What is an MCP connector and why does it create security risk?

MCP (Model Context Protocol) lets AI models like Claude connect directly to external tools, APIs, and data sources through standardized servers and "skills." When an AI builds or configures these connectors, it often requests broad OAuth scopes, long-lived API keys, and service accounts with excessive permissions because the model optimizes for "make it work" rather than least-privilege access. The result is a powerful, persistent attack surface that touches your financial systems, client data, and identity directories.

Can I just tell the AI to use least-privilege permissions?

You can ask, and the model will often produce a plan that sounds correct. In practice, AI-generated code and configuration still default to broad scopes because the training data and success metrics reward working integrations over locked-down ones. Real least-privilege requires understanding every downstream permission each service actually needs, plus ongoing validation that the connector never escalates. That is architectural work, not prompt engineering.

How fast can an AI-generated MCP server or skill be exploited?

In the environments we audit, the window is often measured in days or weeks, not months. Attackers scan for exposed OAuth apps, leaked API keys in public repos or logs, and overly permissive service accounts. One documented case involved a connected app in QuickBooks Online that had write access across multiple financial entities. Fraudulent transactions moved through it for weeks before detection. The app was added during an automation project, exactly the pattern AI-assisted teams are repeating today.

Do small or lean teams without developers really need this level of security review?

If your AI connectors touch money, client records, email, files, or any system that holds regulated or sensitive data, yes. Lean teams are the primary target because they have the highest ratio of powerful integrations to security headcount. The contractor who used to log in once a month now has an AI agent with persistent access. The one-time script the founder prompted into existence last quarter is still running with the original broad credentials.

What is the difference between a one-time security audit and ongoing monthly support?

A one-time audit (typically three weeks) produces a complete inventory of current OAuth apps, API keys, contractor access, and AI tool connections plus a prioritized remediation roadmap. Ongoing monthly support is the operating system that keeps the surface from growing back. It includes continuous monitoring for new integrations, quarterly access reviews, key rotation enforcement, incident response retainers, and a governance framework so the next MCP server your team ships already follows the rules instead of breaking them.

How do I know if my current MCP or AI skills setup is dangerous?

Ask five questions: Do we have a documented list of every OAuth app and API key with its exact scopes and owner? Can any AI connector write to our financial systems without a human approval step? Do we rotate credentials on a schedule, or only when something breaks? If a contractor or AI agent left tomorrow, could we revoke all their access in under an hour? Have we ever reviewed the actual data flows our AI automations are allowed to see or change? If any answer is uncertain or no, you have exposure.

Call (949) 243-7440

Cybersecurity

When AI Builds Your MCP Connectors:
The Security Architecture Vibe Coders Can't Ignore

You are shipping powerful AI agents and MCP servers into your financial systems, client data, and identity directories faster than your security model can keep up. The model does not think about blast radius. You need architecture that does.

May 2026·16 min read

MCP & Skills

OAuth & API Keys

Least Privilege

Governance Gap

Contractor + AI Access

The Shift

The New Developer Is an LLM

Three years ago, a non-technical founder or operations lead who needed to connect two systems hired a developer or waited for IT. Today, that same person opens Claude or Cursor, describes the outcome, and an hour later has a working MCP server or a set of skills that can read invoices, create tickets, update CRM records, and send summary emails.

This is not science fiction. It is Tuesday. The barrier to building production-grade automation has collapsed. The barrier to building production-grade secure automation has not moved at all, and in many cases has gotten worse because the people now doing the building have never carried a pager for a breached integration.

The model is fast, confident, and completely indifferent to your threat model. It will request the broadest OAuth scopes that make the demo work. It will hard-code long-lived API keys. It will create service accounts with directory read and write because the task mentioned "list users." It will store credentials in environment variables that end up in a repo. And it will do all of this while telling you the integration is complete.

You now have a powerful, persistent, often undocumented bridge between an AI that can be tricked or hijacked and the systems that run your business or your clients' businesses. That is the new attack surface. Most teams do not see it until after the first incident.

The Technology

What MCP and Skills Actually Expose

Model Context Protocol (MCP) and the "skills" pattern popularized in Claude and similar platforms are standardized ways for AI models to discover and invoke external capabilities. Instead of the model hallucinating an API call, you give it a server or a skill definition with typed inputs, outputs, and descriptions. The model can then call those tools reliably during a conversation or agent run.

That is incredibly useful. It is also a direct privilege escalation path when the tool you expose has access to real data and real write capabilities.

MCP Servers

Standalone processes or services that register tools the AI can call. A server might expose "create_invoice", "list_unpaid_bills", "update_ticket_status", or "search_client_files". The server holds the credentials. If the server is compromised or the AI is jailbroken into calling it maliciously, the credentials do real work.

