Via a connection protocol called Model Context Protocol (MCP), AI agents can connect to SaaS tools and perform actions on your behalf. While LastPass doesn’t manage MCP‑powered AI agents, it can govern human‑owned credentials such as static API keys and SSH keys that AI agents commonly rely on. These long-lived credentials remain a primary source of AI access risk.
- Every time an employee authorizes an AI tool with MCP integrations, it creates a machine identity that doesn't expire or show up in standard usage reports. And most SaaS security frameworks aren't built to see it.
- MCP launched in November 2024 with no authentication framework at all. In 2026, OAuth 2.1 and authentication are a strong spec recommendation for MCP, but no enforcement mechanism exists.
- 58% of SaaS logins occur outside SSO-managed environments. AI tools widen that gap, because employees can authorize them independently without informing IT.
- The access trail your auditors will ask for (which AI tools are active, what data they can touch, and how access is controlled) must be documented before the question gets asked, not after.
- LastPass helps lean IT teams at Professional Services firms close gaps at the credential layer, where both human and AI-connected logins occur, without needing a separate IAM platform.
SaaS identity and access management was designed for human users. AI agents authenticate differently, using tokens, API keys, and certificates that often don't expire and carry persistent access. Ultimately, every AI tool with MCP integrations your team authorizes adds a machine identity your current controls weren't built to see.
Your consultants are using MCP-powered AI agents to work faster and more efficiently. And so are your accountants, engineers, and legal team.
You’re resigned to it, of course. But what keeps you up at night is what those agents can access.
The MCP (Model Context Protocol) standardizes how AI agents interface with the apps your business uses.
And if those apps grant the right API permissions, your agents can perform tasks like scanning your Slack messages to find a shared PDF or generating custom summaries in Teams.
For productivity, that's a real gain. But for your access controls, it introduces a category of risk that wasn't part of the design when most SaaS security frameworks were written.
So, what does that risk look like for a Professional Services firm, and what can you do about it without rebuilding your security stack?
What’s a machine identity?
Before we get to MCP and the risks involved, let’s talk about machine identities. A machine identity is a non-human entity, like an AI agent, service account, or automated workflow, that authenticates with tokens, API keys, or certificates instead of a username and password.
So, when someone connects an MCP-powered AI agent to a SaaS app (like Slack), they grant that agent’s machine identity the scoped permissions needed to act on their behalf.
Historically, SaaS security has always treated identity as a human problem, but AI agents or machine identities break that model entirely.
Via MCP, AI agents can retain long-lived access to your digital assets with credentials they are permitted to use. And what’s worrying is that this over-privileging of machine identities is the default for most AI integrations today.
Does MCP increase your SaaS app security risks?
The answer is yes. As mentioned, MCP standardizes how AI agents connect to your apps, which is a big win for productivity. But it also increases the risk of new access paths you can’t see.
This is because each new MCP integration results in one or more credentials with persistent, multi-system access that most SaaS security tools can’t track.
From a SaaS app security standpoint, this creates three specific problems.
#1 Over-scoped permissions. When employees authorize tools with MCP integrations, they typically grant full read/write access because the authorization screen makes it the path of least resistance. So, the AI agent operates with full permissions indefinitely.
#2 Credential accumulation. AI agents operating via MCP can access multiple systems at a time. And each system connection requires its own credentials or tokens. As your team adds SaaS tools with MCP integrations, the number of active access tokens in your environment grows.
#3 Visibility gaps. 58% of SaaS logins occur outside SSO-managed environments (Help Net Security). That’s for human users. AI agents widen that gap, because individual employees can authorize them without informing IT. Your access logs show what people are logging in to, but not where their credentials are being used by agents.
How does weak SaaS identity and access management (IAM) create audit exposure for Professional Services firms?
Weak SaaS IAM creates audit exposure because AI agents may use employee-authorized credentials to access client systems without clear revocation controls.
If you can't show which AI-enabled tools are active, what access they hold, and how that access is controlled, you have a documented gap in your SOC 2, ISO 27001, or client contract obligations.
MCP was built for speed and convenience, not security. When Anthropic launched it in November 2024, there was no authentication framework at all. Anyone who could reach an MCP server could use it.
By the time OAuth 2.0 auth arrived in March 2025 (refined to OAuth 2.1 in June 2025), the ecosystem had already exploded with thousands of MCP servers, all deployed with ZERO authentication baked in.
In 2026, OAuth 2.1 and authentication are strong spec recommendations for MCP, but no enforcement mechanism exists. There’s no requirement to identify exactly who’s connecting to the MCP server. The same server also has no authorization controls, which means there are no rules about what an agent can do once it’s connected.
With managed services like Composio, your AI agents get scoped sessions with your tokens or login permissions. They see only what you allow. However, developer-hosted MCP servers often use dev credentials, which gives 24/7 unchecked access to assets, with no session timeouts or monitoring.
As of March 2026, there are 3,012 unique servers in the official MCP registry, up from ~2,500 six months ago. But only 8.5% use OAuth. The rest (91.5%) rely on static API keys, personal access tokens, or no authentication at all.
The risk can’t be emphasized enough: In Q1 2026, 42,000+ OpenClaw servers were exposed to the public internet, leaking API keys, Slack creds, and chat histories.
In a Professional Services context, a senior associate at your consultancy who connects an MCP-powered AI assistant to your client database automatically confers on the AI assistant the same high privileged access they enjoy.
If that tool is later compromised or if it’s an unvetted Shadow AI tool your IT team never approved, you have no audit trail to even begin an investigation with.
The organizations with the strongest SaaS security posture are the ones treating AI agent credentials with the same rigor as employee credentials: provisioned with least privilege access, documented, and revocable on demand.
How does LastPass Business Max address AI-linked credential risk?
LastPass Business Max addresses the human credential layer where AI-enabled access begins.
Essentially, LastPass governs human credentials, controls which apps they reach, and revokes access when an employee leaves. Those controls apply to AI agent activity by extension, because the agent is running on your team’s credentials (see note below).
Here’s what that looks like in practice:
- SaaS Monitoring surfaces every app your team is logging in to via the browser. The discovery is automatic and organized by app, user, and risk indicators (credential health, risky logins, compliance).
- SaaS Protect lets you set access rules at the app level: “Approve” for tools that have passed IT review, “Warn” for gray-zone apps, and “Block” for tools that pose a documented risk to data integrity and privacy compliance.
- LastPass reports produce the access trail your auditors require. So, when you’re asked how your firm governs AI tool usage, you have documented controls with evidence.
With LastPass, you have a credential governance layer that keeps access inside the boundaries you set.
If your firm doesn't have the headcount for an enterprise IAM deployment or the budget for an enterprise secrets manager like HashiCorp, LastPass is a practical answer to MCP risks.
*A note on offboarding and AI access*
When SaaS access is enforced through SSO, disabling an employee’s access also revokes agent access. But when AI tools rely on long‑lived API or SSH keys, revoking vault access prevents future use but doesn’t invalidate keys stored outside the vault. Rotation at the source system is required. LastPass governs the human credentials AI agents rely on, reducing exposure even when full machine‑identity controls aren’t deployed.
| What you need | How LastPass helps |
| --- | --- |
| Secure place for API keys & SSH keys | Encrypted Secure Notes inside your vault |
| Strong security without specialization | AES‑256 encryption, zero‑knowledge design, MFA enforced at the vault level. No IAM expertise required |
| Predictable, affordable cost | ~$9 per user/month, no per‑secret or usage fees |
| No infrastructure or DevOps overhead | SaaS‑based; no vault infrastructure to manage |
| Fast time to value | Deploy in hours; zero integration required to start |
| Simple sharing & revocation | Centralized sharing, instant revocation when roles change or employees leave |
| Manual rotation is acceptable | Works well for manually rotated, long‑lived secrets |
Read how Professional Services firms like EBC Financial Group are using LastPass to close their access control gaps and try it free today.
How does LastPass compare to other vendors for SaaS security?
LastPass doesn’t authenticate AI agents, issue OAuth tokens, or manage machine identities. But it governs the human-owned credentials those agents rely on, which is where most AI access risk originates today.
See how LastPass compares with Dashlane Omnix and Zscaler below.
| Dimension | LastPass Business Max | Dashlane Omnix | Zscaler |
| --- | --- | --- | --- |
| Primary purpose | Credential-layer SaaS & AI access governance | Browser-based credential & phishing protection | Network-level Zero Trust access |
| Visibility into Shadow SaaS/AI apps | Automatic discovery via browser usage (Discovered Apps) | Limited to credential risk detection and browser-side protection, not app-level governance | Can block an app at network level but zero visibility into weak or compromised credentials, the actual entry point for most breaches |
| App-level access controls | Allow / Warn / Block per app | Warn / interrupt flows only | Allow / block via network policies |
| Coverage of non-SSO logins | Strong; browser-based enforcement | Strong for credentials only | Weak unless traffic is routed through Zscaler |
| Audit readiness for AI tool usage | Built-in SaaS & access reporting | Event & risk reporting (credential-centric) | Requires correlation across tools |
| Deployment effort | Low; SaaS visibility begins within minutes of deployment; no specialized networking expertise required | Low, but focus is on credential threat lifecycle rather than SaaS governance | High; extensive network configuration and policy tuning required |
| Best fit buyer | Lean IT teams needing SaaS + AI governance | Teams focused on phishing & credential misuse | Large enterprises with existing Zero Trust stack |
In summary:
- Choose Dashlane Omnix if your primary goal is phishing resistance and browser-level credential safety
- Choose Zscaler if you already run a full Zero Trust network architecture
- Choose LastPass Business Max if your risk lives at the credential and SaaS layer, especially with AI tools authorized directly by employees
What should your professional services firm do right now to improve its SaaS security posture?
Getting ahead of the machine identity problem doesn't require rebuilding your security architecture, only closing four specific gaps.
Step 1: Map your AI tool surface. Run a SaaS Discovery pass to see which AI tools are actively in use, not just the ones IT approved. SaaS Monitoring in LastPass Business Max does this automatically through the browser extension, with no agents required.
Step 2: Classify what you find. For each AI tool in active use, determine: Is this approved? Does it touch client data? Does it have appropriate credential governance? Tag tools by risk level, so you can apply the right controls.
Step 3: Apply app-level access rules. Use SaaS Protect to set allow, warn, or block policies for tools based on their classification. This gives you control without a blanket lockdown. Your employees keep their access to approved tools, while you get the visibility you need to protect your business.
Step 4: Enforce credential standards for high-risk apps. For apps that touch client data or feed into MCP-connected AI workflows, enforce FIDO2 MFA for your LastPass vault and set authentication policies that apply automatically. Don't rely on busy employees to maintain these standards independently.
Step 5: Build revocation into offboarding. When someone leaves your firm, their access should be revoked immediately. LastPass lifecycle management controls make this part of standard offboarding, not a separate step someone may forget.
If we disable an employee’s access, will AI agents still have access?
It depends on how access was granted. If access was enforced through SSO, disabling the employee revokes both human and agent access. But if the agent authenticated with static credentials (such as API keys or SSH keys), revoking access in LastPass prevents future use but doesn’t invalidate credentials already stored outside the vault. Rotating or disabling those credentials at the source system is required.
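The distinction in this answer (access that disappears with the user's SSO account versus static keys that must be rotated at the source) can be checked against a local inventory of MCP client configuration. The script below is an added example, not LastPass code or part of the original article; it assumes the `mcpServers` JSON layout used by MCP client config files such as Claude Desktop's, and the server names, URLs and secret values are constructed.

```python
import json
import re

# Constructed sample in the "mcpServers" layout; every name, URL and
# secret value here is made up for illustration.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "slack-local": {"command": "npx", "args": ["-y", "example-slack-mcp"],
                    "env": {"SLACK_BOT_TOKEN": "xoxb-CONSTRUCTED", "LOG_LEVEL": "info"}},
    "crm-remote": {"url": "https://mcp.example.com/crm",
                   "headers": {"Authorization": "Bearer CONSTRUCTED-PAT"}},
    "docs-remote": {"url": "https://mcp.example.com/docs"},
    "scratch": {"command": "python", "args": ["server.py", "--api-key=CONSTRUCTED"]}
  }
}
""")

# Heuristic: setting names that usually carry a long-lived secret.
SECRET_NAME = re.compile(r"(token|secret|password|api[-_]?key|authorization)", re.I)

def static_credentials(server):
    """Return the names (never the values) of settings that look like static secrets."""
    found = []
    for section in ("env", "headers"):
        for name, value in server.get(section, {}).items():
            if value and SECRET_NAME.search(name):
                found.append(f"{section}.{name}")
    for arg in server.get("args", []):
        flag = arg.split("=", 1)[0]
        if flag.startswith("--") and SECRET_NAME.search(flag):
            found.append(f"args.{flag}")
    return found

def audit(config):
    """Map each configured MCP server to its static secrets and offboarding action."""
    report = {}
    for name, server in config.get("mcpServers", {}).items():
        creds = static_credentials(server)
        action = ("rotate or disable these credentials at the source system"
                  if creds else
                  "confirm the server enforces OAuth/SSO; otherwise treat as unauthenticated")
        report[name] = {"static_credentials": creds, "offboarding_action": action}
    return report

if __name__ == "__main__":
    for name, row in audit(SAMPLE_CONFIG).items():
        print(name, row["static_credentials"] or "-", "=>", row["offboarding_action"])
```

An entry with no static secret in its config is not proof of OAuth; it only means the credential, if any, lives elsewhere and the server's own authentication still has to be verified.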