Model Context Protocol (MCP) is an open standard developed by Anthropic that defines how AI models share structured context - including messages, observations and actions - in a predictable and machine-readable way. Released in early 2024, MCP has been described as an “API for AI models”. However, describing it as just an API underplays its fundamental purpose: to provide a common, structured language for inter-model communication, which goes beyond a simple API call and introduces new considerations for systems design and governance.

MCP defines how an AI model passes information, or “context”, to another. That context isn’t just about messages — it can also include structured references to the underlying data, documents, or observations that shaped the model’s output. This turns MCP into a kind of data-aware memory layer, helping future models trace not just what was said, but why — and where that information came from. Think of it like passing a conversation transcript, document summary, or structured evidence set from one model to another. That context could include user intent, prior dialogue, or other task-relevant cues.

If AI systems are going to work together to solve problems, answer questions or coordinate tasks, they need a shared language, and MCP is one emerging proposal to allow this to happen in a structured way. But letting models talk to each other isn’t just a technical problem; it’s also a governance challenge, and a growing risk management issue.

Why It Matters

AI models are rapidly becoming part of critical workflows: assisting knowledge workers, making investment recommendations, generating software code, even helping to triage medical cases. As these models are embedded into more systems and automated workflows, the idea that a single model will do everything is being replaced by a more modular approach: many models, each with a specialisation, calling on each other as needed.

This shift creates a technical need for a protocol to allow communication between models, such as MCP. However it also increases complexity. As soon as one model starts accepting input from another, you introduce new attack surfaces, trust assumptions, and failure modes. Without governance, you’re building a fragile system on shifting foundations.

A few real-world use cases can illustrate this shift:

  • An autonomous agent breaking down a complex task or request into subtasks, calling specialist models for help.
  • A customer support model retrieving user history from a summarisation model that is trained on past chats or transcribed conversations.
  • AI tools from different vendors - such as OpenAI, Anthropic, and Google - working together inside the same enterprise workflow, using a common protocol to exchange context as they work through a task.

MCP enables these use cases by structuring model interactions using a lightweight format - typically JSON - that includes message, observations, and actions as primitives. This structured approach helps models interpret each other’s output more reliably. It also allows context to carry traceable links to the original data or observataions that informed the output - supporting transparency, accountability, and trust.


MCP is one of the first open AI protocol standards designed to support model interoperability and structured context sharing between AI systems.


Risk Considerations

Here are some of the key risks that arise when implementing or relying on MCP:

  • Model-to-model hallucination: If a model sends inaccurate or fabricated information to another model, that second model may act on it without any independent verification. This compounds the risk of hallucination - errors are no longer isolated, but distributed further down the chain without traceability back to the source.

  • Context poisoning: Just like traditional prompt injection attacks, models could be tricked into inserting misleading context. If a compromised model is trusted by others, it becomes a vector for manipulation.

  • Loss of data lineage: When context flows across multiple models, it becomes harder to trace where a particular piece of information came from - or how it was transformed. In regulated environments, knowing how outputs were generated is a legal requirement. You may need to demonstrate “chain of custody” for decisions, recommendations, or generated content.

  • Overtrust and implicit permissions: A downstream model may implicitly assume that upstream input is safe or vetted, especially if those models are integrated in a pipeline. Without clearly defined permissions, models may share too much, or blindly act on inputs they shouldn’t.

  • Feedback loops: Without careful design, two or more models could end up feeding outputs into each other indefinitely, creating unbounded loops or runaway behaviour. This is especially risky in autonomous or agentic settings. Information fidelity goes down, and hallucination risk increases.

Governance Implications

To safely adopt or oversee the use of MCP, organisations should establish policies and control mechanisms around the interaction of AI models:

  • 1. Context scoping: Define what types of context are allowed to be shared between models. For example, can personally identifiable information be passed? Or can summaries of internal company documents be shared with external models?

  • 2. Model access controls: Not all models should be allowed to communicate with all others. Treat each model as a system with an identity, access level, and scope of authority.

  • 3. Audit logging and transparency: Maintain logs of model interactions - capturing what context was exchanged, when, and what actions were taken as a result.

  • 4. Model trust tiers: Create internal classifications for models and enforce interaction rules accordingly. Know which models are trusted, which are experimental, and which interface with external systems.

  • 5. Data lineage frameworks: Track where data comes from, how it has been modified, and which models or agents have consumed it. Think of it as version control and audit trails for model-generated content.

  • 6. Usage monitoring and rate limiting: Monitor how often and how much context is exchanged between models, to detect anomalies and prevent abuse. Rate limiting can help avoid feedback loops or overloads.

  • 7. Interoperability standards: As adoption grows, it may become necessary to develop internal or industry-wide interoperability standards. MCP is one early standard, and future models may need to work across multiple protocols.

Final Thoughts

Model Context Protocol is a promising and necessary innovation. As AI systems get more capable and more autonomous, we need a reliable way for them to collaborate. But the moment you allow models to talk to each other, you invite new risks that traditional governance frameworks may not be set up to handle.

Just as API governance became essential in cloud-native systems, model-to-model governance will be a critical discipline in the age of AI.

Risk leaders, security architects, and digital governance teams need to get ahead of this now. That means not only understanding MCP technically, but also shaping the organisational policies, controls, and guardrails that will determine how safely and responsibly it’s used.

Frequently Asked Questions

What is the Model Context Protocol (MCP)?
MCP is an open standard developed by Anthropic that enables structured communication between AI models, allowing them to pass context, coordinate tasks, and interoperate safely.

Is MCP the same as an API?
Not exactly. MCP is sometimes described as an “API for AI models,” but it’s more accurately a shared protocol that governs how context is structured and exchanged.

Why does MCP matter for governance?
Because once models begin interacting with each other, new risks emerge - such as hallucination propagation, loss of data lineage, and an implicit overtrust once implemented. MCP needs to be governed like any critical interface.

Further reading

If you want to explore the Model Context Protocol (MCP) in more depth - whether for technical implementation, governance insight, or emerging security risks - the following resources are recommended:

Technical and Research Papers

Workflow and Multi-Agent Use Cases

Resources