Skills and Tool Definitions

Lightweight function definitions that travel with the conversation. The AI sees the schema and description and decides when to call. Because the definition lives in the prompt or context window, teams often copy-paste powerful capabilities into many sessions without realizing every participant in that thread effectively inherits the permission.

The common thread: these are not read-only toys. The moment you connect an AI capability to QuickBooks, Bill.com, Google Workspace, your PSA, email, or file storage with anything beyond the narrowest possible scope, you have created a high-value target that attackers are already scanning for.

Case Study

The Breach That Started With "Just One More Integration"

A professional services firm in Southern California noticed something odd in their QuickBooks Online activity. Payments were being processed through accounts the company did not control. Funds were moving in patterns that did not match any client work. The initial assumption was a compromised password.

It was not. Attackers had discovered a third-party application connected via OAuth with excessive permissions. The app had been added during an automation project months earlier. It could read and write across multiple entities in their QBO environment. The attackers used it as a clearinghouse, pulling funds from unrelated accounts and routing them through the victim's legitimate payment rails before anyone noticed.

The firm was contractor-heavy. Access had never been formally inventoried. Multiple people had granted OAuth apps over time for reporting, reconciliation, and "quick automations." No one had a complete list of what was still connected or what scopes each app actually held. The AI layer made it worse: tools for meeting transcription, expense categorization, and client research were all granted workspace access with varying levels of persistence.

This is the exact pattern repeating in companies that let AI build the next layer of automation without an architectural review. The difference is velocity. Where a traditional developer might have asked security or IT for the narrowest viable scope, the LLM asks for everything that makes the function succeed and moves on.

The Failure Mode

How LLMs Make Security Decisions (and Why They Are Terrible at It)

Large language models are trained to complete tasks and satisfy the user. Their reward signal is "did the requested thing happen?" Not "did this respect the principle of least privilege?" or "will this credential still be safe in 90 days?"

Over-scoped OAuth

Prompt: "Connect to QuickBooks so the agent can reconcile payments and update invoices." Output: an OAuth app requesting full write access across all entities because the model saw "update" and "reconcile" in the same sentence. The correct scope might have been a single restricted token for one entity with approval workflows.

Long-lived credentials in generated code

The model happily emits a .env.example with a placeholder and instructions to "put your production key here." It rarely suggests a secrets manager, short-lived tokens via STS, or a rotation schedule. The credential lives until the first breach or the first time someone checks the repo history.

Service accounts created on demand

"The agent needs to list users and check group membership." The generated script creates a new service account with Directory Admin or at least Organization Viewer + User Management. No one ever comes back to tighten it because the task is marked complete.

Missing audit trails

The integration logs successes to the console or a local file. It does not emit structured events to a SIEM or even a simple log aggregation service. When something goes wrong six months later, there is no chain of custody for who (or what AI agent) actually made the change.

The Map

The Attack Surfaces You Are Opening Right Now

Every system an AI connector touches becomes part of your perimeter. Here are the categories we see most often in lean environments that have started shipping AI automations without a security review.

Financial Systems (QBO, Bill.com, Banks)

→OAuth apps with write access to payments and vendors
→Bank feeds and reconciliation tools that can initiate or approve transfers
→Sync accounts that bridge QBO to CRMs or project tools

Identity & Directory (Google Workspace, M365)

→Super-admin or delegated admin OAuth grants
→Service accounts that can create users or reset MFA
→Drive and Gmail access that survives the original user's departure

Operations & PSA Tools

→Ticketing systems where AI can close or reassign tickets at scale
→Time and billing platforms connected for automated invoicing
→Monitoring and RMM tools that control endpoints

Communication & File Storage

→Email accounts used for approvals and notifications
→Shared drives containing client deliverables and PII
→Chat platforms where AI agents post and act on messages

The Identity Problem

The Contractor Problem Meets the AI Agent Problem

Lean teams rely on contractors. Contractors need access. Most teams never build a formal onboarding and offboarding process for those contractors, let alone for the AI agents those contractors (or the founder) spin up to do the contractor's work faster.

The result is identity sprawl with no owner. A contractor who helped with bookkeeping six months ago still has an active connected app in QBO. The AI agent they prompted to "handle recurring invoices" is still running under that same OAuth grant. When the contractor relationship ends, no one revokes the token because no one knows it exists.

AI makes this worse because the agent can act continuously and at machine speed. A human contractor might only log in occasionally. An AI agent with persistent credentials can exfiltrate or manipulate data every hour of every day without raising the same red flags.

