CustomGPT.ai Blog

Introducing Granulated Permissions for MCP Servers: More Control and Safer Deployments

Managing AI systems at scale often requires balancing capability with security. The more tools an agent can use, the more powerful that agent becomes—but with that power comes the need for fine-tuned access control.

Until now, MCP servers in CustomGPT operated under a single, broad permissions model: if an agent could connect, it automatically had access to everything exposed by the server. 

This setup was functional, but it did not offer the level of precision required for advanced deployments, especially in environments where different teams, roles, or workflows require different permission boundaries.

Today, we are introducing one of the most significant updates to the MCP server system to date: Granulated Permissions.

This major enhancement gives customers the ability to choose exactly which permissions their agents are allowed to use on their MCP servers—leading to safer, more flexible, and more intentional deployments.

In this post, we’ll explore what granulated permissions mean, how they change deployment strategy, why the tool improvements matter, and how these advancements lay the foundation for a new generation of intelligent, self-directed AI agents.

A More Controlled Approach to MCP Permissions

Previously, every agent that connected to an MCP server effectively had access to all permissions exposed by that server.

This worked well for simple or internal use cases but became limiting when teams wanted to restrict access to specific actions or maintain clearer boundaries between functions.

Granulated permissions change this model entirely. With this update, customers can now choose exactly which permissions to allow on their MCP servers. This means:

  • You determine what the agent can do.
  • You determine what the agent should not be allowed to do.
  • You can build more secure and intentional interactions.
  • You can create multiple agents with different permission sets—all accessing the same underlying MCP server.

This level of control opens the door to more sophisticated deployments, especially for organizations with tiered access, compliance needs, or internal separation of responsibilities.

How Permission Defaults Work for Existing and New Agents

The update handles existing environments carefully to avoid disruption.

Existing agents retain “All Permissions”

All current agents automatically keep All permissions enabled, mirroring the previous model.

This ensures that workflows continue to operate exactly as they did before, without requiring manual adjustments or risking unexpected failures.

New agents start with only “Send a message”

This is a major shift. Moving forward, when a new agent is created and connected to an MCP server, the only permission granted by default is Send a message. This means new agents:

  • cannot perform other actions unless explicitly enabled
  • start in a minimal, safe state
  • allow customers to choose which capabilities to unlock

This default configuration supports a deny-by-default deployment pattern: beyond Send a message, nothing is exposed unless the customer intentionally authorizes it. It’s a more secure and more scalable model, especially for environments where different agents play different roles.
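The defaults described above can be modelled as a per-agent allowlist with a deny-by-default check. This is an added example, not CustomGPT code: only "Send a message" and "All permissions" come from the post, and the data model, function names and other tool names are hypothetical.

```python
# Added example: hypothetical model of the permission defaults in this post.
# Only "Send a message" and "All permissions" are from the post; the other
# tool names, agent names and the data model are constructed.
from dataclasses import dataclass, field

SEND_MESSAGE = "Send a message"
ALL = "*"  # stands in for the legacy "All permissions" setting

@dataclass
class Agent:
    name: str
    allowed: set = field(default_factory=lambda: {SEND_MESSAGE})

def new_agent(name):
    """New agents start with only Send a message."""
    return Agent(name)

def migrate_existing(name):
    """Agents that existed before the update keep All permissions."""
    return Agent(name, {ALL})

def authorize(agent, tool):
    """Deny by default: a call passes only if the tool was explicitly granted."""
    return ALL in agent.allowed or tool in agent.allowed

def filter_tools(agent, server_tools):
    """Tools one shared server exposes to this agent, in server order."""
    return [t for t in server_tools if authorize(agent, t)]

def audit(agents, needed):
    """Flag grants wider than what each agent uses (needed: name -> set of tools)."""
    findings = []
    for a in agents:
        used = needed.get(a.name, set())
        if ALL in a.allowed:
            findings.append((a.name, "legacy All permissions; narrow to " + ", ".join(sorted(used))))
        elif a.allowed - used:
            findings.append((a.name, "unused grants: " + ", ".join(sorted(a.allowed - used))))
    return findings

# Constructed sample data: three agents sharing one server.
SERVER_TOOLS = [SEND_MESSAGE, "List conversations", "Update agent settings"]
legacy = migrate_existing("legacy-support-bot")
fresh = new_agent("restricted-bot")
research = Agent("research-bot", {SEND_MESSAGE, "List conversations"})
```

Because migrated agents keep the wildcard grant, an audit like `audit()` is where they surface for review after the update.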

Choosing Any Combination of Permissions

One of the strengths of the new system is that any combination of permissions can be assembled. Customers are no longer locked into a single all-or-nothing structure—they can tailor access per agent, per purpose. This enables use cases such as:

  • A restricted agent that can only send messages
  • A research agent that can run specific queries but cannot modify anything
  • A support agent with read-only access to certain tools
  • An internal analyst agent with extended access to customer intelligence functions
  • A high-trust agent with full permissions
  • A chain of specialized agents, each responsible for a targeted set of capabilities

Each agent becomes more predictable, more secure, and easier to reason about. When teams build multi-agent systems, granulated permissions make it clearer which agent is responsible for which action—and significantly reduce the risk of unintended operations.

Why Granulated Permissions Matter

This shift brings several important benefits to the MCP ecosystem:

  1. Improved Security

Not every agent needs access to every tool. With granulated permissions, you can ensure each agent has the exact capabilities required—no more, no less.

  2. Controlled Deployment

Organizations can enforce internal policies and limit exposure when deploying agents across departments or roles.

  3. Reduced Surface Area

Minimizing permissions reduces the potential impact of unexpected behavior, ensuring agents operate only within their authorized boundaries.

  4. More Reliable Testing

Testing agents with smaller permission sets makes it easier to debug and validate specific behaviors.

  5. Flexible Multi-Agent Architectures

Granulated permissions allow the creation of distinct agents built for different tasks, each with their own tailored permission profile.

These advantages create a cleaner and more modular foundation for advanced AI automation and internal orchestration.

A Major Upgrade to Tool Descriptions and Structure

Alongside the permission update, a significant improvement has been made to tool descriptions and overall structure. This upgrade is a fundamental step toward making MCP tooling more understandable and more usable for the AI itself.

The enhancements focus on:

  • Clearer tool definitions: Tools now provide descriptions that are more explicit, consistent, and easier for the agent to interpret.
  • Better internal structure: The updated structure makes it simpler for agents to reason about what a tool does, what inputs it requires, and when it should be used.
  • Easier tool selection: With improved clarity, the agent can now determine appropriate tools with far less ambiguity, reducing the likelihood of misfires or incorrect tool choices.
  • Simplified decision flow: The new structure improves how agents evaluate different tool paths and assemble the correct one for a given user request.
  • Greater stability in complex workflows: These structural improvements help ensure that even when the agent uses multiple tools or chains them together, the process remains consistent and predictable.

Together, these enhancements create a more intuitive environment for the agent—one where tool usage becomes more accurate and significantly more efficient.

A Safer, Smarter Foundation for MCP-Driven AI

The MCP ecosystem is evolving quickly, and this update represents a foundational change.

By enabling customers to precisely determine which capabilities their agents have access to—and improving the tool environment those agents rely on—we’re shaping a more consistent, secure, and intelligent future for conversational AI. Organizations gain:

  • more predictable control
  • more secure deployments
  • more flexibility in agent design
  • better AI tool usage
  • a clearer path toward autonomous NLQ agents

And because existing agents maintain their previous “All permissions” configuration, the update is backward-compatible while offering improved structure for all future deployments.

Conclusion

The introduction of Granulated Permissions marks a major advancement for CustomGPT’s MCP server ecosystem. With the ability to specify exactly which permissions each agent can use, customers now have more control, more flexibility, and more security than ever before. 

The update respects the existing system while enabling a more powerful and scalable future—where different agents can be tailored with different access levels based on their purpose. Paired with a major improvement to tool descriptions and internal structure, MCP servers are now easier for AI agents to understand, navigate, and utilize. 

This clarity brings us closer to unlocking fully autonomous workflows, including the vision of a true NLQ Analyst Agent capable of handling natural language requests, constructing filtered queries, and interpreting results.

This update strengthens the foundation for everything built on top of MCP—more modular systems, safer deployments, cleaner integrations, and smarter AI tooling.  
