There's a quiet shift happening inside most companies, and it's bigger than the one everyone's talking about. AI is moving from something your employees use to something that acts on their behalf — reaching into systems, calling tools, taking steps on its own.

The connective tissue for that shift has a name now: MCP, the protocol that lets an agent plug into your real tools and data. A year ago it was an obscure technical term. Today it's on every executive agenda and was one of the most-submitted topics at this year's RSA. The reason is simple — it's the thing that turns a clever model into an agent that can actually do something in your environment.

Here's the part nobody put in the rollout plan. MCP was built for interoperability, not security. There's no governance at the protocol level. Each connection a server makes quietly accumulates credentials for every service it touches, which turns a single compromise into broad access. The first malicious MCP package surfaced last September and exfiltrated email data for two weeks before anyone caught it. The NSA has since published guidance on the failure modes. This is not theoretical anymore.

So picture what most companies actually have right now: a growing fleet of agents, wired into production systems over the last two quarters, each one a door into the business — and no log of who opened which, on whose authority, to do what.

The reflex is to hand this to the security team as a bolt-on. That's the wrong frame, and it will always be a step behind. Governance can't be a quarterly project that describes a company which no longer exists by the time it's written. It has to be a byproduct of how you run the thing day to day. If you're actually managing your AI — routing the high-stakes actions through a human, knowing which agent did what — the audit trail falls out the bottom for free. The record isn't extra work. It's the exhaust of operating properly.

And the record is the whole game. The first time an agent does something expensive — and at scale, one will — the question in the room won't be how it happened. It'll be who let it. Most companies won't be able to answer, not because no one is responsible, but because no one can reconstruct it: which agent acted, on whose permission, with what instruction, against which system. The trail isn't there.

One trap worth naming, because a lot of money is about to chase it. Vendors are racing to own the MCP plumbing — the gateway, the pipe. That layer will commoditize, the way pipes always do. The durable thing was never connecting the agents. It's the accountable record of what flowed through: an honest, cross-provider read on what your AI is doing, who stood behind it, and whether it was a good idea.

The "it'll govern itself" assumption is going to age exactly as well as "it'll deploy itself" did. You can't govern what you can't see — and you increasingly can't see it, because it's no longer your people clicking buttons. It's agents, acting, behind a door you never logged.

— Tobias

Keep reading