nDSG and verify that tool access cannot exfiltrate personal data outside its intended processing context.

Swiss organisations that treat agent security as a subset of their existing application security programme — adapted for the specific attack patterns of agentic AI rather than waiting for a dedicated regulatory framework — will establish both a defensible security posture and the documentation trail that regulators will eventually require. The controls are not novel: least privilege, audit logging, and human oversight are established principles. Applying them to agents is the work that most organisations have not yet started.