RBAC was built for humans clicking pages. Agents fire hundreds of retrievals per session across permission domains the role-to-resource map never reconciled. The fix lives in the pipeline, not the prompt: pre-retrieval filters, delegated identity, row-level security (RLS), audit trails that outlive ACL changes.
The MCP spec describes a protocol, not a security posture. Most production deployments shipped with a static secret in a header, no identity propagation, and error messages that leak internals. Four enforcement layers, executable, before the next incident review.
Third-party MCP servers run inside your agent's reasoning loop with privileged tool access. Most teams added them without a review process. A 0-100 scorecard across provenance, scope, code, network, and runtime — gated in CI before they ship.