Discover the Model Context Protocol (MCP), an open standard to securely connect LLMs with enterprise data, overcoming integration and governance challenges.
Introduction: The Enterprise Data Maze and the LLM Paradox
Consider a seemingly simple business question posed to a mid-level manager: “What was our total Q3 spend with vendors associated with Project ABC, and did any of those invoices contain non-standard payment terms?” In a typical enterprise, answering this question is not a simple query; it is an “archaeological expedition.” The journey might involve logging into an ERP system for payment data, navigating a separate document management system for PDF invoices, searching through shared drives for contracts, and trawling email archives for related communications. This process, often taking a team of analysts days or even weeks, highlights a fundamental truth of modern business: enterprise data is a chaotic maze of silos, fragmentation, and unstructured formats. An estimated 80-90% of all new enterprise data is unstructured, locked away in forms that are difficult to govern, search, and analyze.
Into this complex landscape enters the Large Language Model (LLM), a technology promising to understand language, reason through problems, and automate complex tasks. Yet, a challenging paradox emerges when these powerful models are deployed within an enterprise context. Their most impressive capabilities are blunted by a set of inherent limitations that are magnified by the realities of corporate IT environments.
- The Knowledge Cutoff and Context Window: LLMs are trained on vast but static snapshots of public internet data. They have no intrinsic knowledge of a company’s internal operations, sales figures, or proprietary data. Furthermore, they can only process a limited amount of information at once – a “context window” that, while growing, remains a mere thimble against the terabytes of data in a typical enterprise. This creates a functional brick wall, preventing the model from seeing the full picture required for meaningful analysis.
- The Hallucination Risk: LLMs are probabilistic models that can generate plausible-sounding but factually incorrect information, a phenomenon known as “hallucination”. While a minor annoyance in a creative writing task, this becomes a catastrophic liability when dealing with financial reporting, legal contracts, or customer data, where precision and accuracy are non-negotiable.
- The Integration Nightmare: Connecting an LLM to the myriad of enterprise systems (ERPs, CRMs, databases) currently requires a bespoke, brittle, and insecure approach. Developers must write custom code for every data source and every tool the LLM needs to interact with, leading to a patchwork of one-off solutions that are difficult to maintain, scale, and govern. This creates a classic “N x M” problem: for N language models and M data sources, N×M custom adapters are required. The constant evolution of libraries and APIs only exacerbates this maintenance burden.
- The Security and Governance Black Hole: The “black box” nature of many LLMs poses a fundamental challenge to enterprise security and compliance teams. How can an organization grant an LLM access to its sensitive financial data without giving it carte blanche? How can its actions be audited to satisfy regulators? Without clear answers, deploying LLMs in regulated industries remains a high-risk proposition.
This leads to the current state of enterprise AI: a world of expensive, hard-to-maintain, and insecure custom solutions. Teams build complex Retrieval-Augmented Generation (RAG) pipelines and craft agents with custom toolsets, attempting to solve these problems in a piecemeal fashion. However, these approaches often fail to address the root issue. The core challenge is not just about using LLMs; it’s a collision of two massive, independent problems:
- the inherent architectural limitations of LLMs
- and the pre-existing chaos of enterprise data management.
A small context window is a theoretical constraint, but it becomes a practical disaster when the necessary data is scattered across a thousand SharePoint sites. The tendency to hallucinate is a known bug, but it becomes a five-alarm fire when the ground truth it needs is locked in an un-versioned PDF contract. This vicious cycle – where LLMs are needed to make sense of the data mess, but the data mess prevents their safe deployment – demands a more fundamental, protocol-level solution. The move towards these more capable, autonomous systems is a core part of what is explored in The Architect’s Guide to Enterprise Agentic AI.
1. The “USB-C Moment” for AI: A Plain-English Guide to the Model Context Protocol
Before the advent of USB-C, the world of electronics was a tangled mess of proprietary chargers and data cables. Every device had its own unique connector, creating frustration for users and complexity for manufacturers. USB-C introduced a single, open standard that “just works,” simplifying connectivity and fostering an ecosystem of interoperable devices. The Model Context Protocol (MCP) aims to be the “USB-C for AI,” creating a universal standard for connecting intelligent models to the world of enterprise data and tools. It acts as a “universal remote” for your AI applications.
At its core, MCP is an open protocol designed to standardize how applications provide context to LLMs. It is not another AI model, a proprietary platform, or a specific application. Instead, it is a shared language – a set of rules for communication – that allows any MCP-compliant application to seamlessly connect with any MCP-compliant data source or tool. This simple but powerful idea represents a fundamental paradigm shift in how enterprises can approach AI integration.
