Summary:
In this episode of the Sidecar Sync, Mallory and Amith dive deep into two seismic shifts rocking the AI landscape for associations: the rise of “agent tollgates” in SaaS platforms and the growing security concerns around Model Context Protocol (MCP). Sparked by comments from HubSpot’s CEO about monitoring and monetizing agent access to customer data, the conversation explores what happens when vendors start charging for AI agents to access “your” data—and why this may signal a broader shift in the software business model. Amith unpacks why true data ownership matters more than ever and explains how AI data platforms eliminate traditional ETL bottlenecks while preserving control. Then, the duo pivots to MCP security risks, breaking down real-world attack vectors—from prompt injection to supply chain compromises—and offering practical guardrails for safe experimentation. The message is clear: embrace AI boldly, but build with governance, ownership, and security top of mind.
Timestamps:
00:00 - Welcome to Sidecar Sync
02:40 - Inside the Blue Cypress Tech Fellows Program
11:06 - Topic One: Agent Tollgates & SaaS Shakeups
15:40 - Will Other Vendors Follow HubSpot’s Lead?
18:02 - What Is an AI Data Platform (Really)?
24:59 - AI Data Platforms vs. Data Warehouses
31:39 - Topic Two: MCP Security Risks Explained
40:45 - Education, Governance & Smart AI Guardrails
46:15 - Real-World MCP Risks & Vendor Trust
52:52 - Closing Thoughts
🛠 AI Tools and Resources Mentioned in This Episode:
Agent Tolls ➔ https://shorturl.at/7e8MA
MCP Security Issues ➔ https://shorturl.at/7xWKZ
HubSpot ➔ https://www.hubspot.com
Claude ➔ https://claude.ai
ChatGPT ➔ https://chat.openai.com
Gemini ➔ https://gemini.google.com
Hugging Face ➔ https://huggingface.co
More about Your Hosts:
Amith Nagarajan is the Chairman of Blue Cypress 🔗 https://BlueCypress.io, a family of purpose-driven companies and proud practitioners of Conscious Capitalism. The Blue Cypress companies focus on helping associations, non-profits, and other purpose-driven organizations achieve long-term success. Amith is also an active early-stage investor in B2B SaaS companies. He’s had the good fortune of nearly three decades of success as an entrepreneur and enjoys helping others in their journey.
📣 Follow Amith on LinkedIn:
https://linkedin.com/amithnagarajan
Mallory Mejias is passionate about creating opportunities for association professionals to learn, grow, and better serve their members using artificial intelligence. She enjoys blending creativity and innovation to produce fresh, meaningful content for the association space.
📣 Follow Mallory on LinkedIn:
https://linkedin.com/mallorymejias
Read the Transcript
🤖 Please note this transcript was generated using (you guessed it) AI, so please excuse any errors 🤖
[00:00:00:14 - 00:00:09:17]
Amith
Welcome to the Sidecar Sync Podcast, your home for all things innovation, artificial intelligence and associations.
[00:00:09:17 - 00:00:26:02]
Amith
My name is Amith Nagarajan.
[00:00:26:02 - 00:00:27:21]
Mallory
And my name is Mallory Mejias.
[00:00:27:21 - 00:00:42:01]
Amith
And we are your hosts and we are excited to be with you again on another week of the AI journey here in the association market. All systems are go, everyone's excited. Let's go do this thing. How you doing Mallory?
[00:00:42:01 - 00:00:59:24]
Mallory
I'm doing well today Amith. We have only two topics for today because I felt like we were going to spend a good chunk of time really breaking these down. I'm really excited to get to them. Otherwise, I'm still in house renovating mode, moving mode, all the things. But how are you, Amith?
[00:00:59:24 - 00:01:05:19]
Amith
I'm good. I thought you only picked two topics for this week because there just wasn't that much going on in the world of AI, you know, it's kind of quiet.
[00:01:05:19 - 00:01:12:09]
Mallory
Oh, no, no, no. I think we could probably have at least 10 topics an episode, but I feel like it's better to go deeper, you know, than to cover more.
[00:01:12:09 - 00:01:42:01]
Amith
I like these episodes where we pick one or two things and take a deeper dive and relate them to each other and have a little more time to dig into them. You know, we're our podcast, I think, what are they, about 45 minutes, a little bit longer on average. And so I think if we if we push over the hour, it starts to be a little bit harder for our listeners to stay fully engaged. So I know there's some pods out there that do like the multi-hour format. I don't think that's something we'll attempt here at the Sidecar Sync, at least any time we're seeing, although who knows, maybe it's a good experiment.
