What is the Model Context Protocol (MCP)?
The Model Context Protocol is an open protocol for connecting AI agents to external tools, data sources, and services. An MCP server exposes a set of tools (typed function calls) and resources (read-only context) to a client, the agent, over stdio or Streamable HTTP. The protocol itself is small and well specified; the interesting decisions are upstream of it: where each server's trust boundary sits, which tools it exposes, how outputs are bounded, and how auth is resolved. Tool descriptions and tool results are authored by the server, so the agent has to treat them as untrusted input rather than as instructions. In production, treat each MCP server as a security boundary, not a convenience layer: one server, one credential scope, read-only by default, writes tagged and policy-gated.
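As an added example (not code from this page or from the MCP project), here is what "writes tagged and policy-gated" looks like as a gate in front of a single server's tool surface. Everything in it is constructed: the tools/list response, the "tickets" tool names, and the operator policy are hypothetical. The readOnlyHint and destructiveHint annotations are the MCP spec's own, used here only as a cross-check, because the spec says clients must not rely on them for security decisions.

```python
"""Policy gate between an agent and one MCP server's tool surface.

Added example, not MCP SDK or vendor code. The tools/list payload is a
constructed JSON-RPC response from a hypothetical "tickets" server, and the
tool names are made up. readOnlyHint and destructiveHint are the tool
annotations the MCP spec defines, but the spec also says clients must not
rely on them for security decisions; so the operator's own classification
is authoritative here and the server's hints are only cross-checked.
"""
import json
from dataclasses import dataclass

# Constructed tools/list response: what the server claims it exposes.
TOOLS_LIST_RESPONSE = json.dumps({
    "jsonrpc": "2.0", "id": 1,
    "result": {"tools": [
        {"name": "get_ticket",
         "inputSchema": {"type": "object",
                         "properties": {"id": {"type": "string"}},
                         "required": ["id"]},
         "annotations": {"readOnlyHint": True}},
        {"name": "comment_ticket",
         "inputSchema": {"type": "object",
                         "properties": {"id": {"type": "string"},
                                        "body": {"type": "string"}},
                         "required": ["id", "body"]},
         "annotations": {"readOnlyHint": False, "destructiveHint": False}},
        {"name": "delete_ticket",
         "inputSchema": {"type": "object",
                         "properties": {"id": {"type": "string"}},
                         "required": ["id"]},
         "annotations": {"readOnlyHint": False, "destructiveHint": True}},
        # The server now labels this write as read-only; the operator classified it as a write.
        {"name": "set_priority",
         "inputSchema": {"type": "object",
                         "properties": {"id": {"type": "string"},
                                        "level": {"type": "integer"}},
                         "required": ["id", "level"]},
         "annotations": {"readOnlyHint": True}},
        # Appeared in tools/list without ever being classified by the operator.
        {"name": "run_sql",
         "inputSchema": {"type": "object",
                         "properties": {"query": {"type": "string"}}}},
    ]},
})

# Operator-maintained approved surface for this one server. Absent here means
# not approved, whatever the server publishes.
OPERATOR_POLICY = {
    "get_ticket": "read",
    "comment_ticket": "write",
    "delete_ticket": "destructive",
    "set_priority": "write",
}


@dataclass(frozen=True)
class Decision:
    action: str        # "allow", "queue" (hold for human approval) or "deny"
    reason: str
    tags: tuple = ()   # audit tags carried with the call


def load_tools(tools_list_json):
    return {t["name"]: t for t in json.loads(tools_list_json)["result"]["tools"]}


def server_claims_read_only(tool):
    return (tool.get("annotations") or {}).get("readOnlyHint") is True


def gate(tool_name, arguments, tools, policy=OPERATOR_POLICY):
    """Decide what happens to a tools/call before it reaches the server."""
    tool = tools.get(tool_name)
    if tool is None:
        return Decision("deny", "tool is not published by the server")
    klass = policy.get(tool_name)
    if klass is None:
        return Decision("deny", "tool not on the approved surface; classify before exposing")
    # Drift: the server's hint disagrees with the operator's classification.
    if server_claims_read_only(tool) != (klass == "read"):
        return Decision("deny", "annotation drift between server and operator policy")
    # Argument shape: every required key present, no undeclared keys.
    schema = tool.get("inputSchema", {})
    props = schema.get("properties", {})
    missing = [k for k in schema.get("required", []) if k not in arguments]
    extra = [k for k in arguments if k not in props]
    if missing or extra:
        return Decision("deny", f"arguments do not match inputSchema: missing={missing} extra={extra}")
    if klass == "read":
        return Decision("allow", "read-only tool")
    if klass == "destructive":
        return Decision("queue", "irreversible write held for human approval", ("write", "destructive"))
    return Decision("allow", "reversible write, tagged for audit", ("write",))
```

The point to notice is that the operator's classification, not the server's annotation, decides the action, and a disagreement between the two (set_priority above) is a deny rather than a silent downgrade: a server that starts relabeling writes as reads is exactly the drift you want surfaced, and a tool that appears in tools/list without ever being classified (run_sql) never reaches the server at all.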
How do I add an MCP server to Microsoft Copilot Studio in a regulated tenant?
Five decisions sit upstream of the onboarding wizard. First, pick OAuth with the user's own sign-in (so the server can act on behalf of that user) for any tool that touches user-scoped data; with API key auth the server cannot tell which user is behind a call, so every downstream action is attributed to the connector's shared identity, which fails compliance review. Second, place the connector in the right Power Platform DLP data group (Business, Non-business, or Blocked) before publishing. Third, enable generative orchestration on the agent; classic orchestration does not use MCP servers. Fourth, use the Streamable HTTP transport; SSE was deprecated in August 2025, and the MCP specification itself had already replaced HTTP+SSE with Streamable HTTP earlier that year. Fifth, keep the connector scoped to your tenant unless cross-tenant publishing is the explicit business goal.
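An added example, not Microsoft's code, of checking the decisions that are visible in the connector file before publishing: a weak Swagger 2.0 connector definition (SSE endpoint, shared API key) beside a hardened one (Streamable HTTP, OAuth 2.0 against a tenant-pinned authority), and a lint that flags the weak one. Both fragments are constructed; the host, tenant GUID and scope names are hypothetical, and the x-ms-agentic-protocol values are, to my understanding, the ones Copilot Studio's MCP connector documentation uses, so treat that as the assumption the lint rests on.

```python
"""Pre-publish lint for a Copilot Studio MCP custom connector definition.

Added example, not Microsoft's code. Both Swagger 2.0 fragments are
constructed. The x-ms-agentic-protocol values mcp-sse-1.0 and
mcp-streamable-1.0 are, to my knowledge, the ones Copilot Studio's MCP
connector documentation uses; the lint assumes that. It can only check the
decisions that are visible in the connector file (transport, auth type,
tenant-pinned authority); DLP grouping and orchestration mode are agent and
admin-center settings and have to be checked there.
"""
import json

TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"   # made-up tenant GUID
MCP_HOST = "tickets-mcp.example.com"                  # hypothetical server

# Weak: SSE endpoint, shared API key. Every call reaches the server as "the connector".
WEAK_CONNECTOR = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Tickets MCP", "version": "1.0"},
    "host": MCP_HOST, "schemes": ["https"],
    "paths": {"/sse": {"get": {
        "summary": "MCP Server (SSE)", "operationId": "InvokeMCP",
        "x-ms-agentic-protocol": "mcp-sse-1.0",
        "responses": {"200": {"description": "OK"}}}}},
    "securityDefinitions": {"api_key": {"type": "apiKey", "in": "header", "name": "X-Api-Key"}},
    "security": [{"api_key": []}],
})

# Hardened: Streamable HTTP, OAuth 2.0 auth-code against a tenant-specific authority,
# so the server receives a user token it can exchange on-behalf-of downstream.
HARDENED_CONNECTOR = json.dumps({
    "swagger": "2.0",
    "info": {"title": "Tickets MCP", "version": "1.1"},
    "host": MCP_HOST, "schemes": ["https"],
    "paths": {"/mcp": {"post": {
        "summary": "MCP Server (Streamable HTTP)", "operationId": "InvokeMCP",
        "x-ms-agentic-protocol": "mcp-streamable-1.0",
        "responses": {"200": {"description": "OK"}}}}},
    "securityDefinitions": {"entra_oauth": {
        "type": "oauth2", "flow": "accessCode",
        "authorizationUrl": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
        "tokenUrl": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
        "scopes": {f"api://{MCP_HOST}/Tickets.Read": "Read tickets"}}},
    "security": [{"entra_oauth": [f"api://{MCP_HOST}/Tickets.Read"]}],
})

# Authority segments that accept sign-ins from any tenant.
MULTI_TENANT_AUTHORITIES = ("common", "organizations", "consumers")


def lint_connector(spec_json):
    """Return a list of findings; an empty list means the file passes."""
    spec = json.loads(spec_json)
    findings = []
    if spec.get("schemes") != ["https"]:
        findings.append("transport: schemes must be exactly ['https']")
    protocols = [op.get("x-ms-agentic-protocol")
                 for path in spec.get("paths", {}).values()
                 for op in path.values() if isinstance(op, dict)]
    if "mcp-streamable-1.0" not in protocols:
        findings.append("transport: no operation declares x-ms-agentic-protocol mcp-streamable-1.0")
    if "mcp-sse-1.0" in protocols:
        findings.append("transport: mcp-sse-1.0 operation present; SSE transport is deprecated")
    defs = spec.get("securityDefinitions", {})
    if not defs:
        findings.append("auth: no securityDefinitions; connector would call the server unauthenticated")
    for name, d in defs.items():
        if d.get("type") != "oauth2":
            findings.append(f"auth: securityDefinition '{name}' is {d.get('type')}, not oauth2; "
                            "calls are attributed to the connector, not the user")
            continue
        for key in ("authorizationUrl", "tokenUrl"):
            url = d.get(key, "")
            if any(f"/{seg}/" in url for seg in MULTI_TENANT_AUTHORITIES):
                findings.append(f"scope: '{name}' {key} uses a multi-tenant authority; pin it to the tenant")
    return findings
```

Run lint_connector over the definition in CI before the connector is published. The DLP group and the orchestration mode still have to be checked in the admin center and on the agent, since neither is recorded in this file.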
What is the right Entra ID identity for an AI agent?
Four shapes cover the realistic option space. App-only (service principal) suits agents acting on shared, non-user-scoped data; the audit trail reads "the agent did it." On-behalf-of (OBO) is the only correct answer when the agent reads or writes user-scoped data; the trail reads "the user's agent did it." Federated identity credentials (FIC) replace stored client secrets for agent runtimes outside Azure (GitHub Actions, Kubernetes, Vercel): the runtime presents its own OIDC token and Entra exchanges it for the agent's token. Managed identity is the platform-managed machine identity when the agent runs on Azure compute. The first two decide who the downstream audit trail names; the last two decide how the agent authenticates without a secret on disk. The choice is downstream-attribution-driven, not preference-driven.
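Because the choice is attribution-driven, the check worth automating is reading the shape off the token the MCP server actually receives. The example below is added here and is not Microsoft code: two constructed, unsigned sample tokens with made-up GUIDs, a function that classifies them by claims (scp for delegated, roles or idtyp app for app-only), and the form body for the OBO exchange. Audience, tenant and scope names are hypothetical.

```python
"""Read the identity shape off an Entra access token before acting on it.

Added example, not Microsoft code. The two tokens are constructed, unsigned
samples (alg none) with made-up GUIDs; a real server validates signature,
issuer, audience and expiry before reading any claim. Claim usage follows
Entra ID v2.0 access tokens: an app-only token carries 'roles' and
'idtyp': 'app' (idtyp is an optional claim you must enable), a delegated
token (auth-code or OBO) carries 'scp' plus the user's 'oid', and both name
the calling application in 'azp'. The downstream scope in the OBO request
is hypothetical.
"""
import base64
import json
from urllib.parse import urlencode

TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"          # made up
AGENT_APP_ID = "11111111-1111-1111-1111-111111111111"       # made up
AGENT_SP_OID = "33333333-3333-3333-3333-333333333333"       # made up
USER_OID = "22222222-2222-2222-2222-222222222222"           # made up
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"


def b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def fake_jwt(payload):
    """header.payload. with an empty signature; sample material only."""
    header = b64url({"alg": "none", "typ": "JWT"})
    return f"{header}.{b64url(payload)}."


# App-only (service principal): the audit trail reads "the agent did it".
APP_ONLY_TOKEN = fake_jwt({
    "aud": "api://tickets-mcp", "iss": ISSUER, "idtyp": "app",
    "azp": AGENT_APP_ID, "oid": AGENT_SP_OID, "roles": ["Tickets.Read.All"],
})

# Delegated / on-behalf-of: the audit trail reads "the user's agent did it".
OBO_TOKEN = fake_jwt({
    "aud": "api://tickets-mcp", "iss": ISSUER,
    "azp": AGENT_APP_ID, "oid": USER_OID, "scp": "Tickets.Read Tickets.Write",
})


def decode_payload(jwt):
    part = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def attribution(jwt):
    """(shape, actor) for the audit record, derived from claims only."""
    c = decode_payload(jwt)
    if "scp" in c:   # delegated permissions: a user is behind this call
        return "on-behalf-of", f"user {c['oid']} via app {c['azp']}"
    if c.get("idtyp") == "app" or "roles" in c:   # application permissions
        return "app-only", f"app {c['azp']}"
    raise ValueError("token carries neither scp nor roles; do not act on it")


def obo_token_request(client_id, inbound_user_token, downstream_scope):
    """Form body the MCP server posts to the token endpoint to exchange the
    user's inbound token for a downstream one. The server authenticates
    itself with a client assertion (certificate or FIC), not a stored secret."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": "<signed-client-assertion>",  # placeholder; produced by cert or FIC
        "assertion": inbound_user_token,
        "scope": downstream_scope,
        "requested_token_use": "on_behalf_of",
    })
```

The claim rule generalizes beyond the two samples: any Entra v2.0 access token carrying scp was issued for a user, so the audit record must carry that user's oid; a token carrying only roles was issued to the application itself, so "the agent did it" is the honest record. The OBO body authenticates the server with a client assertion rather than a client secret, which is where a federated identity credential or a certificate slots in.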
What does AI agent infrastructure consulting actually deliver?
The work is the layer between a working prompt and a production deployment that passes security review. Concretely: a credential broker so agents never hold long-lived secrets, scoped tool surfaces so the blast radius of any single tool call is bounded, policy-gated approvals so irreversible actions queue for human review, and a structured audit layer so compliance, incident response, and post-mortem all read from the same source. Deliverables include architecture docs, IaC, runbooks, and the operator dashboards governance teams actually use — handed off to the client's engineers, not locked behind the consultant.
How long is a Discovery engagement?
One to two weeks, fixed-fee. The output is a written report covering the five layers — identity, credential broker, scoped tool access, policy gating, audit — mapped to the specific compliance controls the client's InfoSec team will ask about. The report includes a threat model, a prioritized remediation list, and a one-page summary suitable for handing to security leadership. Discovery is the right engagement when an agent project either hasn't passed security review yet or hasn't been put in front of one, and the team needs a clear remediation path before committing to a build.