Cloudflare Just Defined Enterprise MCP Architecture. Here's the Security Layer That's Still Missing.

Two weeks ago, Cloudflare published a reference architecture for deploying the Model Context Protocol at an enterprise scale. It is the most comprehensive enterprise MCP governance framework any infrastructure company has released to date. And it deserves serious attention.

‍

Cloudflare's architecture addresses three problems that have plagued every enterprise MCP deployment: centralized access control through MCP Server Portals, cost management through AI Gateway and Code Mode, and visibility into unauthorized usage through Shadow MCP Discovery. For enterprises that have been running MCP servers on individual developer laptops with no oversight, this is a meaningful step forward.

‍

But governance is not security. And the gap between the two is where enterprise risk lives.

‍

This post examines what Cloudflare's architecture solves, then maps the security boundaries it does not cross. These are not criticisms. They are the next layer that enterprises need to build on top of whatever governance infrastructure they deploy.

‍

What Cloudflare Gets Right

‍

Cloudflare's reference architecture solves the "Wild West" problem of unmanaged MCP connections. Before centralized governance, enterprises faced a familiar pattern: individual teams spinning up their own MCP servers, each implementing its own authorization, with no central visibility, no audit trail, and no way to revoke access when something went wrong.

‍

The architecture introduces three key controls.

‍

MCP Server Portals provide a single endpoint for all authorized MCP servers. Instead of developers configuring connections to dozens of individual servers, they connect to one portal that handles discovery, authentication, and policy enforcement. Administrators define who can access which portal and which tools from each server are exposed. A finance team might get read-only access to a code repository server while engineers get full read-write access.

‍

Shadow MCP Discovery uses Cloudflare Gateway to inspect HTTPS traffic for JSON-RPC markers that indicate MCP communication. This lets security teams find MCP servers that employees are connecting to outside the governed portal. It is the MCP equivalent of shadow IT discovery, and it fills a gap that most enterprises do not even know they have.

‍

Code Mode addresses the practical cost problem of MCP at scale. The traditional approach of exposing every API operation as a separate tool consumes enormous amounts of context window tokens. Cloudflare reports collapsing 52 tools from four internal MCP servers (approximately 9,400 tokens of tool definitions) down to just two portal tools consuming roughly 600 tokens. That is a 94% reduction that stays fixed as more servers are added.

‍

Internally, Cloudflare runs 13 production MCP servers exposing 182+ tools across GitLab, Jira, Sentry, Elasticsearch, Prometheus, and Google Workspace for 3,000+ employees. This is not a theoretical architecture. It is production-tested at meaningful scale.

‍

The Security Boundaries Governance Does Not Cross

‍

Enterprise governance answers the question: "Who is allowed to access what?" Enterprise security answers a different question: "Is the content flowing through those authorized connections actually safe?"

‍

Cloudflare's architecture assumes that once access is governed, the interactions themselves are trustworthy. In an agentic AI environment, that assumption breaks in five specific ways.

1. Tool Poisoning in Approved Servers

‍

Governance controls which MCP servers an employee can access. It does not validate whether an approved server has been compromised. When OX Security published their MCP vulnerability research in April 2026, they documented 14 CVEs across widely used MCP servers including LiteLLM, LangFlow, Flowise, and others. These are servers that enterprises would approve and register in their MCP Server Portal. Governance makes them accessible. It does not make them safe.

‍

A compromised MCP server that is registered in an enterprise portal is more dangerous than a rogue server outside the perimeter. It carries the implicit trust of organizational approval, meaning agents and users interact with it without suspicion. The attack surface is not at the perimeter. It is inside the governed boundary.

‍

What is needed: continuous automated scanning of every registered MCP server for known vulnerabilities, tool description manipulation, and behavioral anomalies. This scanning must run on an ongoing basis, not just at the point of initial registration.

‍

2. Prompt Injection Through Tool Responses

‍

Cloudflare's architecture includes Data Loss Prevention rules that can detect sensitive data like PII leaving the enterprise through MCP connections. DLP inspects outbound content. But the more dangerous attack vector in agentic systems flows inbound: malicious instructions embedded in tool responses that manipulate the agent's behavior.

‍

When an MCP server returns a response to an agent's tool call, that response enters the agent's context and influences every subsequent action. An attacker who controls or compromises a tool response can embed instructions that cause the agent to exfiltrate data through a different tool, modify its own system prompt, or take actions the user never intended.

‍

This is not a theoretical concern. Anthropic's Claude Code source code leak in March 2026 revealed that MCP tool results are never compacted in the context pipeline. They persist indefinitely and are treated as high-trust content by the agent. A single poisoned tool response can influence an entire session.

‍

What is needed: runtime content inspection on every tool response before it enters the agent's context. This inspection must detect instruction injection patterns, anomalous response structures, and content that attempts to influence agent behavior beyond the scope of the original tool call.

‍

3. Context Poisoning Across Multi-Agent Chains

‍

Modern enterprise deployments increasingly involve multi-agent architectures where a primary agent spawns or delegates to child agents, each making their own MCP tool calls. In this model, a poisoned tool response to one agent can propagate through the chain, affecting agents that never directly interacted with the compromised tool.

