The Shift in AI Agent Operations

If you’ve been watching the AI agent space, we’re already past the “can an agent call a tool?” phase.

That’s becoming table stakes.

MCP changed the conversation because it gave agents a standard way to discover tools, understand interfaces, and invoke them without custom glue code every time. That was a real step forward.

But once you move beyond the demo, the real question shows up fast:

Who manages all of this in production?

Not one MCP server. Dozens of them. Market data tools, risk systems, compliance services, internal ops tools, vector search, document systems, deployment pipelines. Different teams, environments, credentials, and policies.

That’s why I think the next phase of the AI agent ecosystem is not just “more MCP.” It’s MCP plus a control plane.

And in financial systems, that shift matters immediately.

MCP Solved Tool Access. It Didn’t Solve Operations.

MCP is useful because it standardizes invocation.

But protocols don’t solve production operations.

The gap appears as soon as a team asks normal questions:

  • Which MCP servers are approved for production?
  • Which agents can access risk, client, or trading-adjacent systems?
  • How are credentials issued and rotated?
  • How do you separate dev from prod?
  • How do you monitor failures, usage, and unusual behavior?
  • How do you expose tools safely across teams without creating operational risk?

In finance, these are not edge cases. They are the baseline.

Standing up an MCP server is the easy part. The hard part is the lifecycle around it.

What a Real MCP Control Plane Needs

1. Discovery and ownership

Discovery and Cataloging

Teams need to know what MCP servers exist, what they expose, who owns them, and what data or systems sit behind them.

In a bank or asset manager, that matters quickly. An agent that touches trade operations, reconciliations, margin workflows, or research data cannot depend on tribal knowledge and scattered READMEs.

2. Strong identity and scoped access

Scoped Access and Credentials

This is where production gets serious.

A finance agent may need read access to positions, breaks, or operational metrics, but it should not be able to move data across environments or invoke sensitive actions without tight boundaries.

A real operating model needs:

  • strong service identity
  • short-lived credentials
  • scoped permissions
  • user-to-agent delegation
  • auditable access trails

If the MCP layer doesn’t enforce boundaries, it centralizes risk.

3. Policy outside the prompt

Policy Controls and Decision Making

Useful agents make decisions in context. That means policy cannot live only in prompts.

You need hard controls.

Examples:

  • An operations agent can open an exception ticket, but cannot update books and records.
  • A compliance agent can summarize surveillance results, but cannot suppress alerts.
  • A support agent can query client-facing status data, but cannot touch production trade flows.

MCP defines how a tool is invoked. A control plane decides whether it is allowed, under what conditions, and with what audit trail.

4. Observability and data awareness

Full Visibility and Health

In financial systems, failures rarely stay isolated.

A schema change in a downstream feed, stale reference data, expired credentials, or a malformed file can all look like “the agent failed,” when the real issue is deeper in the stack.

You need to know:

  • which tool was called
  • by which agent
  • against which data source
  • with what result
  • how long it took
  • how it failed

And you need the data layer to be part of the architecture, not an afterthought.

That means profiling, validation, transformation, data platform operations, vector ingestion, query, and error explanation need to be operationally visible to agents and humans.

In practice, the systems that win will combine MCP-style tool access with a strong control plane and data-native operations underneath it.

What Teams Should Do Now

If you’re building agent systems in finance, I’d keep it simple:

  1. Standardize on MCP, but don’t stop there.
  2. Treat discovery, identity, and policy as core architecture.
  3. Make the data layer agent-readable and observable.
  4. Separate dev and production aggressively.
  5. Invest early in auditability and operational controls.

The next winners in AI agents will not just have more tools.

They’ll have better operating models.

If you’re building agent systems that need a serious data foundation underneath them, take a look at the Datris Platform OSS repo or visit datris.ai.

Todd Fearn is the founder of Datris.ai and has spent 25+ years building data infrastructure and AI solutions across financial services, healthcare, and enterprise, from Goldman Sachs and Bridgewater Associates to Deutsche Bank, Freddie Mac, and beyond.