A rate limit tuned for a human user is no defense against an agent issuing hundreds of tool calls per second. Set rate limits per tool and per caller with bucket policies tuned to the underlying resource each tool consumes, and start every MCP server at minimal read-only scope, elevating privilege incrementally via targeted challenges only when a privileged operation is first attempted.