{
  "docId": "019dd923-5e88-73ef-bd5d-47815abb602b",
  "docSlug": "485b1e996a637b43",
  "documentTitle": "2025 AI Agents and the Model Context Protocol",
  "authorId": "BCG",
  "authorName": "BCG",
  "documentKindSlug": "consulting-deck",
  "documentKindLabel": "Consulting deck",
  "sourceTypeSlug": "strategy_consulting",
  "sourceTypeLabel": "Strategy consulting",
  "presentationDate": null,
  "orientation": "landscape",
  "aspectRatio": 1.778,
  "pageNumber": 24,
  "pageCount": 37,
  "prevPage": 23,
  "nextPage": 25,
  "slideType": "risk_register",
  "function": "diagnose",
  "density": "dense",
  "nDataPoints": 0,
  "notes": "The slide uses a numbered list to map specific risks to a system architecture diagram.",
  "elementsJson": [
    "headline_text",
    "numbered_list",
    "process_diagram",
    "callout_box",
    "footnote"
  ],
  "metadataConfidence": 1,
  "imagePath": null,
  "slideHref": "/slides/019dd923-5e88-73ef-bd5d-47815abb602b/24",
  "deckHref": "/decks/019dd923-5e88-73ef-bd5d-47815abb602b",
  "deckJsonHref": "/decks/019dd923-5e88-73ef-bd5d-47815abb602b.json",
  "deckAnchorHref": "/decks/019dd923-5e88-73ef-bd5d-47815abb602b#slide-24",
  "components": [
    {
      "bbox": {
        "h": 0.25,
        "w": 0.5,
        "x": 0.46,
        "y": 0.65
      },
      "kind": "callout",
      "text": "Treat all tool logic and servers as untrusted. Enforce OAuth + RBAC on every call, and pin tool versions. Isolate trust domains to prevent cross-server hijacks. Log agent reasoning traces, not just outputs. And don't rely on random GitHub code—verify or build your own.",
      "attrs": null,
      "subkind": "primary",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "ecc9d0e9-d44d-41d2-8cb7-d9ab0bf91810",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": null,
      "kind": "callout",
      "text": "Treat all tool logic and servers as untrusted. Enforce OAuth + RBAC on every call, and pin tool versions. Isolate trust domains to prevent cross-server hijacks. Log agent reasoning traces, not just outputs.",
      "attrs": null,
      "subkind": null,
      "toolName": "Visual emphasis",
      "toolSlug": "visual-emphasis",
      "confidence": null,
      "componentId": "019dd952-47c6-7671-887e-b956c895917e",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.55,
        "w": 0.38,
        "x": 0.06,
        "y": 0.25
      },
      "kind": "diagram",
      "text": "Architecture diagram showing Application Front-end, MCP Client, LLM, and MCP Servers",
      "attrs": null,
      "subkind": "process",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "71fd543e-b046-4d93-bea9-a957744a4467",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.35,
        "w": 0.5,
        "x": 0.46,
        "y": 0.25
      },
      "kind": "list",
      "text": "1. Malicious tools can read and access local credentials... 2. Agents can be vulnerable to invisible tool poisoning... 3. Users may see safe summaries... 4. Tool logic can be altered... 5. One compromised MCP server can influence...",
      "attrs": null,
      "subkind": "numbered",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "4d2ca1c0-4a06-40e8-9ff0-02f4d5ffaeb4",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.05,
        "w": 0.5,
        "x": 0.05,
        "y": 0.92
      },
      "kind": "source-note",
      "text": "Source: Anthropic; Invariantlabs; BCG Experience. 1. Secure Shell 2. Role based access control. Illustrated agent tool use risks are applicable to any AI agents and not unique to MCP",
      "attrs": null,
      "subkind": null,
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "eedfb01f-0408-40e1-8183-8a4ce539eaee",
      "frameworkName": null,
      "frameworkSlug": null
    },
    {
