Securing AI and Infrastructure with Teleport + Anthropic’s Model Context Protocol (MCP)

Published: May 20, 2025

As Large Language Models (LLMs) become everyday tools for developers and knowledge workers, ensuring secure, controlled, and auditable access to infrastructure and data is more critical than ever. Watch to learn how Teleport is integrating with Anthropic’s Model Context Protocol (MCP) to deliver robust zero-trust security for AI workflows.

In this webinar, we cover two powerful new use cases:

  • Secure Database & Data Access for AI Assistants: Learn how Teleport enables MCP-enabled AI tools (like Claude Desktop) to connect directly to Teleport-protected databases using strong authentication, role-based access control, and complete audit logging. Now, querying your production data through an AI assistant can conform to existing security frameworks.
  • Zero-Trust for MCP Servers: Discover how Teleport is extending zero-trust security to MCP servers themselves. Whether you're hosting AI agents or custom MCP tools, you’ll be able to enforce short-lived credentials, mutual TLS, granular access policies, and full auditing of every request—without disrupting the AI user experience.

Whether you're an AI-forward team or looking to securely operationalize LLMs in production, this session will show you how to bridge cutting-edge AI capabilities with the security rigor modern infrastructure demands.

Key topics on Securing AI and Infrastructure with Teleport + Anthropic’s Model Context Protocol (MCP)

  • Model Context Protocol (MCP), developed by Anthropic, is an open standard for AI integration.
  • Often referred to as a “USB-C for AI applications”, MCP standardizes how AI models connect to external data sources and tools through a client-server architecture.
  • MCP introduces three key security risks: deployment architecture risks, authorization and governance gaps, and LLM manipulation threats.
  • Teleport extends its infrastructure identity platform to secure MCP deployments by providing unified identity management for humans, machines, and AI agents; eliminating static credentials with cryptographic security; implementing Zero Trust principles and short-lived privileges; and delivering comprehensive audit trails for all AI-driven activities.
  • Organizations should integrate security early in AI initiatives, align AI projects with business objectives, assess data readiness, and establish shared responsibility between security and development teams.
  • The key is extending existing security frameworks rather than creating AI-specific silos.
  • With Teleport’s MCP support, organizations can accelerate AI innovation while maintaining their existing security posture, avoiding the need for separate AI security frameworks.

Expanding your knowledge on Securing AI and Infrastructure with Teleport + Anthropic’s Model Context Protocol (MCP)

Transcript - Securing AI and Infrastructure with Teleport + Anthropic’s Model Context Protocol (MCP)

Diana: All right. Good morning, good afternoon, and good evening, all. So I’m Diana Jovin, Chief Marketing Officer here at Teleport. And thank you for joining us today for the important topic of securing AI and infrastructure with Teleport and Model Context Protocol. Before we get started, we have a couple of housekeeping things to cover, so let me start with those. Please note the chat box on the right side of your screen. Feel free to ask questions, post comments, and engage with us there. We’ll keep an eye on this throughout the webinar. And if you have any questions, please feel free to add them to the Q&A tab at the top of the chat box, and we will address them at the end of the webinar. We’ll be sending you a recording of the webinar 24 hours after the event, so don’t worry about furious notetaking. And please note that there are a couple of linked resources in the Docs tab as well. Feel free to download those.

Speaker introduction

Diana: Okay. So let me introduce my co-presenters here. We have Stephanie Walter. Stephanie is an analyst-in-residence for HyperFRAME Research, and she has more than 20 years leading innovation in cloud, SaaS, middleware, data, and artificial intelligence. She has guided product life cycles from concept to go-to-market in both senior roles at IBM and fractional executive capacities, blending engineering expertise with business strategy and market insights. From software engineering and architecture to executive product management, Stephanie has driven large-scale transformations, developed technical talent, and solved complex challenges across startup, growth-stage, and enterprise environments. I will add — Stephanie is the author of a white paper on MCP that you can download from the Download tab that I talked about. So I encourage you to go read this excellent resource, although please wait until the end of the webinar to do it. But it is an excellent paper, so please take that with you.

Diana: It’s also my pleasure to introduce Boris, Boris Kurktchiev. Boris is a Teleport Specialist Solutions Architect known for his expertise in Zero Trust identity solutions for cloud and AI, and his contributions to the CNCF’s Cloud Native AI Working Group. So he’s on the inside track. A thought leader and KubeCon presenter, he advocates for AI and security, developing solutions like automated Kubernetes policy enforcement and ML for identity governance, and advises enterprises on their AI strategies. So thank you both for being here. And let’s kick it off with the first question, which is for Stephanie. Let’s talk about what is MCP and why does it matter.

