MCP DLP: How to Prevent Data Loss in Model Context Protocol Deployments
MCP servers give AI agents access to your most sensitive systems. Learn how DLP for Model Context Protocol works and how to protect PII, PHI, and credentials from AI data leaks.
Model Context Protocol (MCP) is the fastest-moving standard in enterprise AI right now. Introduced by Anthropic in November 2024, MCP has quickly become the default way AI agents connect to external tools — databases, APIs, file systems, SaaS apps, and more. By early 2026, thousands of MCP servers are in production across organizations of every size.
The problem: almost none of them have data security controls.
When an AI agent queries your Postgres database, pulls documents from Google Drive, or reads Slack messages through an MCP server, sensitive data flows directly into the model's context window — and from there, potentially to an external AI provider. Traditional DLP tools were not built for this. They watch email attachments and endpoint file transfers. They have no visibility into what your AI agents are doing at runtime.
This post covers what MCP DLP means, what risks MCP creates, and how to protect sensitive data flowing through Model Context Protocol deployments.
Model Context Protocol is an open standard that gives AI models a structured way to call external tools and retrieve data at runtime. Think of it as a universal API layer between an LLM and everything else in your stack.
An MCP server exposes a set of "tools" — functions the AI can call. A database MCP server might expose query_database. A file system MCP server exposes read_file. A Slack MCP server exposes search_messages. The AI model decides which tools to call based on the user's request, calls them, and uses the results as context to generate a response.
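To make the tool-call mechanics concrete, here is an added example (not code from the original post or from Strac): a toy MCP server handled in-process as JSON-RPC 2.0 messages. It exposes a `query_database` tool over a constructed customer table; only `tools/list` and `tools/call` are modelled, the initialize handshake and the transport are omitted, and the tool name, schema and rows are assumptions made for this example.

```python
"""Added example (not from the original post): the shape of an MCP tool call
as JSON-RPC 2.0 messages, served by a toy in-process "database" MCP server.
The customer rows and the `query_database` tool are constructed here."""
import json

# Constructed sample table the toy server exposes; not real data.
CUSTOMERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com",
     "ssn": "987-65-4321", "card": "5500 0000 0000 0004"},
]


def handle_request(req: dict) -> dict:
    """Dispatch one JSON-RPC request the way an MCP server would.
    Only tools/list and tools/call are modelled."""
    method = req.get("method")
    rid = req.get("id")
    if method == "tools/list":
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": [{
            "name": "query_database",
            "description": "Look up customers by email domain",
            "inputSchema": {"type": "object",
                            "properties": {"domain": {"type": "string"}},
                            "required": ["domain"]},
        }]}}
    if method == "tools/call":
        params = req.get("params", {})
        if params.get("name") != "query_database":
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": -32601, "message": "unknown tool"}}
        domain = params.get("arguments", {}).get("domain", "")
        rows = [r for r in CUSTOMERS if r["email"].endswith("@" + domain)]
        # The whole row is returned: the agent asked for contact info but
        # receives SSNs and card numbers too. That is the exposure in risk 1.
        return {"jsonrpc": "2.0", "id": rid, "result": {
            "content": [{"type": "text", "text": json.dumps(rows)}],
            "isError": False}}
    return {"jsonrpc": "2.0", "id": rid,
            "error": {"code": -32601, "message": "method not found"}}


def context_text_for(domain: str) -> str:
    """The text that lands in the model's context window after one call."""
    resp = handle_request({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                           "params": {"name": "query_database",
                                      "arguments": {"domain": domain}}})
    return resp["result"]["content"][0]["text"]


if __name__ == "__main__":
    listing = handle_request({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})
    print(json.dumps(listing, indent=2))
    print(context_text_for("example.com"))
```

Run it and the second print shows exactly what the model sees: every column of both rows, including the SSN and card number, even though the request only asked for customers in a domain. Nothing in the protocol itself filters that text.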
This is powerful. It is also a significant data security gap.
Before MCP, AI agents operated mostly on text the user typed. With MCP, they operate on live data pulled from your most sensitive systems. Every tool call is a data retrieval event, and in the default configuration, nothing monitors what gets retrieved or whether it contains PII, PHI, credentials, or confidential business data.
The core risk is straightforward: MCP servers have broad access to sensitive data, and the AI models they serve have no data security controls applied to what they receive.

There are four specific ways MCP creates data loss exposure:
1. Sensitive data in tool responses
When an MCP server queries a database or fetches a document, the response often contains far more sensitive data than the task requires. A query for "customer contact info" might return SSNs, payment details, and medical history alongside the email address the agent actually needed. All of it flows into the model's context window.
2. Data sent to external AI providers
If the MCP-connected agent uses a hosted model (GPT-4, Claude API, Gemini), the context window — including all tool responses — is transmitted to that provider's infrastructure. Sensitive data retrieved through MCP tool calls leaves your environment with every API call.
3. Prompt injection through MCP tool responses
Attackers can embed instructions inside data that an MCP server retrieves. A malicious document stored in your file system might contain hidden text instructing the AI to exfiltrate data through a subsequent tool call. Invariant Labs demonstrated this in 2025: a poisoned MCP server exfiltrated an entire WhatsApp message history through a chained tool call. The user saw nothing unusual.
4. Shadow MCP servers
Developers spin up MCP servers locally or in staging environments without security team visibility. These servers often have direct database or API access with no audit trail. Shadow MCP is the new shadow IT — except the blast radius is larger because AI agents can act autonomously.
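One practical starting point for finding shadow MCP servers is the client configuration on developer workstations. The following is an added example, not Strac's discovery engine or any MCP client's code: it reads an `mcpServers` block in the layout Claude Desktop's configuration file uses (other clients reusing that layout is an assumption here), inventories each server's launch command, and flags entries that pass secrets through the environment, embed a password in a connection-string argument, or expose a broad filesystem root. The configuration JSON and the risk heuristics are constructed for this example.

```python
"""Added example (not Strac's or any MCP client's code): inventory the MCP
servers a workstation's client config declares and flag risky entries.
The config is constructed; the `mcpServers` layout follows Claude Desktop's
configuration file, and the heuristics are this example's own."""
import json
import re
from typing import Dict, List

# Constructed config in the Claude Desktop `mcpServers` layout. The password,
# token and host names are placeholders, not real credentials.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "postgres": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-postgres",
                     "postgresql://app:hunter2@db.internal:5432/prod"],
        },
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/"],
        },
        "github": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-github"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_PLACEHOLDER"},
        },
    }
})

# Heuristics (assumptions of this example, tune for your environment).
SECRET_ENV = re.compile(r"KEY|TOKEN|SECRET|PASSW", re.I)
DSN_PASSWORD = re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@\s]+:[^@\s]+@", re.I)
BROAD_ROOTS = {"/", "~", "C:\\", "/home", "/Users"}


def scrub_dsn(arg: str) -> str:
    """Never copy an embedded password into the inventory itself."""
    return re.sub(r"(://[^:/@\s]+:)[^@\s]+@", r"\1***@", arg)


def inventory(config_text: str) -> List[Dict]:
    """One record per declared server: how it is launched and why it is risky."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = []
    for name, spec in servers.items():
        args = spec.get("args", [])
        risks = []
        for var in spec.get("env", {}):
            if SECRET_ENV.search(var):
                risks.append(f"secret passed via env: {var}")
        for arg in args:
            if DSN_PASSWORD.match(arg):
                risks.append("password embedded in connection string argument")
            if arg in BROAD_ROOTS:
                risks.append(f"broad filesystem root exposed: {arg}")
        report.append({
            "server": name,
            "launch": " ".join([spec.get("command", "")]
                               + [scrub_dsn(a) for a in args]),
            "risks": risks,
        })
    return report


def risky_servers(config_text: str) -> List[str]:
    """Names of servers with at least one flagged risk."""
    return [r["server"] for r in inventory(config_text) if r["risks"]]


if __name__ == "__main__":
    for record in inventory(SAMPLE_CONFIG):
        print(record["server"], "->", record["launch"])
        for risk in record["risks"]:
            print("   !", risk)
```

Pointing `inventory` at the real config files on a fleet (and at project-level equivalents checked into repositories) gives the "which servers exist and what they can reach" view that the discovery step below asks for, without needing to observe traffic first.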
Which sensitive data is exposed depends on which tools your MCP servers expose, but in practice the risk surface is broad:
PII — names, emails, phone numbers, addresses — from CRM or database MCP servers (Salesforce, Postgres, DynamoDB)
PHI — patient records, diagnoses, insurance IDs — from healthcare application MCP servers
Payment data — card numbers, bank accounts — from billing system MCP servers
API keys and credentials — from code repositories, config files, or secrets manager MCP servers (GitHub, AWS)
Source code — proprietary logic and embedded secrets — from code assistant MCP servers
Internal communications — Slack messages, email threads — from productivity MCP servers
Any of these can appear in a model's context window during normal agent operation. None of them are visible to traditional endpoint or email DLP tools.
DLP for MCP operates at the data flow layer — monitoring what goes into model context windows and what comes back out through tool calls.
Strac monitors what employees send to AI tools and redacts sensitive data before it reaches the model — the same capability needed for MCP environments.
A proper MCP DLP approach requires four capabilities:
Discovery — identifying which MCP servers exist across your environment, what tools they expose, and what data sources they have access to. You cannot protect what you cannot see.
Classification — detecting sensitive data in MCP tool responses before it reaches the model context. This means running PII, PHI, PCI, and credential detection against the content flowing through each tool call in real time.
Redaction — masking or removing sensitive data from tool responses before the AI model processes them. The agent still gets a useful response; it just does not get the credit card number or SSN it did not need.
Alerting and audit — logging what data was retrieved through which MCP server, by which agent, in response to which user request. This creates the audit trail required for HIPAA, PCI DSS, SOC 2, and GDPR compliance.
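The classification, redaction and audit steps above can be put together in a small gateway that sits between the MCP client and server. What follows is an added example, not Strac's engine: it classifies the text blocks of a `tools/call` result with simple regex detectors (card-number candidates must also pass a Luhn check), applies a per-data-type policy using the same four actions the post names (redact, mask, block, alert), and emits one audit event per data type. The detectors, the policy table, the sample tool result and the audit fields are all constructed for this example.

```python
"""Added example (not Strac's engine): a minimal DLP gateway for MCP tool
results. Classify -> apply policy (redact/mask/block/alert) -> audit.
Detectors, policy, sample result and audit fields are constructed here."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# --- classification (toy detectors; production systems use far more) ------
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # confirmed by Luhn
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Per-data-type action; an unlisted type defaults to "alert".
POLICY = {"ssn": "redact", "credit_card": "mask",
          "aws_access_key": "block", "email": "alert"}


@dataclass
class Finding:
    data_type: str
    start: int
    end: int
    text: str


@dataclass
class AuditEvent:
    user: str
    server: str
    tool: str
    data_type: str
    action: str
    count: int


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a card-number candidate."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> List[Finding]:
    """Run every detector over one text block."""
    found = []
    for dtype, rx in DETECTORS.items():
        for m in rx.finditer(text):
            if dtype == "credit_card" and not luhn_ok(m.group()):
                continue
            found.append(Finding(dtype, m.start(), m.end(), m.group()))
    return found


def mask(value: str) -> str:
    """Keep the last four digits, star the rest, preserve separators."""
    total = sum(c.isdigit() for c in value)
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)


def apply_policy(text: str, findings: List[Finding],
                 policy: Dict[str, str]) -> Tuple[str, bool]:
    """Return (rewritten text, blocked). Edits run right-to-left so the
    offsets of earlier findings stay valid."""
    if any(policy.get(f.data_type, "alert") == "block" for f in findings):
        return "", True
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        action = policy.get(f.data_type, "alert")
        if action == "redact":
            repl = f"[REDACTED:{f.data_type.upper()}]"
        elif action == "mask":
            repl = mask(f.text)
        else:  # alert: content passes through, the audit event is the action
            continue
        text = text[:f.start] + repl + text[f.end:]
    return text, False


def inspect_tool_result(result: dict, user: str, server: str, tool: str,
                        policy: Dict[str, str] = POLICY):
    """Gateway hook for one tools/call result: classify each text block,
    rewrite it per policy, and return (new result, audit events)."""
    events: List[AuditEvent] = []
    new_content = []
    for block in result.get("content", []):
        if block.get("type") != "text":
            new_content.append(block)  # binary blocks need OCR/doc parsing
            continue
        findings = classify(block["text"])
        counts: Dict[str, int] = {}
        for f in findings:
            counts[f.data_type] = counts.get(f.data_type, 0) + 1
        for dtype, n in counts.items():
            events.append(AuditEvent(user, server, tool, dtype,
                                     policy.get(dtype, "alert"), n))
        new_text, blocked = apply_policy(block["text"], findings, policy)
        if blocked:
            return ({"content": [{"type": "text",
                                  "text": "Tool result blocked by DLP policy"}],
                     "isError": True}, events)
        new_content.append({"type": "text", "text": new_text})
    return {"content": new_content,
            "isError": result.get("isError", False)}, events


# Constructed tools/call result as a database MCP server might return it.
SAMPLE_RESULT = {"content": [{"type": "text", "text":
    "Alice Example <alice@example.com>, SSN 123-45-6789, card 4111 1111 1111 1111"}],
    "isError": False}

if __name__ == "__main__":
    out, events = inspect_tool_result(SAMPLE_RESULT, "analyst@corp.example",
                                      "postgres", "query_database")
    print(out["content"][0]["text"])
    for e in events:
        print(e)
```

With the default policy the agent still receives a usable answer (the email stays, the card keeps its last four digits, the SSN becomes a tag), and the audit events record who retrieved which data types through which server and tool. A result that carries an AWS access key never reaches the model at all: the gateway returns an `isError` result in its place. Swapping the policy table is all that changes when the same gateway fronts a different client.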
The best way to understand MCP DLP is to see it working. Strac built a working MCP server — strac-m365-dlp — that connects Claude directly to Microsoft 365 (SharePoint and OneDrive) with automatic DLP redaction on every document retrieval.
The architecture is the same one used throughout this post: AI agent → Strac MCP DLP gateway → Microsoft 365, with every document retrieval passing through the redaction engine before the content reaches Claude's context window.
Strac was built for exactly this problem. It monitors what employees and AI agents send to GenAI tools — ChatGPT, Microsoft Copilot, Google Gemini, and Claude — and redacts sensitive data inline before it is submitted to the model.
The core architecture maps directly to MCP security needs:
Data discovery across your stack — Strac scans 50+ integrations including AWS S3, Google Drive, Slack, GitHub, Salesforce, and Snowflake. These are the exact data sources MCP servers connect to. Strac builds a live map of where sensitive data lives — so you know what MCP servers could potentially access.
Inline detection and redaction — Strac detects PII, PHI, PCI, and credentials with custom ML models trained for accuracy. It redacts sensitive data before it reaches the AI model, not after. Redaction happens on the content itself — not just a flag that something was found.
Image and document detection — Strac is the only data security platform that detects sensitive data inside images (JPEG, PNG) and documents (PDF, Word, Excel, ZIP) using OCR. MCP file system servers frequently surface these file types; traditional regex-based tools miss them entirely.
Agentless deployment — no endpoint agents, no proxies. Strac connects via API in under 10 minutes. For teams moving fast on MCP deployments, this matters.
To see Strac's full catalog of detectable sensitive data elements, including all PCI, HIPAA, and GDPR data types, visit the Strac detector catalog.
The MCP DLP pattern in this post is implemented across every SaaS surface AI agents reach via Model Context Protocol. Each guide below covers the same architecture — AI agent → Strac MCP DLP gateway → SaaS — with the specific tool calls, real security risks, and deployment steps for that platform.

For the broader integration catalog — native DLP for every SaaS, cloud, browser, and endpoint — see strac.io/integrations.
Related: MCP security, MCP integrations, Gen AI DLP.
MCP DLP (Model Context Protocol Data Loss Prevention) refers to data security controls applied to data flowing through MCP servers and AI agent tool calls. It involves discovering MCP servers across an environment, classifying sensitive data in tool responses, and redacting or blocking that data before it reaches an AI model's context window or is transmitted to an external AI provider.
Traditional DLP monitors email, endpoint file transfers, and web uploads. It has no visibility into AI agent runtime behavior — it cannot see what an MCP server returns when an AI agent queries a database, nor can it monitor what enters a model's context window. MCP DLP operates at the AI data flow layer: it monitors tool calls, classifies content in real time, and acts before the sensitive data reaches the model.
The same regulations that apply to sensitive data everywhere apply to MCP. HIPAA requires protecting PHI regardless of whether it is accessed by a human or an AI agent — an MCP server querying patient records triggers the same PHI protection requirements as a human database query. PCI DSS requires protecting cardholder data in transit and at rest, including in AI context windows. GDPR and CCPA apply to any processing of personal data, including retrieval through automated AI agents. SOC 2 CC6.7 requires data transmission controls that cover AI data flows.
Yes. This is one of the most serious MCP security risks in 2025-2026. An attacker who can place malicious content in a data source that an MCP server retrieves can embed instructions that cause the AI agent to exfiltrate data through subsequent tool calls. Strac's real-time content classification detects suspicious patterns in tool responses and can block or alert on anomalous data flows before exfiltration occurs.
Strac monitors ChatGPT, Microsoft Copilot, Google Gemini, Claude, and other GenAI tools for sensitive data in submissions. It detects what employees type into these tools and redacts sensitive data before it is sent. For MCP-connected AI agents, Strac's DSPM capabilities provide visibility into what sensitive data exists in the systems those agents connect to. Book a demo to see the full scope of coverage for your environment.
Strac detects all major sensitive data categories: PII (names, emails, phone numbers, SSNs, addresses), PHI (patient names, MRNs, diagnoses, insurance IDs), PCI data (credit card numbers, CVVs, bank account numbers), credentials (API keys, passwords, tokens, private keys), and custom data elements defined by your organization. Critically, Strac detects these not just in plain text but inside images, PDFs, Word documents, Excel files, and ZIP archives — file types that MCP file system servers routinely surface.
Yes. Strac built a working MCP server (strac-m365-dlp) that connects Claude to SharePoint and OneDrive via the Microsoft Graph API. It supports DOCX, XLSX, PPTX, CSV, TXT, and JSON document types. Every file retrieval passes through Strac's redaction engine before the content reaches Claude's context window — SSNs, credit cards, emails, phone numbers, AWS keys, and other sensitive data are replaced inline. The server authenticates via an Azure AD service principal and runs over stdio, so it works with Claude Desktop and any MCP-compatible client out of the box.
MCP is moving faster than most security teams can track. The organizations that get ahead of this now — with visibility into what their AI agents access and redaction controls on what reaches the model — will avoid the data breaches that are already happening to those who do not.
Book a demo with Strac to see how it applies to your MCP and GenAI deployment.
Strac Zoom MCP DLP protects every tool call between AI agents and Zoom — meetings, recordings, transcripts, chat, webinars, and contact center. It also enforces the corporate-vs-personal Zoom account policy at the browser layer, blocking personal-account use on work devices.
Strac SharePoint MCP DLP covers the densest regulated-data surface inside Microsoft 365 — document libraries, custom lists, public sharing links, and external-tenant guests. The same MCP gateway also runs continuous discovery of publicly and externally exposed SharePoint content, and surfaces remediation paths (revoke public links, remove external members, restrict over-permissive permissions) honouring your Microsoft Purview classification labels.
Yes — Strac's MCP DLP works with every MCP-compatible AI client, across every SaaS you connect. Because detection runs at the protocol level, the same configurable policy (redact, mask, block, or alert) and the same who-accessed-what audit log travel with your data no matter which assistant — Claude, ChatGPT, Gemini, Copilot, or Perplexity — fires the request.
Yes. Strac's MCP DLP works with Claude as a remote custom connector across Claude.ai on the web, Claude Desktop, Claude Code, and Cowork on every plan, since Anthropic's connectors run from its own cloud and reach your connected SaaS through the MCP server Strac governs. When an analyst asks Claude to summarize a Slack incident channel or pull a customer record from Salesforce, Strac inspects that tool response before it reaches the model and applies your configured policy — redact, mask, block, or alert — while logging the user, the tool, and the matched data type either way. Detection and the audit trail are always on; the enforcement action is yours to set, which is why MCP DLP behaves identically whether Claude is reading a Google Drive doc or writing a GitHub issue.
Yes. Strac's MCP DLP works with ChatGPT through Developer Mode, the beta path OpenAI provides for full MCP connectors on Plus, Pro, Business, and Enterprise — note that this is not the default consumer experience, so the connector is enabled deliberately by your admins. It also works with Codex, which connects to MCP servers over stdio or streaming HTTP from the CLI and IDE, so a developer asking Codex to fetch a Stripe customer or scan a private repo still has every response checked against your policy. Whether the action is redact, mask, block, or alert, Strac records the access in the same MCP security audit log, giving you one ledger across both ChatGPT and Codex.
Yes. Strac's MCP DLP works with Google Gemini where it is strongest as a client — the Gemini CLI and Gemini's agent and enterprise platform, which Google shipped with official MCP support — rather than the consumer chat app. A platform engineer using Gemini CLI to query a BigQuery export or read a Jira ticket triggers the same inspection: Strac evaluates the tool result and enforces your chosen action, with the detection event and the requesting identity captured every time. The policy you set once governs Gemini exactly as it governs any other client, so moving an agent from Drive to GitHub never changes how MCP DLP treats the data.
Yes. Strac's MCP DLP works with Microsoft Copilot through Copilot Studio and GitHub Copilot, both of which consume MCP servers under enterprise allowlist governance — so once an admin allowlists the Strac server, every agent built in Copilot Studio inherits your controls automatically. If a Copilot agent reads a SharePoint file, opens a Salesforce account, or pulls a GitHub pull request, Strac inspects that payload and applies your configured policy of redact, mask, block, or alert before the model sees it. The allowlist model pairs naturally with Strac's always-on audit log, giving security teams a single record of which agent touched which sensitive field across the Microsoft estate, consistent with how AI DLP treats every other connected source.
Yes. Strac's MCP DLP works with Perplexity, which added custom MCP connectors for Pro, Max, and Enterprise in March 2026; note that Perplexity supports MCP as a client even as it publicly steps back from MCP in its own backend, so we scope this to the connector capability rather than overstating it. The same governance extends to other MCP clients — Cursor, Windsurf, Cline, and Grok — meaning a developer in Cursor reading a private repo or an analyst in Perplexity pulling a CRM record both hit the same inspection point. Across all of them Strac keeps detection and the audit log always on and applies whichever action you configured, so adding a new MCP client never opens a new blind spot.