[00:01:43:03 - 00:02:40:08]
Amith
But the content is obviously voluminous and never ceasing to amaze all of us here at Sidecar and Blue Cypress on how much it's going on with AI. I'm doing great, too, Mallory. It's good to be back in New Orleans. I think the last episode we recorded, if I remember correctly, I was up in Utah and in the middle of a ski trip. That was awesome. Nobody hurt themselves. Well, my son did like land on his head one time, but he's 18 and he said, I'm following me. So it pretty much worked out. And so he's good. But yeah, everyone's doing good. And we had a lot of fun up in the mountains and skiing is always the highlight for me. But it's just the idea of being together as family up in the mountains and enjoying the beauty of the area. It's pretty special. So always enjoy that. But it's going to be back in New Orleans. And New Orleans is just as insane as it was when I left, minus like two million extra people that left after Mardi Gras ended. But it's a little bit more quiet, which is kind of nice. And, you know, back to back to the grind here in New Orleans.
[00:02:40:08 - 00:03:04:03]
Mallory
Well, I'm happy to hear you had a great time in Utah. And I saw Mardi Gras from afar this year since I'm in Atlanta. Saw lots of my friends posting pictures and videos. And it looked like a fun, crazy time as always. I mean, I know you had the Tech Fellows start. Was it a few months ago now in New Orleans? This cohort of individuals who were coming in to do A.I. all day, every day. How has that been going? We haven't really talked about it.
[00:03:04:03 - 00:06:09:20]
Amith
It's been incredible. And so for those that have not heard Mallory and I speak about the technology fellow or tech fellow program at Blue Cypress, one of the groups within Blue Cypress that I'm very closely involved with is called Blue Cypress Labs. And B.C. Labs is kind of aspirationally what we want to be is something along the lines of a Bell Labs or an HP Labs or a Xerox PARC, if you're familiar with that institution from long ago. And the idea is to have essentially a group of people that are able to do really forward looking research and experiments and test out different ideas. And I've actually done this at other companies in the past where we found really incredible ideas by having those degrees of freedom. And so our CTO, Robert and I co-lead the Labs Group and we are focused on just trying to find what the next big thing is for the association markets outside of what we do with all the product companies across Blue Cypress, which there's a bunch of them, obviously. We're trying to figure out, well, what are the killer apps or the key use cases that haven't yet been discovered or not yet discoverable because the technology hasn't been invented? So what we're trying to do is in some cases do some invention of core tech, but primarily how do we apply things like audio AI in particular this year? It's to association business problems and opportunities. So coming back to the tech fellow program, the tech fellow program is a three year fellowship. It's a full time paid position, but it's a three year program where we hire people literally right out of school. We pluck them out of the universities. They can be bachelor's degree or master's degree recipients in computer science specifically, and they work really, really hard, like 60, 70, sometimes 80 or 90 hours a week, like always on kind of a position for a few years. And they're doing amazing things. 
So our commitment to these folks is to help them grow so that three years in their experience level really is much more like someone who's a decade in normally because they're putting in the reps and they're learning at a rapid pace. So we've had the tech fellow program going on for about 18 months with a smaller group of folks that have come in previously. We just added five people in January. We're about to add a couple more and it's going incredibly well. These are folks who have never been told by a manager that they cannot do something. So they don't have the organizational cultural debt of assuming that a complex big endeavor shouldn't be possible or it's going to take a year or things like that. To give you an example, one of the tech fellows who just joined in the last few weeks has added to our Member Junction platform. That's our open source free software platform for associations to run their enterprise AI workloads is the way to think of it. We added something called a computer use agent, and that is essentially the ability for the AI to control the browser and to be able to automate any kind of browser activity. So you can have it go to Amazon.com and do shopping for you, which is, of course, the usual somewhat trivial example that people use when they talk about computer use. I think we've demoed that here in the pod, haven't we Mallory with prior
[00:06:11:08 - 00:06:37:20]
Amith
agent. But the idea that we built into Member Junction is the idea of making it model agnostic. So it works with Gemini. It works with Claude. It works with OpenAI. It works with any model that is capable of looking at images, essentially. And it works really, really well. The AI has gotten so good that even with fairly low end models, you know, relative to the frontier, it works. Now, this project, if I had scoped it out and given it to a classical senior type engineer or architect,
[00:06:39:05 - 00:06:52:19]
Amith
probably I'd be told it's three months, six months, 12 months. Obviously, not universally from all senior people, but a lot of people would have scoped it as, you know, a many month project. And I gave this young man who started one week and he got it done in four days.