What is Model Context Protocol (MCP)?

Stephanie: Yeah. So I’ve prepared a little — I’ve prepared some slides because, sometimes, it’s easier to see the words while I’m talking. So Model Context Protocol (MCP) is an open standard for AI integration. So it was developed by Anthropic. And it standardizes how large language models, small language models, connect and interact with external data sources and tools. So it describes the client-server architecture. And what does that mean? So the AI applications that typically include the AI models — those are considered clients. And the clients can communicate with data sources or tools or services, and those are considered the servers through this standard protocol. Sometimes, you’ll hear it referred to as USB-C for AI applications. And if you hear that, it means that MCP is sort of considered this universal connector that simplifies integration across diverse systems that tend to make up these AI applications. So that’s what MCP is.

Benefits of MCP

Stephanie: Why does it matter? What are the benefits? So the reason this was brought to fruition is because, of course, it simplifies integration. So it reduces the need for custom connectors between AI models and data sources. So I mean — think about if you had to write a custom API or a custom connector every time your application wanted to access a different tool or different type of data source or different AI applications wanting to access the same data source, but they all need access calling from different ways. So what this really does is it simplifies this integration and allows you to embed AI capabilities into your enterprise more easily. It also allows the AI models to access relevant data in real time. So it’s not just the data that the model has been trained on but the proprietary enterprise data that can produce better results for the organization. So this is why MCP is so attractive. And then also interoperability. So different AI tools and services can work together, and the protocol fosters a much more cohesive AI ecosystem by enabling these different AI tools, services, data sources to all work together seamlessly. And one more thing to add is we’re seeing a lot of MCP when we talk about AI agents, especially these AI services or agents that work independently. MCP is really attractive in these use cases.

MCP security considerations

Diana: So now, Stephanie, often you see innovation and security at odds with each other. And one of the things that I heard frequently at RSA was that “S” is the security in MCP, right? So what is the issue with security and Model Context Protocol?

Stephanie: So loosely, there’s sort of three areas of security considerations when we talk about MCP. So one category is the deployment architecture risks. So what does that mean? So there can be overprivileged access, right? So many MCP clients, LLMs, they request really broad and/or persistent access to systems or data. And that can obviously be a problem if there’s data in that broad access that shouldn’t be shared or if it should have been shared a month ago but not now. So overprivileged access is really something you need to look out for.

Stephanie: Expanded attack surface — this is another deployment architecture risk. So when there’s more endpoints, all these clients, all these servers, and there’s more credentials, especially if the credentials are reused or poorly secured, obviously, the system becomes easier to hack. If there are centralized tokens, loosely configured endpoints, I mean, those increase the likelihood of data sprawl and shadow access. And then when we’re talking about applications, there could be potentially a supply chain exposure. So MCP servers may use third party — or the clients too may use third-party or open-source components with limited security validation. So those are some examples of what we would consider deployment architecture risks.

Stephanie: There’s also authorization and governance gaps — so if there’s static credentials, long-lived secrets that remain in circulation for too long. Inconsistent policy enforcement — this is one we especially are seeing right now since AI and MCP are fairly recently being — I don’t want to say being used, but being, I want to say, operationalized in a lot of organizations and enterprises. So access control for LLMs, often, is implemented ad hoc and, unfortunately, sometimes not at all, which can be a big exposure. And there’s also limited visibility. So many environments, at least right now, lack sufficient logging or insight into AI-driven resource usage. So some organizations have little or even no visibility into how many MCP servers are in their environment, what AI applications or MCP clients are accessing the MCP servers, when are they accessing them. Understanding which teams use MCP the most, identifying anomalies in its usage — these are things that are very important to understand and know, and as the technology is evolving, we see a lot more work to be done in this area.

Stephanie: And then the third consideration is really LLM manipulation threats. So there’s prompt injection, right, where a malicious user can input some kind of prompt that causes the LLM to ignore its guardrails or trigger unauthorized actions, and that’s usually with malicious intent. But there’s also the concept of context leakage. So there could be poor session management or poor segmentation that allows the data to bleed across users or tools. So if you think about an AI HR chatbot, right, and let’s say someone’s chatting with the chatbot and trying to figure out, “What do I need to do to get a promotion?” You don’t want the chatbot to come back with a list of people that have been promoted in the past year and suggest they talk to them, right? So there’s this concept of this data leaking through whether intentionally or unintentionally. That’s also a definite security consideration. So we’ve talked about the security challenges that MCP brings, especially as we’re starting to see it operationalize in organizations. Diana, Teleport just had a big announcement regarding MCP and securing MCP. Can you tell us about that?

