Use MCP Tools as a Data Fence

MCP might not be perfect, but it can help us define data boundaries

One pattern that I’ve been adopting in my recent designs is what I’m calling “MCP as data fence.” The idea is simple, but worth making explicit.

The pattern has a few motivations:

  • We want to build interfaces for AI workflows
  • Workflows should allow the user to use an AI agent of their choice (e.g. Claude, ChatGPT, etc.), or to switch frontier models–we want to decouple the AI agent from the user data
  • Users should have explicit, granular control over which data is exposed to the AI, along with how and when that data is exposed

MCP is often just used as a wrapper to provide agents elevated access to existing system tools. While this allows us to get more done with agents, it defers the hard problem of making real decisions about process and data ownership. But with a bit of deliberate design, MCP servers can be tools for data autonomy.

To support this, consider treating MCP as an explicit boundary by:

  • Designing the shape of the exposed data. This means potentially reformatting existing metadata and being very explicit when choosing fields to expose.
  • Creating privacy controls and filters on the user’s local machine, inside the MCP boundary. Controls and filters should be applied before the agent is given any visibility to the data via the AI tools. If data is prefiltered in this way, the MCP results should not give any indication to the AI agent that filtered data even exists.
  • Doing all indexing and pre-processing of raw data on user-controlled storage and compute (either locally, or in a trusted cloud) before providing access at the MCP boundary. The user should have a simple way to search data and test filters before exposing it to agents in a tool.

With tools built around these principles, a user would be able to pre-process, curate, and expose their data carefully–MCP could be a carefully controlled boundary rather than a floodgate.
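As an added illustration (not code from this post), here is a minimal Python sketch of a tool handler that applies the three principles on the user side: an explicit output shape, a deny/redact policy applied before anything is returned, and a local dry run for testing the filter. The records, the policy and the function names `search_notes` and `preview_exposure` are constructed; registering the handler with an actual MCP server via the SDK is omitted.

```python
import re
from dataclasses import dataclass

# Constructed sample data: a local index the user controls. A real server would
# build this from files or a local database before any agent connects.
RAW_RECORDS = [
    {"id": 1, "title": "Q3 roadmap", "body": "Ship the new onboarding flow.",
     "tags": ["work"], "path": "/home/me/notes/q3.md", "email": "me@example.com"},
    {"id": 2, "title": "Therapy notes", "body": "Private reflections.",
     "tags": ["personal", "private"], "path": "/home/me/notes/t.md", "email": "me@example.com"},
    {"id": 3, "title": "Vendor call", "body": "Call bob@vendor.example re: pricing.",
     "tags": ["work"], "path": "/home/me/notes/vendor.md", "email": "me@example.com"},
]

@dataclass
class ExposurePolicy:
    """User-side controls applied inside the MCP boundary, before any tool result."""
    exposed_fields: tuple = ("id", "title", "body")          # explicit shape: no paths, no emails
    deny_tags: frozenset = frozenset({"private"})            # records with these tags never leave
    redact_patterns: tuple = (r"[\w.+-]+@[\w-]+\.[\w.-]+",)  # scrub inline addresses in exposed text

def _allowed(record, policy):
    return not (set(record["tags"]) & policy.deny_tags)

def _shape(record, policy):
    out = {k: record[k] for k in policy.exposed_fields if k in record}
    for pat in policy.redact_patterns:
        for k, v in out.items():
            if isinstance(v, str):
                out[k] = re.sub(pat, "[redacted]", v)
    return out

def _matches(query):
    q = query.lower()
    return [r for r in RAW_RECORDS if q in r["title"].lower() or q in r["body"].lower()]

def search_notes(query, policy=ExposurePolicy()):
    """The handler an MCP server would register as a tool. It returns only the curated
    view; nothing in the result (no counts, no ids) reveals that records were withheld."""
    return [_shape(r, policy) for r in _matches(query) if _allowed(r, policy)]

def preview_exposure(query, policy=ExposurePolicy()):
    """Local-only dry run for the user: what would the agent see, and what stays hidden?
    This is deliberately never registered as an MCP tool."""
    hits = _matches(query)
    return {"exposed": [_shape(r, policy) for r in hits if _allowed(r, policy)],
            "hidden_ids": [r["id"] for r in hits if not _allowed(r, policy)]}
```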

Building tools this way is certainly more work! Collecting, processing, and storing this data requires user-side tools and storage, and developing a clean, understandable UX for access control is hard.

Are you using MCP for data control? I don’t think any of this is super profound–data access is one of the clear use cases in the MCP spec. But I do think it’s valuable to make some of these patterns explicit.

How are you defining data boundaries in your agentic workflows?