The value of this shift is best understood by comparing the day-to-day reality of enterprise workflows “without MCP” to the streamlined, intelligent possibilities “with MCP.” For the ordinary clerks and analysts who grapple with information retrieval and processing daily, the difference is transformative.
| Challenge | “Without MCP” (The Old Way) | “With MCP” (The New Way) |
|---|---|---|
| Fuzzy Search: “Find recent invoices from XYZ Corp that mention ‘Project ABC’.” | A clerk manually searches the ERP system for “XYZ Corp,” exports a list, then searches the document management system for PDFs containing “Project ABC,” and finally cross-references the two lists. A developer might build a custom RAG pipeline that indexes documents into a vector database, but this system is disconnected from live ERP data and cannot take further action. | The user asks an AI assistant integrated with an MCP Client. The client connects to an ERP Server and a Document Server. The LLM can dynamically construct and execute a precise search across both systems for “XYZ Corp” and “Project ABC” in parallel. It receives a unified list of results, complete with links to the source documents and ERP entries, and can summarize the findings or prepare them for further action. |
| Document Conversion:“Convert this PDF invoice into a new entry in our ERP system.” | A clerk opens the PDF on one screen and the ERP interface (e.g., SAP, Oracle NetSuite) on another, manually re-typing data like vendor name, invoice number, amount, and date. This process is slow, tedious, and highly susceptible to human error. An OCR tool might extract the text, but it still requires manual verification, correction, and entry into the structured ERP form. | The user provides the PDF to the AI assistant. The LLM calls a tool like convert_pdf_to_markdown from a dedicated service (like the community “MarkltDown MCP” service) to get clean text. It then discovers a create_invoice Tool provided by the ERP’s MCP Server (e.g., for SAP). The tool’s schema defines the required fields. The LLM intelligently extracts the corresponding data from the text and prepares to call the tool. The user is presented with a single, clear dialog: “Create invoice for XYZ Corp for $15,250?” and clicks “Approve”. |
| Data Aggregation & Analysis: “Summarize our weekly sales from Salesforce and compare it to our inventory levels in NetSuite.” | An analyst exports a CSV file from Salesforce and another from NetSuite. They open a spreadsheet or BI tool, clean and merge the two datasets, build a pivot table, and create a chart. The entire process is manual, requires specialized skills, and the resulting report is static and outdated the moment it is created. | The user asks the question in plain language. The MCP Client connects to a Salesforce Server and a NetSuite Server. The LLM uses Resources to pull live sales and inventory data from both systems. It performs the comparison within its reasoning context, generates a concise summary with key insights, and can even use a send_report Tool from an Email Server to share the findings with the management team, all in a matter of seconds. |
This comparison illustrates that MCP is not merely an incremental improvement. It fundamentally changes the nature of human-computer interaction in the enterprise. It transforms static, siloed applications into a dynamic, interoperable ecosystem where complex, cross-system workflows can be orchestrated through natural language, moving the burden of integration from human labor and brittle code to a standardized, intelligent protocol.
Key Benefits of MCP
In a nutshell, the protocol delivers several core advantages for enterprise architecture:
- Standardized Integration: Define tools and resources once, and any compliant LLM can use them. This eliminates the N×M connector nightmare, reducing duplicated effort and brittle integrations.
- Richer AI Workflows: Agents can perform actions by calling tools, not just retrieve text. This moves beyond static RAG to enable dynamic, multi-step tasks that can interact with and change the state of enterprise systems.
- Context Efficiency: By allowing the AI to request specific information on demand, MCP solves the context-window limitation. The model never has to ingest entire terabyte-scale reports; it just asks for the precise fields it needs to answer a query.
- Audit & Traceability: Every MCP call can carry metadata, allowing every answer to cite its source. If an AI reports a financial ratio, the server can specify exactly which line items and reporting period were used, providing crucial traceability for compliance and trust.
- Vendor Neutrality: Because it is built on the open JSON-RPC protocol, MCP works with any LLM and any data source, including SQL, NoSQL, REST, and even legacy systems.
2. The MCP Framework: A Solution Architect’s At-a-Glance
To appreciate how MCP achieves this transformation, a solution architect must look beneath the surface at its core components and design principles. The protocol is built on a host-client-server model, where a Host Application (like an IDE or a chat interface) instantiates an MCP Client to communicate with one or more MCP Servers. These servers, in turn, expose the capabilities of backend systems like databases or enterprise applications. Communication occurs over standard transports like STDIO for local servers or HTTP+SSE for remote ones, using a JSON-RPC connection. The entire interaction is governed by a versioning scheme using date-stamped strings (e.g., 2025-06-18) that clearly delineates backward-incompatible changes, ensuring stable and predictable interoperability.