Poll: AI adoption impact on security

Diana: Certainly. So actually, before we go to the announcement, I’d like to do a short poll of the audience and bring you into the conversation. So Lexi, who is behind the scenes, is making this webinar work effortlessly for us. And she has put a question on the screen for you. So it says, “Please select all questions you’d like to answer yes to. So have you worked at a company that has already experienced a breach? Did it involve compromise of a static credential? Are you worried that AI adoption in your organization will increase your vulnerability? And are you confident that you can adopt AI with appropriate security guardrails?” Okay. It looks like we have a few votes coming in. We’ll give it just another few seconds. We should have some Jeopardy music.

Diana: Okay. Lexi, do you want to put the results on the screen?

Boris: They’re there.

Diana: Oh, they are?

Boris: Yeah. It looks like everybody’s very worried about vulnerability exposure.

Diana: Okay. Yeah. Thank you. All right. So let’s see. So 25% voted for, yes, you’ve experienced a breach. 20% said it involved a static credential. 40% of you said that you’re worried about AI adoption, and 16% of you said that you are confident. So this is not surprising, right? This is something that we’re seeing commonly that there is concern about the increase in risk that AI adoption poses to organizations and the lack of a view on how to govern it. So let’s now turn to the announcement that we made earlier in May. So Teleport announced support for securing MCP. From a vendor perspective, this is a pretty straightforward announcement. Basically, what we’re communicating is that we’re expanding the identities that we cover in our platforms, so expanding it from the servers and databases and clouds and machines and workloads and Windows and GitHub to MCP — to include MCP as one of the infrastructure identities that we support. That means that for the MCP protocol and for MCP servers, we support authentication, authorization, audit, and governance within our infrastructure identity platform. Now, that’s a very kind of practical version of what we announced, but what does it mean for you? That is much more dramatic. What this means is that if you have adopted infrastructure identity, you can now use this existing security framework that you already have and extend it to AI and MCP. So that means that you can accelerate the innovation that you want to achieve while preserving your security posture. In other words, you can invest in AI as part of your unified identity strategy and not as its own identity and security silo. And this is not like hand-wavy PowerPoint stuff, right? The demo that Boris is going to show you today is live, and this will be available for you to start working within a few weeks.

Infrastructure identity architecture

Diana: So some of you may be familiar with Teleport, and some of you may not. And so you may be thinking, “Wait, how can I secure AI without investing in a new security framework? Isn’t it different?” So I just want to spend a couple of minutes talking about infrastructure identity. So let’s see. Share a screen here. All right. So in the world of infrastructure identity, there are a few key concepts that are different from kind of the classical way that people think about identity and access management. So first of all, we introduced Teleport as an identity solution that is purpose-built for infrastructure to modernize identity and access and policy for the needs of engineering and infrastructure teams. And we did this because the characteristics of infrastructure, the scale, automation, it’s ephemeral. You deploy things as code. You deploy infrastructure as code. You deploy policy as code. Those don’t fit with identity and access products that were designed around workforce and employed life cycles. So when you think about — so when you look at this architecture, let me talk about the foundational concepts. At its foundation, infrastructure identity consolidates identities for humans, machines, workloads, devices, AI agents. So you have a consolidated view of everything that’s in your infrastructure. That’s the first foundational concept.

Diana: The second foundational concept is that you eliminate all static credentials. And instead, you secure them cryptographically so they are all rooted in something in the physical world. This means that you no longer have a digital artifact that you can steal or lose or share. And also, you can reason about everything together. So you don’t think about humans as silos. You don’t think about workloads as silos. You don’t think about AI as silos. And we’ll come back to why that’s important. The second layer is about Zero Trust. And this extends the concept between the way that people may think about Zero Trust from a network strategy perspective to extending Zero Trust throughout your infrastructure stack. And the third layer is about privileges. So this implements a policy around short-lived privileges. So things are task-based. They expire. You eliminate the over privileges and standing privileges that people use to execute reach and pivot strategies. And then finally, the third layer, you now have a single source of truth for everything that is happening in your infrastructure. And you can use that both for audit purposes and for confirming your security posture.

