The Model Context Protocol (MCP) is the best thing to happen to agent tooling in a while: expose a capability once, as an MCP server, and any MCP-aware agent can use it as a standard tool. We build the capabilities in client systems — email, calendars, search — this way so they are reused instead of reimplemented per agent.
But "any agent can use it" is exactly the sentence a security reviewer circles in red. A tool that sends email, moves money, or reads personal data is not safe just because it speaks a clean protocol. The protocol is the easy part. The control around it is the work.
Three things MCP does not give you
MCP standardizes how a tool is described and called. It does not, on its own, answer:
- Who is allowed to call this tool, and with what scope?
- What happens when the call is high-impact — a refund, a bulk send, a delete?
- Where is the record of who called what, when, and why?
Those are policy, plan, and observability questions. They are the reason we never expose an MCP server directly to a fleet; we put it behind a governance layer.
The pattern we ship
Every MCP tool sits behind a policy gate. The agent calls the tool; the gate evaluates the caller's identity and scope before the call resolves; high-impact operations route to a human-in-the-loop step; and every call is logged.
$ bytevon mcp expose --server email-agent
tools: read draft send watch
policy: send => scope=email:send rate=100/h
gate: send>50 recipients => human-review
audit: every call logged · reversible
◉ MCP server live behind policy gate
Exposing a tool over MCP is a one-line decision. Exposing it safely is a policy you write once and enforce on every call — which is the whole point of the governance layer we build in.
A short checklist
- Scope every tool. `read` and `send` are different privileges; do not grant them together by default.
- Gate the irreversible. Anything that spends money, deletes, or contacts a human at scale gets a checkpoint.
- Deny by default. A new agent can call nothing until a policy grants it.
- Log the call, not just the result. The audit trail is what turns an incident into a query.
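What the gate in "The pattern we ship" and the four checklist items amount to in code, as an added example that is not part of the original post and not the product behind the `bytevon` CLI shown above: a small in-process policy gate that denies by default, checks the caller's scope, enforces a sliding one-hour rate limit, routes high-impact calls to human review, and writes an audit record for every call whatever the outcome. The `send` rule mirrors the transcript (scope `email:send`, 100 calls per hour, review past 50 recipients); every class, function, scope name and caller here is hypothetical, and the callers and arguments are constructed.

```python
# Added example: a deny-by-default policy gate in front of MCP tool calls.
# Illustrative code, not the product behind the `bytevon` CLI above; every
# class, function, scope and caller name here is hypothetical.
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class Caller:
    """Identity the MCP server has already authenticated (never taken from the agent's message)."""
    agent_id: str
    scopes: frozenset  # e.g. frozenset({"email:read"}); empty means: can call nothing


@dataclass
class ToolPolicy:
    scope: str                                             # scope the caller must hold
    rate_per_hour: Optional[int] = None                    # None = no rate limit
    needs_review: Optional[Callable[[dict], bool]] = None  # predicate on the call's args


@dataclass
class Decision:
    outcome: str  # "allow" | "deny" | "review"
    reason: str


class PolicyGate:
    """Every tool call passes through evaluate(); a tool with no policy entry is denied."""

    def __init__(self, policies: dict, clock: Callable[[], float] = time.time):
        self.policies = policies
        self.clock = clock                 # injectable so the rate window is testable
        self._window = defaultdict(deque)  # (agent_id, tool) -> timestamps of allowed calls
        self.audit = []                    # one record per call, whatever the outcome

    def evaluate(self, caller: Caller, tool: str, args: dict) -> Decision:
        policy = self.policies.get(tool)
        if policy is None:
            d = Decision("deny", f"no policy grants {tool}")  # deny by default
        elif policy.scope not in caller.scopes:
            d = Decision("deny", f"caller lacks scope {policy.scope}")
        elif policy.rate_per_hour is not None and self._over_rate(caller, tool, policy.rate_per_hour):
            d = Decision("deny", f"rate limit {policy.rate_per_hour}/h exceeded")
        elif policy.needs_review is not None and policy.needs_review(args):
            d = Decision("review", "high-impact call routed to human review")
        else:
            d = Decision("allow", "scope and rate OK")
            self._window[(caller.agent_id, tool)].append(self.clock())
        self._record(caller, tool, args, d)
        return d

    def call(self, caller: Caller, tool: str, args: dict, impl: Callable[..., Any]):
        """Run impl(**args) only on allow; denied and review-routed calls never reach the tool."""
        d = self.evaluate(caller, tool, args)
        return d, (impl(**args) if d.outcome == "allow" else None)

    def _over_rate(self, caller: Caller, tool: str, limit: int) -> bool:
        q = self._window[(caller.agent_id, tool)]
        now = self.clock()
        while q and now - q[0] >= 3600:  # drop calls older than the one-hour window
            q.popleft()
        return len(q) >= limit

    def _record(self, caller: Caller, tool: str, args: dict, d: Decision) -> None:
        # Log the call, not just the result: who, what, when, why. Argument names and
        # list sizes are enough for the trail; message bodies and addresses stay out.
        self.audit.append({
            "ts": self.clock(), "agent": caller.agent_id, "tool": tool,
            "args": {k: (len(v) if isinstance(v, (list, tuple)) else "<set>") for k, v in args.items()},
            "outcome": d.outcome, "reason": d.reason,
        })


def email_policies() -> dict:
    """The policy from the transcript: send needs email:send, 100/h, human review past 50 recipients.
    `watch` is left without an entry on purpose: deny-by-default keeps it unreachable until granted."""
    return {
        "read": ToolPolicy(scope="email:read"),
        "draft": ToolPolicy(scope="email:draft"),
        "send": ToolPolicy(scope="email:send", rate_per_hour=100,
                           needs_review=lambda a: len(a.get("recipients", [])) > 50),
    }


if __name__ == "__main__":
    gate = PolicyGate(email_policies())
    summarizer = Caller("summarizer", frozenset({"email:read"}))  # constructed callers
    outreach = Caller("outreach", frozenset({"email:read", "email:send"}))
    print(gate.evaluate(summarizer, "send", {"recipients": ["a@example.test"]}))  # deny: no scope
    print(gate.evaluate(outreach, "send", {"recipients": ["a@example.test"]}))    # allow
    print(gate.evaluate(outreach, "send", {"recipients": [f"u{i}@example.test" for i in range(51)]}))  # review
    print(gate.evaluate(outreach, "watch", {}))                                   # deny: no policy
    print(gate.audit[-1])
```

Two things the toy leaves to the real deployment. The `Caller` must be produced by the server's own authentication of the request, never parsed out of the agent's message, or scope checks are decorative; and the gate has to sit in the server's request path so that no code route reaches the tool implementation without passing `call()`. Note also that review-routed calls do not consume the rate budget here; a production gate would count them at the moment a human approves and the call actually executes.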
MCP makes tools composable. Policy, plans, and audit make them safe to compose. Ship both, and "any agent can use it" becomes a feature instead of a liability.