Cryptographic Governance Evidence for MCP Security
An Analysis of the CoSAI WS4 Threat Taxonomy
The Coalition for Secure AI (CoSAI) published a comprehensive MCP security white paper in January 2026, identifying 12 threat categories and nearly 40 distinct threats across all-local, single-tenant hybrid, and multi-tenant cloud deployments. This analysis examines the enforcement evidence gap across all 12 categories and maps how cryptographic governance mechanisms (sealed policy artifacts, signed enforcement receipts, and offline-verifiable evidence bundles) address each gap.
View the CoSAI WS4 white paper on GitHub
Core Finding
Across all 12 CoSAI threat categories, the recommended mitigations are sound. The gap is the same in every category: the white paper names no standard mechanism for producing cryptographic proof that the recommended mitigations were continuously enforced during operation. Every category recommends controls. No category specifies how to prove those controls were active at the time of every agent decision.
Enforcement Evidence Across 12 Threat Categories
Each category maps a CoSAI-identified threat to the specific cryptographic mechanism that closes the enforcement evidence gap.
Improper Authentication and Identity Management
Subject Identifier binding; Portal seals a signed decision per invocation; SPIFFE/SPIRE complementarity; TTL-based continuous re-attestation
Missing or Improper Access Control
Sealed artifact enumerates authorized tools via allowlist; Portal seals a DENY decision for tools outside the allowlist; blocking before forwarding is a per-deployment property
Input Validation/Sanitization Failures
Portal validates required parameters per sealed policy; phantom execution captures attack sequences
Execution and Sandboxing
Behavioral drift detection against sealed baseline; phantom execution for forensic capture
Inadequate Data Protection and Confidentiality
Payload-blind hashing: receipts carry only a payload_hash; tiered disclosure
Missing Integrity/Verification Controls
Runtime hash comparison against sealed reference on every measurement cycle
Session and Transport Security Failures
Per-session sealed artifacts with TTL; expiry seals a safe-state (deny-by-default) decision, while effecting the transition is per-deployment wiring; per-session chains
Network Binding/Isolation Failures
Portal as sole network path; sealed upstream identity validation; admission webhook for Kubernetes
Trust Boundary and Privilege Design Failures
Constrained sub-mandates: derived artifacts with TTL <= parent, scope <= parent
Resource Management/Rate Limiting Absence
Rate limits sealed in artifact; Portal seals a DENY receipt specifying the violated limit; proxy-layer enforcement is per-deployment wiring
Supply Chain and Lifecycle Security Failures
Continuous runtime binary hash verification extending build-time SBOMs; per-tenant isolation
Insufficient Logging, Monitoring, and Auditability
Hash-linked signed receipt chain; Merkle inclusion proofs; offline evidence bundles
Detailed Analysis: Key Categories
T1: Identity and Access Management
CoSAI recommends end-to-end request traceability, SPIFFE/SPIRE workload identities, OIDC providers, and short-lived tokens with DPoP. These mitigations authenticate the agent at the point of entry. The gap: no mechanism proves that least-privilege constraints were evaluated and enforced for every individual tool invocation throughout the session.
The sealed Policy Artifact binds the agent's Subject Identifier, comprising cryptographic hashes of normalized bytes and canonicalized metadata, to authorized tools, rate limits, and temporal bounds. The Portal evaluates every tools/call request against this binding and produces a signed receipt per invocation.
SPIFFE/SPIRE integration: SPIRE handles transport-layer identity (node-to-workload via SVID). AGA handles accountability-layer enforcement (workload-to-intent governance). Continuous authentication: TTL-based re-attestation renews authorization on a fixed interval; each interval requires fresh attestation.
T4: Execution and Sandboxing
CoSAI recommends process isolation, container boundaries, and guardrails. The gap: container isolation produces no cryptographic evidence of continuous operation. When isolation is breached, current approaches provide no forensic capture mechanism.
The Portal operates as a Policy Enforcement Point (NIST SP 800-207). Wired in path, it evaluates every I/O against sealed constraints. The agent holds no signing keys and cannot self-authorize. For high-consequence deployments, the Portal can ingest TEE attestations where present (SGX/TrustZone).
Phantom execution: When behavioral drift is detected, the Portal seals a decision to transition the agent into a sandboxed phantom-execution state in which its connections to protected resources are severed; effecting that severing is a per-deployment property of how the Portal is wired in path. The agent receives no signal that it has been transitioned. Unauthorized actions reaching the interception point are captured as signed forensic receipts.
T5: Confidentiality and Data Protection
A fundamental tension exists between comprehensive governance auditing and data confidentiality. Logging every interaction for compliance potentially exposes sensitive outputs, proprietary logic, or PII. Current approaches force a choice: comprehensive audit or privacy protection.
The architecture resolves this by carrying only hashes of the data. Each receipt records a payload_hash (the SHA-256 of the event payload), never the payload itself, and each leaf of the evidence bundle is the hash of the canonical receipt. A third-party auditor can verify chain integrity end to end without seeing any agent interaction contents; any added, altered, reordered, or truncated entry fails verification. Completeness of capture is bounded by the interception point: the bundle proves the record, not that every action was recorded.
Evidence bundles support tiered disclosure: integrity verification from the hashes alone (shareable with any auditor) and payload confirmation against those hashes (authorized parties only). This enables compliance verification without confidentiality compromise in multi-tenant deployments.
T8: Network Binding and Isolation
CoSAI recommends network segmentation, localhost binding, and DNS rebinding protection. The gap: network isolation is enforced by infrastructure and produces no application-layer governance evidence. If an agent connects to a shadow MCP server through DNS rebinding, the legitimate server's logs show nothing.
The Portal is deployed as the sole network path between the agent and MCP servers. The sealed artifact specifies the authorized upstream by identity (URL, TLS certificate fingerprint, service mesh identity). The Portal validates upstream identity on every connection. Even if network isolation fails, the Portal seals a DENY decision for any server not matching the sealed reference; refusing that traffic in path is a per-deployment property of how the Portal is wired.
For Kubernetes, when wired as an admission webhook (failurePolicy: Fail), pods without a sealed artifact are refused. Combined with Envoy ext_authz gRPC, the sealed-decision-and-receipt path spans the application layer (Portal) and the service mesh layer (sidecar), producing signed receipts at both. These admission-webhook and proxy-layer behaviors are per-deployment wiring.
T12: Logging, Monitoring, and Auditability
The most direct enforcement evidence gap. CoSAI recommends comprehensive logging and immutable audit records, but standardized audit logging across MCP implementations does not yet exist. More fundamentally: logs are mutable, passive, and producer-controlled.
Signed enforcement receipts replace mutable logs with a cryptographic proof structure. Each receipt is signed with Ed25519 over SHA-256 of JCS-canonicalized content. Receipts are hash-linked via SHA-256 of the canonical receipt including its signature. Merkle inclusion proofs detect omissions. Periodic checkpoints via Merkle roots anchor the chain.
The evidence bundle is a portable verification unit requiring only standard Ed25519 and SHA-256 operations. No network callbacks. No proprietary tooling. Verification produces the same PASS/FAIL result regardless of where or when it is executed.
Standards Alignment
This alignment is architectural. These mechanisms support the objectives these standards describe, without claiming certification.
Algorithm agility: Ed25519 and SHA-256 are the operational defaults. The ML-DSA-65 + Ed25519 post-quantum composite is implemented and cross-verified as a first-class selectable profile, and the artifact and receipt structures accommodate further schemes (such as SLH-DSA) as drop-in replacements.