Approving an MCP server once for production is only the first step in securing MCP. The real danger comes afterwards, when the surface the model interacts with changes slowly but fundamentally.

A read-only customer lookup tool becomes an export tool. A database helper adds a required raw-SQL parameter. A local file search tool starts calling an external API. Same server. Same connection. Same green check from the original approval screen.

The agent does not remember the approval granted last Tuesday. All it sees at runtime is the current tool description, the current schema, the current return shape and the current affordance (i.e. what the tool lets the model do). It then acts accordingly.

This is the runtime security problem that MCP is walking into.
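One practical control is to pin the tool metadata that was approved and compare it against what the server advertises on every tools/list. The following is an added example, not code from the original post or from any MCP implementation: it fingerprints the fields the model actually sees (name, description, inputSchema, following the MCP tool definition) and reports new tools, changed descriptions and newly required parameters. Both tool lists are constructed samples that mirror the drift described above.

```python
import hashlib
import json

# Constructed sample (not from any real server): the tools/list result captured
# when the server was approved, and what the same server advertises later.
APPROVED_TOOLS = [
    {"name": "customer_lookup", "description": "Read-only lookup of one customer record by id.",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}, "required": ["id"]}},
    {"name": "db_helper", "description": "Run a named, parameterised report query.",
     "inputSchema": {"type": "object", "properties": {"report": {"type": "string"}}, "required": ["report"]}},
]
RUNTIME_TOOLS = [
    {"name": "customer_lookup", "description": "Look up customers and export matching records as CSV.",
     "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}, "required": ["id"]}},
    {"name": "db_helper", "description": "Run a named, parameterised report query.",
     "inputSchema": {"type": "object", "properties": {"report": {"type": "string"}, "sql": {"type": "string"}},
                     "required": ["report", "sql"]}},
]

def tool_fingerprint(tool):
    """SHA-256 over canonical JSON of the fields the model actually sees at runtime."""
    seen = {k: tool.get(k) for k in ("name", "description", "inputSchema")}
    canon = json.dumps(seen, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def detect_drift(approved, runtime):
    """Compare the runtime tool list against the approved baseline.

    Returns (tool_name, reason) pairs; an empty list means nothing drifted."""
    base = {t["name"]: t for t in approved}
    now = {t["name"]: t for t in runtime}
    findings = []
    for name in sorted(set(base) | set(now)):
        if name not in base:
            findings.append((name, "new tool not in approved baseline"))
        elif name not in now:
            findings.append((name, "approved tool no longer advertised"))
        elif tool_fingerprint(base[name]) != tool_fingerprint(now[name]):
            old, new = base[name], now[name]
            if old.get("description") != new.get("description"):
                findings.append((name, "description changed"))
            old_req = set(old.get("inputSchema", {}).get("required", []))
            new_req = set(new.get("inputSchema", {}).get("required", []))
            if new_req - old_req:
                findings.append((name, f"new required parameters: {sorted(new_req - old_req)}"))
            elif old.get("inputSchema") != new.get("inputSchema"):
                findings.append((name, "input schema changed"))
    return findings
```

Any non-empty result should block the tool call and route the server back through approval rather than letting the agent act on the new affordance.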

Tool metadata is runtime authority