PwC adds support for Model Context Protocol in agent OS

May 16, 2025

Matt Wood

Commercial Technology & Innovation Officer, PwC US

Today, we are announcing support for the Model Context Protocol (MCP) in PwC’s agent OS—unlocking a secure, scalable way for AI agents to access the tools and data they need to act. This integration bridges two critical layers of enterprise AI: intelligent agents and the systems they rely on to deliver real outcomes.

Connecting AI agents to action

As organizations scale their AI efforts, agent-based systems have become the preferred model for embedding intelligence into business workflows. These agents can reason, act and, when orchestrated effectively, collaborate to solve complex tasks.

But to move from experimentation to execution, agents need more than intelligence. They need structure. That means three things: governance, orchestration, and access. Agent OS already provides the first two. With the addition of MCP, it now offers the third—secure, standardized access to enterprise tools.

New capabilities through MCP

This integration unlocks a set of core capabilities that make agent systems more practical to build, easier to manage, and safer to scale. First, it enables reusable tool access across the entire environment. Once an agent system is registered as an MCP server, any authorized agent can make use of it. This eliminates redundant integration work and the overhead of writing custom logic for each new use case.

Second, it accelerates the development process. By standardizing how agents invoke tools and handle responses, MCP simplifies the interface between agents and enterprise systems. This consistency reduces development time, lowers testing complexity, and cuts deployment risk. Teams can spend less time on infrastructure and more time on business logic.

Third, governance is built in from the start. An interaction between an agent and an MCP server is authenticated, authorized, and logged. Access policies are enforced at the protocol level, which means that compliance and control are native to the system—not layered on after the fact. 

Securing tool access at scale

Tool access introduces real risk if it is not governed properly. When agents can take action across systems, it’s essential to confirm those actions are constrained, monitored, and secured. That’s why support for MCP in agent OS is implemented with a three-tiered security architecture designed specifically for enterprise environments—balancing flexibility with control and scale with safety.

1. Rigorous code-level analysis 

Every MCP server, whether developed internally or sourced from a third party, is subject to automated static code analysis and manual review. This process includes scanning for known vulnerabilities using signatures aligned to OWASP Top 10 and SANS Top 25 standards, as well as checking for risks in open-source components. These reviews are embedded in the development life cycle, ensuring that potential issues are identified early—before they reach production—and that code updates are continuously monitored as they evolve. This prevents security flaws from becoming latent risks as your agent network grows.

2. Credentialed safety 

A common weakness in enterprise environments lies in hardcoded credentials—API keys, tokens, passwords—stored in source code or configuration files, where they’re vulnerable to compromise. In agent OS, we eliminate this risk by managing credentials in centralized, encrypted vaults. Credentials are never written to disk or committed to version control. Instead, they’re injected securely into the runtime environment only when needed, and access to them is fully logged. This approach confirms that in the unlikely event of a system breach, credentials remain safeguarded, traceable and governed by policy. 

3. Hardened access control 

Every request from an AI agent to an MCP server is routed through a secured API gateway that enforces strict authentication and fine-grained, role-based authorization. This confirms that only approved users and services—assessed by identity, role and context—can invoke sensitive operations. All activity is logged in real time, providing full visibility into what was accessed, by whom and under what conditions. These safeguards aren’t just defined—they’re tested regularly through red-team exercises and third-party penetration testing that simulate real-world attacks. This confirms that policies are not only well-defined but are resilient under pressure. 
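As an added illustration of the second and third tiers above (credentials injected from a vault only at invocation time, and a gateway that authenticates, authorizes by role and logs every tool call), here is a minimal tool-call gateway in Python. It is example code written for this page, not PwC's agent OS implementation: the HMAC token format stands in for an identity provider's tokens, the in-memory `VAULT` stands in for a secrets manager, and the roles, tool names, policy table and credential values are all constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample data. A real deployment would back these with an identity
# provider, a secrets manager and a SIEM; none of this is PwC's configuration.
TOKEN_SECRET = b"constructed-gateway-signing-key"
VAULT = {"crm-api-key": "constructed-secret-value"}   # never copied into tool config or source
POLICY = {                                            # tool -> roles allowed to invoke it
    "crm.lookup_customer": {"analyst", "admin"},
    "crm.delete_customer": {"admin"},
}
TOOL_CREDENTIAL_REF = {                               # tool -> vault entry it needs
    "crm.lookup_customer": "crm-api-key",
    "crm.delete_customer": "crm-api-key",
}


def issue_token(principal: str, role: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a simple HMAC-signed bearer token (a stand-in for an IdP-issued JWT)."""
    exp = int((now if now is not None else time.time()) + ttl_seconds)
    payload = f"{principal}:{role}:{exp}"
    sig = hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def authenticate(token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Return (principal, role) only if the token is well-formed, correctly signed and unexpired."""
    parts = token.split(":")
    if len(parts) != 4:
        return None
    principal, role, exp, sig = parts
    payload = f"{principal}:{role}:{exp}"
    expected = hmac.new(TOKEN_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):        # constant-time comparison; also rejects a forged role
        return None
    try:
        if int(exp) < (now if now is not None else time.time()):
            return None
    except ValueError:
        return None
    return principal, role


def _lookup_customer(args: Dict, api_key: str) -> Dict:
    # Stand-in for the HTTP call that would send api_key in an Authorization header.
    return {"customer_id": args["customer_id"], "status": "active", "auth_present": bool(api_key)}


def _delete_customer(args: Dict, api_key: str) -> Dict:
    return {"deleted": args["customer_id"], "auth_present": bool(api_key)}


TOOLS = {"crm.lookup_customer": _lookup_customer, "crm.delete_customer": _delete_customer}


@dataclass
class Gateway:
    """Policy enforcement point in front of every tool: authenticate, authorize, inject, log."""
    audit_log: List[Dict] = field(default_factory=list)

    def _audit(self, **record) -> None:
        record["ts"] = time.time()
        self.audit_log.append(record)                 # a real gateway streams this to a SIEM

    def invoke(self, token: str, tool: str, args: Dict, now: Optional[float] = None) -> Dict:
        identity = authenticate(token, now)
        if identity is None:
            self._audit(tool=tool, decision="deny", reason="unauthenticated")
            return {"ok": False, "reason": "unauthenticated"}
        principal, role = identity
        if role not in POLICY.get(tool, set()):       # unknown tools are denied by default
            self._audit(principal=principal, role=role, tool=tool, decision="deny", reason="unauthorized")
            return {"ok": False, "reason": "unauthorized"}
        cred_ref = TOOL_CREDENTIAL_REF[tool]
        credential = VAULT[cred_ref]                  # fetched at call time, held only for this call
        # The log records which vault entry was used, never the secret itself.
        self._audit(principal=principal, role=role, tool=tool, decision="allow", credential_ref=cred_ref)
        result = TOOLS[tool](args, credential)
        return {"ok": True, "result": result}
```

The design point is that the tool implementations never read a key from their own configuration: the gateway resolves the vault reference per call, so rotating the secret is a vault change rather than a code change, and the audit trail can answer "who invoked which tool, with which credential, and was it allowed" without ever containing the credential value.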

In short, security in agent OS isn’t an add-on. It’s embedded in the architecture, so as agents become more powerful and tool access expands, your enterprise posture remains strong, observable and enforceable by design.

A scalable foundation for enterprise AI

The integration of MCP into agent OS isn’t just an upgrade. It’s a structural change in how enterprises can deploy and govern AI. With secure, standardized access and built-in execution controls, agents are no longer siloed. They operate as part of a coordinated, governed system that can grow as needs evolve.

MCP provides the interface to external tools and systems. Agent OS confirms that each interaction is secure, compliant, and aligned with enterprise policy. Together, they form a foundation for intelligent automation that is both capable and trustworthy. 

This enables organizations to move beyond isolated pilots toward integrated, reliable systems—where agents don’t just reason, but act inside real business workflows. It marks a shift from experimentation to adoption, from isolated tools to scalable, governed intelligence.