---
config:
theme: "base"
---
flowchart TB
classDef main stroke:#233256,stroke-width:2px;
subgraph MCP_Host["MCP Host (AI Application)"]
MCP_Client1["MCP Client 1"]
MCP_Client2["MCP Client 2"]
MCP_Client3["MCP Client 3"]
end
MCP_Client1 -->|One-to-one<br>connection| MCP_Server1["MCP Server 1<br>(e.g., SAP ERP)"]
MCP_Client2 -->|One-to-one<br>connection| MCP_Server2["MCP Server 2<br>(e.g., Filesystem)"]
MCP_Client3 -->|One-to-one<br>connection| MCP_Server3["MCP Server 3<br>(e.g., Database)"]
class MCP_Host main
This architecture is designed around a principle of delegated trust with human-in-the-loop verification. Unlike traditional API-driven automation that relies on pre-configured, static trust (like an API key with broad permissions), MCP consistently pushes the final decision-making authority to the human user via the client application. This design choice directly addresses the primary enterprise fears surrounding AI: the loss of control, the lack of explainability, and the challenge of auditability.
--- config: theme: "base" --- sequenceDiagram participant LLM as LLM box LightGrey human-in-the-loop participant User as User participant Client as Client end participant Server as Server autonumber Note over Client, Server: Server initiates sampling Server ->> Client: sampling/createMessage Note over User, Client: Human-in-the-loop review Client ->> User: Present request for approval User -->> Client: Review and approve/modify Note over LLM, Client: Model interaction Client ->> LLM: Forward approved request LLM -->> Client: Return generation Note over User, Client: Response review Client ->> User: Present eresponse for approval User -->> Client: Review and approve/modify Note over Client, Server: Complete request Client -->> Server: Return approved response
The Server Side: Exposing Enterprise Capabilities as Services
An MCP Server acts as a bridge, exposing the data and functions of a specific domain – be it a file system, an email service, or a complex ERP system – to the AI application in a standardized way. Servers provide these capabilities through three core building blocks:
- Resources: The “Nouns” of the Enterprise. Resources are how a server exposes data for an LLM to consume as context. They are identified by URIs and can be either static or dynamic.
- Direct Resources have a fixed URI, like
file:///path/to/annual_report.pdf, providing a direct link to a specific piece of information. - Resource Templates are more powerful, using parameterized URIs like
erp://invoices/{customer_id}?status=paid. This allows the LLM to query for dynamic, filtered information, effectively turning a static data source into a searchable API. An application can discover these templates and provide them to the model, which can then reason about how to fill in the parameters to get the context it needs.
- Direct Resources have a fixed URI, like
- Tools: The “Verbs” of the Enterprise. Tools are how a server exposes actions that an LLM can request to be performed. Each tool represents a single, well-defined operation, such as
createCalendarEventorsendEmail.- Schema-Defined: Every tool is defined by a JSON Schema, which specifies its name, purpose, and its expected inputs and outputs with strong typing. This makes tools discoverable and self-documenting.
- User-Approved Execution: This is a critical security feature. An LLM cannot execute a tool autonomously. It can only request that a tool be called. The MCP Client must present this request to the human user for explicit approval, typically through a dialog box. This ensures that any action that mutates data, incurs cost, or has external side effects is explicitly sanctioned by a human.
A simple tool implementation in Python might look like this, where the @mcp.tool decorator registers the function with the server:
@mcp.tool
def get_orders_above(min_amount: float, start_date: str, end_date: str) -> List[Order]:
# Query the orders database behind the scenes
query = "SELECT * FROM orders WHERE date >=? AND date <=? AND total >=?"
return db.fetch(query, (start_date, end_date, min_amount))
- Prompts: Reusable Interaction Templates. Prompts are pre-packaged recipes for interaction, defined by the server author. They guide the user toward common, high-value workflows. For example, a travel server might offer a
/plan-vacationprompt that defines arguments fordestination,budget, andinterests. When a user invokes this prompt, it provides a structured starting point for a complex task, ensuring the LLM receives the necessary information to use the server’s resources and tools effectively.
The Client Side: The User’s Trusted Command Center
The MCP Client is more than just a passive messenger; it is the user’s trusted agent in the interaction. Managed by the host application, it not only connects to servers but also provides a set of powerful features that enable a more secure, interactive, and intelligent experience.