[00:06:52:19 - 00:06:54:18]
Mallory
That is crazy to me.
[00:06:54:18 - 00:07:29:03]
Amith
Now, I think he probably worked 100 hours that week, but he got it done and Claude helped a lot. And I helped a lot and we had an architecture ready to go for him. But the point is, is that people's boundaries really are fairly, frankly, unknown, you know, we're bound less in many respects. We just self-impose boundaries. And so the Tech Fellow program is all about exploring those boundaries for these young professionals and helping them just absolutely explode in their abilities over that time period. So obviously, given the intensity of what I described, we have to find people who find this extraordinarily exciting. Otherwise, they burn out in about five seconds.
[00:07:30:04 - 00:07:45:07]
Amith
But we, that's what we do. We find amazing people and the culture of the overall company is benefiting tremendously from their contributions. So super excited. We have a lot of great things in the works. Actually, many of the things I'm describing have already been released. But we have many more exciting things in the works.
[00:07:45:07 - 00:08:27:22]
Mallory
And I feel like that goes back to something we talk about all the time on the podcast, which is to question assumptions, to ask why, to question why things have taken so long in the past. Maybe they don't need to. Four days for this computer use agent. That's crazy. And as you said, I mean, the workload sounds very intense. But I do recall during the interview process, I mean, you were very clear with that. You posted on LinkedIn, like this is what the expectations were. So I'm sure you attracted an audience of people that were very willing to do that. But the way that these people will be able to further inject themselves into the workforce in three years after a program like this, I can't even imagine how much further ahead than their peers they will be.
[00:08:28:22 - 00:09:23:22]
Amith
Totally. And, you know, this is just kind of adding just a little bit of commentary on that. The way I think of it is it's like anything else. How many clean reps did you get? Right. How many times did you do the thing and do it well and learn from it, whether it's your training your body or your mind. And if you have a lot of clean reps, you do you grow. And so in the context of software engineering, and this is true for all professions, if you go into an environment and you limit yourself to the classical 40 hour workweek and then you carve out of that the amount of time for administrative tasks, carve out of that the amount of time for meetings and other things, which by the way, are not unimportant. They just they exist. And a lot of organizations, I'd say half or more of the time gets chewed up by those kinds of non-core activities to the role. We tend to be pretty efficient. So I'd say probably here we're more like 20 percent of non-core activities, 80 percent core. Most organizations, if you work 40 hours a week, you'd probably put 20 hours into your core activity and 20 and other things.
[00:09:25:06 - 00:11:06:06]
Amith
These folks are working 60, 70, 80 hours a week and they're probably getting there for 50, 60, 70 hours of core activities, meaning that if a typical software professional joining a typical company gets 20 reps per week and these folks are getting 50, 60, 70, it doesn't take a genius to do the math to say, OK, well, just based on the amount of practice and reps they're getting, they're going to be dramatically better over the course of time. And then you add to that a whole group of people doing the same thing. Of course, we try to hire some of the best and brightest out there. But what we're really over indexing for is attitude. We hire for two things. It's very simple. It's the attitude and mission alignment. So we're very aggressive in telling the world how deeply we care about serving this sector, the association, the broader what we call social sector, and why we think it's so critical right now to drive innovation in this space because the transformative impact of A.I. specifically, but other exponential tech is going to reshape the face of the world and really the universe over the next, you know, X number of years, starting right now, obviously, and associations that and nonprofits in general that don't get on board now are going to have a real problem. Whereas if they do get on board and really embrace it, the opportunity to have outsized impact relative to any historical precedent is truly exceptionally interesting. That's what fuels me. So these are folks who read that job description like, wow, this is cool. I can apply my trade and learn, you know, learn more, but I can also do something amazing and help help the world in a really cool way. That's the big magnet. And people who don't align with that and don't align obviously with the intensity, they go away really quick. And we're not for everyone. We know that. But that's the whole idea in my mind. And I think that's the whole idea of attracting the best talent. 
The best talent for us is not the best talent for everyone.
