Implementation Discipline Is Not a Protocol Guarantee — Luminity Digital
Agentic AI Security  ·  Companion Dispatch  ·  NSA · MCP  ·  June 2026

Implementation Discipline Is Not a Protocol Guarantee

In May 2026 the National Security Agency issued design guidance for the Model Context Protocol — and in its conclusion wrote the sentence this corpus has been built around. The diagnosis is pitched at protocol depth. The recommendations land one tier below.

June 2026 · Tom M. Gomez · Luminity Digital · 5 min read
This is a companion dispatch, not a series post. It reads one external document against the Luminity corpus — the National Security Agency’s May 2026 guidance on the Model Context Protocol. The surface-versus-enforcement vocabulary it uses was introduced in the Series 11 teaser, Your Stack Is OWASP-Compliant. Your Agents Are Still Exposed. The containment argument it draws on is Series 6; the probabilistic-defense argument is Series 2.

In May 2026 the National Security Agency issued design guidance for the Model Context Protocol.

In its conclusion, NSA writes that MCP’s security posture “remains uneven and highly dependent on implementation discipline rather than protocol guarantees.” That is the sentence. It is correct, it is reached at protocol depth, and what follows it is a recommendation set that lives almost entirely one tier below — in the operational controls that, by the conclusion’s own logic, mitigate the gap without closing it.

The diagnosis is right, and it is structural

NSA does not treat MCP’s problems as endpoint defects. The guidance locates the failure in the protocol’s design — the inversion in which servers query and execute on behalf of clients, the absence of mandated authentication, the optional and unenforced authorization model — and states that these are not patchable at the interface. It cites MCP’s own specification conceding that the protocol cannot enforce these guarantees at its own level, and it calls for reworking the full lifecycle rather than hardening the seams.

That framing is the surface-versus-enforcement distinction introduced in the Series 11 teaser and carried through The Standards Layer — the separation between a control that describes what a compliant system should do and a control the architecture is structurally incapable of bypassing. The distinction is Luminity’s analytical contribution: grounded in the research literature, but the surface/enforcement axis and its application to standards guidance are our framing, not a finding drawn from any single external source. NSA arrives at the same boundary from the national-security side. That convergence is why this document is worth a dispatch.

Where the prescription lands

The recommendations are sound operational engineering. Align tools to data-classification zones. Validate parameters against schemas. Sandbox tool execution. Filter and inspect output pipelines. Instrument for logging. Scan the network for unmanaged servers. Every one of these reduces exposure.

Every one of them also sits in the probabilistic tier of defense — the controls that are necessary but not sufficient, as distinct from the deterministic controls that hold by construction. That deterministic-versus-probabilistic axis is also ours: a way of sorting agentic defenses by whether they mitigate a failure mode or structurally foreclose it. NSA’s recommendation set is almost entirely the first kind. The guidance diagnoses dependence on discipline as the failure, then equips the reader with more discipline. That is the river’s edge — the point at which guidance names what must be done at protocol depth and hands the reader the tools to work around it.

Two places the gap shows

Sandboxing is treated as a boundary that holds. NSA recommends OS-level isolation — seccomp, AppArmor, SELinux, AppContainers — to contain tool execution and block lateral movement. The recommendation assumes the boundary is stable. SandboxEscapeBench finds it is not: escape success scales log-linearly with available compute. The containment line does not fail — it degrades, predictably, as the adversary’s capability grows. Series 6 was built around this distinction. The guidance offers no account of it.

Output filtering is recommended and disclaimed in the same passage. NSA advises inspecting each tool’s output for indirect prompt injection before it reaches the next stage of the pipeline — and then notes, in the same section, that MCP-aware security proxies remain limited, are still maturing, and should be used with caution. The disclaimer is correct, and it is the whole problem. Indirect injection rides inside semantically valid content; a probabilistic filter inspecting probabilistic output inherits the ceiling it is meant to defend against. This is the argument from Series 2 and Series 3. NSA recommends the control and concedes its limits in one breath.

The mechanism that crosses, offered as optional

One recommendation does reach the enforceable bank. NSA proposes extending MCP messages with cryptographic signatures bound to time and context — replay protection, expiration, integrity. That is a deterministic control: a forged or replayed message either verifies or it does not. But the guidance frames it as an optional extension the implementer may add, and it is the only structural mechanism in the set.
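To make concrete why a message signature bound to time and context is a deterministic control rather than a probabilistic one, here is an added example, written for this dispatch and not drawn from the NSA guidance or from any MCP implementation. It is a minimal signed envelope for an MCP-style tool request: the signature covers the payload, a session identifier (the "context"), a timestamp and a nonce, and the verifier rejects anything that fails integrity, belongs to another session, is older than a freshness window, or reuses a nonce. The algorithm (HMAC-SHA256 over a canonical JSON encoding), the field names, the 30-second window and the small clock-skew allowance are all assumptions chosen for illustration; the guidance itself specifies none of them.

```python
"""
Added example (not from the dispatch or from NSA's guidance): a signed
MCP-style message envelope with replay protection, expiration and integrity.

Assumptions made for illustration only:
  - HMAC-SHA256 with a pre-shared key stands in for whatever signature scheme
    a real deployment would choose.
  - Field names (payload, session_id, ts, nonce, sig) are invented here.
  - A 30-second freshness window and a 5-second clock-skew allowance.
"""
import hashlib
import hmac
import json
import secrets
import time

MAX_AGE_S = 30      # assumed freshness window for a message
CLOCK_SKEW_S = 5    # assumed tolerance for a sender clock slightly ahead of ours


def canonical(body):
    """Deterministic encoding: the same body always signs to the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(key, payload, session_id, now=None):
    """Wrap a tool request in a signed envelope bound to session and time."""
    ts = int(now if now is not None else time.time())
    body = {
        "payload": payload,
        "session_id": session_id,        # the context the message is bound to
        "ts": ts,                         # time binding
        "nonce": secrets.token_hex(16),   # one-time value for replay detection
    }
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


class Verifier:
    """Receiver-side checks. Every verdict is a yes/no decision, not a score."""

    def __init__(self, key, session_id, max_age=MAX_AGE_S):
        self.key = key
        self.session_id = session_id
        self.max_age = max_age
        self.seen = {}  # nonce -> ts, pruned to the freshness window

    def verify(self, msg, now=None):
        now = now if now is not None else time.time()
        try:
            body = {k: msg[k] for k in ("payload", "session_id", "ts", "nonce")}
            sig = msg["sig"]
        except (KeyError, TypeError):
            return False, "malformed"

        # 1. Integrity first: a forged body never reaches the nonce cache.
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad-signature"

        # 2. Context binding: a valid message for another session is still rejected.
        if body["session_id"] != self.session_id:
            return False, "wrong-context"

        # 3. Time binding: too old, or implausibly far in the future.
        if not (now - self.max_age <= body["ts"] <= now + CLOCK_SKEW_S):
            return False, "expired"

        # 4. Replay: any nonce still inside the window may be used exactly once.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if body["nonce"] in self.seen:
            return False, "replay"
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"


if __name__ == "__main__":
    # Constructed demo values; not real keys or sessions.
    key = b"constructed-shared-key-for-demo"
    v = Verifier(key, "sess-1")
    request = {"tool": "read_file", "args": {"path": "/srv/data/report.txt"}}
    m = sign_message(key, request, "sess-1", now=1_000_000)
    print("fresh:   ", v.verify(m, now=1_000_005))
    print("replayed:", v.verify(m, now=1_000_006))
```

The ordering of the checks is the design point: integrity is decided before anything is cached, so an attacker cannot fill the nonce table with unsigned junk, and each step is a hard reject with a reason rather than a confidence value. That is what distinguishes this control from the output filter discussed above: the verifier's answer does not change as adversary capability grows, only the key-management and clock-synchronisation burdens around it do.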

The compile-time tier is absent entirely. NSA’s enforcement lifecycle runs from runtime validation to post-deployment scanning; there is no pre-runtime path of the kind VeriGuard demonstrates — offline policy synthesis paired with formal contracts that constrain behavior before the agent runs. The strongest control NSA names is the one it makes least binding.

The reading is right. The distance is the point.

The NSA read the protocol correctly. That is not faint praise — it is the point. A Tier-1 national-security body diagnosed MCP’s exposure as a protocol-level property and said so in plain language, and its recommendations are exactly the operational controls an enterprise should run today.

The gap is not in the reading. It is in the distance between a diagnosis pitched at protocol depth and a prescription pitched at the operational tier — the distance this corpus has mapped since Series 1. Implementation discipline is the right answer to the question the recommendations actually address. It is not an answer to the one the conclusion raises. Adopt the controls; hold the assurance claim to what the controls can structurally guarantee, which is less than the deployment will be asked to carry.

The Hard Claim

A protocol that cannot enforce its own guarantees does not become enforceable because the operator is disciplined. Discipline mitigates the gap. It does not close it.

NSA named the gap at protocol depth and prescribed across it. The controls are correct. The assurance they can carry ends where the protocol’s enforcement does.

NSA Named the Protocol Problem. The Controls Mitigate It. The Enforcement Gap Is an Architecture Decision.

If you are weighing how much assurance an MCP deployment can carry in your enterprise, the calendar is open.