- Roots: The Filesystem Sandbox. Roots are a simple but crucial security primitive. When connecting to a server that interacts with the filesystem, the client can specify a list of “root” directories (e.g.,
file:///Users/jane/project_alpha/). This tells the server, “You are only allowed to operate within these boundaries.” It prevents a server from attempting to read sensitive system files or access unauthorized areas, enforcing the principle of least privilege at the filesystem level. - Elicitation: The Interactive Clarification Mechanism. Elicitation is a game-changing feature that solves the ambiguity inherent in many automated processes. When a server encounters a situation where it lacks sufficient information to proceed – for instance, a tool call is missing a required parameter, or a search query returns multiple possible matches – it can pause its operation and send an
Elicitationrequest back to the client. The client then presents a structured question to the user (“Which of these two ‘XYZ Corp’ entities do you mean?”). This turns a potential workflow failure into a simple, interactive clarification, making the entire system more robust and user-friendly. - Sampling: The Secure “Phone-a-Friend” for AI Tasks. Sampling allows a server to leverage the client’s LLM capabilities without needing its own AI model, API keys, or billing relationship. A server can send a
Samplingrequest to the client, asking it to perform an AI-dependent task like “Summarize this technical document” or “Translate this customer email into English”. The security implications are profound:- Isolation: The sampling request is processed in a separate, isolated context. The server has no access to the user’s main conversation history.
- User Consent: The client must show the user exactly what the server wants to analyze and why, requiring explicit approval before the request is sent to the LLM. The user also reviews the AI’s response before it is sent back to the server.
- This “delegated AI” model puts the user and their client application in complete control, ensuring that server-initiated AI interactions cannot compromise security or privacy.
By combining these server- and client-side primitives, MCP creates an architectural framework where an LLM can propose a complex, multi-step workflow, but each step that mutates data or interacts with the outside world is a discrete, auditable, and user-approved action. This is a fundamentally more secure and governable paradigm for enterprise AI.
3. [Business Case] The XBRL Revolution: Streamlining the Complexities of Financial Reporting
ℹ️ Note
On a personal note, I’ve spent a significant amount of time working in the RegTech (regulatory technology) and SupTech (supervisory technology) domains, particularly with the intricacies of XBRL. It’s a field ripe for innovation, and I’m excited to share how the combination of MCP, AI, and LLMs can be a game-changer for financial reporting preparation, supervision, and analysis.
To see the true power of MCP’s architectural primitives, one must apply them to a genuinely difficult enterprise problem. There is perhaps no better example than the world of financial reporting and the eXtensible Business Reporting Language (XBRL).
The Problem: Navigating the XBRL Complexity
XBRL is the global standard for digital business reporting, mandated by regulators like the U.S. Securities and Exchange Commission (SEC) and in the European Union by the European Securities and Markets Authority (ESMA) for public company filings. While intended to make financial data consistent and machine-readable, its implementation has created a significant burden for enterprises. The process is notoriously complex and error-prone. Analysis of public filings has revealed thousands of problems, from incorrect signs on values to missing concepts.
The core challenge lies in tagging: the process of mapping human-readable financial concepts from a company’s statements to the correct digital tags within a vast, hierarchical dictionary known as a taxonomy. The US GAAP Taxonomy, for example, contains over 17,000 distinct concepts, while its European counterpart, the European Single Electronic Format (ESEF) taxonomy, is based on the International Financial Reporting Standards (IFRS) as adopted by the EU. This complexity leads to common, recurring errors. Data from XBRL US shows that “invalid member axis combinations” – where a financial concept is incorrectly categorized – account for over a third of all identified errors. The second most common mistake, accounting for over 12% of errors, is the “negative value error,” where a value that should be positive (like revenue) is entered as a negative number, or vice-versa.
While AI-powered tools have emerged to assist with this tagging burden, they often function as “black boxes”. They can still make significant mistakes, especially with new or complex reporting standards, and their lack of explainability makes it difficult for auditors to trust their output. This requires painstaking manual validation and correction, undermining much of the promised efficiency. As a result, many investors and analysts still consider the XBRL data to be less reliable than the traditional plain-text filings, defeating the standard’s primary purpose.
The MCP-Powered Solution: A Conversational Approach to Compliance
An MCP-based architecture can revolutionize this process, transforming it from a rigid, error-prone task into a collaborative, conversational workflow between a financial analyst and an intelligent assistant. As XBRL experts note, this allows financial professionals to simply ask natural language questions like, “Compare the liquidity ratios of these companies over the past year,” and receive immediate, accurate responses without wrestling with technical tools. This is achieved by building a dedicated “XBRL Compliance Server” that exposes the complexities of XBRL through the simple, secure primitives of MCP.