[00:11:06:06 - 00:11:26:06]
Mallory
100 percent. Yep. Well, I feel like this conversation around tech fellows and briefly touching on agents is a good segue into our topic one of today, which is agent toll gates, how agents are disrupting the software business. All right. So agents are shaking the foundations of the software industry, not
[00:11:27:22 - 00:13:14:24]
Mallory
in but in how software companies make money. On a recent investor call, HubSpot CEO Yamini Rangan was asked how the company plans to respond to clients using agents to pull data out of HubSpot and analyze it elsewhere. Her response, quote, we will monitor it. We will meter it and we will monetize it. Our platform is open by design, but we are not a free data pipeline for everybody to take that information out. That's a pretty blunt warning and it reflects a much bigger wave hitting the entire software sector right now. Since the start of 2025, investors have hammered the stocks of nearly every major software company. Salesforce, Snowflake, Workday and others have seen share prices drop between 20 and 37 percent. The fear here is that agents act as super users that get work done far more efficiently than people, reducing demand for individual user licenses, which is how most of these companies make their money. The tollgate idea, software companies charging for agent access to data, is a potential response, but perhaps risky. For 20 plus years, software companies have allowed free data exchange between applications through APIs. HubSpot has been known for its open platform. Charging agents for data access would be a sharp departure. Salesforce, for example, drew criticism last year after blocking third parties like Glean from storing Slack customer data. The CEO of data integration company Fivetran warned if HubSpot or anyone else clamps down on data access, they are going to war with their own customers. There's also the issue of computer use agents, which we were just talking about that interact with apps the way humans do. These may be pretty difficult for software companies to even detect or meter.
[00:13:16:00 - 00:13:26:06]
Mallory
Amith, I sent you this article from The Information yesterday and I think it took you by surprise, at least a little bit. You said we've got to discuss this on the pod. So what was your initial reaction?
[00:13:27:06 - 00:14:49:14]
Amith
Well, you know, you don't see public companies, CEOs being that direct all that often. You see that from a handful of people. So on the one hand, I admire that. I think it's really good for particularly public companies, but just in general for leaders to be pretty open about their intentions that's helpful for their partners, including their customers. At the same time, I think this is incredibly short-sighted. I believe that if software companies take these kinds of actions over time, their customers will leave. And that would be very disappointing in the context of HubSpot. I think they're a leader in so many ways. I admire the company. I admire the founders of the company. I think their CEO has an excellent reputation for leading the company through a lot of growth. I'm hopeful that they'll reconsider this because I don't think that's the business model of the future. I think that's a way of trying to clamp on to holding on to the revenue of the past. So I don't have an answer for HubSpot in terms of what they should do differently. I just believe that if you try to make the customer's data your own in that way, which it is your data, if you're a HubSpot user, the data you have in HubSpot belongs to you. However, because you are not an owner of HubSpot, you are simply a tenant in their building. They can indeed impose what I view as pretty draconian ideas like this where you're metered for accessing your own data. I find that concept just absolutely absurd.
[00:14:50:24 - 00:15:38:23]
Amith
So but this is precisely what we talk about, Mallory, when we talk about data platforms, which I'm sure we'll get to. But it frankly just pissed me off when I heard that. As much as I admire HubSpot, as much as we use HubSpot across eight different businesses here, I think their technology is really good. I think it's easy to use. I think they've really hit a sweet spot and tons of associations use them. But it's really nerve wracking to hear that that which is supposedly mine, the data that by law, by contract belongs to me, is somehow not available to me through the API is problematic. So I wouldn't necessarily even have a problem with a license fee for the API, but not a metered license fee that says like I have to pay for each bit of data. I understand there's costs involved in providing an API that I mean, we charge for APIs in some of our products, but metering it is the part that really, you know, rubs me the wrong way.
[00:15:40:04 - 00:15:51:21]
Mallory
And is this the first time you're hearing anything like this, Amith, because I'm sure our association listeners are thinking their AMS systems, their LMS tools, their own CRMs. Do you think this is something that could be adopted widely?
[00:15:51:21 - 00:16:15:00]
Amith
Well, there were companies long ago who attempted to monetize their APIs or similar things that used to be this thing long, long ago called Electronic Data Interchange or EDI, which predates APIs of the modern era. And that was very much transactional and metered. And part of it was because the infrastructure was so incredibly expensive to run that it did actually have the notable cost with the more data you ran through those pipes.
