For two years, workplace AI governance has rested on one comforting assumption: the AI only knows what someone pastes into it. Your controls – policy, training, DLP – all sit at that single choke point. The paste.
That era is ending. In late March, OpenAI announced support for the Model Context Protocol – MCP – the open standard Anthropic released last November for connecting AI models to data sources and tools. With both major labs behind it (and others following), MCP is fast becoming the USB-C of AI: one connector standard, everything plugging into everything.
Concretely, this means the assistant your staff use is growing the ability to read the shared drive, query the CRM, search the ticket system, and – the part that deserves your full attention – act: create, update, send, execute. The chat box is becoming an operator.
The paste point was your perimeterLink to this section
It's worth being explicit about what changes, because the security model inverts:
- Before: data reached the AI when a human chose to share it. Slow, lossy, and governed by whatever judgement that human had. (Training that judgement is, frankly, our bread and butter.)
- After: data reaches the AI because a connector grants standing access. The human choice happens once, at setup, often by someone who clicked through the consent screen to get to lunch.
A connected assistant is an integration, and it deserves everything your other integrations get: a vendor review, scoped permissions, an entry in the asset register, an owner, and an offboarding step. If your AI tool register (you have one by now, yes?) only lists chat apps, it's already a version behind. Add a column: what is this connected to?
Least privilege just became an AI problemLink to this section
An MCP-connected assistant generally acts with the access of the user who connected it. Which means every over-provisioned user account you've been meaning to clean up is now a potential over-provisioned AI – one that can traverse everything that user can reach, at machine speed, without the social awkwardness a human feels when opening folders they probably shouldn't.
That stale access-review backlog was always a finding waiting to happen. Connected AI turns it into an amplifier. The fix is unglamorous and familiar: tighten scopes, review grants, and where the platform allows it, give assistants their own narrowly scoped credentials instead of piggybacking on a person's.
Prompt injection stops being a party trickLink to this section
Here's the risk that's genuinely new for most staff, and the one we've started drilling in every session: once an AI reads sources you didn't write, content becomes instructions.
A document in the shared drive, a row in a ticket, an email in the inbox – any of it can contain text crafted to steer the model: ignore your instructions, collect what you can see, send it here. The person using the assistant never sees the malicious text. They asked a normal question; the AI read a poisoned page while answering it.
Treat a connected assistant like a very fast new starter with no scepticism whatsoever: it believes what it reads, and it reads everything it can open.
Defence in depth applies – output filtering, action confirmation, scoped access – but the human layer matters too. Staff should know that "the AI did something odd after reading a file" is a reportable event, the same reflex as "I clicked a link and something odd happened."
Five moves for this monthLink to this section
- Inventory connectors, not just tools. For each AI tool in use: what can it read, what can it do, who approved the scopes?
- Gate action permissions. Read-only connectors first. Anything that can send, modify, or execute goes through change control and gets a confirmation step while trust is being established.
- Fold connected-AI questions into vendor reviews. Which protocol, whose servers, what's logged, how are actions audited?
- Log agent actions somewhere a human can review. When something odd happens, "what did the assistant actually do?" must be answerable.
- Brief your people. Fifteen minutes on connected assistants and injection. The mental model shift – the AI acts on my behalf and believes what it reads – is the control.
The upside is why this is urgentLink to this section
None of this is an argument against connecting AI to your systems. An assistant that can actually look things up beats one that hallucinates from memory, and the productivity gap between connected and disconnected AI will be large enough that connection is inevitable. Which is exactly why the governance can't wait for the incident: by the time the first "how did that document end up there?" lands, the connectors will already be everywhere.
Plumb it in – deliberately, scoped, logged, and with a workforce that understands what they've been handed.