Read enough agent-security documents and they blur together. There is always a list of ways an untrusted Model Context Protocol server can hurt you — a poisoned tool description, a rug-pulled schema, a confused-deputy proxy — and a list of controls that point straight back at that server. The OWASP MCP Top 10 is organized this way. So is the spec's own authorization guidance. The mental model is a castle wall, and every arrow slit faces outward at the servers trying to get in.

The NSA's May 2026 guidanceModel Context Protocol (MCP): Security Design Considerations for AI-Driven Automation, from its Artificial Intelligence Security Center — starts in the same familiar place. MCP, it says, shipped "flexible and underspecified," the way early web protocols did, and its adoption outran its security model. It names three risk families: serialization flaws, trust-boundary failures, and agent misuse. If you stopped reading there you'd file it next to every other checklist.

Don't stop there. The document's signature recommendation points the wrong way, and that is the entire reason it's worth your time.

The control that faces inward#

Buried in the CSI's defense-in-depth stack is an item you will not find on the OWASP list: put a filtering outgoing proxy — it names Squid and tinyproxy by name — or an enterprise DLP system on your external MCP connections, with resource URLs and access methods pinned tightly enough to limit unintended leakage.

Sit with the direction of that arrow. A filtering outgoing proxy does not protect you from a malicious server. It protects you from your own agent — from the moment a prompt-injected model, doing exactly what MCP invites it to do, decides to call a tool that ships your data somewhere it shouldn't go. The threat being modeled is not "the server attacks the client." It's "the client, once confused, becomes an exfiltration pipe." That is the insider-threat model, and it is the oldest reflex in enterprise network security: you cannot vouch for everyone inside the perimeter, so you inspect what crosses it on the way out.

Every other MCP defense assumes the danger is outside trying to get in. The NSA's assumes the danger is already inside, holding your credentials, and about to walk out the front door with your data.

This is not a small stylistic difference. It follows from a premise the rest of the field keeps flinching from: you cannot make the model trustworthy. A model steered by prompt injection will follow the injection every time; that is a property of how the thing works, not a bug awaiting a patch. If the agent is permanently confusable and you still have to run it, the only place left to enforce a boundary is the wire. So the NSA draws one there — with 1990s plumbing, because MCP itself offers nothing to draw it with.

Why the plumbing, and not the protocol#

The deeper claim under all of this is that MCP has no trust boundary of its own. A tool response is serialized data that gets deserialized straight into the model's context — where it stops being data and starts being instructions the model may act on. The request channel and the control channel are the same channel. That's why the NSA's list pairs the egress proxy with message integrity and output filtering: it's trying to police a response path that the protocol treats as trusted by construction. You can't put a boundary inside a design that collapses the distinction, so you wrap one around it.

That framing also explains what the document is not. It is not a ranked, severity-scored bug list like OWASP's, and it is not a mandate. It is design considerations, addressed to the architect standing up agentic automation in a bank or a law firm — someone who already owns a proxy fleet, a DLP deployment, an identity provider, and a SOC, and whose real question is "which of my existing controls do I point at this new thing?" The answer the NSA gives is: most of them. Sandbox the tool execution. Segregate any tool that touches regulated data. Bind the agent to enterprise identity. Log every call. Scan and inventory the MCP servers on your network the way you'd inventory any other service. None of it is novel; the novelty is insisting that MCP is not special enough to escape it.

The honest limit#

It's worth saying plainly what this guidance does and doesn't buy you, because the perimeter framing has a famous failure mode. An outgoing proxy inspects destinations and payloads; a sufficiently clever exfiltration path — data smuggled out through an allowed destination, encoded inside a legitimate-looking API call — walks right past it, exactly as DLP has always struggled with the determined insider. The NSA's stack raises the cost of a confused agent leaking data. It does not reduce that cost to zero, and it does not repair the protocol-level hole that makes the agent confusable in the first place. Equixly's mapping of the NSA controls onto the OWASP items is the useful next step precisely because neither document is complete alone: OWASP tells you how the server attacks you, the NSA tells you how to contain your own agent when it turns, and you need both walls.

The one idea to take from the CSI is the reversal itself. For a year the MCP security conversation has been a conversation about other people's servers. The first government document on the subject quietly changes the subject to your own agent — and once you've read the threat model that way, the outgoing proxy stops looking paranoid and starts looking overdue.