Model Context Protocol (MCP) is the new "universal adapter" for AI. Think of it as giving your AI platform a dynamic toolkit. It turns AI from a passive assistant into an active worker.
But handing AI these tools means you are trusting it to make the right call at the right time. And more importantly, you are trusting whoever built that tool.
What an MCP Server actually is
An MCP Server is a 'tool' that AI can use. It might query another system, or ask another system to take an action. It's very similar to an API, and quite often it's just a wrapper around an existing API.
Here's an example. Say your accounting system has an API for getting the current balance or creating a journal. This requires code to call that API. If that same accounting system had an MCP Server with the same functions, your AI platform could use the MCP Server to access them instead.
The clever bit is what happens next. The MCP Server tells the AI platform what it's capable of doing, and then the reasoning part of the AI platform decides when it's appropriate to call it. You're handing AI a set of tools and trusting it to pick the right one at the right time.
The quality of the reasoning (the thinking) is one concern, is the AI going to make decisions like a qualified accountant, or like a teenager with their first credit card.
The other concern is if the MCP Server is legit. When the AI platform asks it to create a journal, is it going to harvest your data while it does it, or worse?
It's a bit like handing someone your house keys
If you give a tradesperson the keys to your house, you'd want to know who they are, who sent them, and what they're going to do once they're inside. An MCP Server is no different. You're not just plugging in a handy tool, you're giving another party a way into your systems and your data.
So before you connect, three simple rules:
- Only connect to official MCP Servers provided directly by authorised vendors. The vendor who built the system is a very different proposition to a stranger who built a wrapper around it.
- Least privilege: give access to only what they need to do the job. Reduce your risk.
- If you're installing or hosting an MCP Server yourself, put it through the same evaluation you'd use for installing any other application. It's software. Treat it like software.
What can actually go wrong with MCP Servers?
When you use an MCP Server (or an API), three things are worth keeping front of mind:
Data exfiltration. You're giving that party access to all the information you pass to it. Whatever you hand over has left the building.
Unauthorised action execution. If you grant the MCP Server access to your account, it can take any action on your account, whether AI is asking it to do that or not.
Supply chain and dependency vulnerabilities. Plenty of the open-source MCP Servers floating around are completely unvetted. Do you trust who built it? What are their security processes?
So, should you connect to an MCP?
MCP Servers are genuinely useful, and they're going to be everywhere soon. But useful isn't the same as safe. Stick to official, vendor-provided servers, run anything self-hosted through your normal approval process, and be honest with yourself about what data and what actions you're exposing before you flick the switch.
Frequently asked questions
An MCP server is best described as a universal adapter for your AI platform. Unlike a standard API—which requires developers to write custom code for each action—an MCP server advertises its capabilities directly to the AI.
This allows the AI’s reasoning engine to independently decide when and how to use those capabilities, without manual coding for every scenario. In most cases, an MCP server is a robust wrapper around an existing API, translating its functions so the AI can understand and use them effectively.
When integrating with third-party MCP servers, you should be aware of three primary security concerns:
- Data exfiltration: Any information passed to an MCP server leaves your secure environment. If the server is not properly secured or is run by an untrusted party, your sensitive data could be at risk.
- Unauthorised actions: Granting broad access to an MCP server (such as to your accounting or CRM systems) means it could potentially execute any action within those systems, regardless of the AI’s intent.
- Supply chain vulnerabilities: Many open-source MCP servers are unvetted, offering little visibility into their security practices or potential backdoors. This introduces additional risk into your environment.
To protect your business and data, treat every MCP server integration with the same rigour as any new software deployment. Follow these best practices:
- Stick to authorised vendors: Only connect to MCP servers developed and maintained by the official vendors of your core systems. Avoid third-party or community-built wrappers unless they have been thoroughly vetted.
- Apply the principle of least Privilege: Limit the MCP server’s access to only what is strictly necessary for its function. Do not grant broad permissions or access to sensitive data unless absolutely required.
- Perform rigorous evaluations: If you are hosting or installing an MCP server yourself, ensure it goes through your organisation’s standard IT security and application approval processes. This should include code review, penetration testing, and ongoing monitoring.
