ClearTech Loop: In the Know, On the Move

ClearTech Loop Season 3: Phil Stafford on AI Governance, Agent Identity, and MCP Risk

June 24, 2026

ClearTech Loop kicks off Season 3 with Phil Stafford, AI security architect and researcher, in a conversation about AI governance, agent permissions, fractional identity, MCP servers, and why AI security is becoming an operational risk issue.

Season 3 of ClearTech Loop begins with a conversation technology and security leaders cannot afford to treat as theoretical anymore: what happens when AI agents move from interesting experiments into real business environments. 

In this episode, Jo Peterson speaks with Phil Stafford, an AI security architect, security researcher, and cybersecurity professional, about the operational side of AI governance. The conversation focuses on how organizations can understand what agents are doing, control the authority those agents are using, and evaluate the MCP servers and third-party tools that increasingly connect AI systems to enterprise workflows. 

Phil brings a practical security lens to a topic that is moving quickly. AI agents are no longer just generating content or answering questions. They are beginning to act on behalf of users, call tools, touch systems, inherit permissions, and create downstream risk. That shift changes the governance conversation because once agents start taking action, organizations need more than policy language. They need visibility, controls, accountability, and evidence. 

Listen to the full episode: https://www.buzzsprout.com/2248577/episodes/19387427 
Watch more ClearTech Loop episodes: https://www.youtube.com/@ClearTechResearch

Episode Overview

The AI governance conversation is maturing quickly. Early guidance around acceptable use, approved tools, and employee awareness still matters, but it is no longer enough when agents are being connected to workflows, cloud environments, internal applications, and third-party tools. 

In this episode, Phil and Jo discuss why AI governance has to become operational. Organizations need to know what agents are actually doing in the environment, what authority those agents are using, whether their permissions are scoped appropriately, and how leaders can prove due diligence if something goes wrong. 

The conversation also explores the security implications of MCP servers. Often described as the “USB for AI,” MCP servers make it easier for AI systems to connect to external tools and data. That usefulness is exactly why they require serious security review. Easy connection has never automatically meant safe connection, and MCP servers are quickly becoming part of the broader AI supply chain risk conversation. 

The Season 3 Questions We’re Asking

How do we move AI governance from policy theater to operational reality? 

Phil’s answer starts with measurement. Before an organization can govern AI agents, it needs to know what those agents are actually doing. Policy documents may define intent, but governance has to show up in the environment through logging, access control, approval paths, monitoring, and evidence. 

The legal system is still catching up to AI agent behavior, which means organizations cannot wait for perfect clarity before building controls. They need to be able to show how tools were reviewed, what was approved, what permissions were granted, and whether the organization exercised due diligence before deployment. 

How do we control what AI agents can actually do inside enterprise systems? 

Phil and Jo also discuss the “confused deputy” problem, where an AI agent may be seen by the system as the user and therefore inherit more authority than the task requires. If an agent carries a user’s full permissions, it may be able to access or change far more than intended. 

This is where fractional identity becomes important. An agent can still be tied back to a human user for accountability, but it should only receive the subset of permissions required for its specific job. That includes limiting what the agent can access, when it can operate, whether it can call other tools, and whether it can create sub-agents.
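The fractional identity idea above, worked as an added example (not code from the episode or any product): the agent keeps an accountable link to the human it acts for, but is issued only a subset of that user's permissions, bounded by a tool allowlist, a time window and a sub-agent flag, and every tool call is checked against that grant and logged with the accountable user. The permission names, tool names and grant structure are constructed for illustration.

```python
"""Fractional identity for an AI agent: the agent keeps a link to the human it
acts for (accountability) but receives only the slice of that user's
permissions the task needs, bounded by a tool allowlist, a time window and a
sub-agent flag; every tool call is checked against that grant and logged.

Added, self-contained example. Permission names, tools and the grant layout
are constructed for illustration and are not from the episode or any product."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class ScopeError(Exception):
    """Raised when a grant would hand the agent more than the user holds."""


@dataclass(frozen=True)
class AgentGrant:
    agent_id: str
    on_behalf_of: str             # accountable human user
    permissions: frozenset        # strict subset of that user's permissions
    allowed_tools: frozenset      # tools the agent may call at all
    not_before: datetime
    not_after: datetime
    may_spawn_subagents: bool = False


# Constructed mapping: the permission each tool needs.
TOOL_REQUIRES = {
    "read_ticket": "tickets:read",
    "update_ticket": "tickets:write",
    "export_customers": "customers:export",
}


def issue_grant(user_id, user_permissions, agent_id, requested, allowed_tools,
                ttl, now, may_spawn_subagents=False):
    """Delegate only `requested`; refuse if the user does not hold all of it."""
    requested = frozenset(requested)
    missing = requested - frozenset(user_permissions)
    if missing:
        raise ScopeError(f"{user_id} cannot delegate {sorted(missing)}")
    return AgentGrant(agent_id, user_id, requested, frozenset(allowed_tools),
                      now, now + ttl, may_spawn_subagents)


def authorize(grant, tool, now, audit_log):
    """Allow the call only if it is inside the grant; always record the
    decision with the accountable user so it can be traced back later."""
    if not grant.not_before <= now <= grant.not_after:
        reason = "outside time window"
    elif tool not in grant.allowed_tools:
        reason = "tool not in grant"
    elif TOOL_REQUIRES.get(tool) not in grant.permissions:
        reason = "required permission not delegated"
    else:
        reason = None
    audit_log.append({
        "ts": now.isoformat(), "agent": grant.agent_id,
        "on_behalf_of": grant.on_behalf_of, "tool": tool,
        "allowed": reason is None, "reason": reason or "in scope",
    })
    return reason is None


def run_scenario():
    """Constructed walk-through: a support user delegates ticket work to an agent."""
    t0 = datetime(2026, 6, 24, 9, 0, tzinfo=timezone.utc)
    user_perms = {"tickets:read", "tickets:write", "customers:export"}
    grant = issue_grant("alice", user_perms, "agent-42",
                        {"tickets:read", "tickets:write"},
                        {"read_ticket", "update_ticket"},
                        timedelta(hours=1), t0)
    log = []
    results = {
        "read_in_scope": authorize(grant, "read_ticket", t0, log),
        "export_denied": authorize(grant, "export_customers", t0, log),
        "expired_denied": authorize(grant, "read_ticket",
                                    t0 + timedelta(hours=2), log),
        "subagents": grant.may_spawn_subagents,
    }
    try:
        # The user does not hold admin:*, so this delegation must be refused.
        issue_grant("alice", user_perms, "agent-43", {"admin:*"}, set(),
                    timedelta(hours=1), t0)
        results["overdelegate_refused"] = False
    except ScopeError:
        results["overdelegate_refused"] = True
    return results, log


if __name__ == "__main__":
    results, log = run_scenario()
    for entry in log:
        print(entry)
    print(results)
```

The audit entries carry both the agent id and the user it acts for, which is the accountability half of fractional identity; the grant itself is the authority half, and the agent never sees the user's full permission set.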

Are MCP servers becoming the next software supply chain risk?

MCP servers are useful because they help AI systems connect to tools, workflows, and data. But that usefulness also creates risk when organizations do not know which MCP servers are approved, what those servers call, what dependencies they rely on, or what they are allowed to touch. 

Phil compares MCP servers to the USB for AI, which is a helpful analogy for understanding both the value and the risk. 

“MCP was sold to us as the USB for AI… You would not pick up a USB stick in your parking lot and put it into your enterprise environment. That’s what people are doing right now.” 
— Phil Stafford 

The point is not that MCP is bad. The point is that MCP servers need to be treated like part of the enterprise stack. That means approved lists, dependency review, signing, validation, behavioral visibility, and detection for anything that should not be running or calling out.
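An added example of the review steps just listed, written for this page rather than taken from the episode or any MCP implementation: a candidate MCP server is compared against an approved inventory (pinned version and artifact digest), its declared dependencies and outbound hosts are checked against reviewed lists, and any runtime egress the server never declared is flagged. The manifest layout, approved inventory and artifact bytes are constructed; a digest pin stands in here for signature verification.

```python
"""Reviewing an MCP server as a supply-chain component: compare a candidate
server against an approved inventory (pinned version and artifact digest),
check declared dependencies and outbound hosts against reviewed lists, and
flag runtime egress the server never declared.

Added example, not from the episode or any MCP implementation. The manifest
layout, approved inventory and artifact bytes are constructed; a sha256 pin
stands in for signature verification."""
import hashlib

# Constructed review baselines.
APPROVED_ARTIFACT = b"tickets-mcp 1.4.2 reviewed build\n"
APPROVED_SERVERS = {
    "tickets-mcp": {
        "version": "1.4.2",
        "sha256": hashlib.sha256(APPROVED_ARTIFACT).hexdigest(),
    },
}
REVIEWED_DEPENDENCIES = {"httpx==0.27.0", "pydantic==2.7.1"}
APPROVED_EGRESS = {"tickets.internal.example"}


def review_mcp_server(manifest, observed_hosts=()):
    """Return a list of (code, detail) findings; an empty list means the
    server matches its approved record and stayed within what it declared."""
    findings = []
    record = APPROVED_SERVERS.get(manifest["name"])
    if record is None:
        # Nothing to compare against: an unapproved server is a finding by itself.
        return [("not-approved", manifest["name"])]
    if manifest["version"] != record["version"]:
        findings.append(("version-drift",
                         f"{manifest['version']} != {record['version']}"))
    digest = hashlib.sha256(manifest["artifact"]).hexdigest()
    if digest != record["sha256"]:
        findings.append(("digest-mismatch", digest))
    for dep in manifest.get("dependencies", []):
        if dep not in REVIEWED_DEPENDENCIES:
            findings.append(("unreviewed-dependency", dep))
    declared = set(manifest.get("outbound_hosts", []))
    for host in sorted(declared - APPROVED_EGRESS):
        findings.append(("unapproved-egress", host))
    # Behavioral check: hosts the server actually called that it never declared.
    for host in sorted(set(observed_hosts) - declared):
        findings.append(("undeclared-egress", host))
    return findings


def finding_codes(manifest, observed_hosts=()):
    """Sorted finding codes only, convenient for dashboards and tests."""
    return sorted(code for code, _ in review_mcp_server(manifest, observed_hosts))


# Constructed manifests.
GOOD = {
    "name": "tickets-mcp", "version": "1.4.2", "artifact": APPROVED_ARTIFACT,
    "dependencies": ["httpx==0.27.0", "pydantic==2.7.1"],
    "outbound_hosts": ["tickets.internal.example"],
}
DRIFTED = {
    "name": "tickets-mcp", "version": "1.5.0",
    "artifact": APPROVED_ARTIFACT + b"extra\n",
    "dependencies": ["httpx==0.27.0", "leftpad==9.9.9"],
    "outbound_hosts": ["tickets.internal.example", "paste.example.net"],
}
UNKNOWN = {"name": "random-mcp", "version": "0.1", "artifact": b""}

if __name__ == "__main__":
    print(review_mcp_server(GOOD, ["tickets.internal.example"]))
    print(review_mcp_server(DRIFTED))
    print(review_mcp_server(GOOD, ["tickets.internal.example",
                                   "telemetry.example.org"]))
```

The static checks (approved list, version pin, digest, dependency review) answer "should this be running at all"; the observed-egress check is the behavioral half, catching a server that passed review but is now calling out somewhere it never declared.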

Key Takeaways 

  • AI governance needs evidence: Governance cannot stop at written policy. Organizations need to be able to show what agents are doing, what controls are in place, and how deployment decisions were reviewed. 
  • Agent authority needs boundaries: If an AI agent is acting on behalf of a user, the organization needs to understand what authority it is using and where that authority stops. Full user permissions should not automatically become full agent permissions. 
  • MCP security is supply chain security: MCP servers should be evaluated as part of the enterprise technology stack. Security teams need visibility into what they do, what they connect to, what they depend on, and whether they have been approved for use. 
  • AI security is becoming operational risk: Once agents move into workflows and systems, the risk is no longer abstract. Security leaders, technology leaders, and business leaders need operational controls that match how AI is actually being deployed. 

From AI Governance to AI Control

The next phase of AI security will require organizations to move from broad policy discussions to practical control. 

See the agents 
Know what AI agents are doing in the environment. 

Limit the authority 
Give agents only the access they need. 

Validate the tools 
Treat MCP servers like supply chain components. 

Monitor the behavior 
Detect what should not be running or calling out. 

Prove the process 
Document due diligence before something goes wrong. 

About the Guest | Phil Stafford

Phil Stafford is an AI security architect, security researcher, and cybersecurity professional. He advises organizations on AI security infrastructure, cybersecurity foundations, AI transformation strategy, and secure implementation practices. His work focuses on practical approaches to AI security, MCP risk, agent reliability, and the infrastructure needed to support safer AI adoption. 

Phil is also the creator of Credence, an AI open-source public attestation layer designed to help validate AI tools such as MCP servers, and Thinktank, a multi-model, multi-agent debate swarm designed to improve analysis and reporting through structured dissent. 

Listen • Watch • Subscribe

Listen to the full ClearTech Loop Season 3 kickoff episode with Phil Stafford: https://www.buzzsprout.com/2248577/episodes/19387427 

Watch more ClearTech Loop conversations and subscribe on YouTube: 
https://www.youtube.com/@ClearTechResearch 

Stay in the Loop with new Season 3 episodes from ClearTech Research.

Additional Resources