Diana: So what does this mean from a practical perspective? Those first two layers now eliminate anonymous computing. You no longer have things like admin showing up in your audit log that require forensic investigation. You also ensure that no one or nothing has access unless there is a unit of work to be completed. So you eliminate a lot of the concerns around having persistent attack surfaces that people can target. And the third layer proves that the security posture has not changed. I’ll also come back and talk about why that’s critical. So let me stop sharing here. So now if you want to begin to govern workflows that involve humans accessing LLMs that are accessing databases or MCP servers, you now see that you don’t want to have a human silo and a database silo and an MCP silo. You want to reason properly about how humans and workloads and databases, all of those things, work together. Or you may want to be sure that there’s no LLM that is now attached to a critical resource, right? Maybe you have a database where you want to have a policy that you can never access it through LLMs, and you want to see that that’s true, or if it happens, you want to get an alert, or if it happens, you want to know who did it.

Diana: And so all of these things you can now see if you have a consolidated view of how all of these identities act together. So these are all things that you can do with our identity security product. So this is also a good opportunity when you’re thinking about these initiatives to start or accelerating your thinking about ways that you want to invest in things that harden your defenses. So now I’ll kick it back to you, Stephanie. We’ve talked about some of the security concerns. We talked about some of the opportunities. We talked about some ways that you can address security with MCP with this announcement that we’ve made. How should companies think about balancing the needs of driving innovation and implementing security? And how are organizations handling this from an organizational design perspective?

Stephanie: So one of the best things that organizations can do is to start early, so integrate security early in the innovation process. This might be easier said than done sometimes, but when you’re doing those POCs, when you’re doing those pilot projects, you want to be asking yourself, “What security considerations do I have? What would need to be implemented here to put this into production?” So starting early is probably one of the number one pieces of advice that I would have. And not just security but also think through compliance early as well. So you want to ensure that any innovations that could potentially make it to production meet legal and ethical standards from the beginning. So again, security compliance — start early, and really, security needs to be embedded into any digital transformation effort. It’s much easier to do if you can extend your security model using something like infrastructure identity and Teleport so that you don’t have to completely rewrite your model. But this is something that — security, of course, needs to be a key piece in any digital transformation effort. And your governance practices really need to be implemented across your innovation projects.

Stephanie: So you need to make sure that you’re covered from a governance perspective. Who really needs to access what? Whose job is it to control this or that? So make sure that your governance policies and any tools are updated and can handle this new wave of AI innovation that is coming. All of these things are great, but really what needs to happen is there needs to be this culture of shared responsibility. So the folks that are responsible for infrastructure and security and really locking things down also need to be held responsible and see innovation and see supporting their organization’s innovation as part of their role, right, as part of their responsibility and part of their success metrics. And on the flip side, these developers that love innovation and love putting out new things, they also need to be held accountable for security and compliance and making sure that what they are putting out into the world isn’t going to introduce new security risks for the organization that they work for. So this is more of a person problem than just technology. But if you can pull that off, this culture of shared responsibility, things will go a lot more smoothly in the balance of innovation and security.

Strategic considerations for AI integration

Diana: Fantastic. So the last question for you before we kick it off to Boris for the demonstration — so when companies are integrating AI into their technology infrastructure, what are some strategic considerations that they should keep in mind?

Stephanie: So I’m going to have a nice slide on this one. So some strategic considerations are — the first one — I always harp on this one — is you want to align your AI integration with business objectives. So do not just do AI for the sake of doing AI, right? You want to make sure that any type of — I mean, really any project has clear goals, and you focus on value creation. So AI can do a lot of neat things, but if it’s not advancing your progress, it’s not creating value for your organization, it’s not worth it. So making sure that the AI is serving you and your organization is paramount.

Stephanie: The next thing that I would take a look at is really assess the data readiness in your infrastructure. So I think we all know by now that if you have poor data quality, the results are going to be poor. Garbage in, garbage out, right? So high-quality, relevant, well-governed data is essential for effective AI. Many organizations may need to conduct a thorough assessment of existing data assets — identify gaps. If you can’t trust your data, you can’t trust the analysis, which is a huge problem. And then expanding from the data, the infrastructure that supports this data, right? So you need to have the necessary infrastructure. You need storage, processing capabilities, data pipelines to support your AI initiatives. And depending on what you’re doing, there’s a lot of — you may need a lot of infrastructure and a lot of power, like I’m saying, depending on the demands of the AI applications that you’re writing or using in your organization.

