Security, AI, and Databases–AI in SQL Server 2025

I once heard a product manager say “we’ll do security after go-live” to describe an early-phase product’s glaring lack of granular security controls. As anyone reading this who has written the tiniest piece of software will know, “doing security after go-live” is a complete recipe for disaster. One of the challenges of emerging technology is that security is never sexy–it’s overhead, it doesn’t demo well to investors, and in a telemetry-driven software world “we only see 10% of customers using this advanced security feature” is a common refrain. Which brings us to AI–I saw this post from Scott Hanselman on BlueSky last week, and had a good laugh:

The S in MCP stands for security— Scott Hanselman 🌮 (@scott.hanselman.com) August 2, 2025 at 1:29 AM

If you aren’t old, this joke goes back to the early days of the Internet of Things, where the joke was “the S in IoT stands for security”. MCP stands for “Model Context Protocol”, which is the de facto standard for AI model access and communications. If you want a good read on the many flaws with MCP, read this excellent post by Julien Simon, detailing how MCP ignores 40 years of learnings from distributed systems. Where have we seen that go well before?


This brings us back to the security risks around AI. GIS consultant Faine Greenwood posted on BlueSky: “ChatGPT is probably the biggest honey pot of willingly-turned over highly confidential information that has ever been created in human history.” A follower replied:

I was the Director of IT at an org and one day, found out our CFO was putting all our MOUs into his personal ChatGPT account and HR was having conversations with a personal ChatGPT account to determine what salaries we should be offering staff. Very concerning!— Toneloaf (@toneloaf.bsky.social) August 11, 2025 at 2:33 PM

MOU=memorandum of understanding.

You don’t have to be a distributed systems expert to understand why it’s a terrible idea to paste sensitive business data into a third-party system that you have no security controls over and no data sharing agreement with. OpenAI will use your contracts to train their future models–and that’s if nothing happens that’s even more nefarious. Or if OpenAI has a data breach, but that could never happen.

Doing AI, But with Security

My article at Redmondmag.com this month is about SQL Server 2025’s AI capabilities. One of Microsoft’s selling points for AI in SQL Server is that your AI model can be self-hosted, run in your own public cloud environment, or provided by a third party. This gives the IT organization the controls needed to ensure that sensitive business data stays within a controlled environment. Beyond that, you control all access to your data, using the robust, mature model of SQL Server security.

This gives you a few ways to have control. You have fine-grained access controls such as row-level security and column security, and features like dynamic data masking to protect sensitive values in the data users view. SQL Server Audit allows you to track all of your inputs and outputs at the database level. By bringing AI into a database with robust security controls, you leverage a mature security model. Having full control of which AI models you are using, and more importantly where you are running them, gives you full ownership of the data flow in your AI pipelines.
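As an added illustration (not code from the Redmondmag article or from Microsoft), here is how the four controls named above can be layered on one table that an AI pipeline reads. The database ContractsDb, the table dbo.Contracts, the role ai_reader, the sec schema and the audit path are all constructed names for this example.

```sql
-- Run in the constructed database ContractsDb (SSMS or sqlcmd; GO separates batches).
CREATE TABLE dbo.Contracts (
    ContractId   int IDENTITY PRIMARY KEY,
    OwnerLogin   sysname       NOT NULL,  -- database user allowed to see the row
    Counterparty nvarchar(200) NOT NULL,
    -- Dynamic data masking: users without UNMASK see a masked address.
    ContactEmail nvarchar(200) MASKED WITH (FUNCTION = 'email()') NULL,
    AnnualValue  money         NULL,
    BodyText     nvarchar(max) NOT NULL
);
GO
CREATE ROLE ai_reader;   -- role for the account the AI pipeline connects as
GO
-- Column security: AnnualValue is not in the grant, so a SELECT that
-- references it (including SELECT *) fails for ai_reader.
GRANT SELECT ON dbo.Contracts (ContractId, OwnerLogin, Counterparty,
                               ContactEmail, BodyText) TO ai_reader;
GO
CREATE SCHEMA sec;
GO
-- Row-level security: a row is visible only when its OwnerLogin matches
-- the current database user name.
CREATE FUNCTION sec.fn_contract_owner (@OwnerLogin AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS allowed WHERE @OwnerLogin = USER_NAME();
GO
CREATE SECURITY POLICY sec.ContractFilter
    ADD FILTER PREDICATE sec.fn_contract_owner(OwnerLogin) ON dbo.Contracts
    WITH (STATE = ON);
GO
-- SQL Server Audit: record every SELECT the pipeline role issues on the table.
-- The audit stores the statement and the principal, not the returned rows.
USE master;
GO
CREATE SERVER AUDIT AiPipelineAudit TO FILE (FILEPATH = 'D:\Audit\');  -- constructed path
ALTER SERVER AUDIT AiPipelineAudit WITH (STATE = ON);
GO
USE ContractsDb;
GO
CREATE DATABASE AUDIT SPECIFICATION AiPipelineReads
    FOR SERVER AUDIT AiPipelineAudit
    ADD (SELECT ON OBJECT::dbo.Contracts BY ai_reader)
    WITH (STATE = ON);
GO
```

Dynamic data masking only changes what is displayed; users granted UNMASK and members of db_owner still see the real values, so pipeline accounts should be kept out of both.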

Anytime we have a large technology hype cycle, security always gets put on the back burner. Wait, as a cook, that’s the wrong way of looking at it–security never makes it onto the stove, it’s just an onion, sitting in a walk-in somewhere. Whether it was the early era of cloud (remember when the only two Azure roles were Admin and Co-Admin?), big data, or now AI, technology companies tend to worry about security later rather than sooner. This is one of the major pain points of being on the bleeding edge of technology. Leveraging a robust security model, like SQL Server’s, can help you adopt new technology while protecting your data.
