The short answer

Use MCP, but never point it at raw tables with a shared credential. Put a governed MCP server between Claude and your data: per-user permissions, masked PII, defined metrics, logged reads. Same protocol, defensible risk.

MCP (Model Context Protocol) is the open standard Anthropic released so that Claude and other AI tools can connect to outside systems: databases, SaaS apps, file stores. If you have seen "Claude MCP" trending, this is why. It turns Claude from a chat window into something that can read your actual data and act on your actual tools.

The tutorials all show the same happy path: install an MCP server, point it at your database, watch Claude answer questions about your data. Thirty seconds to superpowers. For a side project, that is genuinely all there is to it.

For a company, that thirty-second setup is the problem.

What the quickstart connects, exactly

A stock database MCP server typically gets a connection string. That connection string carries the permissions of whoever set it up, which in practice is often a developer account with broad read access. From that moment, anything the model requests inside those permissions, it gets. Every table. Customer PII. Salary data if it can see it. The prompt asks a friendly question; the query underneath is whatever the model decides to write.

Three specific gaps make this an enterprise incident waiting for a date:

No access boundary. The AI inherits one big credential instead of the asking user's permissions. Your row-level security, your role model, all bypassed by design.

No audit trail. When the compliance team asks what the AI read last quarter, a raw MCP connection has no answer. There is no log binding a person, a question, a query, and the data that left.

No semantic guardrails. Ask two analysts what "revenue" means and you get three answers. Ask a model connected to raw tables and you get a fourth, computed confidently from the wrong column.

The governed pattern

Enterprises that run MCP well all converge on the same shape: the AI never touches the database directly. It talks to a governed MCP server that sits in between, and that server enforces four things on every single request.

Permissioned access, per user. Queries execute with the asking user's rights, not a service account's. If Priya cannot see the salaries table in the BI tool, Claude answering Priya cannot see it either.

A data model, not raw tables. The AI queries business definitions: what a customer is, how revenue is computed, which fields are canonical. Answers come from your numbers instead of the model's guess at your schema.

PII masked before the model. Personal data is masked or blocked before it reaches the model context, and residency rules apply to AI reads the same way they apply to any export.

Everything logged. Who asked, what was queried, what left, with lineage from source to answer. When the auditor asks, the answer is an export, not an investigation.

This is the difference between an MCP server and an enterprise MCP server. Same protocol, same Claude on the other end, entirely different risk profile.

Setting it up without regret

A sane rollout order, learned from teams who did it the other way first:

1. Inventory the demand. Which teams want Claude on which data? Usually it is three or four datasets doing most of the work: sales pipeline, product usage, finance summaries.

2. Put definitions in front of tables. Even a thin semantic layer beats raw schema access. If a metric matters, define it once, centrally, before any model queries it.

3. One governed door. Route every AI data connection, Claude, ChatGPT, agents, through a single MCP endpoint with access checks, masking, and logging. One place to control, one place to audit. This is exactly what Clarista provides, and every read feeds the same compliance evidence trail as our code checks.

4. Start read-only. Write access through MCP is a different risk class. Earn confidence with reads first.

If your engineers are already rolling out Claude Code across the team, the same logic applies on the data side: the tool is excellent, the governance is your job.

Questions teams ask

Is MCP itself secure?

The protocol is fine. It is transport and structure. The security question lives entirely in what the server on your side allows, logs, and masks. MCP security is server-side governance, not protocol choice.

Does this work with ChatGPT too?

Yes. MCP has become the common standard, and a governed MCP server serves Claude, ChatGPT, and any MCP-compatible client through the same controls.

What about agents, not just chat?

Agents make governance more urgent, not less: they query without a human reviewing each request. Per-user permissions, masking, and logging on the MCP layer is what makes agent data access defensible.

Related reading

Claude Code for the enterprise. The other half of the story: governing the code Claude writes, not just the data it reads

Why every analytics platform needs an MCP server. The architectural case, written before MCP was fashionable

The Claude Certified Architect exam. MCP integration is 18% of Anthropic's new certification; here is what it tests.

Clarista's governed MCP server. How the governed door works in the product: access, definitions, masking, logging