Stephanie: The next strategic consideration that I hope everybody has gotten the point of by now is prioritize security and ethical considerations. So you want those robust security measures. You want to protect these AI systems and data from potential threats. We’ve gone through how you can do some of those things and what you need to consider. And you also want to establish guidelines to ensure that your AI is used responsibly. So you want to avoid biases. And you also, especially for compliance reasons, but also trust with your users, trust with your customers, there needs to be some level of transparency in these AI-driven decisions. You need to be able — especially ones that are important or people are depending on. You need to be able to explain. You have explainability. So that’s something to think about as you introduce AI into your workflows.

Stephanie: And then lastly, you want to monitor — once you have all this set up, you really want to monitor and evaluate your AI performance, going back to — is AI actually helping you meet these business objectives and your goals in creating value? So like anything, if you want to see your performance, you need to define metrics, your KPIs to assess how effective AI is for your organization. And then you want to keep monitoring for continuous improvement. Are there areas where it’s not working so well? We need to pull the plug. This isn’t worth it. Or we’re there, but we need a couple of tweaks. So consistently making sure that you know what AI is doing and also how it’s helping your organization is really essential for a successful AI integration project.

Diana: Okay. Fantastic. Thank you so much, Stephanie. So Boris, we’ll turn the mic over to you.

Boris: Oh, fantastic. And the audience is already asking very relevant questions, which I greatly appreciate. Okay. So let us share. Okay. Before we get going, I do want to address a few things. First and foremost, if I were to summarize a lot of what we talked about so far, MCP is slowly but surely becoming the glue of applications and access to data, whether it’s structured or unstructured for AI models. MCP deployment architectures can be a problem as it is a very brand new protocol and best practices are kind of developing as we speak. And again, that becomes problematic as Diana pointed out, the “S” in MCP is for security. In other words, it’s a little lacking at the moment. The community is addressing this problem, but you cannot wait for the community at all times because security should not be a day-two problem. Security should always be baked from the start, from day zero, from your design point.

Why does MCP matter?

Boris: So what is good about MCP? I can interface with my database. I can interface with my structured data, and I can now enable people to consume and even manipulate if you want that data much, much faster, make decisions faster, utilize it to do work more efficiently. You can give it access to unstructured data. In today’s example, I’ll be manipulating GitHub. But you can do file system access, which gets a little [inaudible], but it becomes important as it allows your non-technical audience and non-technical end users to be able to, again, interface — use AI to interface with your existing systems making both the utilization of those systems more efficient but also the consumers more efficient. And then at the end of the day, you’ve got to be able to track this. You got to know what was being done, who is doing it, how they’re doing it, why they’re doing it, and to be able to grant these different kind of roles and exceptions that maybe sometimes you need an elevated privilege in order to do certain work and be able to do that through the AI system.

Boris: So I might suggest people go in full screen for this, so it looks a little bit better. But what does the full stack look like? Currently, you will have kind of the top end of the system. Claude, OpenAI, almost all of the major AI players and providers have decided to kind of throw their ball into the MCP court and are supporting it. That allows your client side to add glue plug-ins for specific levels of access, which is where MCP sits. Right after your prompt, MCP will go, “Hey, I’m a client, and I want to do a database access.” Where Teleport sits in this stack is right in the in-between. The Teleport platform, and everything that Teleport does, gives each MCP the ability to have a specific identity, just like a passport that it can carry through its access points in accessing systems. We are able to assign it roles that give it specific permissions to do maybe read-only access to part of my database, maybe do read-write to other parts of my database and then at the end of the day, as I said, actually keep track of who did what, where, how.

Teleport Demo

Boris: And then at the end of the day, your MCP servers, right, where MCP will take the client request, use the identity that Teleport gave it, and then access the data, consume the data, format it, and send it all the way back from wherever your infrastructure may be, all the way back up the chain, back to your end user who requested the call or the call for information. So I will hop out of this for now and quickly jump into Teleport. Now, if you have never seen Teleport before, this is kind of what the web interface looks like. And I have a bunch of resources that are under management by Teleport in this particular environment. The important bits to point out are — I now can start my MCP servers, which, again, are going to be the pieces that will glue together my structured and unstructured data. I can enroll them just like any other regular resource that Teleport can consume and protect. Furthermore, something that we’ve kind of alluded to a little bit is MCP does provide your ability to glue data together.

