What is MCP and why does it need to be secure?
The Prompt
My name is Shannon Moir and I'm the Director of AI for Fusion5. I'd like to write an educational and somewhat humorous blog on MCP - model context protocol, what exactly this is and why did it come about, what is the intended purpose. Can you also cover off important security aspects of MCP. Does the protocol allow for security to be implemented easily? What types of security can be created natively? I want this to be in Australian spelling. Can you please organise ideas clearly and for the main part in the same order as below. Can you aim the content at CIO/CFO type roles, people that need to make decisions about AI adoption and care about the bottom line - the basis of the entry is below. Please include any references or weblinks in the copy you create.
My initial understanding is that MCP in the current context is metadata that can be used on the fly to dynamically choose the correct path / model for AI orchestrations. There are particular attributes that are important when choosing a model and MCP allows these to be defined and used on the fly. Can you demonstrate the use of MCP with an invoice entry agent and there are a number of ERPs that might be used for the final invoice data. How might MCP be used to dynamically and easily facilitate the orchestration of these end to end processes.
Finally can you comment on just prompting for MCP, seems this might be possible - but cumbersome. Thank you AI!
This was generated using Gemini 2.5 Flash. I might need to reduce how casual this is - but it's very readable.
The result
G'day everyone, Shannon Moir here, your friendly neighbourhood Director of AI for Fusion5, ready to chat about something that might sound a bit dry but is actually super important for anyone dabbling in the wonderful world of AI: Model Context Protocol, or MCP for short.
Now, I know what you're thinking. "Shannon, another acronym? Can't we just get on with making money with AI?" And you're right to ask! But trust me, understanding MCP is like finding the secret sauce for your AI applications – it makes everything smoother, more efficient, and ultimately, more profitable. So, grab a cuppa, maybe a Tim Tam, and let's unravel this mystery with a bit of Aussie humour thrown in for good measure.
What in the Blazes is MCP and Why'd It Rock Up?
Alright, so my limited understanding, and it's a pretty good one if I do say so myself, is that MCP in the current context is essentially metadata on steroids. Think of it as a fancy set of instructions or labels that you attach to your data, your models, or even your entire AI workflows. The "context" part is key here – it's all about providing the right information at the right time to make smart decisions.
Why did it come about? Well, as AI systems get more complex, with multiple models working together (what we call "orchestrations"), things can get a bit… messy. Imagine a busy Sydney intersection at peak hour, but instead of cars, you've got data packets and AI models all trying to get to their destination. Without clear rules and directions, you've got chaos, slowdowns, and probably a few bumped digital fenders.
MCP emerged from this need for order. Its intended purpose is to provide a standardised way to:
- Dynamically choose the correct path/model: Instead of hardcoding every decision, MCP allows your AI system to adapt on the fly. It's like giving your AI a GPS that not only knows the destination but also the best type of vehicle for the journey (e.g., a truck for a big delivery, a motorbike for a quick dash).
- Define important attributes: There are always particular attributes that are crucial when selecting a model – things like data sensitivity, processing speed requirements, cost implications, or even the regulatory environment the data needs to abide by. MCP allows these to be defined and used instantly.
Think of it this way: without MCP, you're essentially building a separate, bespoke decision-making tree for every single AI workflow. With MCP, you're creating a set of reusable, dynamic "rules of engagement" that your AI can understand and apply. It's about moving from bespoke blacksmithing to industrial-scale manufacturing, in the AI world.
Lock Her Up! Security Aspects of MCP
Now, you CIOs and CFOs out there will be keenly aware of the importance of security. A slick AI system is no good if it's as leaky as a rusty tinny. The good news is that MCP can be a real champion when it comes to implementing security easily.
Because MCP is fundamentally about defining attributes and rules, it provides a fantastic framework for embedding security directly into your AI orchestrations. It's not an afterthought; it's baked in.
Does the protocol allow for security to be implemented easily? Absolutely! By tagging data and models with security-related attributes (e.g., "confidential," "PII present," "requires ANZAC cloud residency"), you can enforce security policies dynamically. This means you can:
- Restrict model access: Only allow certain models to process highly sensitive data.
- Enforce data residency: Ensure data remains within a specific geographical boundary.
- Implement data anonymisation/masking: Automatically trigger these processes for data with certain tags before it's passed to a less secure model.
- Audit trails: MCP can facilitate better logging and auditing by providing rich contextual information about why a particular path or model was chosen, and under what security constraints.
What types of security can be created natively? While MCP itself isn't a security solution, it's a powerful enabler. Natively, you can define attributes that allow for:
- Access Control: Attributes like `security_clearance_level: "top_secret"` or `data_owner: "finance_department"` can dictate which users or models can interact with specific data or processes.
- Compliance & Governance: Attributes such as `regulatory_compliance: "GDPR_compliant"` or `data_jurisdiction: "Australia"` can ensure your AI adheres to legal and ethical frameworks.
- Data Classification: Tagging data with `data_sensitivity: "confidential"` or `personal_identifiable_information: "true"` enables dynamic handling of sensitive information.
For further reading on data security in AI, you might find resources from the Australian Cyber Security Centre (ACSC) helpful; even though they don't explicitly mention MCP by name, their principles align perfectly with how MCP can be used for security.
An Invoice Entry Agent's Grand Tour with MCP
Let's get down to brass tacks with a practical example. Imagine you've got an invoice entry agent, a brilliant piece of AI that extracts information from incoming invoices. The catch? You've got customers using a whole smorgasbord of ERPs – SAP, Oracle, Xero, MYOB, you name it.
Here's how MCP could be the unsung hero, making this orchestration sing:
Without MCP (the Old, Hard Way):
Your invoice agent finishes its extraction. Now, you'd have to have a complex "if-then-else" logic in your code:
- `IF customer_ERP == "SAP" THEN send_to_SAP_integration_module`
- `ELSE IF customer_ERP == "Oracle" THEN send_to_Oracle_integration_module`
- …and so on, ad nauseam.
Every new ERP means code changes, testing, and a bit of a headache. Not very agile, is it?
With MCP (The Smart, Aussie Way):
- Invoice Arrives: An invoice lands in your system.
- Initial AI Processing: Your invoice entry agent gets to work, extracting key data like supplier, amount, and most importantly, it identifies the `customer_ID`.
- MCP Lookup: Here's the magic. Before sending the extracted data anywhere, your system performs an MCP lookup. You've pre-defined MCP rules that link `customer_ID` to their specific `target_ERP_system`. This `target_ERP_system` attribute is now dynamically attached to the extracted invoice data as context.
  - Example MCP Rules:
    - `Customer_ID: "ABC Corp"` -> `target_ERP_system: "SAP"`
    - `Customer_ID: "XYZ Pty Ltd"` -> `target_ERP_system: "Xero"`
    - `Customer_ID: "GHI Holdings"` -> `target_ERP_system: "Oracle_Cloud"`
    - `Invoice_Type: "Purchase Order"` -> `processing_priority: "high"`
    - `Invoice_Amount: ">10000"` -> `requires_approval: "true"`
- Dynamic Orchestration: Now, instead of hardcoded logic, your orchestration platform simply looks at the `target_ERP_system` attribute within the MCP context attached to the invoice data.
  - If `target_ERP_system` is "SAP", the data is routed to your SAP integration API.
  - If it's "Xero", it goes to the Xero API.
  - If `requires_approval` is "true", it's routed to a human approval queue before ERP integration.
- Seamless Integration: Your invoice data smoothly sails into the correct ERP, without your AI needing to know the specifics of each customer's setup beforehand. You've dynamically adapted to the context.
This makes your system incredibly flexible. Add a new customer with a new ERP? Just update your MCP rules, not your core AI code. It’s a huge win for agility and reduces maintenance headaches.
Just Prompting for MCP – A Bit Like Trying to Drive a Ute with Your Feet
You raise a fair point about just "prompting" for MCP. In the realm of large language models (LLMs), prompting is how we instruct them. So, theoretically, could you just include all your MCP rules and attributes directly in your prompts to an LLM that's orchestrating things?
Yes, you could. For very simple scenarios, you might get away with it. You'd essentially be telling your LLM, "Here's the invoice data, and by the way, if the customer is ABC Corp, use SAP, if it's XYZ Pty Ltd, use Xero."
However, as soon as your orchestrations get any level of complexity, or you have more than a handful of rules, this approach becomes:
- Cumbersome (an understatement!): Imagine typing out hundreds or thousands of these rules in every prompt. It's a nightmare for human readability and prone to errors.
- Inefficient: LLMs have context windows – a limited amount of information they can process at once. Jamming all your MCP rules into the prompt will quickly fill up that window, leaving less room for the actual task and increasing processing costs.
- Hard to manage: If a rule changes, you'd have to update every single prompt template. A proper MCP system, on the other hand, centralises these rules, making updates a breeze.
- Not scalable: As your AI landscape grows, this "prompting only" approach will collapse under its own weight faster than a pavlova in the rain.
So, while a clever prompt engineer might try to wrangle it for a tiny, proof-of-concept, a dedicated MCP system (whether it's an internal framework or a feature of your orchestration platform) is the way to go for any serious enterprise AI adoption. It's about structured, machine-readable context, not just throwing more words at an LLM.
Wrapping Up
So there you have it, folks. Model Context Protocol might not be the flashiest term, but it's a foundational piece of the puzzle for building robust, scalable, and secure AI solutions. For CIOs and CFOs, understanding MCP means understanding how to unlock greater efficiency, reduce operational costs, and mitigate risks in your AI deployments.
It's about making your AI smarter, more adaptable, and ultimately, a better investment. So next time you're thinking about your AI strategy, remember the power of context – it's what separates a good AI system from a truly great one.
Cheers, and may your AI always be perfectly orchestrated!
Shannon Moir, Director of AI, Fusion5
References/Further Reading (as they become available):
Currently, MCP is more of an emerging architectural pattern and concept within the AI and MLOps community rather than a formally ratified protocol with widely published specifications like HTTP or TCP/IP. Therefore, direct "official" web links to a single, universally accepted MCP standard are scarce. However, the principles of dynamic model selection, metadata-driven orchestration, and context management are heavily discussed and implemented in various forms within:
- MLOps platforms and frameworks: Look into documentation for platforms like Kubeflow, MLflow, or proprietary AI orchestration tools which often implement similar contextual routing mechanisms.
- Data Mesh architectures: The concept of data as a product with rich metadata aligns well with MCP's philosophy.
- Enterprise Architecture blogs and papers on AI: Many industry leaders discuss the need for flexible, metadata-driven AI pipelines.
While there isn't a single definitive MCP website yet, you can find discussions around these concepts in:
- Google Cloud's MLOps whitepapers: While not explicitly named "MCP," their discussions on model registries, metadata stores, and intelligent routing often touch upon these ideas.
- Microsoft Azure Machine Learning documentation: Similar to Google, their best practices for MLOps encompass the need for robust metadata and contextual information.
- Medium articles and academic papers: Searching for terms like "AI orchestration patterns," "metadata-driven AI," "dynamic model routing," and "contextual AI pipelines" will yield relevant results that embody the spirit of MCP.
As the concept matures, expect more formal definitions and industry best practices to emerge. For now, consider it a powerful and evolving design principle in the AI world.
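As an added example, not code from the post or from Fusion5, here is how the attribute-driven routing in the invoice section and the access, residency and classification checks in the security section might look in Python. The rule tables, endpoint policies and field names are constructed for illustration.

```python
# Added example (not the post's own code): a metadata-driven router in the spirit of
# the invoice-entry scenario. All rule tables and endpoint policies are constructed.
from dataclasses import dataclass

CUSTOMER_ERP = {"ABC Corp": "SAP", "XYZ Pty Ltd": "Xero", "GHI Holdings": "Oracle_Cloud"}
APPROVAL_THRESHOLD = 10000  # Invoice_Amount > 10000 -> requires_approval: true
# Constructed security attributes of each integration endpoint.
ENDPOINT_POLICY = {
    "SAP": {"data_jurisdiction": "Australia", "cleared_for_pii": True},
    "Xero": {"data_jurisdiction": "Australia", "cleared_for_pii": True},
    "Oracle_Cloud": {"data_jurisdiction": "Australia", "cleared_for_pii": False},
}

@dataclass
class Invoice:
    customer_id: str
    amount: float
    contains_pii: bool = False
    data_jurisdiction: str = "Australia"  # where this data is allowed to live

def enrich_context(inv: Invoice) -> dict:
    """Attach the routing and security attributes the post describes as context."""
    erp = CUSTOMER_ERP.get(inv.customer_id)
    if erp is None:  # fail closed: an unknown customer is routed nowhere
        raise LookupError(f"no routing rule for customer {inv.customer_id!r}")
    return {
        "target_ERP_system": erp,
        "requires_approval": inv.amount > APPROVAL_THRESHOLD,
        "personal_identifiable_information": inv.contains_pii,
        "data_jurisdiction": inv.data_jurisdiction,
    }

def route(inv: Invoice, audit: list) -> str:
    """Pick a destination, checking policy before any data leaves the pipeline."""
    ctx = enrich_context(inv)
    endpoint = ENDPOINT_POLICY[ctx["target_ERP_system"]]
    if endpoint["data_jurisdiction"] != ctx["data_jurisdiction"]:
        decision = "blocked:residency"     # data must stay in its jurisdiction
    elif ctx["personal_identifiable_information"] and not endpoint["cleared_for_pii"]:
        decision = "blocked:pii"           # PII only to endpoints cleared for it
    elif ctx["requires_approval"]:
        decision = "human_approval_queue"  # high-value invoices get a human first
    else:
        decision = f"erp:{ctx['target_ERP_system']}"
    # Audit trail: record why this path was chosen and under which constraints.
    audit.append({"customer": inv.customer_id, "decision": decision, "context": ctx})
    return decision
```

Adding a customer or a new ERP is a change to the rule tables, not to the routing code, and every decision leaves an audit record that states the constraints it was made under.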