Introducing Granulated Permissions for MCP Servers: More Control and Safer Deployments

Managing AI systems at scale often requires balancing capability with security. The more tools an agent can use, the more powerful that agent becomes—but with that power comes the need for fine-tuned access control.

Until now, MCP servers in CustomGPT operated under a single, broad permissions model: if an agent could connect, it automatically had access to everything exposed by the server. 

This setup was functional, but it did not offer the level of precision required for advanced deployments, especially in environments where different teams, roles, or workflows require different permission boundaries.

Today, we are introducing one of the most significant updates to the MCP server system to date: Granulated Permissions.

This major enhancement gives customers the ability to choose exactly which permissions their agents are allowed to use on their MCP servers—leading to safer, more flexible, and more intentional deployments.

In this post, we’ll explore what granulated permissions mean, how they change deployment strategy, why the tool improvements matter, and how these advancements lay the foundation for a new generation of intelligent, self-directed AI agents.

A More Controlled Approach to MCP Permissions

Previously, every agent that connected to an MCP server effectively had access to all permissions exposed by that server.

This worked well for simple or internal use cases but became limiting when teams wanted to restrict access to specific actions or maintain clearer boundaries between functions.

Granulated permissions change this model entirely. With this update, customers can now choose exactly which permissions to allow on their MCP servers. This means:

  • You determine what the agent can do.
  • You determine what the agent should not be allowed to do.
  • You can build more secure and intentional interactions.
  • You can create multiple agents with different permission sets—all accessing the same underlying MCP server.

This level of control opens the door to more sophisticated deployments, especially for organizations with tiered access, compliance needs, or internal separation of responsibilities.

How Permission Defaults Work for Existing and New Agents

The update handles existing environments carefully to avoid disruption.

Existing agents retain “All Permissions”

All current agents automatically keep All permissions enabled, mirroring the previous model.

This ensures that workflows continue to operate exactly as they did before, without requiring manual adjustments or risking unexpected failures.

New agents start with only “Send a message”

This is a major shift. Moving forward, when a new agent is created and connected to an MCP server, the only permission granted by default is Send a message. This means new agents:

  • cannot perform other actions unless explicitly enabled
  • start in a minimal, safe state
  • allow customers to choose which capabilities to unlock

This default configuration supports a pattern of true MCP deployment, where nothing is exposed unless the customer intentionally authorizes it. It’s a more secure and more scalable model, especially for environments where different agents play different roles.
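The two defaults described above can be modelled as a deny-by-default gate, with an audit pass that shows which explicit permissions an agent still on All permissions actually uses. This is an added sketch, not CustomGPT's code or API: the `send_message` and `*` identifiers, the `run_query` and `modify_settings` permission names, and every function here are hypothetical.

```python
from dataclasses import dataclass

SEND_MESSAGE = "send_message"  # models the page's "Send a message" permission
ALL = "*"                      # models the page's "All permissions" setting

@dataclass(frozen=True)
class Agent:
    name: str
    permissions: frozenset

def existing_agent(name):
    """Agents that predate the update keep All permissions."""
    return Agent(name, frozenset({ALL}))

def new_agent(name, granted=()):
    """New agents get Send a message plus whatever is explicitly granted."""
    return Agent(name, frozenset({SEND_MESSAGE, *granted}))

def call_tool(agent, action, audit):
    """Deny by default: run the action only if the agent's set permits it."""
    allowed = ALL in agent.permissions or action in agent.permissions
    audit.append((agent.name, action, allowed))
    if not allowed:
        raise PermissionError(f"{agent.name} is not permitted to {action}")
    return f"{action}: ok"

def narrowing_candidates(agents, audit):
    """For agents still on All permissions, list the actions they actually
    used, i.e. the explicit set they could be reduced to."""
    used = {a.name: set() for a in agents if ALL in a.permissions}
    for name, action, allowed in audit:
        if allowed and name in used:
            used[name].add(action)
    return {name: sorted(actions) for name, actions in used.items()}

def demo():
    audit = []  # constructed sample activity, not real logs
    legacy = existing_agent("legacy-support")
    fresh = new_agent("new-research", granted=["run_query"])  # hypothetical name
    call_tool(legacy, "run_query", audit)
    call_tool(legacy, SEND_MESSAGE, audit)
    call_tool(fresh, "run_query", audit)
    try:
        call_tool(fresh, "modify_settings", audit)  # hypothetical, never granted
        denied = False
    except PermissionError:
        denied = True
    return denied, narrowing_candidates([legacy, fresh], audit)

if __name__ == "__main__":
    print(demo())
```

Denied calls are written to the audit list as well, so the same record can be used to spot an agent repeatedly attempting actions outside its permission set.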

Choosing Any Combination of Permissions

One of the strengths of the new system is that any combination of permissions can be assembled. Customers are no longer locked into a single all-or-nothing structure—they can tailor access per agent, per purpose. This enables use cases such as:

  • A restricted agent that can only send messages
  • A research agent that can run specific queries but cannot modify anything
  • A support agent with read-only access to certain tools
  • An internal analyst agent with extended access to customer intelligence functions
  • A high-trust agent with full permissions
  • A chain of specialized agents, each responsible for a targeted set of capabilities

Each agent becomes more predictable, more secure, and easier to reason about. When teams build multi-agent systems, granulated permissions make it clearer which agent is responsible for which action—and significantly reduce the risk of unintended operations.

Why Granulated Permissions Matter

This shift brings several important benefits to the MCP ecosystem:

  1. Improved Security

Not every agent needs access to every tool. With granulated permissions, you can ensure each agent has the exact capabilities required—no more, no less.

  2. Controlled Deployment

Organizations can enforce internal policies and limit exposure when deploying agents across departments or roles.

  3. Reduced Surface Area

Minimizing permissions reduces the potential impact of unexpected behavior, ensuring agents operate only within their authorized boundaries.

  4. More Reliable Testing

Testing agents with smaller permission sets makes it easier to debug and validate specific behaviors.

  5. Flexible Multi-Agent Architectures

Granulated permissions allow the creation of distinct agents built for different tasks, each with their own tailored permission profile.

These advantages create a cleaner and more modular foundation for advanced AI automation and internal orchestration.

A Major Upgrade to Tool Descriptions and Structure

Alongside the permission update, a significant improvement has been made to tool descriptions and overall structure. This upgrade is a fundamental step toward making MCP tooling more understandable and more usable for the AI itself.

The enhancements focus on:

  • Clearer tool definitions: Tools now provide descriptions that are more explicit, consistent, and easier for the agent to interpret.
  • Better internal structure: The updated structure makes it simpler for agents to reason about what a tool does, what inputs it requires, and when it should be used.
  • Easier tool selection: With improved clarity, the agent can now determine appropriate tools with far less ambiguity, reducing the likelihood of misfires or incorrect tool choices.
  • Simplified decision flow: The new structure improves how agents evaluate different tool paths and assemble the correct one for a given user request.
  • Greater stability in complex workflows: These structural improvements help ensure that even when the agent uses multiple tools or chains them together, the process remains consistent and predictable.

Together, these enhancements create a more intuitive environment for the agent—one where tool usage becomes more accurate and significantly more efficient.

A Safer, Smarter Foundation for MCP-Driven AI

The MCP ecosystem is evolving quickly, and this update represents a foundational change.

By enabling customers to precisely determine which capabilities their agents have access to—and improving the tool environment those agents rely on—we’re shaping a more consistent, secure, and intelligent future for conversational AI. Organizations gain:

  • more predictable control
  • more secure deployments
  • more flexibility in agent design
  • better AI tool usage
  • a clearer path toward autonomous NLQ agents

And because existing agents maintain their previous “All permissions” configuration, the update is backward-compatible while offering improved structure for all future deployments.

Conclusion

The introduction of Granulated Permissions marks a major advancement for CustomGPT’s MCP server ecosystem. With the ability to specify exactly which permissions each agent can use, customers now have more control, more flexibility, and more security than ever before. 

The update respects the existing system while enabling a more powerful and scalable future—where different agents can be tailored with different access levels based on their purpose. Paired with a major improvement to tool descriptions and internal structure, MCP servers are now easier for AI agents to understand, navigate, and utilize. 

This clarity brings us closer to unlocking fully autonomous workflows, including the vision of a true NLQ Analyst Agent capable of handling natural language requests, constructing filtered queries, and interpreting results.

This update strengthens the foundation for everything built on top of MCP—more modular systems, safer deployments, cleaner integrations, and smarter AI tooling.  


Frequently Asked Questions

Can granulated permissions control what an agent does on a connected MCP server?

TaxWorld’s assistant answers 189,351 complex tax queries with a 97.5% success rate, showing why teams want tighter controls around high-volume agent workflows. Granulated permissions let you choose which permissions an agent may use on a connected MCP server instead of giving broad access by default. Existing agents keep All permissions, while new agents start with only Send a message, so you can enable additional capabilities intentionally as needed.

Will an agent use MCP server actions automatically by default?

Chicago Public Schools resolved 12,345 HR questions without a human at a 91% success rate, showing why many teams prefer a safe starting state before enabling broader automation. New agents connected to an MCP server start with only Send a message enabled. They cannot perform other actions unless you explicitly allow those permissions, which helps you roll out automation gradually.

What do MCP Server Permissions let an agent do?

MCP Server Permissions let you decide exactly which server permissions an agent may use. Existing agents keep All permissions so current workflows continue without disruption, while new agents start with only Send a message. Any additional server actions stay unavailable until you explicitly enable them, giving you finer control over what the agent can and cannot do.

Why are granulated permissions safer than the old all-access model?

VdW Bayern DigiSol cut task time by 50-60% across 500+ housing organizations after launching a compliance assistant trained on 3,620 documents. In environments with compliance needs, tiered access, or separation of responsibilities, granulated permissions are safer because an agent no longer has to inherit every permission exposed by the server. You can allow only the actions a specific agent needs, keep other actions blocked, and run multiple agents with different permission sets on the same MCP server. If audited controls matter, the platform is SOC 2 Type 2 certified, GDPR compliant, and states that customer data is not used for model training.

Can multiple agents share one MCP server with different permission sets?

Yes. You can create multiple agents with different permission sets while they access the same underlying MCP server. That makes it easier to support different teams, roles, or workflows without duplicating the server itself, while still keeping clear permission boundaries between agents.

How should teams roll out MCP permissions across different departments or roles?

Ontop’s AI Agent, Barry, handles over 100 legal questions weekly, cutting response time from 20 minutes to 20 seconds and saving 130 hours per month. A practical rollout is to create separate agents for separate teams or workflows, connect them to the same MCP server when appropriate, and keep each agent’s permissions narrow. New agents start with only Send a message, so teams can enable additional permissions gradually only where a workflow truly requires them.