The Fix

You Need a Governance Framework Before the Next Connector Ships

The teams that survive this wave are not the ones that ban AI automation. They are the ones that put a lightweight but non-negotiable governance layer in front of every new integration.

A practical AI Integration Governance Framework for a lean team covers four things:

Mandatory Inventory

Before any new MCP server or skill goes live, it is added to a living document that records the exact OAuth scopes, API keys used, data classes touched, owner, and review date. No exceptions.

Scope Standards

Define acceptable versus prohibited scopes for each major system. Financial systems default to read with explicit approval workflows for any write. Identity systems require documented justification and a named approver.

Review Checklist

A one-page checklist the person shipping the automation must complete: credential storage method, rotation plan, logging destination, offboarding steps, and blast radius if the token is stolen.

Quarterly Re-validation

Every 90 days the inventory is reviewed. Apps that no longer have an owner or a clear business purpose are revoked. Keys older than policy are rotated. AI tools that have expanded their access are flagged.

The Math

Remediation Is Harder Than Prevention at AI Velocity

A one-time cleanup of an existing messy environment is valuable. It produces the inventory you never had and a prioritized list of what to revoke or tighten first. But the half-life of that cleanup is short when your team is still shipping new AI capabilities every week.

Every new MCP server, every new skill, every "quick automation" the founder prompts at 11pm adds back some of the surface you just removed. Without a process that runs faster than the AI generation loop, you are in a permanent game of catch-up.

That is why the companies that get this right treat security architecture as an operating system, not a project. The framework runs continuously. New work is forced through the guardrails. The monthly cost of that operating system is far lower than the cost of the incident it prevents.

The Partner Model

What Professional Security Architecture Actually Looks Like

We have been hardening exactly these environments for Orange County businesses since 2008. We know the attack patterns because we have cleaned them up after the fact and we have prevented them before they happened.

The work starts with a fixed-scope security audit that produces four concrete deliverables in three weeks: a complete access and permissions inventory, a findings report with risk ratings tied to your actual environment, a prioritized remediation roadmap, and an AI Integration Governance Framework tailored to the tools you already use and the MCP servers you are planning to ship next.

After the audit, most clients move to a month-to-month support agreement. That agreement is not "we log in once a month and check boxes." It is the operating system: continuous discovery of new OAuth apps and keys, enforcement of rotation policies, quarterly access reviews that actually revoke what should be revoked, a retainer for incident response when something does slip through, and a standing review of every significant new AI capability before it touches production data.

The goal is not to slow your team down. The goal is to make the next MCP connector your AI writes safe by default instead of dangerous by default. We have done this for professional services firms, agencies, and financial teams that run lean and move fast. We can do it for you.

The Stakes

The Real Cost of "We'll Secure It Later"

The breach in the case study above did not start with a sophisticated nation-state. It started with an automation project that had a deadline and no security review. The cleanup took executive time, forensic work, client notifications, insurance involvement, and months of tightening that could have been avoided with a few thousand dollars of architectural discipline upfront.

More importantly, the trust damage is real. When your clients learn that their financial data moved through an AI connector you did not fully understand, the conversation is no longer about your rates. It is about whether they can continue to trust you with their most sensitive systems.

You do not need a 50-person security team. You need a partner who has already solved this exact problem for companies that look like yours, and who stays on the hook month after month so the surface does not grow back.

If AI Is Writing Your Integrations, Architecture Is Now Your Job

You can keep prompting and shipping, or you can ship inside guardrails that were designed by people who have already seen what happens when those guardrails are missing. BRITECITY helps lean teams move fast without creating the next headline.

Fixed-scope AI stack audit in three weeks

Complete OAuth, API key, and contractor inventory

AI Integration Governance Framework you can actually use

Month-to-month support with no long-term contracts

Book a Security Architecture Review Explore Our Cybersecurity Services

IRVINE, CA · 17+ YEARS HARDENING LEAN ENVIRONMENTS · MONTH-TO-MONTH AGREEMENTS

Cybersecurity

When AI Builds Your MCP Connectors:
The Security Architecture Vibe Coders Can't Ignore

May 2026·16 min read

MCP & Skills

OAuth & API Keys

Least Privilege

Governance Gap

Contractor + AI Access

The Shift

The New Developer Is an LLM

The Technology

What MCP and Skills Actually Expose

That is incredibly useful. It is also a direct privilege escalation path when the tool you expose has access to real data and real write capabilities.