Boris: But a lot of people are also hosting rather than consuming directly from OpenAI. They’re hosting their own LLMs. We can also bring in those hosted environments. In this particular example, I’m using NVIDIA’s NIM, where I can host my models that are specific to the tasks that I want, and I can protect that API endpoint with Teleport. Okay. So before I go further, I’m actually going to switch back to Claude. So I’m here. I am now an engineer. I have access defined. I am accessing my LLM. In this particular case, I’m accessing Claude through Teleport, and I have a few MCPs defined. Now, those MCPs give me access to GitHub and various different tools and actions within GitHub. They give me access to do certain things within databases that are exposed through Teleport, such as listing and actually running queries. I can manipulate file system files to do things that I have access to. And furthermore, something that we’re very conscious and working towards is the fact that people want to be able to also access Teleport-specific data through an LLM. So we actually have that available as well.

Boris: But let’s talk about databases first. Let me just prompt here and say — now, what we should kind of see here — and I’m glad Diana said that this is live. Every time I run this prompt, the response is slightly different. Why is that both interesting and problematic? You will see here that the LLM is going out and trying to find what access it has through the database MCPs that I have listed here. You can see exactly what it’s sending out to the system, and you see exactly what it’s getting back. This is great. However, every once in a while, the LLM decides to run a few different iterations of the queries to the MCP before it arrives at the output of, “Hey, I have access to the Top Secret database, and I have access to the Aurora database.” First and foremost, as maybe a malicious user, I see, “Oh, Top Secret. Tell me what is in the database.” I would want to be able to run some queries against the Top Secret database.

Boris: Now, hopefully, what should happen is, yeah, you will see that it attempted to connect to this database, and it received a failure error as we do not allow this particular MCP access to the Top Secret database. On the other hand, I can now go and explore the other database, and it should return information about this. Now, why is it important that I can have this delineation between what can I do, what can I not do, how can I explore the system, how can I access the system? You will see that here it just simply says, “Hey, tell me what’s going on in the Aurora database.” And you will see that it’s running various forms of database queries here that are of various complexity. It is ultimately probing the system for me. I don’t have to come up with these queries. And as I said earlier, LLMs are non-deterministic, right? Every time I do this prompt, sometimes it just automatically stops at the first query. Other times, you will issue multiple queries in order to ultimately give me the idea of, “Hey, this is what’s available. This is some interesting information about the database based on the data that I have had access to.” So this has been about databases.

Boris: Let’s talk about GitHub, something that is very unstructured. Databases are structured data, so LLMs are relatively good at being able to manipulate that. But because I have the GitHub MCP enabled, what I’m now able to do is say, “Find the top 10 GitHub projects just based on star counts?” Now, this will be potentially a little more complicated to do, but you will see that what it’s doing is it’s telling you, “Hey, this is the particular search repositories. I’m using this particular tool of the MCP. I’m going to go out here, and I’m going to give you that list,” right? And it’ll be however long. I can now say, “What are the top five issues in this project?” I’m only doing a read in these actions, but I am fully capable and able to start opening up GitHub requests, opening issues, providing the MCP with the level of automation and access that I needed to have in order to achieve whatever end goal I have as the end user.

Boris: And yeah, you will see it went out. It ran various different tools, found the repository, found all the issues, gave me the top five issues that they have. And then finally, one of the other demos is I’m going to kind of play around a little bit with the toolbox here and the MCP that connects directly to Teleport and allows me to ask it questions about the things that are happening within the Teleport system. So hopefully this will return it. But what this should do is actually go, and because I have given access to the Teleport MCP for this, it should be able to go out and tell me what has been happening within the audit log for the last five minutes. Why is this important when we’re talking about compliance, when we’re talking about auditing, when we’re talking about all of these other events that are continuing to only become more complex? I can now ask information and get back structured data in order to prove that, yes, this person is creating this access in a much faster way than standard just querying an access log of some form. But more importantly, I can provide the full context of, “This is what was happening. At this time, these particular users were doing these things,” and glue multiple sources of information together into a final output and a final report on this data.

