"The system behaved correctly. The failure was in the contract."
An MCP server is not merely infrastructure. It is a delegation of power. And power demands friction, clarity, and accountability.
The Category Error: Why “Server” Is the Wrong Mental Model
Most teams encountering MCP for the first time immediately slot it into a familiar bucket: just another server. Another service to deploy, another endpoint to expose, another box on the architecture diagram. In this framing, MCP is treated as plumbing — integration glue that connects internal systems to AI tools in roughly the same way REST APIs, webhooks, or automation runners have done for years.
This is the category error, and it is the one that will hurt you later.
The word server quietly smuggles in a set of assumptions that are deeply misleading:
- that requests are deterministic
- that callers are constrained by explicit endpoints
- that side effects are narrow and foreseeable
- that failures are local, inspectable, and attributable
Those assumptions hold for REST APIs. They mostly hold for webhooks. They even hold for automation platforms, where flows are pre-authored by humans and executed exactly as written.
They do not hold for MCP.
An MCP "server" is not primarily serving resources. It is serving capability.
When you expose an MCP tool, you are not saying "here is some data you may fetch." You are saying "here is something you are allowed to do." And critically, you are saying it to a probabilistic agent that can decide when, why, and how to invoke that ability based on emergent context.
This is much closer to what happens when you provision a human user account than when you deploy an API.
When you give a user access to a system, you do not enumerate every action they will take. You define roles, scopes, and constraints, then trust — with audit and enforcement — that they will act within those bounds. MCP operates on the same axis. You are delegating the ability to act autonomously within a defined scope, not executing a predefined workflow.
That is where the analogy to REST, webhooks, and automation tools breaks completely.
Those systems assume that intent lives outside the system — in the human who authored the call or the flow. MCP assumes that intent is internal, inferred, and fluid. The model selects tools dynamically. It chains actions you did not explicitly sequence. It retries, reframes, and escalates in ways that are rational from its perspective but surprising from a traditional systems view.
If you approach MCP as "just another server," you will optimize for ease of deployment, speed of integration, and abstraction of complexity. And in doing so, you will hide the very questions that matter most: what authority is being granted, under what conditions, and with what blast radius when something goes wrong.
That is why the server mental model bites you. Not immediately — but later, when the system behaves exactly as authorized, and not at all as expected.
MCP Is Authority, Not Automation
This is the core distinction most teams miss: MCP does not automate actions, it authorizes actors.
Traditional automation systems are built on deterministic guarantees. A human defines a workflow, enumerates each step, specifies conditions, and then the system executes that script exactly as written. The authority in those systems is narrow and mechanical: when X happens, do Y. If something goes wrong, you can point to the step that failed, the condition that misfired, or the data that was malformed. Intent is external, explicit, and human-owned.
MCP breaks this model completely.
When you expose an MCP tool, you are not defining a workflow. You are granting a standing permission. You are saying: this agent is allowed to perform this class of action when it believes it is appropriate. The decision of whether, when, and in what sequence that action is taken is no longer authored by you in advance. It is inferred by a probabilistic agent at runtime.
This is the difference between triggering an action and authorizing an actor.
Triggering an action assumes determinism. An event fires. A handler runs. The surface area is fixed. The blast radius is knowable.
Authorizing an actor assumes autonomy. You are not pulling a lever; you are issuing credentials. Once issued, those credentials can be exercised in combinations, contexts, and moments you did not explicitly predict. That is exactly how user access works — and exactly why access control, auditing, and least-privilege principles exist.
MCP tools are therefore not "functions the model may call." They are capabilities the model may exercise. Each one expands the agent's effective agency within your system. And unlike traditional APIs, MCP tools are selected dynamically by the model itself, often in response to ambiguous or evolving user intent.
This is where deterministic guardrails fall away.
In a REST system, guardrails live at the endpoint boundary: required parameters, schemas, explicit routes, and predefined responses. In automation platforms, guardrails live in the flow graph: steps cannot be skipped unless the designer allowed them to be.
In MCP, guardrails must live at the level of authority design. You cannot rely on call order, fixed sequences, or assumed intent. You must instead assume that if a capability exists, the agent will eventually try to use it, and often in combination with others.
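One way to make "guardrails at the level of authority design" concrete is a deny-by-default capability registry: every tool declares the authority class it requires, and an agent can invoke nothing that was not explicitly granted. This is an illustrative sketch; the `Authority` enum and `CapabilityRegistry` are hypothetical names, not part of any MCP SDK.

```python
from enum import Enum

class Authority(Enum):
    READ_PUBLIC = "read_public"
    READ_INTERNAL = "read_internal"
    WRITE_RECORDS = "write_records"
    SEND_EXTERNAL = "send_external"

class CapabilityRegistry:
    """Deny by default: an agent may only invoke tools whose required
    authority class was explicitly granted to that agent."""

    def __init__(self):
        self._tools = {}    # tool name -> required Authority
        self._grants = {}   # agent id  -> set of granted Authorities

    def register_tool(self, name: str, requires: Authority):
        self._tools[name] = requires

    def grant(self, agent_id: str, authority: Authority):
        self._grants.setdefault(agent_id, set()).add(authority)

    def may_invoke(self, agent_id: str, tool_name: str) -> bool:
        required = self._tools.get(tool_name)
        if required is None:
            return False  # unknown tool: denied, not silently ignored
        return required in self._grants.get(agent_id, set())

registry = CapabilityRegistry()
registry.register_tool("search_policies", requires=Authority.READ_PUBLIC)
registry.register_tool("send_email", requires=Authority.SEND_EXTERNAL)
registry.grant("policy-assistant", Authority.READ_PUBLIC)

registry.may_invoke("policy-assistant", "search_policies")  # True
registry.may_invoke("policy-assistant", "send_email")       # False
```

The point of the sketch is the default: a capability that was never granted cannot be reached, no matter what order the agent tries things in.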
This is why thinking of MCP as automation leads teams to overexpose power. Automation thinking asks, "What steps should we make easy?" Authority thinking asks, "What actions should ever be possible at all?"
If you miss this distinction, you will build MCP servers that look safe in isolation but become dangerous in composition. The system will not misbehave. It will behave exactly as authorized — exercising autonomy you did not realize you had granted.
That is the real risk surface of MCP: not bugs, but unexamined authority.
MCP as a Three-Way Contract
The correct mental model for MCP is not "server" or even "service." It is contract.
Every MCP tool definition implicitly binds three parties at once, whether you acknowledge it or not. If you do not make these contracts explicit, they still exist — they are just unsigned, underspecified, and dangerous.
1. Tool ↔ Model: Behavioral Promises
When you define an MCP tool, you are making a promise to the model.
You are saying:
- This tool does what its name implies.
- Its side effects are limited to what is described.
- Calling it will not surprise the model in ways it cannot recover from.
The model will plan around these promises. It will chain tools based on expected behavior. If the tool's real behavior is broader, more destructive, or more stateful than described, the model will unknowingly overreach.
An underspecified tool is a broken promise. The model cannot reason safely about capabilities you failed to describe precisely.
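The behavioral promise can be checked mechanically. Below is a minimal sketch of a tool contract that declares its side effects up front and a validator that lists broken promises; the `ToolContract` shape is an assumption for illustration, not a real MCP schema.

```python
from dataclasses import dataclass, field

@dataclass
class ToolContract:
    name: str
    description: str   # what the model will plan around
    side_effects: list = field(default_factory=list)  # every externally visible effect
    reversible: bool = True

def validate(contract: ToolContract) -> list:
    """Return the list of broken promises; empty means the contract holds."""
    problems = []
    if len(contract.description) < 40:
        problems.append("description too vague for the model to plan around")
    if not contract.side_effects and not contract.reversible:
        problems.append("irreversible tool declares no side effects")
    return problems

# A tool whose real behavior is broader than its description:
delete_tool = ToolContract(
    name="archive_record",
    description="Archive",   # too vague; the model will overreach around this
    side_effects=[],         # undeclared: it actually destroys data
    reversible=False,
)
validate(delete_tool)  # -> two broken promises
```

The thresholds are arbitrary; what matters is that an underspecified tool fails loudly at definition time instead of silently at plan time.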
2. System ↔ User: Trust Boundaries
At the same time, you are making a promise to the user.
You are saying:
- The agent cannot act beyond this surface.
- These are the limits of what it is allowed to do on your behalf.
- You will not silently expand its power without consent.
Users implicitly treat MCP-enabled systems the way they treat delegated access: like giving a human assistant credentials. When that assistant acts, the user assumes the system constrained it appropriately.
If your MCP tools blur boundaries, leak capability, or allow surprising escalation, the trust break is immediate — and often unrecoverable.
3. Organization ↔ Reality: Accountability
Finally, you are making a promise to the real world.
Regulators, auditors, customers, and courts do not care that "the AI did it." They care that you exposed the capability.
Every MCP tool carries:
- legal risk
- financial risk
- reputational risk
If a model misuses a tool, the question will not be "why did the model do that?" It will be "why was it allowed to do that at all?"
That question lands squarely on the organization.
The Actionable Takeaway
Design MCP tools the way you design access roles, not endpoints.
For every tool, you should be able to answer — explicitly and in writing:
- What authority does this grant?
- What actions are impossible even if the model tries?
- What is the maximum plausible harm?
- How do we detect and audit misuse?
- How do we revoke or constrain this capability without redeploying the world?
If you cannot answer those questions, you do not yet have a tool. You have an implicit contract you have not read.
MCP works when contracts are explicit. It fails when power is granted accidentally.
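One way to force the contract to be read is to encode those five questions as a registration gate: a tool with unanswered questions cannot ship. The field names and the `register_tool` helper below are hypothetical, a sketch of the discipline rather than any real API.

```python
REQUIRED_ANSWERS = (
    "authority_granted",   # what authority does this grant?
    "impossible_actions",  # what can never happen, even if the model tries?
    "max_plausible_harm",  # what is the maximum plausible harm?
    "misuse_detection",    # how do we detect and audit misuse?
    "revocation_path",     # how do we constrain it without redeploying?
)

def register_tool(name: str, answers: dict) -> dict:
    """Refuse to register any tool whose contract questions are unanswered."""
    missing = [q for q in REQUIRED_ANSWERS if not answers.get(q, "").strip()]
    if missing:
        raise ValueError(f"refusing to register {name}: unanswered {missing}")
    return {"name": name, **answers}

tool = register_tool("search_docs", {
    "authority_granted": "read approved, published policy documents",
    "impossible_actions": "cannot read drafts or legal notes",
    "max_plausible_harm": "serving a stale but published answer",
    "misuse_detection": "query log reviewed weekly",
    "revocation_path": "feature flag, checked at call time",
})
```

The answers live next to the code they govern, so the contract is versioned, reviewable, and impossible to leave unsigned.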
Friction Is a Feature, Not a Bug
Contracts exist for one primary reason: to constrain parties.
They do not exist to make things easy. They exist to make things safe, legible, and enforceable. The moment you adopt the contract mental model for MCP, the need for friction stops looking like an inconvenience and starts looking like a design requirement.
When teams talk about "easy MCP deployment," what they usually mean is removing decision points. Fewer questions. Fewer explicit choices. Fewer moments where an engineer has to stop and ask, "Should this capability exist at all?" That instinct makes sense in traditional infrastructure, where speed and abstraction reduce toil.
It is exactly the wrong instinct for MCP.
Because MCP tools do not merely expose functionality — they grant authority. And authority without friction is how you end up delegating power you did not intend to give. You're removing friction because you think it's slowing you down. What if it's the only thing preventing you from granting authority you don't understand yet?
Healthy friction in MCP design forces you to do the work that contracts are meant to do:
- Explicit scoping forces you to define what the agent may never do, even if it tries.
- Boring, explicit code paths make side effects legible and auditable.
- Intentional limits cap blast radius when assumptions inevitably fail.
This becomes obvious with even a simple example.
Imagine an internal assistant designed to answer employee questions about company policy. The goal is straightforward: ingest policy documents, let the agent search them, and generate accurate answers.
The naive approach is tempting. You give the agent access to the entire policy document library "so it can find everything." From an infrastructure mindset, this looks reasonable. More data means better answers.
But what have you actually authorized?
You have not authorized search. You have authorized disclosure.
Policy libraries almost always contain more than what is ready for consumption:
- draft policies under review
- deprecated documents kept for reference
- legal notes not meant for broad distribution
- partially approved language with unresolved implications
The agent does not know which of these are socially or legally safe to surface unless you explicitly constrain it. Faced with a relevant query, it will do exactly what it was authorized to do: find the most relevant text and present it.
Nothing has gone wrong. The system has behaved correctly. The failure was in the contract.
A contract-first MCP design changes the question. Instead of asking "what documents should the agent be able to see?" you ask:
- What class of information is the agent allowed to disclose?
- What is explicitly out of bounds, even if it appears relevant?
- What happens when relevant information exists but is not yet authorized?
The resulting MCP capability looks very different. You might expose only approved, published policy summaries. Or require a separate tool for draft content that can only answer at a high level. Or force the agent to return "policy under review" instead of raw text.
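That contract-first capability might look like the sketch below: the search tool can only disclose published documents, and drafts surface as a status line, never as text. The document shape, the status values, and the redaction string are all assumptions for illustration.

```python
# Hypothetical policy store; in practice this would be a real document index.
POLICIES = [
    {"title": "Remote Work Policy", "status": "published",
     "text": "Employees may work remotely up to three days per week."},
    {"title": "AI Usage Policy", "status": "draft",
     "text": "LEGAL REVIEW PENDING: do not distribute."},
]

def search_policies(query: str) -> list:
    """Disclosure is decided by contract, not by relevance."""
    results = []
    for doc in POLICIES:
        if query.lower() not in doc["title"].lower():
            continue
        if doc["status"] == "published":
            results.append({"title": doc["title"], "text": doc["text"]})
        else:
            # Relevant but unauthorized: disclose existence, never content.
            results.append({"title": doc["title"], "text": "policy under review"})
    return results
```

Note that the draft's text never enters the result at all; the agent cannot leak what the tool never returns.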
This is friction. And it is doing its job.
Rather than trusting the agent to "be careful," the contract constrains what care even means. The agent cannot leak draft policy because it was never granted the authority to do so.
You would never give a human intern unrestricted access to legal drafts and tell them "just answer questions responsibly." MCP deserves the same discipline.
The contract model makes this easier, not harder. It gives you the right vehicle for defining the relationship between agent, system, and organization. Instead of trying to predict every action, you define bounds. Instead of scripting behavior, you constrain authority.
Friction is how those bounds are made real.
If deploying an MCP capability feels a little slow, a little careful, and a little uncomfortable, that is not failure. That is the system doing exactly what it should: forcing you to think about power before you delegate.
MCP as a Risk Container
Once you adopt the contract and authority mental model, a final shift becomes unavoidable: MCP servers are not just capability providers — they are risk containers.
Every MCP tool bundles multiple classes of risk together and exposes them through a single surface. Treating that surface casually does not reduce risk; it concentrates it.
Prompt Injection and Tool Misuse
In a traditional system, prompt injection is a content problem. In an MCP-enabled system, it is an authority problem.
A model does not need to be tricked into executing arbitrary code to cause damage. It only needs to be persuaded — through user input, retrieved context, or chained reasoning — that exercising an already-authorized capability is appropriate.
If a tool exists, the agent will eventually attempt to use it. Injection attacks simply influence when and why. The real question is whether the tool was ever safe to expose in the first place.
Authorization Drift (Auth ≠ Permission)
Authentication answers the question who is calling. Authorization answers what they are allowed to do. MCP systems routinely blur this distinction.
It is entirely possible — and increasingly common — for a model to be properly authenticated while exercising permissions that no human stakeholder would have approved in aggregate. This drift happens slowly, through incremental capability additions, until the agent's effective authority far exceeds its original mandate.
Nothing breaks. Nothing alarms. The contract quietly expands.
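Drift is detectable if the original mandate is recorded. A minimal sketch, assuming grants are representable as a set of authority names (the names themselves are illustrative):

```python
# The mandate a human stakeholder actually approved, recorded at launch.
APPROVED_MANDATE = {"read_public_docs", "summarize"}

def drift(effective_grants: set) -> set:
    """Authorities the agent now holds that no one approved in aggregate."""
    return effective_grants - APPROVED_MANDATE

drift({"read_public_docs", "summarize", "send_external_email"})
# -> {"send_external_email"}
```

Run on a schedule, a non-empty diff turns a silently expanding contract into a reviewable event.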
Action Amplification and Unintended Side Effects
MCP tools do not act once. They act at scale.
An agent that can send an email can send hundreds. An agent that can modify records can do so repeatedly. An agent that can trigger workflows can cascade effects far beyond the original intent.
This is not a bug. It is amplification — the entire reason agents are useful. But amplification turns small mistakes into large incidents, and benign permissions into dangerous ones when combined.
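Amplification can be capped mechanically. One sketch, with an illustrative budget number: every side-effecting call draws from a per-session budget, so a mistake burns out instead of cascading.

```python
class ActionBudget:
    """Per-session cap on side-effecting tool calls."""

    def __init__(self, max_side_effects: int = 5):
        self.remaining = max_side_effects

    def spend(self, action: str):
        if self.remaining <= 0:
            # Hard stop: the hundredth email never leaves the building.
            raise PermissionError(f"budget exhausted; refusing '{action}'")
        self.remaining -= 1

budget = ActionBudget(max_side_effects=2)
budget.spend("send_email")  # ok
budget.spend("send_email")  # ok
# a third budget.spend("send_email") raises PermissionError
```

The right ceiling is a policy decision; the point is that a ceiling exists at all, enforced outside the model's reasoning.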
Auditability and Blame Diffusion
When something goes wrong in an MCP system, the failure rarely maps cleanly to a single line of code.
Was it the prompt? The retrieved context? The tool definition? The model's reasoning? The user's request?
Without deliberate audit design, responsibility dissolves into ambiguity. And ambiguity is poison for incident response, compliance, and trust. "The AI did it" is not an answer that satisfies regulators, customers, or executives.
The Uncomfortable Truth
MCP does not introduce new kinds of risk. It repackages familiar risks into a single, highly leveraged surface. That surface must be treated the way we treat:
- root credentials,
- production access,
- financial authority,
- and legal disclosure powers.
If that comparison feels uncomfortable, good. That discomfort is the correct signal. MCP servers concentrate power. And concentrated power demands deliberate containment.
Better Questions Than “What Platform Should We Use?”
These five questions are not philosophical. They are practical. They are the questions that prevent incident reports, executive escalations, and career-ending postmortems. They force MCP design out of the realm of convenience and into the realm of responsibility.
1. What authority are we granting?
This question is about naming power explicitly.
Do not ask what the tool does. Ask what the agent is now allowed to cause in the world. Reading data, disclosing information, modifying records, triggering workflows, communicating externally — these are qualitatively different authorities, even if they are implemented through similar code.
If you cannot describe the granted authority in plain language to a non-technical stakeholder, you do not yet understand it yourself. Vague answers like "search," "assist," or "help automate" are warning signs. Authority should be concrete, bounded, and legible.
2. To whom?
Authority is never granted in the abstract. It is always granted to an actor.
In MCP systems, that actor is a probabilistic agent whose behavior varies by context, prompt, retrieved data, and model updates. Treating the agent as a neutral conduit is a mistake. You must assume it will explore the edges of whatever authority you grant.
This question also forces you to confront scope creep. Is this authority appropriate for every user, every conversation, and every mode the agent operates in? If not, you need segmentation — different tools, different scopes, or different agents entirely.
3. Under what constraints?
Constraints are where contracts become real.
This includes hard technical limits (what data is accessible, what actions are impossible), contextual limits (when a tool may be used), and semantic limits (what outcomes are explicitly disallowed).
Well-designed constraints do not rely on the agent to exercise judgment correctly. They make incorrect behavior impossible. If a constraint depends on the agent "knowing better," it is not a constraint — it is a hope.
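A hard constraint looks like this in practice: the check lives in code, not in the prompt, so "knowing better" is never required. The domain allowlist below is a hypothetical example.

```python
ALLOWED_DOMAINS = {"example.com"}  # hypothetical internal domain

def send_email(to: str, body: str) -> dict:
    """External sends are impossible, not discouraged."""
    domain = to.rsplit("@", 1)[-1].lower()
    if domain not in ALLOWED_DOMAINS:
        # Not a warning the model can talk itself past: a hard failure.
        raise PermissionError(f"external recipient '{to}' is outside the contract")
    return {"status": "queued", "to": to}
```

No prompt injection, chained reasoning, or confident misjudgment can route mail to an outside address, because the tool itself refuses.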
4. With what rollback, logging, and accountability?
Assume failure.
Every MCP capability should be designed with the expectation that it will eventually be misused, misunderstood, or exercised in an unintended context. When that happens, you need to know:
- what happened,
- why it happened,
- who or what exercised the authority,
- and how to stop it from happening again.
If you cannot answer those questions quickly under pressure, the design is incomplete. Rollback paths, audit logs, and clear ownership are not operational niceties — they are part of the contract.
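The plumbing for that contract can be thin. A sketch, with illustrative names throughout: every exercise of authority produces a structured audit record, and each capability checks a revocation flag at call time so it can be shut off without a redeploy.

```python
import time

REVOKED = set()   # capability names revoked at runtime
AUDIT_LOG = []    # append-only; in memory only for this sketch

def exercise(capability: str, agent_id: str, reason: str, action):
    """Run an authorized action, recording who, what, and why."""
    if capability in REVOKED:
        raise PermissionError(f"'{capability}' has been revoked")
    record = {
        "ts": time.time(),
        "capability": capability,
        "agent": agent_id,  # who or what exercised the authority
        "reason": reason,   # why, as stated at call time
    }
    result = action()
    record["result"] = repr(result)
    AUDIT_LOG.append(record)
    return result

exercise("update_record", "billing-agent",
         "user asked to fix their address", lambda: "ok")
REVOKED.add("update_record")
# the next exercise("update_record", ...) raises PermissionError
```

Flipping one flag answers "how do we stop it from happening again" in seconds, and the log answers the other three questions under pressure.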
5. Should an agent be able to do this at all?
This is the question that saves you when every other answer sounds reasonable.
MCP design has a gravitational pull: if something can be turned into a tool, teams feel they should turn it into a tool. If something is tedious for humans, it is tempting to hand it to an agent. If something is possible, it starts to feel inevitable.
Resist that impulse.
Some capabilities are simply the wrong shape for autonomous execution. Not because the agent is unintelligent, but because the consequences are asymmetric, the context is too social, or the failure modes are too costly. There are actions where even a 1% error rate is unacceptable. There are actions where "technically authorized" is not the same as "organizationally survivable."
If you cannot defend the existence of a capability to a skeptical security lead, a compliance officer, and a future incident review board, it should not exist as an agent tool.
This is where you should be willing to say — and mean — things like:
- No, an agent should not be able to send external email.
- No, an agent should not be able to modify production data directly.
- No, an agent should not be able to access drafts, legal notes, or privileged documents, even if it would answer more accurately.
And if necessary, you should be willing to argue the point forcefully.
Because the easiest way to make an MCP system safe is not to add more guardrails. It is to not grant the authority in the first place.
If a capability would be a firing offense for a junior employee, it should not be delegated to an agent.
Together, these five questions form a minimal checklist for survivable MCP design. Teams that ask them early move slower at first, but dramatically faster after their first close call. Teams that skip them eventually learn them the hard way.
The Quiet Conclusion
MCP is not a tooling choice. It is a governance decision disguised as an API.
If you treat MCP servers as infrastructure, you will optimize for speed, convenience, and abstraction. You will ask how to deploy them faster, wire them more easily, and expose them more broadly. And eventually, you will be handed a postmortem that begins with the words "nothing technically went wrong."
If you treat MCP servers as power, your instincts change. You slow down. You name authority explicitly. You argue about scope. You design contracts instead of endpoints. You add friction not because you are cautious, but because you understand what is at stake.
This is not about distrusting agents. It is about respecting what you are delegating. Every MCP capability is a promise: to the model, to the user, and to the organization that will own the consequences. Power that is clearly defined, deliberately constrained, and auditable is survivable. Power that is implicit, expansive, and convenient is not.
MCP will reward teams that think in terms of authority and contracts. It will punish teams that treat it like plumbing. The technology is not reckless. It is literal. It will do exactly what you allow it to do.
We don't yet have good patterns for contractual MCP design because we've barely started asking what that means. The infrastructure patterns exist because infrastructure is familiar. Authority patterns for probabilistic agents? That's new territory. You're going to have to think.
Your job is not to make MCP easy. Your job is to make it safe to exist.