A modern architecture for this solution might involve multiple layers:
- a dedicated database for XBRL facts,
- a clean query API on top of it,
- an MCP server acting as a communication layer,
- and finally the LLM-based analysis layer that provides the conversational interface.
The MCP server becomes the crucial translator, routing requests between the AI and the structured data.
- Taxonomies as
Resources: The server exposes the entire XBRL taxonomy not as a static file to be downloaded, but as a dynamic, queryableResource. An analyst could ask the AI assistant, “What is the appropriate tag for revenue we recognize over the life of a customer subscription?” The LLM, using a resource template likexbrl://taxonomy/us-gaap/{concept_description}, can search the taxonomy for relevant definitions, presenting the top three options with their official descriptions and relationships to other concepts. This empowers the analyst to make an informed decision rather than guessing. - Tagging and Validation as
Tools: The server provides a set of hardenedToolsfor interacting with the filing. Instead of allowing an LLM to “write” raw XBRL – a risky proposition – it can only call validated tools likeapply_tag(concept, value, context_id)andvalidate_filing(). The business logic for correct tagging is encapsulated on the server. For example, the server’sapply_tagtool can contain logic to prevent the most common errors, like invalid member-axis combinations, before they are ever committed to the document. - Solving Ambiguity with
Elicitation: This is the killer feature for tackling XBRL’s most persistent problems. Consider the common negative value error. When an analyst provides a negative value for a concept likeCommonStockValue, which is expected to be positive, theapply_tagtool on the server would detect this mismatch. Instead of failing silently or accepting the incorrect data, it would trigger anElicitationrequest back to the client. The analyst would see a simple, plain-English prompt: “The concept ‘CommonStockValue’ is typically a positive number. You provided a negative value. Did you intend to apply a negated label to flip the sign for presentation?”. This transforms a frequent and critical error into a simple, interactive clarification at the point of entry. - Human Oversight via
Sampling: For a final review, the analyst could invoke a prompt like/audit-filing. The XBRL server could then use theSamplingprimitive to securely send the context of the entire filing to the client’s powerful LLM, with the instruction: “Act as a senior financial auditor. Review this XBRL filing for potential inconsistencies, logical errors, or deviations from standard accounting principles”. The LLM provides a final layer of AI-powered analysis, but its findings are presented to the human expert for final review and sign-off, maintaining a clear audit trail and human accountability.
This approach, detailed in the table below, directly addresses the most significant pain points of the XBRL process. The existence of open-source projects like an SEC EDGAR MCP server, which taps official filings to answer questions in real-time, demonstrates that this model is not just theoretical but practical and already being implemented.
| XBRL Challenge | Traditional Approach / AI Limitation | The MCP Solution |
|---|---|---|
| Incorrect Tag Selection | An analyst manually searches a massive taxonomy PDF or website. A simple AI might suggest a tag, but with no explanation or context, leading to low confidence and a need for manual verification. | The LLM queries the official taxonomy definitions via a server Resource. It compares the financial statement’s text to the tag definitions, presenting the top 3 choices with explanations, allowing the analyst to make an informed, confident decision. |
| Invalid Member-Axis Combination | This is the most common error, often caught only during a final validation check, forcing costly rework and delaying the filing process. | The LLM calls a validate_combination Tool on the server before applying the tag. The XBRL server’s internal logic contains the rules to prevent this entire class of error. The invalid action is blocked at the source, before it’s even committed. |
| Negative Value Errors | An analyst inputs a negative number where a positive is expected, or vice-versa. This critical error leads to incorrect data interpretation by regulators and investors. | The apply_tag Tool logic on the server detects the potential sign mismatch. It uses Elicitation to ask the user for clarification in plain English, preventing the error by turning ambiguity into a simple, interactive choice. |
| “Black Box” AI & Lack of Trust | An AI tool auto-tags the report, but the process is opaque. Auditors cannot trace why a specific tag was chosen, making it difficult to rely on the output for compliance. | Every single tag application is a discrete, user-approved Tool call. The entire process is transparent and auditable. The LLM’s “thought process” can be logged, and the final approval for every data-mutating action rests with the human expert. |
| Taxonomy Updates & Versioning | Managing updates to taxonomies is a manual, resource-intensive process. Teams must ensure they are using the latest version and correctly migrating tags. | The XBRL server is the single source of truth for taxonomies. When a new version is released, the server’s Resources are updated once. All clients automatically gain access to the latest version without any local changes or installations. |
4. Integrating MCP into Your Architecture
The promise of a technology like MCP can only be realized through a pragmatic and well-designed integration strategy. Enterprise architects do not have the luxury of working in a “greenfield” environment; new technologies must be woven into the complex, existing fabric of legacy systems, cloud services, and established security postures. A successful MCP rollout requires thinking strategically about architectural patterns, governance, and phased adoption.
