There is a moment, when you decide to open your SaaS to AI agents over MCP, where the ground shifts under two of your oldest assumptions at once.

The first assumption is that your data stays inside your walls. With MCP, the result of every tool call is rendered in the user's chat screen, which means it passes through an external AI vendor's processing infrastructure on the way to the user. That is a data sovereignty problem, and for finance, healthcare, audit, and HR it has historically been the reason to keep everything inside a built-in dashboard.

The second assumption is that the only actor writing to your system is a person you authenticated, or your own code. Open over MCP and an external agent becomes a write-capable actor on someone's behalf. The agent reads instructions from its context window, and that context can be poisoned. OWASP lists prompt injection as the number-one AI-related security risk for a reason: a quiet malicious instruction can steer a model into operations it should never perform.

Both of those sound like reasons not to open up. They are not. They are reasons to design the server side so that opening up is safe by construction. The whole game is to hold the reins on the server side, so that no matter what the external AI decides, it can only move inside the range you permitted.
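What "holding the reins on the server side" looks like in code, as an added example that is not part of the original post: a small tool dispatcher in the style of an MCP server that enforces both points above regardless of what the agent asks for. The user's tenant and scopes come from the server's own session object (assumed to be built from an already-validated token), arguments the tool never declared are dropped, so a poisoned context cannot smuggle in a `tenant_id`, writes require an explicit write scope, and every result is filtered through a field allow-list before it leaves the server for the AI vendor's pipeline. The invoice records, tool names and field names are constructed for illustration.

```python
"""Server-side guard for MCP-style tool calls (added example, not the page's code).

Assumptions: the server has already authenticated the user and built a Session
from their token; INVOICES, the tool handlers and the field names are constructed.
"""
from dataclasses import dataclass
from typing import Any, Callable


class PolicyError(Exception):
    """Raised when a tool call falls outside what the server permits."""


@dataclass(frozen=True)
class Session:
    user_id: str
    tenant_id: str      # fixed by the server at login, never read from the agent
    scopes: frozenset   # e.g. {"invoices:read", "invoices:write"}


@dataclass(frozen=True)
class ToolSpec:
    required_scope: str
    accepted_args: frozenset    # the only arguments the agent may supply
    returned_fields: frozenset  # allow-list of fields that may leave the server
    handler: Callable[[Session, dict], Any]


# Constructed sample data: two tenants, with a sensitive field mixed in.
INVOICES = {
    "inv-1": {"id": "inv-1", "tenant_id": "acme", "amount": 120.0, "status": "open",
              "bank_account": "DE00 0000 0000"},
    "inv-2": {"id": "inv-2", "tenant_id": "acme", "amount": 80.0, "status": "paid",
              "bank_account": "DE00 1111 1111"},
    "inv-3": {"id": "inv-3", "tenant_id": "globex", "amount": 500.0, "status": "open",
              "bank_account": "DE00 2222 2222"},
}


def _owned(session: Session, invoice_id: str) -> dict:
    """Resolve an invoice only if it belongs to the caller's tenant."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["tenant_id"] != session.tenant_id:
        # Same error for "missing" and "not yours": no cross-tenant existence oracle.
        raise PolicyError(f"invoice {invoice_id!r} not accessible")
    return inv


def list_invoices(session: Session, args: dict) -> list:
    return [inv for inv in INVOICES.values() if inv["tenant_id"] == session.tenant_id]


def void_invoice(session: Session, args: dict) -> dict:
    inv = _owned(session, args["invoice_id"])
    inv["status"] = "void"
    return inv


TOOLS = {
    "list_invoices": ToolSpec("invoices:read", frozenset(),
                              frozenset({"id", "amount", "status"}), list_invoices),
    "void_invoice": ToolSpec("invoices:write", frozenset({"invoice_id"}),
                             frozenset({"id", "status"}), void_invoice),
}


def _redact(result: Any, allowed: frozenset) -> Any:
    """Keep only allow-listed fields; everything else never reaches the chat."""
    if isinstance(result, list):
        return [_redact(r, allowed) for r in result]
    return {k: v for k, v in result.items() if k in allowed}


def dispatch(session: Session, tool_name: str, args: dict) -> Any:
    """Single choke point every agent-initiated tool call goes through."""
    spec = TOOLS.get(tool_name)
    if spec is None:
        raise PolicyError(f"unknown tool {tool_name!r}")
    if spec.required_scope not in session.scopes:
        raise PolicyError(f"{tool_name} requires scope {spec.required_scope}")
    # Drop anything the tool did not declare: the agent cannot pick a tenant or user.
    clean_args = {k: v for k, v in args.items() if k in spec.accepted_args}
    missing = spec.accepted_args - set(clean_args)
    if missing:
        raise PolicyError(f"{tool_name} missing arguments {sorted(missing)}")
    return _redact(spec.handler(session, clean_args), spec.returned_fields)


def rejected(session: Session, tool_name: str, args: dict) -> bool:
    """True if the server refuses the call (handy for tests and audit logging)."""
    try:
        dispatch(session, tool_name, args)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    reader = Session("alice", "acme", frozenset({"invoices:read"}))
    print(dispatch(reader, "list_invoices", {}))            # no bank_account field
    print(rejected(reader, "void_invoice", {"invoice_id": "inv-1"}))  # True: no write scope
```

The point of the layout is that the policy lives in `dispatch`, not in the prompt: a read-only session cannot void anything no matter how the agent was instructed, a writer cannot reach another tenant's rows even if the context names them, and `bank_account` never leaves the process because it is not on any tool's `returned_fields` list.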