Session
Your MCP Server Answers Every Call. Should It?
Your MCP server works. Every tool call executes. But do you know who made that call, whether they were allowed to, and whether it should have required a human to approve it first?
Most MCP servers today operate on implicit trust. If an agent can connect, it can run anything - usually without any identity checks, boundaries, or logs. That works in dev. In production, a misconfigured agent or a prompt injection can trigger your most sensitive tools with nothing to stop it.
This session makes the path from 'working' to 'governed' concrete: authenticating agents via OAuth, enforcing per-tool authorisation, and adding human-in-the-loop approvals for high-stakes actions. Live demo: we’ll take an unauthenticated agent, lock down the server, and hold a sensitive call for approval with a full trace on exit.
MCP connects agents to your most important systems; it’s time we started checking their IDs at the door.
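The three controls the abstract names (an identity derived from the agent's OAuth token, per-tool authorisation, and a human-in-the-loop hold for sensitive tools) as an added Python sketch; it is not the speaker's demo code and uses no MCP SDK. `Principal`, `TOOL_POLICY`, `ToolGate` and its decision strings are assumptions, and token validation is taken as already done upstream; every decision, including the human approval itself, lands in one audit list so the trace shown at exit has a single source.

```python
import hashlib
import json
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    agent_id: str      # identity the server derived from the agent's OAuth token
    scopes: frozenset  # scopes granted in that token

# Hypothetical catalogue: the OAuth scope each tool requires, and whether a human must approve each call.
TOOL_POLICY = {
    "search_docs": {"scope": "docs:read", "sensitive": False},
    "send_email": {"scope": "mail:send", "sensitive": True},
    "delete_records": {"scope": "db:write", "sensitive": True},
}

def fingerprint(agent_id, tool, args):
    # Bind an approval to the exact agent, tool and arguments, so approving one
    # call cannot be replayed for a call with different parameters.
    canonical = json.dumps([agent_id, tool, args], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

@dataclass
class ToolGate:
    audit: list = field(default_factory=list)    # one record per decision, for the trace
    approvals: set = field(default_factory=set)  # single-use human approvals

    def _record(self, principal, tool, args, decision, **extra):
        self.audit.append({"agent": principal.agent_id, "tool": tool, "args": args,
                           "decision": decision, **extra})
        return decision

    def authorize(self, principal, tool, args):
        # Returns "allow", "deny", or "needs_approval" (the call is held for a human).
        policy = TOOL_POLICY.get(tool)
        if policy is None:  # deny by default: a tool outside the catalogue never runs
            return self._record(principal, tool, args, "deny", reason="unknown tool")
        if policy["scope"] not in principal.scopes:
            return self._record(principal, tool, args, "deny", reason="missing scope")
        if policy["sensitive"]:
            fp = fingerprint(principal.agent_id, tool, args)
            if fp not in self.approvals:
                return self._record(principal, tool, args, "needs_approval", fingerprint=fp)
            self.approvals.discard(fp)  # an approval is consumed by exactly one call
            return self._record(principal, tool, args, "allow", approved=True)
        return self._record(principal, tool, args, "allow")

    def approve(self, approver, principal, tool, args):
        fp = fingerprint(principal.agent_id, tool, args)  # a human releases one held call
        self.approvals.add(fp)
        self.audit.append({"approver": approver, "fingerprint": fp, "decision": "approved"})
```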
Atulpriya Sharma
Principal Developer Advocate @ Improving | CNCF Ambassador
Hyderābād, India