
MCP Vendor Contracts: The Governance Gap No One Is Negotiating

Executive Summary

  • Every major AI vendor with an MCP-enabled product — Anthropic Claude, Microsoft Copilot, GitHub Copilot, Cursor — offers platform-level admin controls for MCP server governance. None of those controls are contractual obligations. When enterprises sign enterprise agreements today, the contract says nothing about which MCP servers the AI can connect to, whether server definitions can change post-signature, or who bears liability when a third-party server causes a breach.
  • The MCP protocol itself provides no native security enforcement. Authentication is optional in the current specification. Audit trails, SSO-integrated authentication, and gateway behavior standards are listed on the official MCP 2026 roadmap as planned features — not yet available. Enterprises deploying MCP-enabled AI tools today are doing so before the enterprise governance layer exists.
  • Third-party MCP servers represent a supply chain risk with no contractual backstop. Over 13,000 MCP servers were published on GitHub in 2025 — roughly 75% by individual developers with no centralized review. A server that passed security review can silently update its tool definitions post-deployment (“rug pull” attack), and no vendor agreement currently requires notification when this occurs.
  • Four contract clauses address the governance gap: MCP server allowlist as a contractual obligation (not just an admin option), server-definition-change notification requirements, third-party server liability allocation, and audit-log delivery SLAs. None of these appear in standard enterprise agreements with Anthropic, Microsoft, OpenAI, or Cursor as of April 2026.
  • The window to negotiate these terms is now. Once an enterprise deploys MCP-enabled workflows and builds operational dependencies, renegotiating the security posture becomes a production change — not a legal edit.

What the Contracts Don’t Cover

The MCP security research file in this corpus (Pass 588) documents the five confirmed attack vectors, two real-world breaches, and three technical controls that address them. This file covers a different problem: the gap between what the vendor’s admin console allows and what the signed agreement requires.

Enterprises negotiate AI vendor agreements for data retention, training-data opt-outs, liability caps, and IP indemnification. They do not negotiate MCP governance because MCP is too new, too technical, and typically invisible to the legal team that reviews the contract. The result is a structural mismatch: the platform allows governance controls to be configured, but nothing in the agreement requires them to be used, enforced, or maintained.

The four specific gaps in current enterprise agreements:

Gap 1: No server allowlist obligation. Every enterprise-tier MCP product (GitHub Copilot, Cursor, Microsoft Azure API Management, Anthropic admin console) offers an allowlist or registry control that restricts which MCP servers the AI can connect to. These are platform features. The enterprise agreement does not require the vendor to enforce an allowlist, does not define a default “allowlist only” posture, and does not create liability if the vendor ships a product update that changes which servers are accessible without notice.

Gap 2: No server-definition-change notification. MCP servers can update their tool definitions post-deployment without user notification. This is the “rug pull” attack vector — a server that passed initial security review changes what it does after installation. No standard enterprise agreement currently includes a clause requiring the AI vendor or MCP server publisher to notify the customer when tool definitions change. Enterprises have no contractual right to review server updates before they take effect.

Gap 3: Third-party server liability is unallocated. When a third-party MCP server causes a data breach — prompt injection through an external server, tool poisoning, or unauthorized data exfiltration — current enterprise agreements are silent on who bears liability. The AI vendor’s standard liability cap (typically 12 months of fees) was drafted for model behavior, not for damage caused by third-party software the model connects to via an open protocol. No vendor has published guidance on whether its liability cap applies to third-party MCP server incidents, and law firm client alerts reviewed for this file confirm no precedent exists.

Gap 4: No audit-log delivery SLA. The MCP 2026 roadmap lists audit trails as a planned enterprise feature — not yet shipped. For enterprises that have deployed MCP-enabled tools already, no standard agreement specifies when audit logging will be available, at what granularity (tool invocation, data accessed, action taken), or what the vendor’s obligation is to deliver logs to the customer’s SIEM. A CISO who needs to investigate an incident involving an MCP-enabled tool today cannot reliably reconstruct what happened without vendor cooperation that is not contractually guaranteed.
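An added example, not code from this file or from any vendor platform: a minimal gateway-side check, in Python, that enforces a server allowlist (Gap 1) and pins each approved server's tool definitions at review time so a later, silent change (the Gap 2 rug pull) is detected and reported per tool. The allowlist name, server name and the two tools/list snapshots are constructed assumptions.

```python
import hashlib
import json

# Hypothetical allowlist fixed at review time (an assumption, not a vendor setting).
APPROVED_SERVERS = {"crm-connector"}

def tool_hash(tool):
    """SHA-256 over canonical JSON of one tool (name, description, inputSchema),
    so any change to wording or schema changes the hash."""
    canonical = json.dumps(tool, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def pin_tools(tools):
    """Snapshot recorded when the server passed review: tool name -> hash."""
    return {t["name"]: tool_hash(t) for t in tools}

def diff_tools(pinned, tools):
    """Compare a fresh tools/list result against the reviewed pin, per tool."""
    current = pin_tools(tools)
    return {
        "added": sorted(set(current) - set(pinned)),
        "removed": sorted(set(pinned) - set(current)),
        "modified": sorted(n for n in current if n in pinned and current[n] != pinned[n]),
    }

def check_server(server, tools, pins):
    """Gateway decision: allow only allowlisted servers whose tool definitions
    still match their reviewed pin. Returns (verdict, reason)."""
    if server not in APPROVED_SERVERS:
        return "block", "server not on allowlist"
    if server not in pins:
        return "block", "server has no reviewed pin"
    delta = diff_tools(pins[server], tools)
    if any(delta.values()):
        return "block", f"tool definitions changed since review: {delta}"
    return "allow", "tool definitions match reviewed pin"

# Constructed sample: tools/list as the server returned it at review time.
REVIEWED_TOOLS = [
    {"name": "read_account", "description": "Read one CRM account by id.",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}}},
]
# Constructed sample: the same server after a silent update (rug pull): one
# description changed and a broader tool appeared, neither re-reviewed.
UPDATED_TOOLS = [
    {"name": "read_account", "description": "Read one CRM account by id, with notes.",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}}},
    {"name": "export_accounts", "description": "Export all CRM accounts.",
     "inputSchema": {"type": "object", "properties": {}}},
]
```

The `diff_tools` result is the per-tool notice an enterprise would want delivered under a change-notification clause; the `block` verdict is what an allowlist-only default looks like when a pin no longer matches.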


What Each Vendor Platform Offers Today (and Doesn’t)

The platform landscape is moving fast. Admin controls exist and, where configured, do meaningfully reduce risk. The problem is that platform availability is not the same as contractual enforcement.

| Vendor | Platform MCP Controls Available | Contractual Obligation | Gap |
|---|---|---|---|
| GitHub Copilot Enterprise | Registry-based allowlist (public preview, requires customer setup) | None | Allowlist is optional, not default; “public preview and subject to change” |
| Microsoft Azure / Copilot | Entra Agent ID, API Management gateway, Defender threat hunting | None | Controls distributed across multiple products; no single MCP governance contract clause |
| Cursor Enterprise | Admin allowlist/blocklist for MCP servers; Team Marketplaces with version control | None | SOC 2 Type II certified but no MCP-specific contract language |
| Anthropic Claude Enterprise | Granular MCP tool permissions in admin console (role-based, per-tool action scoping) | None | No MCP server governance clause in published enterprise agreement analysis |
| AWS Bedrock AgentCore | Cedar-based tool-call policies, down to parameter constraints | None | Strongest policy story but assumes fully AWS-native stack; N/A for mixed deployments |
| OpenAI | No documented enterprise MCP governance controls as of Q1 2026 | None | MCP adoption for enterprise is recent; governance not yet established |

The enterprise-grade governance features on the MCP 2026 official roadmap — audit trails, SSO-integrated authentication, gateway behavior standards, configuration portability — are explicitly listed as “least defined” of the four roadmap priorities. The protocol’s maintainers from Anthropic, AWS, Microsoft, and OpenAI confirmed at the MCP Dev Summit (early 2026) that “no single protocol will solve all security challenges” and that the governance ecosystem “must evolve alongside the protocol.” This is honest and accurate — and it means enterprises cannot rely on the protocol to solve a problem the protocol designers have acknowledged they have not yet solved.


The Supply Chain Problem Is Structural

The MCP server ecosystem is the upstream source of the contract gap. When an enterprise deploys an MCP-enabled AI product, it is implicitly trusting a supply chain of servers it did not vet, from publishers it did not contract with, whose definitions can change without notice.

Over 13,000 MCP servers were published on GitHub in 2025. The vast majority are individual-built with no centralized security review. Many legitimate-looking servers have not disclosed their full data access permissions in their published descriptions. A server granted access to a company’s Salesforce, GitHub, and email can exfiltrate data across all three with a single compromised prompt — the “lethal trifecta” documented in arXiv:2511.20920v1 and arXiv:2504.08623v2 (the latter April 2026, reviewed for this file).

The arXiv:2504.08623v2 paper (enterprise-grade MCP security frameworks, April 2026) establishes a formal vendor selection criterion that no standard enterprise agreement currently requires: vendors must provide security review documentation, clear data handling and permission specifications, evidence of secure development practices, and supply chain security compliance. These are what an enterprise should require contractually from any MCP server publisher it approves for its allowlist — and they are entirely absent from standard AI vendor MSAs.


Key Data Points

| Data Point | Source | Date | Credibility |
|---|---|---|---|
| 13,000+ MCP servers on GitHub in 2025; ~75% individual-built, no centralized review | Unit 42, Simon Willison synthesis | 2025 | HIGH |
| MCP roadmap enterprise features (audit trails, SSO, gateway) explicitly listed as “least defined” and “intentionally undefined” | MCP official roadmap | 2026 | HIGH |
| GitHub Copilot registry allowlist controls are “in public preview and subject to change” | GitHub Docs | April 2026 | HIGH |
| Seven control domains for enterprise MCP security identified; none are currently contractual obligations | arXiv:2504.08623v2 | April 2026 | HIGH (academic) |
| MCP Dev Summit: “No single protocol will solve all security challenges — ecosystem must evolve alongside protocol” | The New Stack / Anthropic, AWS, Microsoft, OpenAI | 2026 | HIGH |
| No existing law firm guidance on liability allocation for third-party MCP server incidents | Redress Compliance, law firm review | April 2026 | MEDIUM-HIGH |
| Standard AI enterprise liability cap: 12 months of fees (OpenAI, Microsoft, Google, Anthropic floor) | MSA standard terms comparison (Pass AI-vendor-contracts) | 2025-2026 | HIGH |
| Anthropic granular MCP tool permissions in admin console: admins can restrict which actions each tool performs | Anthropic admin console documentation | 2026 | HIGH (vendor) |
| Cursor Enterprise: admin allowlist/blocklist for MCP servers; SOC 2 Type II certified | Cursor Enterprise docs | 2026 | HIGH (vendor) |

What This Means for Your Organization

If your organization uses any MCP-enabled AI product — which in 2026 means any enterprise deployment of Claude, GitHub Copilot, Cursor, or any agent that connects to external tools — your current vendor agreement almost certainly does not govern what those tools can connect to, when you’re notified of changes, or who pays when something goes wrong.

The practical implication is not that MCP is unsafe. It is that the governance layer is currently operating through voluntary platform configuration rather than contractual obligation. A future platform update, a vendor transition, or a security incident involving a third-party MCP server falls into a contractual void that standard enterprise agreement language was not written to address.

Four clauses close the gap without requiring complex negotiation. They can be added as a short amendment to any existing enterprise AI agreement:

Clause 1 — Server Allowlist as Default. Vendor must configure MCP connectivity to “allowlist-only” mode by default in enterprise deployments. Deviation from allowlist-only requires written authorization from enterprise security team. Vendor must notify enterprise within 24 hours of any change to its own MCP server definitions.

Clause 2 — Third-Party Server Change Notification. If vendor’s platform connects to or enables connectivity to third-party MCP servers, vendor must provide 7-day advance notice before any new server is made accessible to enterprise users, and must immediately notify enterprise if any approved third-party server modifies its tool definitions.

Clause 3 — Liability Allocation for Third-Party MCP Servers. Vendor’s standard liability cap does not apply to damages caused by third-party MCP servers approved through vendor’s platform without vendor’s explicit security attestation. Any third-party server included in vendor’s official catalog or recommended registry requires vendor to provide security attestation, and vendor accepts proportional liability for damages caused by undisclosed risks in its attested servers.

Clause 4 — Audit Log Delivery SLA. Vendor must deliver complete MCP tool invocation logs (including tool called, parameters passed, data accessed, and action taken) to enterprise’s designated SIEM within [X] hours of any security incident. For enterprises in regulated industries (healthcare, financial services, legal), continuous log delivery to enterprise-controlled storage is a minimum requirement.

None of these clauses require the vendor to build technology that does not exist. They require the vendor to use controls it already offers. The negotiation is about making the use of existing controls a contractual default rather than an optional configuration.

If these questions are coming up in the context of your AI vendor renewals or new negotiations, that’s the right time to raise them — before operational dependencies make renegotiation a production risk rather than a legal edit. If you’d like to work through what these clauses look like against a specific vendor’s standard agreement, I’m reachable at brandon@brandonsneider.com.


Sources

  1. Redress Compliance — “Anthropic Claude Enterprise: 7 Contract Clauses to Negotiate Before You Sign” — Law-focused compliance firm analysis of Anthropic enterprise agreement terms. April 2026. URL: https://redresscompliance.com/anthropic-claude-enterprise-7-contract-clauses.html. Credibility: MEDIUM-HIGH — Redress Compliance is a third-party compliance firm, not a law firm; analysis is well-structured but does not cover MCP-specific terms.

  2. DX Heroes — “MCP Governance in the Enterprise: What the Landscape Looks Like in Early 2026” — Vendor-by-vendor assessment of MCP governance controls available on major platforms. April 2026. URL: https://dxheroes.io/insights/mcp-governance-landscape-early-2026. Credibility: MEDIUM-HIGH — independent technical analysis; platform control descriptions corroborated by official documentation.

  3. GitHub Docs — “Configure MCP Server Access for Your Organization or Enterprise” — Official GitHub documentation on enterprise MCP registry and allowlist controls. April 2026. URL: https://docs.github.com/en/copilot/how-tos/administer-copilot/manage-mcp-usage/configure-mcp-server-access. Credibility: HIGH — primary source from GitHub; explicitly flags “public preview and subject to change.”

  4. arXiv:2504.08623v2 — “Enterprise-Grade Security for the Model Context Protocol (MCP): Frameworks and Mitigation Strategies” — Peer-reviewed academic paper establishing seven control domains for enterprise MCP security and vendor selection criteria. April 2026. URL: https://arxiv.org/html/2504.08623v2. Credibility: HIGH — academic, independent, Tier 1 publication date.

  5. CIO.com — “Why Model Context Protocol Is Suddenly on Every Executive Agenda” — CIO-facing analysis of MCP governance gaps and procurement implications. 2026. URL: https://www.cio.com/article/4136548/why-model-context-protocol-is-suddenly-on-every-executive-agenda.html. Credibility: MEDIUM — trade press but well-sourced; procurement implications section is independently actionable.

  6. MCP 2026 Official Roadmap — Anthropic/Linux Foundation published roadmap for MCP protocol development. 2026. URL: https://blog.modelcontextprotocol.io/posts/2026-mcp-roadmap/. Credibility: HIGH — primary source.

  7. The New Stack — “MCP Maintainers from Anthropic, AWS, Microsoft, and OpenAI Lay Out Enterprise Security Roadmap at Dev Summit” — Coverage of MCP Dev Summit with direct quotes from protocol maintainers. 2026. URL: https://thenewstack.io/mcp-maintainers-enterprise-roadmap/. Credibility: HIGH — primary conference coverage with named speakers.

  8. Cursor Enterprise Documentation — Admin MCP governance features including allowlist/blocklist and Team Marketplaces. April 2026. URL: https://cursor.com/docs/enterprise. Credibility: HIGH (vendor) — apply vendor self-interest caveat; SOC 2 Type II certification is independently verified.

  9. arXiv:2511.20920v1 — “Securing the Model Context Protocol (MCP): Risks, Controls, and Governance” — November 2025 academic paper documenting attack surfaces, “lethal trifecta,” and governance recommendations. URL: https://arxiv.org/abs/2511.20920. Credibility: HIGH — academic, independent. Tier 1.


Brandon Sneider | brandon@brandonsneider.com April 2026


See also (wiki)

  • ai-vendor-contracts — contract terms for AI vendors including protocol-layer governance gaps
  • agentic-ai-governance — agent authorization and tool-use governance where MCP is the integration protocol
  • ai-cybersecurity — MCP security and CISO controls for agent tool protocols