      "bbox": {
        "h": 0.05,
        "w": 0.9,
        "x": 0.05,
        "y": 0.09
      },
      "kind": "title",
      "text": "Access to tools creates new risks — security must be foundational, not optional",
      "attrs": null,
      "subkind": "headline",
      "toolName": null,
      "toolSlug": null,
      "confidence": null,
      "componentId": "234afa81-8a95-4f01-ab8b-cb9fad2631b0",
      "frameworkName": null,
      "frameworkSlug": null
    }
  ],
  "metrics": [],
  "tools": [
    {
      "name": "Loss Aversion",
      "slug": "loss-aversion",
      "agent": "Storyteller",
      "layer": "block",
      "matchId": "019dd95a-121f-71e6-8e86-371cc590ee26",
      "evidence": "Frames MCP integration through what could go wrong",
      "confidence": 60
    },
    {
      "name": "Problem-Agitate-Solve (PAS)",
      "slug": "problem-agitate-solve-pas",
      "agent": "Storyteller",
      "layer": "block",
      "matchId": "019dd95a-121f-71e6-8e86-32b27db0c6ae",
      "evidence": "Identifies risk, agitates with prescriptions (OAuth+RBAC, version pinning), prescribes posture",
      "confidence": 60
    },
    {
      "name": "Action Titles",
      "slug": "action-titles",
      "agent": "Architect",
      "layer": "slide",
      "matchId": "019dd95a-121f-71e6-8e86-2a2f9f2a1fbf",
      "evidence": "Title states the rule: 'security must be foundational, not optional'",
      "confidence": 85
    },
    {
      "name": "Emotional Appeal",
      "slug": "emotional-appeal",
      "agent": "Storyteller",
      "layer": "slide",
      "matchId": "019dd95a-121f-71e6-8e86-2e78845bc2b7",
      "evidence": "Language 'untrusted', 'hijacks' invokes risk emotion",
      "confidence": 70
    }
  ],
  "frameworks": [
    {
      "name": "zero-trust-security",
      "slug": null,
      "matchId": "cc5c086a-b11f-404f-a05f-a722ff8808de",
      "evidence": "Treat all tool logic and servers as untrusted",
      "confidence": 0.9
    }
  ],
  "arcBeats": [
    {
      "to": 26,
      "from": 24,
      "beatId": "019dd95a-0682-776c-8e39-f422f49a28f7",
      "arcName": "The Consultant's Gambit",
      "arcSlug": "consultants-gambit",
      "beatName": "Evidence & Proof",
      "beatSlug": "consultants-gambit-evidence-proof",
      "evidence": "Security treatment, A2A coexistence, target-state platform diagram",
      "position": 4,
      "confidence": 82,
      "parentBeatName": "Evidence",
      "parentBeatSlug": "evidence"
    },
    {
      "to": 27,
      "from": 18,
      "beatId": "019dd95a-0682-776c-8e3a-0662ddf93f56",
      "arcName": "The Triple Take",
      "arcSlug": "triple-take",
      "beatName": "The Action (Now What)",
      "beatSlug": "triple-take-the-action-now-what",
      "evidence": "Section 04 + key points prescribe MCP-based enterprise build",
      "position": 3,
      "confidence": 55,
      "parentBeatName": "Resolution",
      "parentBeatSlug": "resolution"
    }
  ],
  "loops": [
    {
      "to": 26,
      "from": 24,
      "name": "Pre Mortem",
      "slug": "19-pre-mortem",
      "bestFor": "Project kick-offs, risk management, building trust with skeptical stakeholders",
      "matchId": "019dd95a-088b-72c8-b7e0-041d413f6f30",
      "evidence": "p24 security risks, p25 A2A protocol fragmentation warning, p26 future architecture mitigation",
      "position": 7,
      "objective": "Surface failure modes and target-state guardrails",
      "structure": "The Future Disaster (Hypothetical) -> What Went Wrong -> The Prevention Plan",
      "confidence": 62,
      "description": "Build trust by anticipating failure modes before they happen and solving them in advance"
    }
  ],
  "imagePathAlt": null,
  "thumbSrc": null,
  "thumbSrcAlt": null,
  "locked": true
}