Key Takeaways
- Model Context Protocol, or MCP, is an open standard for connecting AI tools to external systems and data sources.
- For CFOs, the important shift is not the acronym. It is AI moving from uploaded spreadsheets to live ERP, billing, spend and ledger context.
- Stripe, Digits and Microsoft Dynamics 365 now have public MCP-related documentation or announcements. Spendesk has already framed the issue for finance teams.
- MCP does not make finance AI safe by itself. It makes identity, access scope, approval workflows and audit trails more important.
- The right vendor question is not "Do you have AI?" It is "What can the AI read, what can it change and where is the evidence?"
Your next finance software demo may include a new acronym: MCP. Do not let the vendor keep it in the engineering lane.
Model Context Protocol is a way for AI tools to connect to other systems. For a finance team, that could mean billing data in Stripe, ledger data in Digits, ERP data in Microsoft Dynamics 365 or spend data in a platform like Spendesk. The finance implication is simple: AI is moving closer to live business records instead of waiting for someone to upload a spreadsheet.
That makes MCP useful. It also makes it a control question.
What is MCP in plain English?
Model Context Protocol gives AI applications a standard way to connect with approved tools, records and data sources outside the chat window.
Anthropic introduced MCP in November 2024 as a way to connect assistants to content repositories, business tools and development environments. The official MCP documentation describes it as a common connection layer for AI applications.
Think of it less like a new finance app and more like a connector standard. An AI assistant can use an MCP server to ask another system for approved context or to call an allowed function. The server sits between the AI tool and the source system.
The useful part is standardization. Before MCP, every AI tool needed custom integrations for every system. With MCP, a vendor can expose a controlled set of tools and data in a way many AI clients can understand.
The risky part is also standardization. Once a connection pattern becomes easier, more vendors will ship it quickly. CFOs should not wait for the security team to discover the acronym after the pilot is live.
Why should a CFO care before the next vendor call?
CFOs should care because MCP moves AI from static files toward live finance systems, changing both the value case and the control burden.
A spreadsheet upload is clumsy, but bounded. The file is static. It may be stale, but at least the scope is visible. A live connection can be more useful because the AI can retrieve current invoices, customers, purchase orders, account balances or vendor records. It can also create a wider blast radius if the permissions are loose.
This is why MCP belongs in vendor due diligence. If a finance platform says its AI can work across your stack, the next question is not whether the demo looks polished. The next question is what system of record the AI can reach and under whose authority.
Nexairi has already covered the broader AI ROI measurement problem for CFOs in How to Measure AI ROI as a CFO. MCP sits one layer underneath that problem. If the data connection is weak, the ROI case will be weak too.
Which finance vendors are already moving in this direction?
MCP is no longer only a developer topic. Several finance-relevant vendors have already made public moves.
Stripe documents an MCP server that lets agentic tools interact with Stripe's API through function calls. That can include customers, invoices, refunds, disputes and subscriptions. For a CFO, that means billing and revenue context can become available to an AI workflow if access is approved.
Digits has announced MCP support for AI agents working with ledger data. That matters because ledger context is not the same as a generic spreadsheet. A ledger has accounts, classifications, transaction history and audit implications. Nexairi covered Digits' separate move into ledger-native schedules in Digits Puts Accrual Schedules Inside the General Ledger. MCP points to the next step: agents interacting with that context.
Microsoft Dynamics 365 has a release plan for an MCP server for finance and operations apps. The stated business value is helping copilots and agents access live ERP context. That is the phrase CFOs should notice: live ERP context.
Spendesk has already explained MCP for finance teams, using examples such as payables, suppliers and purchase orders. Spendesk is a vendor, so its framing is naturally product-adjacent. But the underlying signal is useful: finance operations teams are close enough to MCP that CFO media should not treat it as a niche protocol.
Is MCP just another API?
Not exactly, but CFOs do not need to overlearn the technical distinction to ask better questions.
An API lets software systems exchange data or trigger actions. MCP is a standard way for AI applications to discover and use tools or context exposed by a server. In plain English: APIs are the old plumbing. MCP is a new connection pattern designed around AI assistants and agents.
The practical distinction is what the user experience looks like. Instead of a finance analyst exporting billing data, cleaning it in Excel and pasting it into a chatbot, an AI assistant may ask an MCP server for the relevant billing data directly. That can save time and reduce spreadsheet drift. It can also hide the access path unless the vendor surfaces logs clearly.
For finance leaders, the control test is the same either way. Who authorized the access? What was read? What action was taken? Could the AI write back to the system? Could the user approve before anything changed? Could an auditor reconstruct the sequence later?
What can go wrong when AI gets live financial context?
The main MCP risk is not that the protocol exists. The risk is vendors shipping live-system access faster than finance teams update their controls.
The official MCP authorization specification uses OAuth 2.1 mechanisms for authorization. That is a good sign because it points toward familiar enterprise identity patterns. But a standard does not guarantee a safe implementation. GitHub Security Lab published MCP server hardening guidance in May 2026, warning developers to think carefully about token handling, server-side request forgery and prompt injection.
Independent security researchers have also started flagging MCP implementation risks. Some of that research is early and focused on open-source servers, not every enterprise deployment. Still, the direction is clear: when AI tools get connected to more systems, the attack surface grows.
Finance teams should pay attention to four failure points.
| Failure Point | What It Means | CFO Question |
|---|---|---|
| Overscoped access | The AI can read more records than the user actually needs. | Can access be limited by role, entity, department and workflow? |
| Weak approval gates | The AI can suggest or perform actions without a clear human signoff step. | Which actions require approval before anything changes in the system? |
| Poor audit logging | The team cannot reconstruct what the AI read, returned or changed. | Can we export logs showing prompt, source, action, reviewer and timestamp? |
| Unclear pricing and support | MCP access may create new usage costs, implementation work or support tiers. | Does MCP access change our contract, support level or security review? |
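The first three failure points in the table, shown as an added example that is not code from the article or from any vendor it names: a minimal tool gateway that handles a request in the JSON-RPC shape of MCP's tools/call, enforcing role and entity scope on reads, a human approval gate on writes, and an audit record for every request. The invoice data, roles, user ids and tool names are constructed, and the code does not use the official MCP SDK.

```python
# Added example: a simplified MCP-style tool gateway with finance controls.
# Constructed data only; not the official MCP SDK or any vendor's server.
import json
from datetime import datetime, timezone

# Constructed records standing in for a billing system of record.
INVOICES = {"INV-1001": {"customer": "Acme", "entity": "US", "amount": 1200.0, "status": "open"}}

# Tool catalogue: each tool declares whether it writes and which roles may call it.
TOOLS = {
    "get_invoice": {"writes": False, "roles": {"analyst", "controller"}},
    "issue_refund": {"writes": True, "roles": {"controller"}},
}

AUDIT_LOG = []  # append-only; a production deployment would ship this to a log sink

def handle_tools_call(request, user, approver=None):
    """Handle a JSON-RPC request shaped like MCP tools/call.
    user: {"id", "role", "entities"}; approver: id of the human who signed off
    (required for any tool that writes). Every outcome is audited, denials included."""
    name = request["params"]["name"]
    args = request["params"].get("arguments", {})
    tool = TOOLS.get(name)
    record = {"ts": datetime.now(timezone.utc).isoformat(), "user": user["id"],
              "tool": name, "args": args, "approver": approver, "result": None}
    try:
        if tool is None:
            raise PermissionError(f"unknown tool {name}")
        if user["role"] not in tool["roles"]:
            raise PermissionError("role not allowed to use this tool")
        inv = INVOICES.get(args.get("invoice_id"))
        if inv is None or inv["entity"] not in user["entities"]:
            # Row-level scope: an out-of-entity invoice is indistinguishable from a missing one
            raise PermissionError("invoice not in caller's scope")
        if tool["writes"] and not approver:
            raise PermissionError("write requires human approval")
        if name == "issue_refund":
            inv["status"] = "refunded"  # the only state change this gateway can make
        record["result"] = "ok"
        return {"jsonrpc": "2.0", "id": request["id"],
                "result": {"content": [{"type": "text", "text": json.dumps(inv)}]}}
    except PermissionError as e:
        record["result"] = f"denied: {e}"
        return {"jsonrpc": "2.0", "id": request["id"],
                "error": {"code": -32001, "message": str(e)}}
    finally:
        AUDIT_LOG.append(record)
```

Each audit record carries the user, tool, arguments, approver and timestamp, which is the evidence set the table's third row asks vendors to export.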
This is the same pattern Nexairi flagged in Xero and QuickBooks Are Moving AI Into Client Data. AI features become finance governance issues when they touch real client or company records.
What should CFOs ask vendors now?
The best MCP conversation is short, concrete and uncomfortable enough to reveal whether the vendor has done the implementation work.
Start with these questions:
- Do you support MCP today, or is it only on the roadmap?
- Which systems can your MCP server connect to: ERP, billing, AP, spend, payroll, tax, CRM or data warehouse?
- What can the AI read, and what can it change?
- Can access be scoped by role, legal entity, business unit, department and workflow?
- Which actions require human approval before writeback?
- Can we see a full audit trail for AI requests, retrieved records, tool calls, approvals and changes?
- How are OAuth tokens handled, rotated and revoked?
- What happens if a user asks the AI for data they normally cannot access?
- Does MCP access change pricing, support, implementation time or security review?
- Can we disable MCP access without disabling the core product?
That list is intentionally basic. A CFO does not need to debug the protocol. A CFO needs to know whether the vendor can explain access, scope, approval and evidence without hiding behind the roadmap.
The real MCP shift is control over context
MCP is easy to oversell because it sounds like a universal connector for AI. The better CFO interpretation is narrower and more useful: MCP is part of the move from static AI prompts to governed live context. The winners will not be the teams that connect everything first. They will be the teams that know which context belongs in the AI workflow, which actions require review and which logs need to survive an audit. In finance, context without control is not intelligence. It is exposure.
How should finance teams audit their stack in the next 30 days?
Finance teams should audit MCP readiness by mapping systems of record, vendor AI access, data sensitivity and approval requirements before pilots begin.
First, list the systems of record your finance team depends on: ERP, general ledger, billing, AP, procurement, payroll, tax, FP&A and data warehouse. Second, identify which vendors have announced MCP support, AI agents or live data connectors. Third, classify each system by risk. Reading a vendor directory is not the same as reading bank details, payroll data or unreleased revenue numbers.
Fourth, decide where AI access would actually help. Month-end variance explanation, invoice lookup, customer billing analysis and spend policy questions are plausible use cases. Posting journal entries, changing payment instructions and approving refunds should require stronger controls or stay out of scope until the evidence trail is mature.
Finally, update the AI vendor review checklist. MCP should sit next to SOC reports, data retention, subprocessors, model training policy and incident response. Nexairi's AI Compliance Tools for CFOs explains the broader governance layer. MCP is the connector detail that now belongs inside that review.
The CFO takeaway is simple: MCP is not something to fear, but it is something to govern. If vendors can show tight scope, clear approvals and exportable logs, MCP can make finance AI more useful. If they cannot, the feature is not ready for your live books.
Sources
- Anthropic - Introducing the Model Context Protocol
- Model Context Protocol Documentation - Introduction
- Model Context Protocol Specification - Authorization
- Spendesk - What Is MCP and What Does It Mean for Finance Teams?
- Stripe Docs - Model Context Protocol Server
- Digits - Introducing Digits MCP
- Microsoft Dynamics 365 Release Plan - Use MCP Server for Finance and Operations Apps
- GitHub Security Lab - How to Secure Your MCP Server
- Pillar Security - Security Risks of Model Context Protocol