Boris: Okay. And again, the output here is less important. The fact is that you went and saw, “Hey, you created some certificates. You accessed some databases. There were some bots that were doing some CI/CD things. They were accessing Slack. GitHub was doing fun things and searching the unstructured data that is GitHub.” I’m going to hop back into Teleport. And what I want to show here is in our audit log, when I come here, you will see that I have recorded all of my actions. So when I prompted it and said, “Hey, can you please tell me things about the Aurora database?” You will see that I have a full tracking of — okay, what databases did I ask, what is the specific database, what is the specific service, where does it live, who is it, what am I executing, who is executing it. But more importantly, I can actually also see with my — can actually also track the specific queries that I’m issuing that the MCP is issuing against the database. Again, this becomes very, very important when we’re talking about tracking and when we’re talking about auditability. I now have the specific identity of the MCP and the specific actions that the MCP is taking against my data. All right.

Boris: And what else? Ah, yeah. But one last thing is, well, okay, you saw all of the different tools that I had and all the different checkboxes when I was in Claude allowing me to search databases, do actions on database. What happens if I want to actually define what does each MCP have access to? What does each Claude desktop client have access to? What you’re seeing here on the left is a standard Teleport role that allows you to define a list of actions that are both allowed and denied for a particular identity. And here we have now added a way for you to use MCP and specifically define things that that role is allowed to do or not allowed to do.

Boris: On the right here, you actually see the full visualization of that stack of what people within my system are tied to this particular role and then, ultimately, what end MCPs are being accessed by this role. Again, from an audit perspective, from a compliance perspective, from an even actual operational perspective, this is hugely, hugely beneficial because now I am eliminating any hidden paths. I can all of a sudden very quickly see, “BK admin maybe should not have access to this. They should have a very different role access.” And with that, I think we are done with the demo portion. And we’re going to hop into Q&A potentially.

Q&A

Diana: Thank you so much, Boris. So before we start Q&A, some of you may be wondering when you can start using the technology. And I’m going to invite Lexi to drop a link into chat where you can request to be notified when that release is available. It will be within the next two to four weeks, so please stay tuned for that. And then Boris, your demo has spawned a number of really great questions. So let’s start through those. So the first one is — does the audit log show the exact wording of the prompts input that became the list of low-level commands shown in the demo?

Boris: Yeah. So that’s a great question. And this is where issues with the maturity of the MCP protocols and even the agent-to-agent protocols, which we’re not discussing here, but the prompts themselves currently do not get sent along with the requests. We are exploring ways to actually bring that data into the system because, whoever asked that question, it becomes very important to be able to further guardrail your LLM by knowing, “Hey, this particular prompt or this particular invocation generated this response on my system. I want to guardrail against these types of prompts.” But currently, the protocol itself does not support passing that prompt. So we are exploring ways to tie that in so we have that information for you.

Diana: Okay. Terrific. The next question is on this demo. When MCP connects to the database, if you’re using IBM NIMs, is the database authentication the Teleport part?

Boris: Sorry. The NIMs part of the demo was just showing your ability to front-gate access to self-hosted LLMs, which will track access to those LLMs. Access to the MCPs that those LLMs are utilizing is a separate piece or two separate components that are glued together, ultimately, to give you a full access and picture. Hopefully, that answers your question.

Diana: So next question. What do you do when LLMs, as they notoriously do, hallucinate your outputs? We have many cases now of public-sector issues with hallucinated outputs. In this security context, how can you rely on LLMs?

Boris: Yeah. So hallucination, I will go back to the LLMs that are non-deterministic, and this is a great example of this. As far as the outputs are concerned, hallucinating outputs is less of a problem because of how MCP interprets and returns that data. Wherever it’s hosted, whatever your requests did, the packaged-up response gets sent back up to your LLM as is. And the LLM is supposed to display it as is without further manipulation. If you remember seeing it, I asked Claude, “Give me some summary data.” You will have the output, the raw output. What it does after that to structure it or to do formatting on there, it may or may not hallucinate. That’s where the kind of the non-deterministic piece comes into this. But you will always have the raw output available for confirmation, if you will.

Diana: So next question, can the log audit trail see failed or rejected prompts?

Boris: Yeah. So this is what I was referring to earlier. Because of how MCP is currently designed, the prompts are not sent along with requests. And until we figure out a way to get around that limitation, it’s a little harder to give you a solid answer. We are, again, exploring some ways to get that information added to the system, which will then, yes, give you an audit trail of accepted, rejected prompts, if you will.

Diana: On that question, Boris, you can see failed or rejected requests, right? So maybe can you differentiate between when the failed query gets logged and when it doesn’t?