[00:16:16:05 - 00:18:01:12]
Amith
But, you know, AMS vendors actually that are long gone at this point that I used to compete with in my old company sometimes had metered APIs as well. I never viewed that as an appropriate business model because the idea of the customer having to pay to access their own data, it's kind of like, you know, you go to the bank and you want to withdraw some of your cash from your bank account. They're like, well, we're going to charge you a fee to access your own money. That's how it feels. It's my asset, you know, get your hands off of it. It's kind of how I feel about it. So as far as other vendors that are doing this now, there are other people who have metered access to data, but it's typically third party data services. For example, companies like ZoomInfo or Apollo.io, these people who provide third party data sources. And that seems pretty reasonable because you're buying data from them. But when it comes to your own first party data that you and supposedly only you own, that's what seems wrong to me. And I think it's really short sighted because I don't think associations or many other organizations are going to put up with that long term. I don't think it's going to have an immediate impact because these systems are sticky. They have high switching costs, but it creates a rift between, you know, customers who generally, HubSpot has extraordinary NPS. Most of their customers love them. And that's one of the reasons we love them because their product is great and they are easy to use and our marketing teams and our sales teams are able to get in there and do their work really well and all that stuff. And they're very AI forward. Their co-founder, Dharmesh Shah, who I follow on LinkedIn. I'd encourage others to follow. He's a brilliant guy, super inspiring entrepreneur, great leader, great technician, and I'm curious what he thinks about this, right? Because he's very, very forward looking. Obviously he's in support of whatever his CEO is doing. 
But, you know, ultimately I just view this as like clinging on to the old business model. It's like a newspaper charging more for print.
[00:18:02:21 - 00:18:11:14]
Mallory
Mm. It's a good way to put it. So do you see, you mentioned an AI data platform. Do you see that as a solution to this problem potentially?
[00:18:12:16 - 00:20:29:08]
Amith
You know, I think a data platform is critically important for all organizations because of the issue that predates AI, which is the proliferation of different software tools, whether it's SaaS tools, homegrown databases, traditional package software. There are multiple sources of important business information out there. And people have been trying to solve this for years with data warehouses, data lakes, this and that, all these different kinds of solutions. The common thread is bring your data together, unify it, and then do things with that unified data. It's always been challenging to do that historically. With AI, it's dramatically easier, orders of magnitude simpler to unify your data, which I can tell more about in a minute. But the essence of the idea of an AI data platform is to unify your data and then to be able to run your AI workloads on this central location of data. So what we're talking about here is instead of just running AI on your AMS data or just your LMS data or just your HubSpot data, bring all of that data to one unified container, essentially, where you have all your data. You still use those source systems, by the way. You still use your AMS for what it's good at. You use the LMS for equivalent tasks that it's good at and so on. But you bring the raw data into a data platform and then you're able to run AI agents that have access to all of that data in a secure way. You can build workflows. You can do analytics stuff. There's a lot of really powerful things you can do if you have your data unified. So the concept is really important. The difference in the last five years is the feasibility of doing this, even for fairly small associations has dramatically changed. It would have taken seven figures and year plus time investment to do any kind of data unification strategy 10 years ago, certainly, even three or four years ago. 
And some people are still doing these classical data warehouses and investing gobs of money and getting limited value out of them. But the idea of data unification is not new, but the importance of it has increased. With AI, there's going to be an even greater proliferation of specialty systems because it's so easy to spin these up. There's going to be more software in the world, not less, which is generally a really good thing. But if you have tons of different systems of record for different little bits and pieces of your overall picture, it makes it even more important to bring that data altogether.
[00:20:30:24 - 00:20:44:01]
Mallory
I'm curious, though, from the perspective of Yamini, the CEO of HubSpot, if you do have an AI data platform and your data is unified there, you would still potentially feel the effects of metered data flow from HubSpot, for example, right?
[00:20:44:01 - 00:20:59:08]
Amith
For sure. And then, of course, HubSpot's perspective is you should use HubSpot's data platform and bring all your data into HubSpot, which, of course, is the same thing that Salesforce is going to tell you and ServiceNow is going to tell you and on and on because these platforms want you to bring all of your data and they want to be the center of the universe,
[00:21:00:11 - 00:21:05:22]
Amith
which is OK. You can do that if you want to be perpetually married to a specific vendor. That's OK.
[00:21:06:24 - 00:21:31:14]
Amith
My belief is that it's important to have your data in an environment you own 100 percent end to end so that you are not subject to any vendors' opinions and changing views, particularly public companies that have to kind of react to how markets behave. If you haven't been paying attention, software stocks in public markets over the last several months, really the last six, seven months, have done very poorly. They're down generally about 20, 25 percent.
