Lessons from Atlassian: AI is Like Your Dog, It Needs a Firm Master
AI will happily dive in and try to do everything you ask - but just like a mischievous dog, it sometimes gets it spectacularly wrong, warned Atlassian’s Dugald Morrow.
MCP Lets AI Actually Do Stuff Safely – But Only If You Watch It Like a Hawk
As AI moves from generating code to taking real actions, MCP provides a crucial safety net - but only if developers enforce strict controls and monitor every move.
Although today’s LLMs are exceptional at recognizing linguistic patterns, they lack grounding in the physical and operational world. An LLM can generate meaningful text, but it does not truly understand the systems, data structures, or state behind that text.
Alex Shershebnev (Head of ML/DevOps and DevRel, Zencoder) explains that this gap becomes obvious once developers try using AI in real production systems, where even a logical-sounding model output can trigger unexpected and potentially harmful effects if it interacts directly with live infrastructure.
He warned that letting an LLM act without limits – like querying databases or deploying code – could cause serious damage, from wiping data to pushing faulty code.
The key challenge, therefore, is to bridge this intelligence gap safely.
Enter MCP – a bridge between AI and infrastructure
To address this problem, the industry has turned to the Model Context Protocol (MCP), introduced by Anthropic in late 2024. MCP standardizes how LLMs connect with external tools, APIs, and systems in a secure and transparent manner. The protocol defines two core entities:
- MCP Client – usually the LLM or AI agent that determines which tools it needs to fulfill a task.
- MCP Server – the component that exposes a curated list of available tools and safely executes operations when requested.
This structure allows LLMs to extend their functionality beyond text generation, performing actions like fetching monitoring data from Grafana, reading error logs from Sentry, or triggering CI/CD pipelines without requiring unrestricted access.
Even major players like OpenAI have adopted MCP, underscoring its growing importance as an interoperability and safety standard.
Clear parameters drive accurate tool execution
Shershebnev detailed how MCP servers present resources as tools, each defined by a name, parameters, and a clear description. The MCP client (LLM) can then select and execute the appropriate tool to retrieve or modify data.
This exchange follows a predictable, auditable flow: upon initialization, the server exposes a list of all available tools, and the LLM requests specific actions based on user input. The server executes the operation, returns the results in a standardized format, and the LLM incorporates them into its response.
Alex emphasized that MCP’s design makes it language-agnostic and easy to integrate. Developers can quickly connect their existing systems by importing a lightweight MCP library and defining tool endpoints. This opens a path for automating repetitive DevOps tasks such as branch creation, ticket management, and incident reporting.
Through live examples, he showed how MCP agents can automatically handle Jira tickets, open branches, and even query Kubernetes clusters to diagnose pod issues, all without leaving the IDE. However, these same capabilities also amplify the potential for misuse if the setup is not properly secured.
MCP servers inherit all the vulnerabilities of traditional servers
“Great power comes with great responsibility,” Alex noted when addressing MCP’s dual nature. MCP servers, while powerful, inherit all the vulnerabilities of traditional servers: package hijacking, malicious dependencies, open ports, and unpatched libraries.
On top of that, they introduce new, AI-specific risks.
The most prominent among them is prompt injection, a scenario in which a malicious payload hidden inside text, code, or a web page manipulates the LLM into performing unintended actions.
Another class of attacks he called “shadow tools” exploits naming collisions: a malicious tool is registered under the same name as a legitimate one, tricking the LLM into executing unauthorized operations. These vulnerabilities highlight how tightly coupled AI logic and system control have become, and why simple sandboxing or API tokens are no longer enough.
Alex also referenced industry data showing that even advanced AI providers detect only a portion of injection-based threats, meaning some attacks still slip through. The takeaway for developers: assume partial protection and plan defense in depth.
Deploying MCP safely requires careful controls
Alex emphasized that deploying MCP safely requires careful planning and strict boundaries: “You can’t treat MCP as just another tool in your stack. Every action an agent takes must be controlled, monitored, and limited to what is strictly necessary.”
According to him, developers should define precisely which tools are accessible to the LLM, ensuring that only allowed operations are permitted.
Agents should operate with the principle of least privilege, confined to staging or read-only environments rather than production. He also mentioned the importance of input sanitization, explaining:
Never feed raw, unfiltered content directly to the model. Use intermediary layers to clean and summarize information before passing it along. Every MCP call and response should be fully auditable, with detailed logging of tool identifiers, inputs, outputs, and timestamps.
For critical operations, such as deployments or database changes, Alex recommended incorporating human approval steps to prevent unintended actions.
MCP lets AI act in the real world – but only under controlled boundaries
Finally, Alex urged teams to combine traditional DevSecOps measures with MCP-specific precautions.
Dependency scanning, code signing, and supply-chain verification remain essential, and simulation through red-team exercises can reveal vulnerabilities from prompt injections or shadow tools before they reach production. “These measures are not optional,” he said, “they are prerequisites for responsibly integrating AI into DevOps pipelines.”
Alex concluded by reminding the audience that the MCP represents a major leap forward for AI-driven automation. It allows LLMs to interact meaningfully with the real world, enabling developers to build faster, smarter, and more context-aware systems. However, without strict governance and defensive design, the same flexibility can easily become a security liability.
MCP is not just a technical framework; it’s a blueprint for trust boundaries between human developers, AI agents, and production infrastructure:
As organizations begin adopting these tools, the line between code generation and code execution will blur, and the teams that succeed will be those who treat AI not as an omnipotent engine, but as a collaborator that must operate within precisely defined limits.