Architectural Patterns for MCP Deployment
Instead of treating MCP as a standalone system, it should be integrated using proven enterprise integration patterns to ensure scalability, security, and maintainability. Building systems of multiple agents communicating via MCP introduces a host of classic distributed systems problems, as explored in Agentic AI: The Distributed Systems Challenges You Didn’t Know You Had.
The API Gateway Pattern
In any large enterprise, there will not be one MCP server, but many: a server for the ERP, one for the CRM, another for the HR system, and so on. To manage this complexity, an API Gateway (such as AWS API Gateway, Azure API Management, or a service mesh like Istio) should be placed as a single, unified entry point for all MCP traffic. This central gateway handles cross-cutting concerns that are essential for enterprise-grade operations. It can manage authentication and authorization, ensuring only valid users and clients can access the MCP ecosystem. It can enforce rate limiting to prevent abuse, provide centralized logging for observability, and route incoming requests from various clients to the appropriate backend MCP server. This pattern provides a crucial layer of control and visibility over the entire MCP landscape.
---
config:
theme: "base"
---
flowchart TD
subgraph Clients
A[Web App]
B[Mobile App]
C[External Partner]
end
subgraph Gateway[API Gateway]
G1[Authentication & Authorization]
G2[Rate Limiting]
G3[Centralized Logging]
G4[Routing to MCP Servers]
end
subgraph MCP_Servers[MCP Ecosystem]
ERP[ERP MCP Server]
CRM[CRM MCP Server]
HR[HR MCP Server]
end
A --> Gateway
B --> Gateway
C --> Gateway
Gateway --> ERP
Gateway --> CRM
Gateway --> HR
style Clients fill:#e8ffe8,stroke:#007f3f,stroke-width:2px
style Gateway fill:#ffefdb,stroke:#d27b00,stroke-width:2px
style MCP_Servers fill:#dbf3ff,stroke:#0077b6,stroke-width:2px
The Adapter Pattern
Enterprises are filled with legacy systems – on-premise databases, and older applications – that cannot be easily rewritten. The Adapter Pattern provides a powerful way to bring these valuable assets into the modern AI ecosystem. An architect can design an MCP server that acts as an adapter, wrapping the legacy system’s non-standard interface. This adapter server exposes standard MCP Tools and Resources. Internally, it translates a modern MCP Tool call, like get_customer_record(id: 123), into the specific format the old system understands, whether that’s a SOAP request, a message queue entry, or a direct database query. This allows the organization to unlock the data and functionality within its legacy systems without undertaking a risky and expensive modernization project.
---
config:
theme: "base"
---
flowchart TD
subgraph Modern_AI_Ecosystem[Modern AI Ecosystem]
C1[Client App or AI Agent]
T1[MCP Tool, e.g. get_customer_record]
end
subgraph AdapterMCP[Adapter MCP Server]
A1[Exposes Standard MCP Tools & Resources]
A2[Translates MCP Tool Calls]
end
subgraph Legacy[Legacy System]
L1[Non-Standard Interface]
L2[On-Prem Database / Older Application]
end
C1 --> T1
T1 --> AdapterMCP
AdapterMCP -->|SOAP / MQ / Direct DB Query| Legacy
style Modern_AI_Ecosystem fill:#e8ffe8,stroke:#007f3f,stroke-width:2px
style AdapterMCP fill:#ffefdb,stroke:#d27b00,stroke-width:2px
style Legacy fill:#dbf3ff,stroke:#0077b6,stroke-width:2px
The Event-Driven / Pub-Sub Pattern
Not all AI-driven workflows need to be initiated by a human user in real-time. Many business processes are triggered by asynchronous events. Using an Event-Driven Architecture, an organization can automate MCP workflows. For example, a new invoice PDF landing in an S3 bucket or Azure Storage could trigger an event notification. This event could invoke a serverless function (e.g., AWS Lambda or Azure Functions) that acts as an MCP Client. The function would then initiate a workflow with the relevant MCP servers – perhaps a Document Server to read the PDF and an ERP Server to create an invoice entry – all without direct human intervention. This pattern is ideal for high-volume, automated data processing tasks.
