
MCP Connects AI Agents to Tools but Ignores Data Governance


88% of organizations have experienced confirmed or suspected security incidents involving AI agents, according to Gravitee's 2026 report. Only 14% obtained full security approval for agent deployments. The protocol everyone's betting on to fix this - Anthropic's Model Context Protocol (MCP) - solves the wrong problem, argues a new analysis from WunderGraph.

The core claim: MCP standardizes how AI agents call tools, but completely ignores what those agents can access or do with the data they get back.

The Retail Example That Explains the Gap

Consider a shopping assistant answering "Where is my order, and can I change the delivery address?" That single question requires six tool connections: customer order history, payment status, shipment tracking across two providers, and real-time inventory across three warehouses.

MCP handles the plumbing for those six connections. But it cannot enforce that customer_id in one system maps to account_ref in another. It cannot prevent an agent from attempting an address change after a shipment enters "in-transit" status. And it does nothing to mask credit card details sitting in payment history.

These are data governance problems, not protocol problems. MCP operates at what the article calls the "transport layer" - it moves requests around but has no opinion about the shape, sensitivity, or business rules of the data flowing through it.

What the Proposed Fix Looks Like

WunderGraph (which sells GraphQL infrastructure, so take the prescription accordingly) argues for a two-plane architecture: a Data Plane built on federated GraphQL that handles schema composition, field-level access control, and cross-system identity mapping, with MCP and Google's A2A protocol sitting on top as a Coordination Plane.

The idea is not new - it is basically the API gateway pattern applied to agents. But the specifics matter. Field-level access control means an agent querying an order can see shipping status but not payment details, enforced at the schema level rather than hoping the LLM respects a system prompt. Operation allowlisting means agents can only execute pre-approved queries, not generate arbitrary requests against your backend.
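To make the retail example and the data-plane checks just described concrete, here is an added illustration (not WunderGraph's or Anthropic's code, and it uses no real MCP or GraphQL SDK): a minimal policy layer that an MCP tool handler would call before touching any backend. The roles, operation names, sample records and the `customer_id` to `account_ref` map are all constructed.

```python
from typing import Any

# Constructed sample backends: orders keyed by customer_id, payments keyed by
# account_ref, mirroring the identifier mismatch the article describes.
ORDERS = {"A-1001": {"order_id": "A-1001", "customer_id": "cust-42",
                     "status": "in-transit", "shipping_address": "1 Example St"}}
PAYMENTS = {"acct-9f3": {"state": "captured", "card_number": "4111111111111111"}}
IDENTITY_MAP = {"cust-42": "acct-9f3"}  # customer_id -> account_ref (constructed)

# Operation allowlist: agents run only pre-approved, named operations.
ALLOWED_OPERATIONS = {"getOrderStatus", "changeDeliveryAddress"}
# Field-level policy: what each (hypothetical) agent role may see in an order view.
FIELD_POLICY = {"shopping_assistant": {"order_id", "status", "shipping_address",
                                       "payment_state"}}

class PolicyError(Exception):
    """Raised when the data plane refuses a request before it reaches a backend."""

def compose_order(order_id: str) -> dict[str, Any]:
    """Join the order and payment records across the customer_id/account_ref boundary."""
    order = ORDERS[order_id]
    account_ref = IDENTITY_MAP[order["customer_id"]]
    payment = PAYMENTS[account_ref]
    return {**order, "account_ref": account_ref,
            "payment_state": payment["state"], "card_number": payment["card_number"]}

def execute(role: str, operation: str, args: dict[str, Any]) -> dict[str, Any]:
    """Entry point a tool handler calls; every check lives here, not in the prompt."""
    if operation not in ALLOWED_OPERATIONS:
        raise PolicyError(f"operation {operation!r} is not allowlisted")
    if args.get("order_id") not in ORDERS:
        raise PolicyError("unknown order")
    if operation == "getOrderStatus":
        allowed = FIELD_POLICY.get(role, set())
        # Project to permitted fields only: card_number never leaves the data plane.
        return {k: v for k, v in compose_order(args["order_id"]).items() if k in allowed}
    # changeDeliveryAddress: the business rule is enforced at the data layer.
    order = ORDERS[args["order_id"]]
    if order["status"] == "in-transit":
        raise PolicyError("delivery address is locked once the shipment is in-transit")
    order["shipping_address"] = args["new_address"]
    return {"order_id": order["order_id"], "shipping_address": order["shipping_address"]}

def attempt(role: str, operation: str, args: dict[str, Any]) -> tuple[str, Any]:
    """Wrapper returning ('ok', result) or ('denied', reason) for callers and tests."""
    try:
        return ("ok", execute(role, operation, args))
    except PolicyError as exc:
        return ("denied", str(exc))
```

Running `attempt("shopping_assistant", "getOrderStatus", {"order_id": "A-1001"})` returns the shipping status and payment state but no card number, while an address change on the in-transit order is denied before any backend write happens.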

The Real Bottleneck

The practical takeaway for teams building with agents: MCP adoption is moving fast (150+ organizations now support Google's A2A protocol, including Salesforce, SAP, and ServiceNow), but the protocol layer is running ahead of the data readiness layer. If your internal systems have inconsistent identifiers, no field-level permissions, and no schema-driven API layer, bolting MCP on top will not fix the underlying mess. It will just give agents faster access to that mess.

Microsoft Fabric is already building GraphQL-to-MCP integration, which suggests the industry is starting to converge on this layered approach. The companies that invest in data readiness now - typed schemas, access controls, identity mapping - will have a much easier time when they layer agent protocols on top.