[00:21:32:17 - 00:22:54:06]
Amith
And that may be a buying opportunity or it may be a forecast of what's to come. But the issue is, is people are saying, well, AI is going to eat software. I actually don't think that's going to be true for the core systems people use. I think we're just going to have more unique systems, even one off systems that are literally built for a single user, which finally solve people's problems in new ways, which is exciting. But it also means you have to do a really good job with data governance. And part of that is bringing your data back together in one place where you have control over it and you have true ownership over it. So to me, this is basically a very clear signal to the market that this is this is what's going to happen with many vendors. And I don't know what's going to happen with all vendors, obviously. But particularly if someone as big as HubSpot does this, many others will follow and say, well, HubSpot does it. So why can't I? Right. And it's a fairly easy way to juice your revenues in your term. So I'd be very thoughtful about this in all of my contracts with existing vendors. If I was an association leader, I'd take a good look at the data rules to make sure I can get my data out of those systems. However I want to, whenever I want to, whether it's by API or bulk export or whatever, but you have to be able to get your data out. And my opinion is that having an AI data platform that is something you truly own, meaning you're not reliant on any vendor for it, but it's open source, which obviously that's what Member Junction is. But there are other options as well.
[00:22:55:08 - 00:23:35:05]
Amith
You can even build something from scratch on top of open source technology like Postgres or whatever and just set up your own data platform. That's a lot of what we've already done for the association community and it's completely free. So obviously that's what we think makes sense. But the essence of the idea is very simple. The data that you have across these different systems, it's just too important to not have unified and it's too important to not truly own. We say ownership. We're not talking about what the contract says. We're talking about the practical implications of owning. And that means that you need to own the land. You don't want to just have a tenancy in somebody else's building. You want to have control over what can be done with your data, particularly in the world of AI.
[00:23:35:05 - 00:23:53:03]
Mallory
Mm hmm. When I've spoken with association leaders in the past about AI data platforms, I often get the response, oh, it's like a data warehouse or oh, it's like a data lake and you and me brought up those terms earlier. Can you clarify whether they're all the same thing or are they slightly different? What makes an AI data platform an AI data platform?
[00:23:53:03 - 00:27:53:06]
Amith
Well, an AI data platform leans on AI to make sense of the world. So in data lakes and particularly in data warehouse architectures, what people have done for years is something called ETL. ETL stands for extract, transform and load. And it's a fancy tech term that simply means get your data from one source to another and along the way, you might change the format of the data. So it works in it's got 10 columns in one database, but in the other database, it's got six columns because they combine certain fields or whatever, right? That's what ETL does. It's basically the pipes to connect systems together. And the T in ETL is where all the money gets spent. That's where you're trying to map system A to system B to system C. In data warehouses, what people have tried to do, and this is true for most data lake topologies as well, they try to create some sense of the world for themselves, for the humans. And what I mean by that is imagine if you have an LMS, an AMS and a financial management system, an FMS, all of them have the concept of a member. They all have tables somewhere in their databases that have things like ID, first name, last name, title, email address, and they all have perhaps different field names. Some of them have something like a phone number broken up into an area code and a phone number. Some of them have that combined. And then of course, those are the simplistic examples, but there's a lot of other more complex nuances that are different from system A to B to C. And what people will typically do is they'll say, well, let's try to create one view of the world. We're going to create one unified concept in our data warehouse called member, and we're going to map these source systems over to this destination data warehouse structure. And that's where a lot of the problems come in, because you're trying to essentially squish these other data formats that are native to whatever those systems are into a common format. 
That's essentially what's happening. And obviously I'm dramatically oversimplifying it. But because that's going on, you both lose resolution, right? It's kind of like translating languages and you lose the nuance, you lose the detail, what I'm calling the resolution when you do that. And you also generate a very brittle pipeline. It's very, very easy for those things to break. And that's one of the reasons why these things are so expensive to run. The question is, why do we do that? Why do we do the transform? And it's because historically, if we had, you know, six different flavors of a member table in a data warehouse, even though those things are physically co-located, they're still essentially inaccessible because we'd have to build different reports and different analytics on each of them. This is where AI comes in. So in the world of human interpretation of the data, it would be very difficult for us to make heads or tails of that. But what an AI data platform does and what Member Junction specifically does is it puts a really powerful AI layer on top of that data. So we essentially eliminate the T in ETL. We simply do extract and load or what is more simply known as a one way replica. So if you say, okay, I have, you know, a hundred tables in my AMS. We literally copy them over to this data platform. It's very simple. So actually, setting that up is literally minutes. And for the most common AMSes, Member Junction already has those connectors pre-built, right? So you literally turn them on and they suck down the data, which is of course, Yamini's nightmare of like, we suck down all the data from HubSpot. We have a connector for HubSpot and we can suck down literally every data field you have from HubSpot, typically in a few hours, depending on how big your HubSpot instance is, and then you have it in a database you own and control. And then it's set up as a continuous replication. 