MCP Servers

Skills and Tool Definitions

Case Study

The Breach That Started With "Just One More Integration"

The Failure Mode

How LLMs Make Security Decisions (and Why They Are Terrible at It)

Over-scoped OAuth

Long-lived credentials in generated code

Service accounts created on demand

Missing audit trails

The Map

The Attack Surfaces You Are Opening Right Now

Financial Systems (QBO, Bill.com, Banks)

→OAuth apps with write access to payments and vendors
→Bank feeds and reconciliation tools that can initiate or approve transfers
→Sync accounts that bridge QBO to CRMs or project tools

Identity & Directory (Google Workspace, M365)

→Super-admin or delegated admin OAuth grants
→Service accounts that can create users or reset MFA
→Drive and Gmail access that survives the original user's departure

Operations & PSA Tools

→Ticketing systems where AI can close or reassign tickets at scale
→Time and billing platforms connected for automated invoicing
→Monitoring and RMM tools that control endpoints

Communication & File Storage

→Email accounts used for approvals and notifications
→Shared drives containing client deliverables and PII
→Chat platforms where AI agents post and act on messages

The Identity Problem

The Contractor Problem Meets the AI Agent Problem

The Fix

You Need a Governance Framework Before the Next Connector Ships

The teams that survive this wave are not the ones that ban AI automation. They are the ones that put a lightweight but non-negotiable governance layer in front of every new integration.

A practical AI Integration Governance Framework for a lean team covers four things:

Mandatory Inventory

Before any new MCP server or skill goes live, it is added to a living document that records the exact OAuth scopes, API keys used, data classes touched, owner, and review date. No exceptions.

Scope Standards

Review Checklist

A one-page checklist the person shipping the automation must complete: credential storage method, rotation plan, logging destination, offboarding steps, and blast radius if the token is stolen.

Quarterly Re-validation

The Math

Remediation Is Harder Than Prevention at AI Velocity

The Partner Model

What Professional Security Architecture Actually Looks Like

The Stakes

The Real Cost of "We'll Secure It Later"

If AI Is Writing Your Integrations, Architecture Is Now Your Job

Fixed-scope AI stack audit in three weeks

Complete OAuth, API key, and contractor inventory

AI Integration Governance Framework you can actually use

Month-to-month support with no long-term contracts

Book a Security Architecture Review Explore Our Cybersecurity Services

IRVINE, CA · 17+ YEARS HARDENING LEAN ENVIRONMENTS · MONTH-TO-MONTH AGREEMENTS

When AI Builds Your MCP Connectors:The Security Architecture Vibe Coders Can't Ignore

The New Developer Is an LLM

What MCP and Skills Actually Expose

MCP Servers

Skills and Tool Definitions

The Breach That Started With "Just One More Integration"

How LLMs Make Security Decisions (and Why They Are Terrible at It)

Over-scoped OAuth

Long-lived credentials in generated code

Service accounts created on demand

Missing audit trails

The Attack Surfaces You Are Opening Right Now

Financial Systems (QBO, Bill.com, Banks)

Identity & Directory (Google Workspace, M365)

Operations & PSA Tools

Communication & File Storage

The Contractor Problem Meets the AI Agent Problem

You Need a Governance Framework Before the Next Connector Ships

Mandatory Inventory

Scope Standards

Review Checklist

Quarterly Re-validation

Remediation Is Harder Than Prevention at AI Velocity

What Professional Security Architecture Actually Looks Like

The Real Cost of "We'll Secure It Later"

If AI Is Writing Your Integrations, Architecture Is Now Your Job

When AI Builds Your MCP Connectors:The Security Architecture Vibe Coders Can't Ignore

The New Developer Is an LLM

What MCP and Skills Actually Expose

MCP Servers

Skills and Tool Definitions

The Breach That Started With "Just One More Integration"

How LLMs Make Security Decisions (and Why They Are Terrible at It)

Over-scoped OAuth

Long-lived credentials in generated code

Service accounts created on demand

Missing audit trails

The Attack Surfaces You Are Opening Right Now

Financial Systems (QBO, Bill.com, Banks)

Identity & Directory (Google Workspace, M365)

Operations & PSA Tools

Communication & File Storage

The Contractor Problem Meets the AI Agent Problem

You Need a Governance Framework Before the Next Connector Ships

Mandatory Inventory

Scope Standards

Review Checklist

Quarterly Re-validation

Remediation Is Harder Than Prevention at AI Velocity

What Professional Security Architecture Actually Looks Like

The Real Cost of "We'll Secure It Later"

If AI Is Writing Your Integrations, Architecture Is Now Your Job

When AI Builds Your MCP Connectors:
The Security Architecture Vibe Coders Can't Ignore

When AI Builds Your MCP Connectors:
The Security Architecture Vibe Coders Can't Ignore