A PYMNTS Company

MCP Server Access to Corporate Systems Raises Legal Issues 

April 29, 2026

A technology standard that lets artificial intelligence tools tap directly into a company’s internal systems is spreading quickly through the corporate world, and legal experts warn that most organizations are not prepared for what that means.

The protocol is called Model Context Protocol, or MCP. At its core, it allows AI assistants like Claude or ChatGPT to connect to databases, customer records, internal communications tools, and other corporate systems. When those connections are in place, employees can ask an AI a question in plain language and receive answers drawn from live company data. The experience looks like a typical AI chat. The implications are anything but.

According to a new analysis from ZwillGen, a law firm focused on technology and data issues, approving an MCP integration carries risks that are fundamentally different from anything companies have dealt with before in AI deployment. Before MCP, managing AI risk mostly meant reviewing what employees typed into a chat window. MCP changes the nature of that risk entirely.

“In some cases, sanctioning an MCP server is the equivalent of replying ‘yes’ to all of those requests at once,” ZwillGen writes, referring to the years of legal questions companies have fielded about what data is safe to feed into AI tools.

The firm outlines several categories of risk that deserve close attention. One concerns data that flows beyond company walls. When an employee queries an internal database through an MCP connection, the results may travel to a third-party AI provider, where they can be retained in logs under that vendor’s own retention policies. That creates a secondary record of sensitive information sitting outside the company’s control.

Another concern involves access. MCP removes the technical barriers that once limited who could extract data from complex enterprise systems. Querying a database used to require knowledge of SQL. Navigating a CRM platform required training. MCP eliminates that friction. Any employee with access to a connected system can now pull information through a simple plain-English request, including data about colleagues, compensation, or confidential business matters.

ZwillGen also flags the risk of running afoul of existing contracts. Enterprise systems often contain data from partners, customers, and vendors that comes with restrictions on how it can be used, shared, or processed. Many of those agreements did not anticipate AI and may expressly prohibit it. The unpredictable nature of how AI tools retrieve and combine information makes compliance with those terms difficult to guarantee.

The risks grow further when AI tools are given write access rather than read-only access, meaning they can update records, send messages, or trigger actions across connected systems. At that point, ZwillGen notes, a prompt injection attack, where malicious text embedded in a company’s own data manipulates the AI, could allow a bad actor to hijack workflows or spread malware.

The firm recommends that organizations conduct thorough due diligence before deploying any MCP connection, including auditing what data lives in systems they plan to connect, reviewing all relevant vendor contracts and privacy agreements, logging all queries and actions taken through MCP connections, and restricting write access wherever possible. The memo also suggests defaulting to blocking new data access until each integration has been individually reviewed and approved.