---
config:
theme: "base"
---
sequenceDiagram
participant S as Event Source<br>(S3 Bucket / Azure Storage)
participant E as Event Notification System
participant F as Serverless Function<br>(AWS Lambda / Azure Function)
participant D as Document MCP Server
participant ERP as ERP MCP Server
S->>E: New invoice PDF uploaded
E-->>F: Send event notification
F->>D: Invoke tool - extract PDF data
D-->>F: Return extracted data
F->>ERP: Create invoice entry with extracted data
ERP-->>F: Acknowledge invoice creation
F-->>E: Workflow completed
A Governance and Security Framework for MCP
Winning the trust of the CISO and compliance officers is paramount for any new technology that touches enterprise data. MCP’s design provides the hooks needed to build a robust governance framework. The key is to recognize that MCP provides a missing application layer for AI governance. While traditional security focuses on controlling access to data stores and networks, MCP allows for the governance of an AI agent’s behavior.
- Mapping MCP to Core Governance Principles:
- Principle of Least Privilege (PoLP): This principle is enforced at multiple levels.
Rootsrestrict filesystem access to designated sandboxes.Toolsexpose only specific, approved business functions, not the entire underlying API of a system. An LLM can’t call an undocumented or unauthorized function because it simply isn’t exposed by the MCP server. This aligns with standard security best practices of ensuring users and systems only have the access necessary for their roles. - Role-Based Access Control (RBAC): While MCP itself doesn’t define roles (at least yet), it is designed to be used in conjunction with systems that do. The API Gateway fronting the MCP servers is the natural place to enforce RBAC. Policies can be configured to state that users in the “Finance” group can access the “ERP Server” and “XBRL Server,” while users in the “Sales” group can access the “CRM Server,” but not vice-versa. MCP communication can leverage standard OAuth flows, allowing enterprises to manage authentication, scopes, and secrets just as they would for any other modern API integration. For a deeper dive into these topics, see The Essential Guide to Modern Access Management.
- Auditing and Traceability: The human-in-the-loop design creates a powerful audit trail. Every call to a data-mutating
Toolcan be logged with a rich set of metadata: who requested the action, what the exact parameters were, when it was requested, and crucially, that it was explicitly approved by a named user. This level of traceability is essential for meeting compliance requirements like GDPR and SOX.
- Principle of Least Privilege (PoLP): This principle is enforced at multiple levels.
- Human-in-the-Loop as a Security Control: It is impossible to overstate the importance of this design principle. By making human approval a first-class citizen of the protocol via
Toolapproval,Elicitation, andSamplingconsent, MCP provides the ultimate defense against runaway AI agents or the malicious use of AI to orchestrate harmful actions. Governance is no longer just about static permissions on data; it’s about real-time, context-aware permission for actions. An architect can design a policy stating: “The AI agent mayread_customer_datafreely, but any call to thedelete_customer_datatool requires multi-factor user approval and must be logged to the security event information and management (SIEM) system.” This represents a fundamental step forward in safely deploying intelligent agents within the enterprise.
A Phased Adoption Strategy
---
config:
theme: "base"
---
timeline
title MCP Phased Adoption Strategy
section Phase 1. Identify High-Value, Low-Risk Use Case
Goal: Demonstrate power of unified data access without touching critical data : Catalog APIs and databases for the "Fuzzy Search" use case : Choose or build necessary MCP servers (e.g., file system, SQL)
section Phase 2. Introduce Action-Oriented Tools and Iterate
Goal: Show measurable ROI by automating workflows (e.g., XBRL tagging, PDF-to-ERP) : Integrate MCP client into host application : Implement OAuth scopes and secure sensitive operations : Add logging for all tool calls : Refine LLM prompts to optimize tool usage
section Phase 3. Scale and Federate
Goal: Scale ecosystem and empower business units to build MCP servers : Establish center of excellence for MCP adoption : Place all MCP servers behind central API Gateway : Encourage development of multiple client applications : Prepare for official MCP server registry for easier discovery
A “big bang” rollout of a foundational technology like MCP is unwise. A more pragmatic, phased approach is recommended to build momentum, demonstrate value, and mitigate risk. This can be broken down into concrete, iterative steps :
Phase 1: Identify a High-Value, Low-Risk Use Case. Begin with a project that focuses on read-only operations. The “Fuzzy Search” use case is a perfect example.
- Goal: Demonstrate the power of unified data access and build user enthusiasm without touching critical data or processes.
- Action: Define the “tools” and “resources” needed for this use case by cataloging the APIs and databases involved.
- Action: Choose or build the necessary MCP servers. Many common integrations (file system, SQL) may already exist, or a thin wrapper can be written using an SDK.
