We Didn’t Build Our Defenses for This
Most companies built security controls for people.
Employees log in. They open apps. They download files. They send emails. The workflow may be messy, but it is familiar.
Agents behave differently.
A single request, “prepare my renewal brief for our top 50 accounts”—can trigger a chain of actions across CRM, product usage data, event attendance, sponsor history, support tickets, finance, Slack, and email. That workflow can create real operating leverage. It can also expose pricing, margin, legal notes, customer commitments, and sponsor terms before anyone notices.
That is why MCP matters, even if many CEOs have never heard of it.
The Model Context Protocol, introduced by Anthropic in 2024, gives AI systems a common way to connect with external tools, data sources, and business systems. Think of it as something like USB-C for agents and enterprise software: one standard connection pattern instead of a pile of custom integrations. Anthropic described MCP as a way to let developers “integrate once” and connect AI systems to multiple data sources; early examples included connections to tools such as GitHub, Slack, Google Drive, and Postgres. (The Verge) The benefit is speed.
The risk is reach.
When agents can reach into business systems, the question changes. It is no longer only, “Did the AI give a good answer?” It becomes: what can this agent access, what can it do, where can it send the output, and who is accountable when it gets it wrong?
From Chatbots to Operators
The first wave of enterprise AI was mostly copy and paste. Employees used chatbots to draft, summarize, classify, or brainstorm. Risk existed, but people still moved the work.
The second wave embedded AI into everyday software. A CRM summarized account notes. A document tool drafted meeting recaps. A marketing platform generated copy. The work became faster, but it mostly stayed inside one application.
The third wave is different.
Agents can retrieve information, choose tools, plan steps, and take action across systems. MCP makes that easier by standardizing how agents connect to those systems.
That is the turning point.
For revenue teams, this is attractive. Agents can prepare account plans, flag churn risk, improve sponsor reporting, enrich attendee profiles, draft campaigns, and clean CRM records.
For security, legal, finance, and the board, this is uncomfortable. The same workflow that improves renewal prep can also combine sensitive data in ways no one approved.
That is the agent + toolbelt problem.
The agent is the actor. The toolbelt is the set of systems, data, permissions, and actions it can use. The risk lives in the combination.
The Commercial Stakes Are Bigger Than “Security”
This is not only a security story.
In media, events, and information services, the highest-value data often sits across many systems: registration, badge scans, session attendance, sponsor engagement, content consumption, community behavior, CRM, CDP, email, ad delivery, finance, and customer success.
Used well, that data can improve segmentation, pricing, renewals, sponsor ROI, and product development.
Used carelessly, it can create contract exposure, customer trust damage, privacy issues, board escalation, and margin leakage.
A sponsor intelligence agent that pulls booth scans, meeting history, campaign engagement, renewal notes, and discount history may create a better account brief. If that same agent posts confidential pricing or legal context into the wrong channel, the business problem is not “AI risk.” It is trust, revenue, and enterprise value.
Where Old Assumptions Break
Old assumption: we know who is acting.
In the old world, a human user took a visible action. In the agent world, one human prompt can trigger dozens of actions through service accounts, tools, APIs, and MCP servers. Auditing only by user and device is no longer enough.
Old assumption: tools are narrow and vetted.
Traditional integrations moved through IT and procurement. MCP lowers the friction. That is useful, but it also means new servers and capabilities can appear faster than the review process can keep up.
Old assumption: actions are easy to follow.
A person runs a report, downloads a file, and sends it. An agent retrieves, summarizes, transforms, posts, updates, and escalates in seconds. The risk is in the sequence.
Old assumption: access controls are enough.
Static permissions tell you what an agent can access. They do not tell you whether the agent’s behavior makes sense in context.
Four Scenarios CEOs Should Recognize
The Helpful Agent That Over-Shares
A sales leader asks an agent to summarize everything known about Client X before a renewal meeting.
The agent pulls the right sales deck. It also finds a margin analysis, a legal exposure memo, and internal notes about pricing flexibility. Then it posts the summary into a broad Slack channel.
The executive consequence: customer trust damage, negotiation leverage lost, and an ugly board question about who approved the workflow.
Prompt Injection Becomes Data Movement
An agent reads support tickets and knowledge articles. One document contains hidden instructions telling the agent to ignore prior rules and export customer records.
If the agent only generated text, this might be a bad answer. If the agent has access to CRM or storage through MCP, it becomes a data movement problem.
OWASP’s 2025 LLM application risk guidance calls out prompt injection, sensitive information disclosure, supply-chain risks, and excessive agency as major risk categories—exactly the set of issues that become more serious when agents can call tools and take action.
The Misconfigured MCP Server
A team installs a community MCP server because it promises faster reporting.
It also exposes functions nobody reviewed, logs poorly, and can call external destinations. The agent trusts the server and uses it.
The executive consequence: a useful shortcut becomes an unmanaged control surface.
The Chained Error
One agent tags customer-facing content. A second agent trusts those tags to decide what can be sent to sponsors or attendees.
One bad tag becomes a mass-send problem.
The executive consequence: a low-risk workflow becomes a customer-facing incident because no one watched the chain.
The New Unit of Risk: Agent + Toolbelt
The model matters. The prompt matters. The user matters.
But the real control point is the combination of agent and toolbelt:
Which agent can call which MCP servers, with which permissions, against which data, for which business purpose, under whose ownership, with what logging, and with what shutdown path?
That is the new risk unit.
MCP installs more doors between rooms. Agents carry the keyrings. The business has to decide which keys they get.
Metrics + Instrumentation
Track this early, before agents spread across the business:
✅ Agent inventory coverage: percentage of production agents with owner, purpose, permissions, data scope, and review date.
✅ MCP server coverage: percentage of connected servers reviewed and approved.
✅ Sensitive data access: when agents touch customer, financial, legal, employee, sponsor, or regulated data.
✅ High-risk actions: exports, external sends, permission changes, deletions, financial actions, or customer-impacting updates.
✅ Anomalous behavior: unusual tool combinations, export spikes, after-hours access, or unexpected destinations.
✅ Containment time: how quickly the company can suspend an agent or disable a server.
✅ Commercial impact: renewal prep time saved, sponsor reporting speed, pipeline influenced, margin protected, and service cost avoided.
Security should not own this alone. The CISO owns risk controls. The CIO owns architecture. The CDO owns data rules. RevOps owns revenue workflow instrumentation. Business leaders own use-case value and accountability.
Ready to Step Into the Revenue Room™?
The ideas in this article are just the starting point. Revenue Room™ brings together CEOs and revenue-critical leadership teams across media, events, data, and information services to align around one growth plan, one scorecard, and one execution cadence—turning data, AI, and operator insight into measurable revenue, margin, and enterprise value outcomes.
Continue the conversation and take the next step:
Check out our event lineup including upcoming Exchange Roundtables, Revenue Room™ Salon: Women Who Accelerate & Lead, and RevvedUP 2027 Apply to Join Revenue Room™ CXO
Become part of the invite-only executive network for CEOs and revenue-critical C-suite leaders building the next era of profitable growth. Learn More About Upcoming Revenue Room™ Bootcamps
Equip your teams with practical, instructor-led programs designed to move from learning to execution. Download Revenue Room™ Playbooks
Access frameworks, templates, and operating tools to help your team assess gaps, prioritize growth moves, and execute with greater speed and clarity.
Latest playbooks
Step into the room where modern growth leaders align, accelerate, compound, and connect.