So like every 15 minutes, every half hour, it keeps updating to incrementally keep it in sync. So now the question is, okay, you do that for HubSpot. You do that for AMS. You do that for your LMS. And I have all these different flavors of data, but then again, like for our brains, that's confusing, but for AI, it's no problem. AI can look across almost an infinite amount of complexity in terms of data topology, which is what I'm describing and make sense of it and build analytics and help you navigate that world.
[00:27:54:16 - 00:28:32:09]
Amith
So that's the big, big difference in our approach to an AI data platform is to eliminate the really painful bottleneck that costs an enormous amount of money, is super broken and is just, you know, it's not necessarily even helpful. So that's the idea. And it's an extraordinarily powerful concept and it wouldn't have been possible in the last, more than in the last couple of years. We started Member Junction Project anticipating this reality about five years ago and have been investing heavily in it. And now that project is very mature and, you know, the technology, the underlying AI that's doing what I'm describing is fully capable of doing this. It's really quite exciting.
[00:28:32:09 - 00:28:42:00]
Mallory
Wow. That was a great explanation to me. So to really, really oversimplify it, if we're talking about ETL, it's taking out the T, the transform and just doing the E and the L.
[00:28:42:00 - 00:30:09:06]
Amith
Yep. The T is the bad word in the ETL. So when you're talking about all the pain you've had in your data warehouse, most likely most of the pain has come from the T. Um, in various ways. And so when you eliminate that and then you say, well, if I eliminate that, how do I make it work? Well, you make it work with AI, right? And so that's the idea behind the AI data platform. And it's, it's, it's, it's truly remarkable what you're able to do with AI. You can do natural language conversations with your data. You can get what you want. And then the key thing is, is that because this is open source, nobody owns it. We do not own it. We have donated the intellectual property to the world, to the public domain. That's what you do when you make open source software. Um, and so the commitment we have is to keep contributing to it. Other people are starting to contribute to it and it becomes a community owned thing. Nobody owns it, which means everyone owns it. And that means that you have the safety of knowing that no vendor is going to ever be able to say your data belongs to them or it's metered or some other kind of, you know, terrible idea like that. So that's the reason we've been kind of, you know, on this soapbox, hammering this for a while, as we, as we kind of anticipated this happening. Um, and the good news is there's a solution and the even better news is it's not hard. It takes literally days or weeks to set up not months or years. And it's accessible even to the smallest association. Like we've set up something called Member Junction Central or MJ Central, which is a hosting platform that you can start literally for free to use. You just bring your own Azure account and then Member Junction does the rest. It sets the whole thing up for you and you do a handful of clicks and you're done.
[00:30:09:06 - 00:30:10:18]
Mallory
In a few days.
[00:30:10:18 - 00:30:14:12]
Amith
Literally a few days. Wow. It's pretty crazy.
[00:30:15:17 - 00:32:18:24]
Mallory
Well, it's kind of a good segue into topic two, Amith, because I know Member Junction, our open source AI data platform, supports MCP or Model Context Protocol. And that is what we're getting into for topic two. We covered this back all the way in episode 59, if you can believe it, of the Sidecar Sync podcast when Anthropic first introduced Model Context Protocol. At the time we were excited about MCP as the universal adapter that lets AI models connect to your data, your tools, your business systems, and it's lived up to that promise. MCP has become the de facto standard for connecting AI to external data sources. But there's a flip side. Cisco just released a report warning that this connective tissue of the AI ecosystem has created a vast and often unmonitored attack surface. The core concern here is AI tools can now execute processes, access databases and push code on behalf of humans. Cisco says this has become the dominant AI risk and warns companies not to give AI unsupervised control over critical business functions. So I want to go back a little bit on why MCP specifically changes the security picture. It's a standard pluggable interface, which is great for adoption, but also means it's easier for bad actors to plug in malicious or misconfigured servers and tools. It acts as a central control plane. One compromised MCP server can influence multiple agents and users at once. And AI models can chain tools together automatically. So a subtle manipulation early in a chain can escalate into something much more damaging. I wanted to take a little bit of time to go through some of the attack vectors as they pertain to MCP because I thought these were interesting. First is prompt injection through data sources. So malicious instructions can be hidden in documents, web pages or database records that get pulled in through MCP. 
