MCP Dev Summit Seoul 2026

Most MCP deployments implicitly trust the LLM. If the model says call this tool with these parameters, the server calls it. That trust model is wrong — and at enterprise scale, it is catastrophic. This talk reframes MCP server design through a zero-trust lens: every tool invocation is treated as an untrusted external request that must be authenticated, authorized, validated, rate-limited, and audited independently of who initiated it. I'll demonstrate a zero-trust MCP middleware layer that enforces four controls: (1) per-call JWT audience binding so a tool call valid in one agent context is rejected in another, (2) schema-level input validation with content-addressable allow-lists to prevent prompt injection via tool parameters, (3) capability scoping — tools declare what filesystem paths, network ranges, and data stores they may access, enforced by a policy engine at runtime, and (4) immutable audit logs using append-only signed ledger entries. Live demos include intercepting and blocking a prompt injection attack mid-flight. Code ships as open-source middleware compatible with any MCP SDK.