AI PM Skills
Back to library

MCP Integration Evaluation and Specification

MCP (Model Context Protocol) is the emerging standard for giving AI agents access to tools, data, and services. For AI PMs, MCP is both an opportunity and a decision: which tools does your AI need, should you build MCP servers or use existing ones, and what requirements must an MCP integration meet before it's safe to give an agent access to it?

---

Context

What MCP is (PM-level explanation):

MCP is a protocol that lets an AI model call external tools — databases, APIs, file systems, services — in a standardised way. An MCP server exposes capabilities (tools, resources, prompts) that an AI client can discover and use.

The three MCP capability types:
TypeWhat it isExample
ToolsFunctions the AI can callsearch_database(query), send_email(to, subject, body)
ResourcesRead-only data the AI can accesscustomer_record/{id}, knowledge_base/docs
PromptsPre-built prompt templates the AI can invokesummarize_meeting_notes, generate_report

---

Step 1 — Define the capability requirements

Map each system the agent needs: read/write access, trust level (internal vs. third-party), and risk if misused.

Step 2 — Evaluate build vs. use existing MCP servers

For each system, check if existing MCP servers meet criteria: correct tools exposed, actively maintained, documented security, principle of least privilege, acceptable cost. Score ≥ 4/5 → use existing; < 4 → build.

Step 3 — Specify MCP tool requirements

Per tool: name, description, system, action type, risk classification, input/output schemas, error responses, agent access rules, and rate limits.

Step 4 — Define MCP server trust and security requirements

Authentication, data handling, tool isolation, prompt injection protection, and third-party server vetting checklist. Assign trust levels: Trusted (internal), Verified (vetted third-party), or Untrusted (never use in production).

Step 5 — Define the integration specification for engineering

Client configuration, tool allow-list (explicit — not "the agent uses what it needs"), tool descriptions for the model, system prompt additions, and testing requirements including prompt injection testing.

Quality check before delivering

Every tool has a risk classification
Tool descriptions are written as the model will see them
Prompt injection risk is addressed for every server returning user-generated content
Third-party servers are assessed against the vetting checklist
Tool allow-list is explicit
Testing requirements include prompt injection testing
Suggested next step: Write the tool descriptions for the model before writing the implementations. The description is what the AI reads to decide when and how to use each tool. Vague descriptions produce unpredictable tool use.