Session

Closing the AuthZ Gap in MCP: Policy-Driven Tool Invocation Control

MCP tools give AI agents direct access to external services - production databases, internal APIs, third-party platforms. But most teams deploying MCP today have no answer to a simple question: who authorized that tool call?

MCP has made remarkable strides in standardizing agent-to-tool connectivity - but AuthN and AuthZ at the tool invocation layer remain an open problem. Tool calls are dynamic and runtime-driven; static Kubernetes RBAC has no vocabulary for per-tool, per-agent, or per-parameter enforcement. There is no native spec primitive to say "only this agent can call this tool."

In multi-tenant environments this gets worse - one misconfigured agent can invoke tools across tenant boundaries and nobody finds out until the damage is done. Teams filling this gap today are relying on custom middleware, app-level checks, or nothing at all.

This talk explores where MCP's authorization model falls short and how policy-as-code closes the gap - with Kyverno as one strong implementation path. The session walks through real ClusterPolicy configurations, multi-tenant isolation patterns, and hard-won lessons from tuning enforcement without breaking production agents.
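As an added illustration of the enforcement dimensions the abstract names (per-tool, per-agent, per-parameter and tenant boundary), not the speaker's material and not a Kyverno policy: a deny-by-default gate in Python that evaluates an MCP `tools/call` JSON-RPC message against a constructed rule set. The agent identity and tenant values are assumed to come from the transport's authentication step, never from the request body.

```python
"""Illustrative policy gate for MCP tools/call requests (constructed example, not Kyverno)."""
import json
from dataclasses import dataclass, field
from typing import Any, Callable

@dataclass
class ToolRule:
    """Which agents may call a tool, plus optional constraints on its arguments."""
    allowed_agents: set[str]
    arg_checks: dict[str, Callable[[Any], bool]] = field(default_factory=dict)

# Constructed policy: per-tool, per-agent and per-argument rules. Unlisted tools are denied.
# The SELECT-prefix check is a toy stand-in for a real per-parameter constraint.
POLICY: dict[str, ToolRule] = {
    "query_db": ToolRule({"reporting-agent"},
                         {"sql": lambda s: isinstance(s, str) and s.lstrip().upper().startswith("SELECT")}),
    "send_email": ToolRule({"support-agent"}),
}

@dataclass
class CallContext:
    """Identity attached by the transport after AuthN (assumed; not taken from the payload)."""
    agent: str
    agent_tenant: str
    target_tenant: str

def authorize(tool: str, args: dict[str, Any], ctx: CallContext,
              policy: dict[str, ToolRule] = POLICY) -> tuple[bool, str]:
    """Deny by default; every verdict carries a reason suitable for an audit log."""
    rule = policy.get(tool)
    if rule is None:
        return False, f"tool {tool!r} is not covered by any rule"
    if ctx.agent not in rule.allowed_agents:
        return False, f"agent {ctx.agent!r} may not call {tool!r}"
    if ctx.agent_tenant != ctx.target_tenant:
        return False, f"cross-tenant call {ctx.agent_tenant!r} -> {ctx.target_tenant!r}"
    for name, check in rule.arg_checks.items():
        if name not in args or not check(args[name]):
            return False, f"argument {name!r} of {tool!r} failed its constraint"
    return True, "allowed"

def gate_request(raw: str, ctx: CallContext) -> tuple[bool, str]:
    """Apply the policy to a JSON-RPC 'tools/call' message before it reaches the MCP server."""
    msg = json.loads(raw)
    if msg.get("method") != "tools/call":
        return False, f"method {msg.get('method')!r} is not a tool call"
    params = msg.get("params") or {}
    return authorize(params.get("name", ""), params.get("arguments") or {}, ctx)
```

The returned reason string is what you would write to the audit trail so that "who authorized that tool call?" has an answer for every allow and every deny.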

Sonali Srivastava

Senior Developer Advocate

Navi Mumbai, India
