AI

The Model Context Protocol: Giving AI Agents Safe Access to Enterprise Systems

MCP is the missing standard that lets AI agents actually do work in the enterprise — safely, auditably, and without a bespoke integration for every tool.

All posts
3 min read8 Jul 2026

Every enterprise that gets excited about AI agents hits the same wall within a fortnight: the agent can reason beautifully, but it can't do anything. It has no safe, standard way to query the warehouse, open a ticket, or read the data catalogue. So teams start hand-wiring integrations — one brittle adapter per tool — and the promise of autonomy quietly drowns in glue code.

The Model Context Protocol (MCP) is the standard that fixes this. It's the piece I now reach for first when I'm designing an agentic system for a large organisation.

What MCP actually is

MCP is a simple, open protocol that sits between an AI agent and the tools, data sources, and actions it needs. Instead of teaching every agent how to talk to every system, you expose each system once as an MCP server — a small, well-defined interface that says: here are the tools I offer, here's what each one does, here are the inputs it expects.

Any MCP-aware agent can then discover and use those tools. One integration, reusable everywhere. Think of it as USB for AI tooling: a common port replaces a drawer full of proprietary cables.

Why it matters for the enterprise specifically

Consumer AI can afford to be loose. Enterprise AI cannot. The value of MCP isn't just convenience — it's that it gives you the three things a regulated organisation actually needs:

  • A narrow surface area. Each MCP server exposes a deliberate, minimal set of tools. The agent can do exactly those things and nothing else. That constraint is the security model.
  • Auditability. Every tool call is a discrete, loggable event with structured inputs. When an agent touches production, you have a complete trail of what it did and why.
  • Separation of concerns. The team that owns the warehouse owns its MCP server and its permissions. The agent team doesn't get a backdoor — they get a contract.

How I design an MCP integration

When I bring MCP into an enterprise agent system, I follow a few hard rules:

Read and write are not equal. Read-only tools (query the catalogue, profile a table, fetch lineage) can be broadly available. Anything that mutates state — writing data, closing a ticket, triggering a pipeline — goes behind explicit human approval, at least until the system has earned trust.

Tools should be intention-shaped, not API-shaped. A good MCP tool is find_owner_of_dataset, not run_arbitrary_sql. The narrower and more semantic the tool, the safer the agent and the better its reasoning.

Everything is observable. I wire MCP calls into the same tracing and logging that the rest of the platform uses. An agent's actions should be no more mysterious than a microservice's.

Where it fits with LangGraph and friends

MCP handles access; an orchestrator like LangGraph handles control flow. In the systems I build, a LangGraph workflow decides what to do next — plan, retry, branch, escalate — and reaches for MCP tools whenever it needs to touch the outside world. The two compose cleanly: one is the agent's nervous system, the other its hands.

The takeaway

The hard part of enterprise agents was never the intelligence — it was safe, standard access to the systems where the real work lives. MCP turns that from a pile of bespoke integrations into a governed, reusable interface. If you're serious about putting agents into production behind the firewall, it's the foundation I'd start from.

Related reading: Building Autonomous Data Platforms with Agentic AI.

#MCP#Agentic AI#LangGraph#Enterprise
Share

Get new essays in your inbox

Occasional notes on AI engineering and data architecture. No spam, ever.