https://avelino.run/tags/security/Recent content in Security on Thiago AvelinoHugoen-us© AvelinoMon, 06 Apr 2026 18:12:41 -0300https://avelino.run/mcp-governance-token-sprawl/Mon, 06 Apr 2026 00:00:00 +0000https://avelino.run/mcp-governance-token-sprawl/<p>My team adopted MCP fast. I encouraged it — the productivity gains were real and visible. Engineers connecting Sentry, Slack, Grafana, GitHub directly into their workflow, no friction. The kind of thing you want to happen organically.</p> <p>Then one day I asked a simple question: who has a Sentry token? Who has Slack? Grafana?</p> <p>The answer was: everyone. Each engineer had generated their own. No inventory. No rotation policy. No single revocation point. We had traded operational security for developer experience — and nobody had made that trade explicitly. It just happened, one <code>mcp add</code> at a time.</p>