‍

Cloudflare's architecture governs access at the portal level but does not track identity lineage or content integrity across agent delegation chains. When Agent A calls a tool, gets a poisoned response, and then delegates to Agent B with that poisoned context, Agent B has no way to know that part of its context was injected by an attacker rather than provided by the user.

‍

What is needed: content integrity tracking across agent chains. Each tool response should carry provenance metadata that downstream agents can verify. Runtime inspection should flag when tool-sourced content is being passed across agent boundaries without validation.

‍

4. Supply Chain Risk in Third-Party MCP Servers

‍

OX Security's research revealed that 9 out of 11 MCP marketplace registries could be poisoned with malicious packages. An enterprise that registers a third-party MCP server in its governed portal is importing supply chain risk into its trusted environment.

‍

Cloudflare's portal model centralizes access but does not validate the integrity of the servers being accessed. A malicious package published to npm or PyPI that masquerades as a legitimate MCP server will pass through the portal's access controls without triggering any security response. The portal authenticates the user. It does not authenticate the server's content or behavior.

‍

What is needed: supply chain scanning of every third-party MCP server before and after registration. This includes static analysis of server code, behavioral analysis of tool responses, and continuous monitoring for updates that introduce malicious functionality.

‍

5. No Adversarial Validation of Governance Policies

‍

Governance policies define what should happen. Adversarial testing validates whether policies hold under attack conditions. These are fundamentally different activities, and the second cannot be derived from the first.

‍

An enterprise might configure its MCP Server Portal with careful access controls, DLP rules, and tool exposure policies. But without continuous red teaming against that configuration, there is no way to know whether an attacker can bypass those controls through prompt injection, tool description manipulation, or multi-step attack chains that individually appear benign but collectively achieve unauthorized access.

‍

The OX Security research demonstrated this directly: Flowise implemented an allowlist that only permitted commands like "python" or "npx." Researchers bypassed it by embedding malicious commands in the arguments. The governance policy existed. It did not hold under adversarial conditions.

‍

What is needed: continuous automated red teaming that tests governance configurations against evolving attack techniques. This includes testing tool poisoning resistance, DLP bypass attempts, privilege escalation through multi-tool chains, and identity propagation failures across agent boundaries.

‍

The Architecture Enterprises Actually Need

‍

Cloudflare's reference architecture represents the governance control plane for enterprise MCP. It answers: who can access what, through which portal, with what cost controls, and with visibility into unauthorized usage.

‍

The missing layer is the security validation plane. It answers: is the content flowing through those governed connections safe, are the approved servers trustworthy, do the governance policies hold under adversarial conditions, and can an attacker achieve unauthorized outcomes despite the controls in place.

‍

These two planes are complementary, not competing. Every enterprise deploying MCP at scale needs both. The governance plane without security validation creates a false sense of safety. Security validation without governance creates an unmanageable attack surface. Together, they provide the defense-in-depth that enterprise security teams require.

‍

The practical architecture looks like this:

For enterprises evaluating their MCP security posture, the question is not whether to deploy governance infrastructure. That decision is already made. The question is who independently validates that your governed MCP deployment is actually secure.

‍

What the MCP Community Is Doing About This

‍

The MCP Enterprise Interest Group, which I co-facilitate in the MCP Contributor community, is documenting these exact gaps. With participants from major financial institutions, healthcare organizations, enterprise integration platforms, and identity providers, the group is building an Enterprise Pain Points Catalog that maps unsolved enterprise MCP problems, including the security dimensions described in this post.

‍

The 2026 MCP roadmap lists Enterprise Readiness as one of four top priorities. The protocol's governance structure is evolving. But the specification process moves at the pace of consensus, and enterprises deploying MCP today cannot wait for the spec to solve their security problems.

‍

The security validation layer needs to exist now, built on top of whatever governance infrastructure each enterprise deploys, and continuously updated as both the protocol and the attack landscape evolve.

‍

Raghu Chandra is co-facilitator of the MCP Enterprise Interest Group in the MCP Contributor community. He advises companies building enterprise AI infrastructure and security solutions.

‍

Enkrypt AI provides MCP Scanner for supply chain security, Secure MCP Gateway for runtime protection, and Agent Red Teaming for continuous adversarial validation of agentic AI deployments. Learn more at enkryptai.com.

‍

References

‍

Cloudflare: Scaling MCP Adoption, Enterprise Reference Architecture (April 14, 2026)

‍

Cloudflare: Securing MCP Server Portals, Zero Trust Architecture (2025)

‍

Cloudflare: The AI Engineering Stack We Built Internally (April 2026)

‍

OX Security: The Mother of All AI Supply Chains, MCP STDIO Vulnerability (April 15, 2026)

‍

InfoQ: Cloudflare Outlines MCP Architecture as Enterprises Confront Security and Governance Risks (April 2026)

‍

CIS: MCP Companion Guide, CIS Controls v8.1 Applied to MCP Systems (April 20, 2026)

‍

Anthropic: Claude Code Source Leak Analysis (March 2026)

‍

OWASP Top 10 for Agentic Applications (2026)

‍

Invariant Labs: MCP Security Notification, Tool Poisoning Attacks