
MCP Protocol Goes Enterprise: Agent Infrastructure Accelerates Faster Than Security Matures

Model Context Protocol, adopted by Microsoft as an enterprise standard, enables any agent to automate business processes via Power Apps MCP (Feb 2026 preview). Simultaneously, the ClawHub incident reveals AI supply chain attacks via malicious agent skills. Gartner projects 40% of enterprise apps will have AI agents by end 2026 -- an 8x growth rate that outpaces immature security infrastructure.

TL;DR
  • MCP (Model Context Protocol), created by Anthropic only 15 months ago, has already been adopted by Microsoft as the standard enterprise agent interoperability layer
  • Power Apps MCP Server (public preview Feb 2026) and Dataverse MCP Server (GA) enable any MCP-compatible agent to automate business processes with natural language access to business data
  • The ClawHub incident demonstrates real-world AI supply chain attacks: malicious agent skills injecting code into agent workflows, analogous to npm supply chain attacks but with broader impact
  • Microsoft's backdoor scanner validates only up to 14B parameters on open-weight models, leaving enterprise-deployed API models (GPT-5, Claude, Gemini) completely opaque
  • Gartner projects 40% of enterprise applications will feature AI agents by end 2026 (up from <5% in 2025) -- an 8x growth rate while security maturity remains nascent
Tags: MCP, enterprise, agents, security, supply-chain | 6 min read | Feb 21, 2026 | Impact: High

MCP: From Research Protocol to Enterprise Standard in 15 Months

Model Context Protocol, released by Anthropic in November 2024 as a tool integration standard for Claude Desktop, has been adopted by Microsoft as the interoperability layer for enterprise AI agents within an astonishingly compressed timeline:

  • November 2024: Anthropic releases MCP specification
  • July 2025: Microsoft Dataverse MCP Server reaches GA
  • December 2025: Copilot Studio adds MCP server support; GitHub Copilot integrates Dataverse MCP in VSCode
  • December 2025: Microsoft begins charging external agents for Dataverse MCP access (monetization begins)
  • February 2026: Power Apps MCP Server enters public preview

The result: any MCP-compatible agent -- Copilot Studio, GitHub Copilot, Claude Desktop, or custom-built agents -- can now insert, update, read, and search records in Microsoft Dataverse using natural language. The Power Apps MCP extends this to automating tasks inside business applications (data entry, record creation, document reading) with a human-in-the-loop agent feed providing side-by-side comparison views.

The Security Implications Are Structural

The enterprise agentic surface area is expanding dramatically while security tooling lags. Three data points converge to reveal this gap:

1. The ClawHub Incident

A public AI agent skills registry was found to contain malicious skills that injected code into agent workflows. This is the AI equivalent of npm supply chain attacks -- except the attack surface is broader because agents have natural language access to business data, not just code execution. When agents can read and write to Dataverse tables via MCP, a compromised agent skill can exfiltrate business data or corrupt records through natural language interactions that bypass traditional code-level security controls.

The incident demonstrates that the agent skill ecosystem requires the same supply chain security infrastructure that took npm years to develop -- and enterprise agents are being deployed before those protections exist.

Enterprise Agent Deployment vs Security Maturity

Key metrics showing the gap between agentic deployment velocity and security infrastructure readiness

  • 40%: Enterprise apps with AI agents (2026 Gartner), up from <5% in 2025
  • 4+: MCP-compatible agent types (Copilot, Claude, GitHub, custom)
  • 14B params: Backdoor scanner maximum validated model size; enterprise deployments use 30-70B
  • 0: API models independently scannable (GPT-5, Claude, Gemini opaque)

Source: Gartner, Microsoft, CSO Online

2. Microsoft's Backdoor Scanner Limitations

Microsoft's own LLM backdoor scanner, published simultaneously, can detect sleeper agent behaviors in open-weight models. But it is limited in three critical ways:

  • (a) It only works on open-weight models (cannot scan the API models most enterprises use)
  • (b) It has only been validated up to 14B parameters (many enterprise deployments use 30-70B models)
  • (c) Distribution-output backdoors (subtle biases, insecure code generation) are harder to detect than deterministic triggers

The most widely deployed enterprise models (GPT-5, Claude, Gemini) are precisely the models that cannot be independently scanned for backdoor behaviors.

3. The DLP Inheritance Question

Microsoft's Power Apps MCP inherits existing Virtual Network integration, DLP (Data Loss Prevention) policies, and authentication controls from the Power Platform Connector infrastructure. This is pragmatic but raises a critical question: DLP policies designed for human-initiated data flows may not map cleanly to agent-initiated data flows.

An agent that reads 10,000 records to summarize a dataset creates a different DLP profile than a human reading individual records. The governance frameworks are designed for human-scale interaction patterns, not agent-scale automation. Enterprise security teams will need to redesign DLP policies for agentic access patterns -- a task that is just beginning.

The 40% Adoption Projection Creates Urgency

Gartner projects 40% of enterprise applications will feature AI agents by end 2026, up from less than 5% in 2025. This 8x growth in agentic surface area is happening against a security infrastructure that was designed for the pre-agent paradigm. The IASR 2026 report explicitly catalogs AI tools being sold in underground marketplaces -- the offense-side ecosystem is mobilizing alongside the legitimate enterprise deployment.

Microsoft's strategic calculation is clear: capture the agentic infrastructure layer through MCP standardization, inherit enterprise security controls from existing Power Platform governance, and monetize through consumption-based pricing for external agents while keeping Microsoft ecosystem agents (Copilot) frictionless. This is the same platform strategy Microsoft executed with Azure, Office 365, and Teams -- but the security stakes are higher because agents have data access capabilities that exceed what any individual human user would have.

MCP Protocol: Research Tool to Enterprise Standard in 15 Months

The trajectory from Anthropic research protocol to Microsoft enterprise infrastructure standard

  • 2024-11: Anthropic releases MCP spec. Protocol for Claude Desktop tool integration
  • 2025-07: Dataverse MCP Server GA. Microsoft's data layer becomes MCP-accessible
  • 2025-12: Copilot Studio + GitHub MCP. MCP support added to Microsoft's AI orchestration tools
  • 2025-12: MCP monetization begins. External agents charged for Dataverse access
  • 2026-02: Power Apps MCP preview. Business application layer opens to any MCP agent
  • 2026-02: ClawHub incident. Malicious skills in public agent registry -- real-world attack

Source: Microsoft Power Platform Blog, The Hacker News, Anthropic

The Protocol Standardization Implications

MCP's adoption by Microsoft creates a de facto standard for agent-to-application communication. This has positive and negative implications:

Positive: Interoperability and Multi-Model Deployment

Interoperability means enterprises are not locked into a single AI provider. Claude, GPT-5, and custom models can all operate through MCP, creating genuine multi-model deployment options. The agent feed's human-in-the-loop design provides the audit and approval workflow that enterprise compliance requires.

Negative: Standardized Attack Surface and Economic Incentives

Protocol standardization also standardizes the attack surface. A vulnerability in an MCP implementation affects every agent that uses it. The charging model (external agents pay, Microsoft agents free) creates an economic incentive for enterprises to prefer Copilot over third-party agents, even when third-party models may be technically superior for specific tasks. The 'vendor lock-in through infrastructure' pattern recurs.

What This Means for Engineering Teams

Organizations deploying MCP-based agents should implement multi-layer defense:

  • Agent-workflow-level monitoring: Beyond model-level scanning, monitor agent workflows for unusual data access patterns (sudden spike in record reads, writes to unexpected tables)
  • Audit DLP policies for agent patterns: Redesign DLP policies specifically for agent interaction patterns, not just human data flows
  • Vet third-party agent skills rigorously: Treat agent skill registries with the same skepticism you would apply to npm packages -- verify source, audit code, test in isolated environments
  • Human-in-the-loop for sensitive operations: Use the Power Apps agent feed for all write operations to business-critical data, requiring human approval before execution
  • Implement gradual rollout: Pilot agent deployment in non-critical workflows first, monitor for security incidents, then expand to mission-critical operations
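One way to do the agent-workflow-level monitoring called for above, covering both the read-volume pattern from the DLP discussion (an agent pulling thousands of rows where a human would read individual records) and writes to unexpected tables. This is an added example, not Microsoft's or the page's own code: the tool names read/search/insert/update follow the Dataverse MCP operations named earlier, while the JSON log fields, the per-agent policy, the thresholds and the sample events are assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Policy is an assumption for this example: which tables each agent may write,
# and how many rows an agent may read within a sliding window before its access
# looks like agent-scale bulk extraction instead of human-scale lookups.
POLICY = {
    "write_allow": {"copilot-sales": {"opportunity"}, "claude-desktop": set()},
    "read_rows_per_window": 1000,
    "window_seconds": 300,
}
WRITE_TOOLS = {"insert", "update"}   # Dataverse MCP write operations
READ_TOOLS = {"read", "search"}      # Dataverse MCP read operations


def detect(lines, policy=POLICY):
    """Scan JSON-per-line MCP tool-call logs; return (agent, finding) tuples."""
    findings = []
    reads = defaultdict(list)  # agent -> [(ts, rows)] inside the current window
    for line in lines:
        ev = json.loads(line)  # assumed fields: ts, agent, tool, table, rows
        agent, tool, table = ev["agent"], ev["tool"], ev["table"]
        # Writes outside the agent's allow list: a compromised skill corrupting
        # or staging data in tables the workflow was never meant to touch.
        if tool in WRITE_TOOLS and table not in policy["write_allow"].get(agent, set()):
            findings.append((agent, f"write to unexpected table '{table}' via {tool}"))
        if tool in READ_TOOLS:
            window = reads[agent]
            window.append((ev["ts"], ev["rows"]))
            while window and ev["ts"] - window[0][0] > policy["window_seconds"]:
                window.pop(0)  # expire events older than the sliding window
            total = sum(rows for _, rows in window)
            if total > policy["read_rows_per_window"]:
                findings.append((agent, f"read volume spike: {total} rows in {policy['window_seconds']}s"))
                window.clear()  # one burst produces one finding
    return findings


SAMPLE_LOG = [  # constructed events, not real telemetry
    '{"ts": 1000, "agent": "copilot-sales", "tool": "read", "table": "contact", "rows": 1}',
    '{"ts": 1010, "agent": "copilot-sales", "tool": "update", "table": "opportunity", "rows": 1}',
    '{"ts": 1020, "agent": "claude-desktop", "tool": "search", "table": "contact", "rows": 400}',
    '{"ts": 1040, "agent": "claude-desktop", "tool": "search", "table": "contact", "rows": 400}',
    '{"ts": 1060, "agent": "claude-desktop", "tool": "search", "table": "account", "rows": 400}',
    '{"ts": 1070, "agent": "claude-desktop", "tool": "update", "table": "account", "rows": 1}',
    '{"ts": 2000, "agent": "copilot-sales", "tool": "read", "table": "contact", "rows": 900}',
]

if __name__ == "__main__":
    for agent, finding in detect(SAMPLE_LOG):
        print(f"{agent}: {finding}")
```

The single-row read and the 900-row read an hour apart pass as human-scale access; three 400-row searches inside five minutes and the write to a table outside the allow list are the two findings raised.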

Adoption Timeline

  • Power Apps MCP public preview: Now (US-first rollout, Feb 2026)
  • Power Apps MCP GA: Expected within 3-6 months
  • Enterprise security frameworks for agentic workloads: 6-12 months to mature
  • Agent-specific DLP policies: Available now through Power Platform but require customization for agent-specific access patterns

Competitive Implications

  • Microsoft: Captures the enterprise agentic infrastructure layer through MCP standardization, creating lock-in through infrastructure rather than model capability
  • Anthropic: Benefits indirectly -- MCP is their protocol -- but Microsoft captures the enterprise monetization opportunity
  • OpenAI: Enterprise play lacks equivalent infrastructure depth; GPT-5 faces integration friction outside OpenAI's ecosystem
  • Salesforce and SAP: Face competitive pressure to adopt MCP or develop competing agent integration standards

Contrarian View

The security concerns may be overstated. Enterprise deployment of agents with MCP follows the same pattern as enterprise API adoption a decade ago -- initial security gaps were addressed iteratively as deployment experience accumulated. DLP policies will be adapted for agent interaction patterns. The human-in-the-loop agent feed provides a meaningful safety layer. The ClawHub incident, while concerning, was detected and disclosed -- indicating the security community is already monitoring these vectors. The greater risk may be enterprises delaying agent adoption (losing competitive advantage) due to overweighted security concerns rather than deploying and iterating.