Phase 2: Introduce Action-Oriented Tools and Iterate. Once the value of read-only context is proven, select a workflow with a clear, measurable return on investment to automate with MCP Tools. The XBRL tagging or PDF-to-ERP invoice creation use cases are ideal candidates.
- Goal: Provide a compelling business case for further investment by showing direct improvements in efficiency and accuracy.
- Action: Integrate an MCP client into a host application, like a specialized UI or a framework that supports the protocol.
- Action: Secure the workflow by implementing OAuth scopes, requiring explicit user consent for sensitive operations, and setting up logging for all tool calls.
- Action: Iterate on prompts and instructions to teach the LLM how to recognize when to call a specific tool, refining its performance over time.
Phase 3: Scale and Federate. With successful pilots completed, the focus shifts to scaling the ecosystem. Establish a center of excellence to help different business units build their own MCP servers for their specific domains. Place these servers behind the central API Gateway to ensure consistent governance. Encourage the development of multiple client applications tailored to different user needs. This federated approach fosters a truly composable, interoperable enterprise where innovation can happen at the edges while control is maintained at the core. The growing ecosystem support, including plans for an official registry of MCP servers, will make discovery and integration of new tools even easier.
Conclusion: Beyond Integration, Towards a Composable AI-Powered Enterprise
This deep dive began by confronting the central paradox of enterprise AI: the collision between the immense potential of Large Language Models and the dual constraints of their own architectural limitations and the chaotic reality of enterprise data. The status quo – a landscape of brittle, custom integrations – is unsustainable, insecure, and incapable of scaling to meet the ambitions of the modern digital business.
The Model Context Protocol offers a powerful and elegant way forward. By establishing an open, standardized language for communication between AI models and the systems they need to interact with, MCP moves beyond simple integration. Its architecture, built on the principle of delegated trust with human-in-the-loop verification, provides the technical primitives needed to build applications that are not only intelligent but also secure, governable, and transparent.
We have seen this potential made concrete. For the everyday analyst, MCP transforms tedious, manual tasks like fuzzy searching, document conversion, and data aggregation into simple conversational requests. For the specialized financial professional, it turns the error-prone quagmire of XBRL reporting into a collaborative, guided workflow that designs out the most common errors at their source. And for the enterprise architect, it provides a clear blueprint for adoption, leveraging established patterns like API Gateways and Adapters to weave this new capability into the existing IT landscape while establishing a robust governance framework.
Ultimately, the vision offered by MCP is not merely about better integration. It is about enabling a new architectural paradigm: the composable, AI-native enterprise. In this future, enterprise capabilities are no longer locked away in monolithic applications. They are exposed as discrete, intelligent, and interoperable services. LLMs act as the orchestrating “brains,” and MCP provides the secure “central nervous system” that allows those brains to safely and effectively interact with the enterprise’s “hands and eyes” – its vast array of tools and data sources. As one expert noted, MCP is creating “a space where both major enterprises and individual contributors can build equally viable, increasingly valuable options to make everyone’s lives better”. This paves the way for a future where complex business processes are not rigidly coded but are dynamically assembled, optimized, and executed in a continuous, intelligent conversation between humans and their AI counterparts. For organizations willing to embrace this new model, the competitive advantage will be immense.
Links and Further Reading
From this Blog
- The Architect’s Guide to Enterprise Agentic AI: A primer on the core principles of autonomous systems and agentic architectures.
- Agentic AI: The Distributed Systems Challenges You Didn’t Know You Had: A deep dive into the technical hurdles of building reliable and scalable multi-agent systems.
- The Essential Guide to Modern Access Management: An overview of the strategies and technologies for securing enterprise systems.
Core Protocols and Standards
- Model Context Protocol (MCP) Specification
- JSON-RPC 2.0 Specification
- Server-Sent Events (SSE) using Web APIs
- SOAP Version 1.2 Specification
- OAuth 2.0 Authorization Framework
Financial Reporting and Regulation
- XBRL International
- U.S. Securities and Exchange Commission (SEC)
- European Securities and Markets Authority (ESMA)
- US GAAP Financial Reporting Taxonomy
- European Single Electronic Format (ESEF)
- International Financial Reporting Standards (IFRS)
- General Data Protection Regulation (GDPR)
- Sarbanes-Oxley Act of 2002 (SOX)
Architectural Concepts and Cloud Services
- Adapter Design Pattern
- AWS API Gateway
- Azure API Management
- Istio Service Mesh
- AWS Lambda
- Azure Functions
- Amazon S3
- Azure Blob Storage

Thank you!






