Since the introduction of OpenAI’s ChatGPT in November 2022, there has been a torrent of interest and investment in building and deploying AI technologies, especially the large language models (LLMs) that are the basis for generative AI like ChatGPT. GPT (Generative Pre-trained Transformer) is the underlying language model, and ChatGPT is the chatbot application that was released to showcase it. The technology has been tried in a wide range of industries and applications, from medical imaging interpretation to customer service chatbots, from writing marketing material to personalized teaching plans. It has had mixed results, with a March 2025 survey showing that only about one in six AI projects have made it into production while only a quarter of AI projects have met their return on investment targets. This is partly due to the thorny problem of LLM “hallucination”, where the models produce plausible but fabricated information in response to answers.

To improve the situation, the industry has responded with additional approaches. Retrieval augmented generation (RAG) is where company-specific datasets, such as instruction manuals or company policies, are used to enrich a standard off-the-shelf LLM. These documents are searched (via a vector search to match the user’s question with the most relevant data) and the information retrieved is used to augment the original question to give greater context. This can enable the LLM to provide more meaningful answers, for example, a customer service chatbot that actually knows the customer’s specific order history via an external file. The latest trend is for “agentic AI”, where multiple AI models (agents) are linked together and given autonomy to perform tasks. For example, a chatbot might research a possible holiday for you, checking hotels and flights, while an agentic AI application might take this research and actually book the holiday for you, assuming you give it your credit card details. In practice, there are many issues with this. There have been early attempts to address some of these with the introduction of agentic AI frameworks, though these are in their infancy.

The latest twist in this has been the introduction of an open-source protocol, delivered by Anthropic in November 2024, called Model Context Protocol (MCP). This provides a framework that allows LLMS to connect to multiple tools, APIs and systems. The idea is to provide a single standard that agents can send structured requests to and chain multiple tools together where needed. MCP servers tell the AI what tools they have access to, interpret and run commands, format the results in a way an AI can understand, and handle errors that occur. The protocol acts as an intermediary between AIs and services, and can run locally or over the internet. The protocol has been adopted by a number of companies, including Microsoft in its CoPilot Studio. There are even companies now building tools to help build and manage MCP servers. 

This all sounds good, but there are some serious problems with MCP. MCP servers need to be granted broad security permissions in order to do their job, such as the ability to send email and not just read it. The broader the implementation, the wider access it needs to enterprise systems, a kind of a master key to enterprise data. Given this, you would think that a lot of effort would have been put into ensuring there were robust authentication mechanisms that had been put in place, but you would be wrong. MCP currently has little or no authentication at all built in. One simple example of how this may go wrong is if someone gained access to the OAuth token stored by the MCP server for Gmail, in which case they could set up their own server, access email history, send emails appearing to be someone else, and quietly monitor communication. Since AI assistants interpret natural language commands before sending them to an MCP server, attackers could inject messages including hidden instructions that trigger MCP actions. Such a message read by an AI might, for example, trigger the forwarding of financial documents to an external address.

Enterprises need to be very careful how MCP servers are deployed, ensuring that they are within established security controls and monitoring frameworks. The high level of security access that MCP servers need means that considerable care needs to be spent in monitoring them for suspicious activity. MCP servers can be isolated in dedicated network segments, and web application firewalls should be set to inspect MCP traffic for anomalies. Request tracing needs to be implemented to allow incident analysis and auditing. MCP response can be routed through data loss prevention systems to detect and possibly block sensitive data. There are some general AI security guidelines starting to appear, such as the UK government’s AI Cyber Security Code of Practice, but this does not yet specifically address MCP. The excitement about AI and the high level of investment in it mean that there is perceived pressure to do things as fast as possible, for example, for fear of a competitor acting quicker. However, agentic AI is a new technology, and there are considerable dangers in rushing to implement it without thinking through the risks and challenges. The host of security issues around MCP will doubtless be mediated over time, but any technology that requires administrative access to lots of corporate systems is in itself a juicy target for attackers. Enterprises need to carry out a careful security review of any MCP implementations that they may be introducing, especially since these may be buried within other packaged software applications, so they may not even be aware that they are running.