MCP 2.0 Explained: Securing AI Agents Before They Secure Themselves

Note: “MCP 2.0” is used here as a colloquial reference to the next-generation evolution of the Model Context Protocol. MCP itself uses date-based versioning (e.g., the latest release being 2025-11-25 at the time of this document’s release) and does not officially define a 2.0 release.

AI agents are no longer just answering questions – they’re taking action. They’re reading files. They’re modifying systems. And in some cases, they’re making decisions that ripple across an entire enterprise.

That’s why Model Context Protocol (MCP) 2.0 matters.

In a recent episode of STRIVE, Commvault’s thought leadership series on cyber readiness, I sat down with Werner Nel, Principal, Security and AI Intelligence, at Commvault, to unpack what MCP 2.0 really changes – and why security leaders can’t afford to treat it as a minor spec update.

This isn’t a theoretical conversation. It’s a practical look at how enterprises can enable AI innovation without widening their blast radius.

Key Takeaways: What MCP 2.0 Really Changes

• MCP 2.0 marks a shift from AI adoption to accountability.
• OAuth can enable least-privilege access for AI agents.
• Structured schemas may help mitigate prompt injection and abuse.
• Elicitation flows can add critical pause points for high-risk actions.
• MCP 2.0 may help improve security – but doesn’t eliminate risk.
• Understanding agent authority and blast radius is essential.

Why MCP 2.0 Is a Turning Point

MCP 1.x was about adoption.

It gave enterprises a way to connect AI models to real tools and real data. But as Werner explains, that first wave was never designed to answer the hardest question: How do we let AI agents execute real work inside the enterprise – without turning them into a security liability?

MCP 2.0 is the industry’s first serious attempt to answer that question.

Instead of focusing purely on connectivity, it shifts attention to authorization, control, and visibility – three things security teams care deeply about, especially as agents move from read-only assistants to actors with real power.

The Three Security Shifts That Matter Most

1. OAuth comes to MCP. MCP 2.0 introduces OAuth support, giving enterprises a standardized way to assign permissions and enforce least privilege. Instead of relying on vague trust assumptions, agents can be scoped to exactly what they’re allowed to do—and nothing more.
2. Structured schemas help reduce prompt injection risk. Structured schemas act like an allowlist for agent actions. If a tool isn’t explicitly defined in the schema, it won’t execute. This can help reduce prompt injection risk and other manipulation techniques that were easier to exploit in earlier implementations.
3. Elicitation flows add a “pause button.” Elicitation flows can enable workflows to pause mid-execution so a high-risk step may trigger confirmation, validation, or even credential escalation. This can help shift teams from “log and hope” to more deliberate control over sensitive actions.

Sneak Peek: MCP 2.0 in Action

This preview highlights why authority, blast radius, and reversibility are the three most important questions enterprises should be asking as they deploy AI agents.

The Gaps MCP 2.0 Doesn’t Solve (And Why That’s Important)

MCP 2.0 is a big step forward – but it’s not the finish line. As Werner highlights in STRIVE, there are still meaningful gaps enterprises need to account for in real-world deployments.

For example, enterprises still can’t fully cryptographically prove that an MCP server is the authentic original (vs. a clone or modified copy). Similarly, even if the protocol improves authorization and input discipline, organizations still need to think about signing tools and binaries, and about the environment where MCP servers and models run – because a compromise can translate into broad access depending on how it’s deployed.

The takeaway: MCP 2.0 improves the protocol, but organizations still have to make smart decisions about trust, containment, monitoring, and oversight.

A Simple Framework for Evaluating AI Agent Risk

One of the most practical moments in the episode is Werner’s three-question risk lens – something CISOs and architects can apply immediately:

• What authority does my agent have?
• How big is the blast radius?
• How reversible is the action being taken?

These questions help teams move from generic “AI risk” discussions to concrete decisions about permissions, containment, and how to handle high-impact actions that may not be easy to roll back.

Watch the Full STRIVE Episode

This blog only scratches the surface. In the full 20-minute STRIVE podcast, you’ll hear:

• Why MCP 2.0 evolved so quickly.
• What CISOs should prioritize right now.
• Where MCP 3.0 is likely headed.
• How security teams can keep pace as agents become more autonomous.

Watch the full STRIVE episode on the Readiverse.

Go deeper and assess your own readiness.

FAQs

Q: What is MCP 2.0?

A: MCP 2.0 is an updated protocol that governs how AI models interact with enterprise tools and data, with a strong focus on security, authorization, and control.

Q: How is MCP 2.0 different from MCP 1.x?

A: MCP 1.x focused on connectivity and onboarding. MCP 2.0 prioritizes securing those interactions.

Q: Does MCP 2.0 eliminate AI security risk?

A: No. It can help improve security hygiene but must be paired with strong architecture and governance.

Q: What is an elicitation flow?

A: An elicitation flow allows AI workflows to pause for confirmation before executing high-risk actions.

Chris Mierzwa is Senior Director, Portfolio Marketing, at Commvault.

Related Blogs

• The Causal Frontier: Bridging the Gap Between Intelligence and Resilience
• Arlie’s Latest Enhancements: Your New and Improved AI Assistant
• A CIO’s Perspective: Strengthening Business Resilience in the AI Era
• Data Rooms: Unlocking the Power of Trusted Data for AI Innovation