To use LLMs beyond chat applications, they must be connected to organizational data and processes. The Model Context Protocol (MCP) enables LLMs to access application data, prompts, and functions. However, giving an AI direct access to enterprise systems introduces security risks and can lead to unintended actions.
This article explains how an AI or API gateway can expose systems to LLMs in a controlled manner while reducing security risks.
Imagine a user wants to change their utility contract to a different plan. They log into a customer self-service portal and ask about the details of their contract. The agent passes the question to the LLM (1). The LLM then asks the agent to call an MCP server to retrieve that customer's contract details (2). The agent then invokes a tool on the MCP server (3). The MCP server is integrated with the ERP system and can call its internal getContracts(userId) function. The answer goes back to the agent (6), which passes the data to the LLM (7).
Using the contract data, the LLM can send a qualified answer back to the agent for the user (8). The user then decides to upgrade to a more comprehensive plan and asks the agent to make the change. This request is handled in the same way as the previous one, but this time a function to update the plan is called.

The agent's system prompt describes which functions the LLM may call and how to call them. However, unless additional restrictions are in place, the LLM can potentially access everything the MCP server exposes. This may include all the data and functions of the ERP system.
A malicious user could trick the LLM into deleting a neighbor's utility plan or accessing unauthorized information. Even without malicious intent, the LLM itself may perform unexpected or unintended actions using the available resources.
For this reason, it is a best practice to limit the resources that the LLM can access through MCP to only those required for the task and block everything else.
A gateway placed in front of an MCP server can control what an LLM is allowed to do. MCP supports the discovery of tools, resources, and prompts. During this discovery phase, the MCP server tells the LLM which capabilities are available. An MCP protection gateway can already enforce restrictions at this stage by filtering what the LLM is allowed to discover. Instead of exposing all tools, resources, and prompts, it can present only the subset required to fulfill a specific task.
When the LLM later invokes an MCP tool or accesses a resource, the gateway can decide whether to forward the request to the MCP server. For example, it can reject calls to a deleteUser() tool. The gateway can also inspect the request parameters and the returned data. Using JSON Schema validation, it can verify both the structure and, if required, the content of requests and responses against defined security policies. For example, it can block requests containing specific IDs or prevent responses that expose sensitive values.

MCP uses JSON-RPC as its underlying protocol. JSON-RPC is an API protocol and an alternative to REST. Many API gateways already provide JSON-RPC security features that can be used to protect MCP, or they extend these capabilities with MCP-specific protection features.
The following configuration shows how to configure MCP protection in the Membrane API Gateway. It allows access only to the getContracts and upgradePlan tools while blocking all other tools.
- mcpProtection:
methods:
toolsList: true
toolsCall: true
tools:
- allow: getContracts
- allow: upgradePlan
- deny: ".*"
- mcpProtection:
methods:
toolsList: true
toolsCall: true
tools:
- allow: getContracts
- allow: upgradePlan
- deny: ".*"
References:
The Model Context Protocol (MCP) enables LLMs to move beyond simple chat by giving them access to enterprise data, prompts, and application functions. While this greatly expands their capabilities, it also introduces significant security risks if LLMs are given unrestricted access to backend systems.
An MCP protection gateway addresses these risks by enforcing the principle of least privilege. It can limit which tools, resources, and prompts an LLM is allowed to discover, authorize or reject individual MCP requests, and validate request and response data against security policies. These controls are implemented by modern API gateways, allowing organizations to integrate AI safely without exposing their systems to unnecessary risk.