With protocols like MCP, models are no longer just responding to prompts. They are actively reasoning about the tools and steps needed to complete a task.
One of the biggest promises of deploying AI was the chance to offload mentally demanding, error-prone tasks from human teams. Early models showed potential, but they often required more oversight than expected. Producing results that demanded constant correction or human review. Now, a new generation of agentic AI is changing that equation. Systems built on Anthropic’s Model Context Protocol (MCP) can dynamically choose and execute tools to carry out complex, multistep workflows. However, as recent research from Tenable reveals, this added autonomy raises new questions about how these agents make decisions and what happens when things don’t go as planned.
What Model Context Protocol Brings to AI
The Model Context Protocol, or MCP, is a framework developed by Anthropic that enables large language models (LLMs) to interact with external tools and services in a modular, context-aware way.
Before frameworks like MCP, most AI systems interacted with external tools through tightly coupled code or predefined API calls. These integrations had to be explicitly programmed, meaning the model didn’t actually “understand” what each tool did. It simply executed what it was told. This rigidity made it difficult for AI to make independent decisions or adapt to changing tasks without significant developer intervention.
MCP changes that by treating tools as contextual inputs, not static instructions. Instead of relying on hard-coded logic or rigid decision trees, the AI receives metadata about each tool, such as its name, purpose, and parameters, and uses that to reason about which tool to call, when to call it, and how to handle the output. This shift from control to contextual understanding is what enables true agentic behavior.
In practice, this means an AI agent can complete a task like generating a report, querying a database, and sending an email without needing pre-written scripts for every combination of actions. It can plan its steps dynamically, choosing tools as required based on the context it’s given. Developers don’t need to anticipate every possible workflow in advance. Instead, the model reads descriptions and infers the best sequence of tools to accomplish a task.
See also: MCP: Enabling the Next Phase of Enterprise AI
A Look at the Research
But that same flexibility introduces new complexity: the model’s understanding of what each tool does and how it should be used is entirely dependent on the language in the description. It’s here that recent research begins to reveal how fragile and powerful this design can be.
In agentic AI systems using the Model Context Protocol, tool descriptions are more than documentation; they guide decision-making. Each tool comes with a natural language description that the model reads and interprets to decide how and when to use it.
Tenable’s research showed just how influential these descriptions can be. By embedding specific instructions into a logging tool’s description, researchers were able to prompt the model to call that tool first before executing any others. Essentially, they used prompt injection to simulate a policy enforced not by code but by carefully crafted language.
The models responded differently. Claude Sonnet 3.7 and Gemini 2.5 Pro consistently followed the intended sequence, while GPT-4o produced more inconsistent results, sometimes hallucinating logging data or misinterpreting parameters. This highlights a key vulnerability: even within a shared protocol, models don’t interpret context the same way.
That inconsistency introduces risk. If an AI agent is responsible for sequencing sensitive actions like logging, alerting, or data retrieval, slight variations in tool descriptions could lead to unpredictable or unintended behavior.
Observability, Introspection, and Security
Tenable’s experiments also demonstrated how MCP can be utilized to influence agent behavior beyond task execution. In one case, they created a filtering tool that blocked access to certain MCP tools by name. When called first, this tool acted like a policy firewall, simulating access control through prompt logic alone.
Other tools were designed for introspection, asking the model to list tools likely to run first. Some models responded with internal tool names, suggesting that parts of the agent’s internal process can be inferred through well-crafted prompts. In another test, researchers embedded a request to reveal the system prompt, and while results varied, the responses offered hints about the AI’s operational context.
These techniques blur the line between observability and exploitation. The same prompt-driven mechanisms that enable transparency and control can also expose sensitive behavior if misused.
The Stakes of Agentic AI
The rise of agentic AI marks a turning point, not just in what AI can do but in how it does it. With protocols like MCP, models are no longer just responding to prompts; they’re actively reasoning about the tools and steps needed to complete a task. That shift is powerful, but as Tenable’s research shows, it also creates new layers of complexity and risk.
The good news? These exact mechanisms, when understood and applied carefully, can improve transparency, control, and even compliance. As we build more autonomous systems, we’ll need to rethink security, observability, and governance from the inside out. In the world of agentic AI, language isn’t just a medium of instruction. It’s the interface, the control layer, and the potential vulnerability all at once.
