Finance firms are moving from AI tools to AI delegation. Model Context Protocol servers, local agent connectors, OAuth grants, and AI-native developer environments now let assistants reach files, code, SaaS apps, databases, and internal systems with a user's authority.
The operating question is no longer only which AI tools employees use. The sharper question is which agent connectors exist, what they can touch, who authorized them, and whether the evidence is good enough for a board, risk committee, or examiner. That is why Shadow MCP discovery belongs inside the AI Audit, not in a panic track next to it.
The visibility gap is not a vendor failure. It is an architectural mismatch.
The structural problem.
A CISO can usually ask for a list of approved applications, endpoint agents, network traffic, and identity events. Those lists still do not answer the Shadow MCP question. An MCP server can be a local connector installed through a package manager, a config file inside an AI client, a browser-authorized OAuth grant, or a developer workflow saved into a repository.
Traditional security tooling was built around human operators and predictable surfaces. MCP changes the shape of the work. An agent can inherit a human session, call a tool, pull context from a data source, and act inside a workflow that procurement never saw. The activity can look ordinary to one control layer while the delegation chain remains invisible to the operating owner.
That is the finance risk. Not that MCP is automatically bad. The risk is that useful AI work reaches client data, portfolio data, regulated records, code, reporting workflows, or production systems before the firm has mapped ownership, materiality, evidence, and review.
Why standard security tooling misses it.
DLP and network controls inspect movement and egress. A local agent connector can read or act inside an approved session before a file leaves the environment.
The identity layer may see a normal user session. It does not automatically see the delegated agent path, tool scope, or downstream action.
Endpoint inventory may find applications. MCP often appears as config, package residue, OAuth grants, repo history, or process behavior.
The NSA's May 2026 MCP security guidance names the same structural issue: MCP is increasingly present in business, finance, legal, and software-development deployments, and established cyber-defense strategies do not adequately cover the new risks created by dynamic tool invocation, implicit trust, and context sharing.
Evidence becomes a findings memo.
Discovery is only useful when every signal routes into an owner, a data class, a workflow, a materiality read, and a stated coverage limit.
Material findings, remediation, and coverage caveat.
The 8-layer audit.
A Shadow MCP audit should produce artifacts, not anxiety. Each layer below has a job. Each layer also has a limit. The discipline is to state both.
Endpoint discovery.
Catches: AI client configs, local MCP entries, running agent-style processes, and package residue on managed machines.
Artifact: Endpoint evidence table with client, connector, path, owner, and scan time.
Identity correlation.
Catches: Which user, role, department, and business unit sit behind each finding.
Artifact: Owner map that converts technical findings into accountable operating surfaces.
OAuth grant inventory.
Catches: Persistent third-party app grants across Google Workspace, Microsoft 365, Slack, Notion, Salesforce, HubSpot, and adjacent systems.
Artifact: Grant table with scope, installer, application, expiry, and remediation route.
Git history scan.
Catches: MCP config files, package references, server-side connector code, and team-shared agent setups committed into repositories.
Artifact: Repository evidence log with file path, commit context, owner, and data/system reach.
Role-tailored attestation.
Catches: Non-technical AI use that endpoint and code scans miss, especially browser, desktop, and personal-account workflows.
Artifact: Survey-backed usage map across engineering, finance, ops, marketing, sales, legal, and leadership.
Risk classification heatmap.
Catches: Which findings become material because of data class, action scope, workflow consequence, and ownership gap.
Artifact: Department x MCP category x data-sensitivity heatmap mapped to OWASP Agentic Application risk categories.
Coverage caveat.
Catches: The audit's own limits before the audit committee does.
Artifact: Catches, partially catches, and misses. This is the layer that keeps the memo honest.
Findings memo.
Catches: The decision the technical findings support: approve, restrict, replace, remediate, monitor, or fund a workflow.
Artifact: Board-readable memo plus technical appendix for the security and platform teams.
Run in sequence, the layers separate useful demand from material exposure. The outcome is not "ban MCP." The outcome is a map of what should be approved, what should be governed, what should be rebuilt, and which workflow should move next through the AI Audit, AI Governance, AI Transformation, or AI Fluency.
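As an added illustration of the endpoint discovery layer (not code from the original page or from any audit product), the sketch below walks a directory tree, parses MCP client configs, and emits evidence rows with client, connector, path, owner, and scan time. The config file names and JSON keys are assumed client conventions, and the owner value and sample tree are constructed.

```python
import json, os, tempfile
from datetime import datetime, timezone
# Assumed conventions (not from the page): path suffix -> (client label, JSON key).
KNOWN_CONFIGS = {
    "claude_desktop_config.json": ("Claude Desktop", "mcpServers"),
    os.path.join(".cursor", "mcp.json"): ("Cursor", "mcpServers"),
    os.path.join(".vscode", "mcp.json"): ("VS Code", "servers"),
}

def scan(root, owner):
    """Return (evidence_rows, unparsed_paths) for MCP configs under root."""
    rows, unparsed = [], []
    when = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            hit = next((v for k, v in KNOWN_CONFIGS.items()
                        if path.endswith(os.sep + k)), None)
            if hit is None:
                continue
            try:
                with open(path, encoding="utf-8") as fh:
                    entries = sorted(json.load(fh).get(hit[1], {}).items())
            except (OSError, ValueError, AttributeError, TypeError):
                unparsed.append(path)  # belongs in the coverage caveat, not dropped
                continue
            for connector, spec in entries:
                spec = spec if isinstance(spec, dict) else {}
                rows.append({
                    "client": hit[0], "connector": connector, "path": path,
                    "owner": owner, "scan_time": when,
                    "reach": "remote" if "url" in spec else "local",
                    "env_keys": sorted(spec.get("env") or {}),  # names only, never values
                })
    return rows, unparsed

def demo():  # scans a constructed sample tree (not real data)
    root = tempfile.mkdtemp()
    samples = {
        "claude_desktop_config.json": '{"mcpServers": {"ledger-db": '
            '{"command": "npx", "env": {"DB_PASSWORD": "constructed"}}}}',
        ".vscode/mcp.json": '{"servers": {"crm": {"url": "https://mcp.example.invalid"}}}',
        ".cursor/mcp.json": "{ truncated",  # unreadable on purpose
    }
    for rel, text in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return scan(root, owner="analyst@example.invalid")
```

Every path returned in `unparsed_paths` is a config the scan found but could not read, so it is reported as a stated coverage limit rather than silently skipped.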
The coverage caveat is load-bearing.
The easiest way to weaken a Shadow MCP audit is to imply total coverage. A point-in-time audit is not continuous monitoring. Endpoint scans do not see unmanaged personal devices. OAuth grant inventory does not prove every browser-only AI workflow. Git history does not prove what never entered a repository.
A findings memo that does not state its own limits cannot survive the audit committee.
Catches:
- Declared MCP configs on managed endpoints.
- Third-party OAuth grants in primary SaaS systems.
- MCP config files committed to org repositories.
- Self-attested usage from surveyed populations.
Partially catches:
- Non-standard package paths and direct binary installs.
- Recently removed connectors with residue still present.
- BYOD usage surfaced by attestation rather than telemetry.
- Agent workflows that run through approved tools.
Misses:
- Install-and-remove activity between scans.
- Fully browser-only consumer AI sessions.
- Air-gapped local tools with no observable connector.
- New MCP package names outside the scanner signature set.
The honest framing is stronger commercially. Point-in-time discovery finds the ordinary shadow AI that is not trying to hide. Continuous monitoring is the follow-on control for deliberate evasion, drift, and newly introduced agent paths. Finance buyers can handle limits. What they cannot defend is an overclaimed memo.
What the findings memo should contain.
The closing artifact has to work for two audiences at once. The board, audit committee, investment committee, or CIO needs the operating read. The security and platform teams need enough technical detail to remediate findings in the next sprint.
Board-readable memo:
- Top findings ranked by materiality.
- Exposure by department, workflow, and data class.
- What to approve, restrict, replace, remediate, or monitor.
- 90-day remediation plan with named owners.
Technical appendix:
- Endpoint findings and connector inventory.
- OAuth grant table and revocation actions.
- Git findings and committed config evidence.
- Risk heatmap mapped to agentic AI risks.
This is where the methodology turns into a finance decision. The audit proves what exists, where it matters, who owns it, and what evidence the firm can show when a regulator, board, customer, or investor asks how the AI estate is being governed.
Run the 19-question diagnostic.
If you want the fast internal read, start with the companion Shadow AI Self-Diagnostic. It asks whether your team can produce the artifacts this methodology depends on: AI-client inventory, MCP configuration map, OAuth grant review, repo scan, non-technical attestation, EU AI Act and AIUC-1 evidence logic, coverage caveat, and independent reporting line.
The goal is not to make a finance team feel exposed. "Do not know" is a useful answer. It tells the CIO, CISO, CAIO, or audit chair where the next operating read should begin.
Sources.
Public references used for the MCP security context and agentic-risk framing.
- NSA: Model Context Protocol security design considerations for AI-driven automation, May 20, 2026.
- Cloud Security Alliance: MCP Security Resource Center, August 20, 2025.
- NIST: AI Agent Standards Initiative, February 17, 2026.
- OWASP: Top 10 for Agentic Applications for 2026, December 9, 2025.
