Technical Research · Published March 28, 2026

Cryptographic Governance Evidence for MCP Security

An Analysis of the CoSAI WS4 Threat Taxonomy

The Coalition for Secure AI (CoSAI) published a comprehensive MCP security white paper in January 2026, identifying 12 threat categories and nearly 40 distinct threats across all-local, single-tenant hybrid, and multi-tenant cloud deployments. This analysis examines the enforcement evidence gap across all 12 categories and maps how cryptographic governance mechanisms (sealed policy artifacts, signed enforcement receipts, and offline-verifiable evidence bundles) address each gap.

View the CoSAI WS4 white paper on GitHub

Core Finding

Across all 12 CoSAI threat categories, the mitigations recommended are sound. The common gap is identical: the white paper names no standard mechanism for producing cryptographic proof that the recommended mitigations were continuously enforced during operation. Every category recommends controls. No category specifies how to prove those controls were active at the time of every agent decision.

Enforcement Evidence Across 12 Threat Categories

Each category maps a CoSAI-identified threat to the specific cryptographic mechanism that closes the enforcement evidence gap.

T1 Improper Authentication and Identity Management
   Subject Identifier binding; Portal seals a signed decision per invocation; SPIFFE/SPIRE complementarity; TTL-based continuous re-attestation

T2 Missing or Improper Access Control
   Sealed artifact enumerates authorized tools via allowlist; Portal seals a DENY decision for tools outside the allowlist; blocking before forwarding is a per-deployment property

T3 Input Validation/Sanitization Failures
   Portal validates required parameters per sealed policy; phantom execution captures attack sequences

T4 Execution and Sandboxing
   Behavioral drift detection against sealed baseline; phantom execution for forensic capture

T5 Inadequate Data Protection and Confidentiality
   Payload-blind hashing: receipts carry only a payload_hash; tiered disclosure

T6 Missing Integrity/Verification Controls
   Runtime hash comparison against sealed reference on every measurement cycle

T7 Session and Transport Security Failures
   Per-session sealed artifacts with TTL; expiry seals a safe-state (deny-by-default) decision, and effecting the transition is per-deployment wiring; per-session chains

T8 Network Binding/Isolation Failures
   Portal as sole network path; sealed upstream identity validation; admission webhook for Kubernetes

T9 Trust Boundary and Privilege Design Failures
   Constrained sub-mandates: derived artifacts with TTL <= parent and scope <= parent

T10 Resource Management/Rate Limiting Absence
   Rate limits sealed in artifact; Portal seals a DENY receipt specifying the violated limit; proxy-layer enforcement is per-deployment wiring

T11 Supply Chain and Lifecycle Security Failures
   Continuous runtime binary hash verification extending build-time SBOMs; per-tenant isolation

T12 Insufficient Logging, Monitoring, and Auditability
   Hash-linked signed receipt chain; Merkle inclusion proofs; offline evidence bundles

Detailed Analysis: Key Categories

T1: Identity and Access Management

CoSAI recommends end-to-end request traceability, SPIFFE/SPIRE workload identities, OIDC providers, and short-lived tokens with DPoP. These mitigations authenticate the agent at the point of entry. The gap: no mechanism proves that least-privilege constraints were evaluated and enforced for every individual tool invocation throughout the session.

The sealed Policy Artifact binds the agent's Subject Identifier, comprising cryptographic hashes of normalized bytes and canonicalized metadata, to authorized tools, rate limits, and temporal bounds. The Portal evaluates every tools/call request against this binding and produces a signed receipt per invocation.

SPIFFE/SPIRE integration: SPIRE handles transport-layer identity (node-to-workload via SVID). AGA handles accountability-layer enforcement (workload-to-intent governance). Continuous authentication: TTL-based re-attestation renews authorization on a fixed interval; each interval requires fresh attestation.

T4: Execution and Sandboxing

CoSAI recommends process isolation, container boundaries, and guardrails. The gap: container isolation produces no cryptographic evidence of continuous operation. When isolation is breached, current approaches provide no forensic capture mechanism.

The Portal operates as a Policy Enforcement Point (NIST SP 800-207). Wired in path, it evaluates every I/O against sealed constraints. The agent holds no signing keys and cannot self-authorize. For high-consequence deployments, the Portal can ingest TEE attestations where present (SGX/TrustZone).

Phantom execution: When behavioral drift is detected, the Portal seals a decision to transition the agent into a sandboxed phantom-execution state in which its connections to protected resources are severed; effecting that severing is a per-deployment property of how the Portal is wired in path. The agent receives no signal that it has been transitioned. Unauthorized actions reaching the interception point are captured as signed forensic receipts.

T5: Confidentiality and Data Protection

A fundamental tension exists between comprehensive governance auditing and data confidentiality. Logging every interaction for compliance potentially exposes sensitive outputs, proprietary logic, or PII. Current approaches force a choice: comprehensive audit or privacy protection.

The architecture resolves this by carrying only hashes of the data. Each receipt records a payload_hash (a SHA-256 of the event) and never the payload itself, and each leaf of the bundle is the hash of the canonical receipt. A third-party auditor can verify chain integrity end to end (any added, altered, reordered, or truncated entry fails verification) without seeing the contents of any agent interaction. Completeness of capture is bounded by the interception point: the bundle proves what was recorded, not that every action was recorded.

Evidence bundles support tiered disclosure: integrity verification from the hashes alone (shareable with any auditor) and payload confirmation against those hashes (authorized parties only). This enables compliance verification without confidentiality compromise in multi-tenant deployments.

T8: Network Binding and Isolation

CoSAI recommends network segmentation, localhost binding, and DNS rebinding protection. The gap: network isolation is enforced by infrastructure and produces no application-layer governance evidence. If an agent connects to a shadow MCP server through DNS rebinding, the legitimate server's logs show nothing.

The Portal is deployed as the sole network path between the agent and MCP servers. The sealed artifact specifies the authorized upstream by identity (URL, TLS certificate fingerprint, service mesh identity). The Portal validates upstream identity on every connection. Even if network isolation fails, the Portal seals a DENY decision for any server not matching the sealed reference; refusing that traffic in path is a per-deployment property of how the Portal is wired.

For Kubernetes, when wired as an admission webhook (failurePolicy: Fail), pods without a sealed artifact are refused. Combined with Envoy ext_authz gRPC, the sealed-decision-and-receipt path spans the application layer (Portal) and the service mesh layer (sidecar), producing signed receipts at both. These admission-webhook and proxy-layer behaviors are per-deployment wiring.

T12: Logging, Monitoring, and Auditability

This is the most direct enforcement evidence gap. CoSAI recommends comprehensive logging and immutable audit records, but standardized audit logging across MCP implementations does not yet exist. More fundamentally, logs are mutable, passive, and producer-controlled.

Signed enforcement receipts replace mutable logs with a cryptographic proof structure. Each receipt is signed with Ed25519 over SHA-256 of JCS-canonicalized content. Receipts are hash-linked via SHA-256 of the canonical receipt including its signature. Merkle inclusion proofs detect omissions. Periodic checkpoints via Merkle roots anchor the chain.

The evidence bundle is a portable verification unit requiring only standard Ed25519 and SHA-256 operations. No network callbacks. No proprietary tooling. Verification produces the same PASS/FAIL result regardless of where or when it is executed.
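The payload-blind receipt chain described under T5 and T12, as an added Go example (not code from the page or from the project): receipts carry only a payload_hash, each is signed with Ed25519 over SHA-256 of the canonical body, and the chain hash is SHA-256 of the canonical receipt including its signature. Two simplifications are assumed: Go's encoding/json stands in for JCS (sufficient for the plain string fields used here), and the checkpoint an auditor holds is the final chain hash rather than a Merkle root, so inclusion proofs are not shown; the field names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// Body is the signed content of a constructed receipt (field names assumed, not the page's schema).
// Keys are declared in sorted order, so encoding/json's sorted, whitespace-free output equals JCS here.
type Body struct {
	Decision    string `json:"decision"`
	PayloadHash string `json:"payload_hash"` // SHA-256 of the event payload, which is never recorded
	Prev        string `json:"prev"`         // chain hash of the previous receipt ("genesis" for the first)
	Tool        string `json:"tool"`
}

// Receipt is the canonical body plus an Ed25519 signature over SHA-256 of that body.
type Receipt struct {
	Body Body   `json:"body"`
	Sig  string `json:"sig"`
}

func jcs(v any) []byte          { b, _ := json.Marshal(v); return b }
func hexSHA256(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Seal records only the payload hash, signs the canonical body and links to the previous receipt.
func Seal(priv ed25519.PrivateKey, prev, decision, tool string, payload []byte) Receipt {
	b := Body{Decision: decision, PayloadHash: hexSHA256(payload), Prev: prev, Tool: tool}
	d := sha256.Sum256(jcs(b))
	return Receipt{Body: b, Sig: hex.EncodeToString(ed25519.Sign(priv, d[:]))}
}

// Link is the chain hash: SHA-256 of the canonical receipt including its signature; the final link is the checkpoint.
func Link(r Receipt) string { return hexSHA256(jcs(r)) }

// VerifyBundle replays the chain offline from the public key and checkpoint alone: each signature
// and prev link must match and the chain must end at the checkpoint, so an added, altered,
// reordered or truncated receipt fails. No payload is needed (the integrity disclosure tier).
func VerifyBundle(pub ed25519.PublicKey, chain []Receipt, checkpoint string) bool {
	prev := "genesis"
	for _, r := range chain {
		sig, err := hex.DecodeString(r.Sig)
		d := sha256.Sum256(jcs(r.Body))
		if r.Body.Prev != prev || err != nil || !ed25519.Verify(pub, d[:], sig) {
			return false
		}
		prev = Link(r)
	}
	return len(chain) > 0 && prev == checkpoint
}

// ConfirmPayload is the second disclosure tier: an authorized party matches a payload to its hash.
func ConfirmPayload(r Receipt, payload []byte) bool { return r.Body.PayloadHash == hexSHA256(payload) }
```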

Standards Alignment

This alignment is architectural: the mechanisms support the objectives these standards describe, and no certification is claimed.

NIST SP 800-207 (Zero Trust)
Portal as Policy Enforcement Point; sealed artifact as PDP payload
NIST SP 800-218 (SSDF)
Automated runtime integrity verification; forensic data collection during incidents
NIST AI RMF
Operationalizes Measure (continuous verification) and Manage (sealed, signed governance decisions)
SLSA
Extends build-time provenance to runtime governance; receipt chains extend attestation post-deployment
in-toto Framework
Governance receipts expressible as in-toto attestations with runtime predicate type
OWASP MCP Top 10
Addresses MCP02, MCP03, MCP07, MCP08, MCP09 with cryptographic enforcement evidence

Algorithm agility: Ed25519 and SHA-256 are the operational defaults. The ML-DSA-65 + Ed25519 post-quantum composite is implemented and cross-verified as a first-class selectable profile, and the artifact and receipt structures accommodate further schemes (such as SLH-DSA) as drop-in replacements.


Attested Intelligence Holdings LLC · USPTO App. No. 19/433,835 (patent-pending)