MCP – The new risk in the system: Opportunities and threats for tax firms
Since the OpenAI Dev Day and Microsoft Build 2025, a term has been on everyone's lips that has the potential to profoundly change the way we work digitally: MCP – Model Context Protocol. What at first glance sounds like just another technical standard is, in fact, a strategic turning point in the interplay between AI and business applications. But with this new openness comes new dangers – especially in data-sensitive areas like tax consulting.
What is MCP?
MCP is an open protocol developed to connect AI models directly to tools, applications, and data sources—without manual bridges or API tinkering. The idea: An AI system shouldn't just passively answer questions, but should be able to actively use tools. GPT can therefore not only "know" but also act—for example, search emails, open files, or query external data sources.
What does this mean in practice? If an AI system is granted access to a mailbox, CRM, or DMS via MCP, it can perform actions independently—for example, searching for missing invoices or rescheduling appointments. This revolutionizes processes, but also poses control risks that previously didn't exist.
Tax advice: Between efficiency and loss of control
We're currently experiencing a wave of automation in tax consulting – from document recognition and dunning to AI-supported financial analysis. MCP seems to be a perfect fit here: AI gains access to a mailbox, detects gaps in documents, contacts clients, or supplements an electronic file.
But this is precisely where the problem lies: access is not selective – but systemic.
Once the connection is active, the AI itself decides when to call which function. A plug-in originally intended for document verification could suddenly have access to emails containing other clients' payroll slips, bank statements, or private documents – simply because the technical possibility exists. Separation by client, role, or professional context? Not planned. The AI uses what it can – at any time.
For those subject to professional secrecy under Section 203 of the German Criminal Code (StGB), this means that GDPR-compliant use is not possible without additional technical security measures. A client's consent does not cover full access to the entire system—nor does it cover the autonomous behavior of an AI.
What to do?
MCP is not a mistake—quite the opposite: It's a groundbreaking architecture that can simplify our digital lives. But it must be used consciously and securely:
- Access only via separate service accounts with minimal rights
- Use of API gateways or reverse proxies to release only selected functions
- DPIA (Data Protection Impact Assessment) for each real MCP integration
- Sandboxing and logging to ensure traceability of AI activities
Two fundamentally different directions – with one crucial difference
What many people overlook: There is a huge difference between M365 (e.g. Copilot) accessing external tools via MCP and an external AI gaining access to your M365 via MCP.
- In the first case: controllable, role-based, auditable, and secure via Entra ID and Microsoft Purview.
- In the second case – especially in the OpenAI environment: uncontrollable, without separation of roles, without logging, without protection against misuse.
- Especially in the OpenAI plugin ecosystem, it's currently possible for a single click by an employee to grant an AI unnoticed access to mailboxes, OneDrive directories, or client files. Without any protective mechanisms, without client separation, and without any awareness of the implications.
- This is a horror scenario for data protection, client confidentiality and compliance.
We help before things become critical
We specialize in supporting law firms and sensitive organizations with precisely these challenges – be it with:
- Raising awareness and training your teams,
- technical implementation of secure AI access,
- or as an external CTO and Data Protection Officer (DPO), bringing together legal, technical and strategic aspects.
📩 Feel free to contact us for a non-binding initial consultation – before someone else does.