Boris: Yeah. So the queries themselves, right, let me share my screen one more time so it’s a little bit easier to talk about this. But if we go back here, right, the request that I am sending as an engineer, as an end user, to my LLM will come in here to my MCP client. And the MCP client will take the generated query that the LLM has created and send it, pass it through Teleport, which will then send it to the MCP servers that live wherever they may live. And at that point, your database or GitHub or whatever it may be will say, “Hey, this is malformed. I don’t want it,” or “Yeah. This works. Here’s the data that we will provide for you,” and send it back up the stack to come back to your Claude or OpenAI desktop or whatever it may be. So that gets audited and trailed. The specific queries that I send down to the MCP to the infrastructure, whether they are rejected or accepted, will get tracked in the audit log. I’ll stop sharing again.

Diana: Thank you, Boris. And I think you answered this with GitHub, but is MCP protocol useful with unstructured data?

Boris: Yeah. No. I mean, yes, MCP is great for enabling all of your end users to be able to access any type of data. Obviously, I showed GitHub in this particular use case, but whether it’s GitHub, whether it’s a file system, right, I don’t need, say, a business analyst to necessarily know how to navigate a server to be able to go, “Hey, I know you have access to some files. Go grab that file wherever it may be and manipulate it in whatever way I need it in order to get things done.”

Diana: All right. Next question. Does the MCP server or Teleport require some additional features to be implemented to support these security schemas?

Boris: No. Everything that I showed you, all of the MCPs — except the Teleport-specific one that allowed me to query data from Teleport directly — are off the shelf straight from GitHub, straight from the specific official MCP server repositories hosted in the cloud where I just have it enrolled as a resource within Teleport, which gives me all the access to kind of the protections and features that we were talking about like giving each MCP its own identity and being able to guardrail it through roles and all the other fun things and important things that you want in a security platform.

Diana: Okay. Next question, this one you might think about a couple of dimensions to it. Can you manage access approval using LLM? Because I know sometimes people ask, “Can you manage the access approval to LLMs?” so there might be a couple of dimensions here.

Boris: Yeah. And this is why I only briefly talked about the LLM hosting piece. But yes, because we can enroll your LLM endpoints, we can now govern access and revoke access for you, which will, I think, do what you’re asking in a pretty quick and easy manner. You can enroll people, and you can then unenroll them pretty quickly from the access to specific elements, to specific models for specific times. They can actually request, ultimately, adjusting time access for it, which is not something that we demoed here but we actually have in the works now for the LLMs themselves to be also able to request access to resources they don’t currently have access to.

Diana: All right. Next question, are there any tools or future plans to support RAG applications in the same way?

Boris: So I would say that because of how RAG works, you shouldn’t necessarily need any additional tooling in order to be able to enroll all of the pieces of your RAG pipeline in Teleport as a standard resource that will then keep track of the actions that were happening within the RAG. As far as having your RAG in your AI client and using this directly from the client that supports its own internal RAG system, I think that would be something that we would have to sit down with you and explore to figure out what the architecture of that may look like. But the individual RAG pipeline, yeah, all of the individual pieces and resources, you should be able to kind of plug in as a resource and have all the auditability and tracking and all the other things that you saw for MCPs.

Diana: All right. So we have time for one more question, and then we’ll wrap up and conclude here. What are your concerns about sharing sensitive information with AI models like ChatGPT or Claude?

Boris: Yeah. I mean, I think that is always a problem, and it is always top of mind. I think that because AI is volatile in how it packages data and how it consumes data and how it returns data, I think having systems like Teleport and having controls that give me the ability to fine tune what and where it can access and it can consume is about the best way you can do to protect sensitive information. You saw me try to access Top Secret. Top Secret was unavailable. So that is kind of the — or the cherry on top for that.

Diana: And I’m going to have to ask the last question here. Is there an emergency kill-all-access switch when there’s a worrying incident?

Boris: Yes. Because everything is enrolled as a resource, the moment I say that MCP’s identity no longer has access to anything, that’s it. You will basically say, “Hey, I don’t have access to anything. I can’t do anything. Sorry. Not sorry.”

Concluding words

Diana: All right. Thank you all for — that will conclude the webinar. We’re at time. So thank you all so much for attending. Thank you, Stephanie and Boris, for being here today. I’ll just remind you about the white paper in the Docs tab. Please download it. And if we did not get to your question, we will follow up by email. I noted some of you asked for a demo. We will follow up with you as well. And there’s a brief survey. It’s brief, three questions. It will help us improve our content for next time. Thank you so much for your participation today.