The AI treats this external data as trusted context and follows the hidden instructions, potentially exfiltrating data or triggering actions the user never authorized.
[00:32:20:01 - 00:32:44:17]
Mallory
Also fake or poisoned tools. Cisco highlighted a case where an attacker published a malicious package designed to look like an MCP integration for the Postmark email platform. It secretly BCC'd every email sent through the agent to an attacker-controlled address. Because AI agents handle sensitive communications, invoices, password resets, internal memos, this kind of attack can silently harvest massive amounts of sensitive data.
[00:32:45:22 - 00:33:26:22]
Mallory
There's a supply chain risk or the SolarWinds of AI. For context, SolarWinds was a widely used IT management platform, and in 2020 Russian hackers compromised SolarWinds' software update system, which meant that when thousands of organizations like U.S. government agencies and Fortune 500 companies installed a routine update, they unknowingly installed a backdoor for the hackers. And this was devastating, of course, because the attack came through a trusted source. Cisco's warning that the same thing could happen in AI. A coordinated attack on a widely used AI library or model platform, like someone stealing a signing key for Hugging Face, could distribute malicious model updates to people who depend on it.
[00:33:27:22 - 00:34:41:02]
Mallory
Consent fatigue is another attack vector. MCP clients often show permission dialogues, "allow this tool to run," for example. Attackers chain many harmless read-only tool calls to build trust and then can slip in a dangerous action. Users who've been clicking allow reflexively don't catch the one that matters. And then finally, memory attacks. As AI companies get better at detecting prompt injection, Cisco predicts hackers will move deeper into the model's memory, tampering with vector databases where AI stores learned information for later use. The bottom line here, organizations should treat MCP servers, agent tool registries, and context brokers with the same hardened security approach as API gateways or databases. Until the industry matures its security practices for this agentic ecosystem, businesses face real risk in deploying AI agents at scale. Ooh, this was a scary one, Amith. This is a scary topic for us to cover on the pod. So we talked about the AI Data Platform, Member Junction supports MCP. We've been very, I feel like we've spoken very positively about MCP on the pod. Do you think these are just regular growing pains? Do you think this is something that should make people step back from MCP?
[00:34:43:01 - 00:36:08:08]
Amith
I think that people should be measured in how they deploy any new technology. As optimistic as I am about AI, if you take it and just kind of throw it out there and don't pay attention to it, don't educate yourself and don't ultimately educate your team, you're going to run into a lot of problems with MCP and in general. So to me, the first thing you have to do here is be knowledgeable about what you're doing. So a good example of something that isn't an attack vector, but could be is connecting the HubSpot MCP server, which there is one, to something like ChatGPT or Claude. So this is not exactly what Cisco is talking about, but I'll explain why it's something you should be thinking about. Do you really want your data to go across all of your HubSpot data to be available to ChatGPT or to Claude or to Gemini or anybody else for that matter? I would argue that that risk is also high because you're essentially handing over the keys to the kingdom to all your proprietary data to a model company that is incented to figure out ways to make their models smarter than the next guy, which is an incredibly insane race that's happening right now. So having access to that data outside of a hacker, gaining access to it, it's still something where people are kind of, they're just kind of cavalier about it. They're like, oh, yeah, there's an MCP server for HubSpot. Let me plug it into ChatGPT and see what happens. And yes, you can do some very cool things. However,
[00:36:09:10 - 00:38:27:03]
Amith
there's no intermediary. There's nothing tracking when your MCP is being used by OpenAI. I'm not saying that OpenAI or Anthropic or anyone specifically is going to do something bad. I'm simply saying that the opportunity exists for something bad to happen. And there's really no recourse because these companies are moving so fast and have so many resources that your association bringing a lawsuit or whatever it is you would think is recourse is not a real thing. You'll be run over by a steamroller if you attempt to do that. So what you have to do is look at what are the incentive structures in terms of economics and why would someone do or not do that? And I think it's kind of going back and beating the same drum from the last topic, Mallory. But this is also a reason why having some kind of platform that you control that is where you decide to feed little bits and pieces of your data to AI rather than dumping the whole thing in the AI system, which is what's happening when you are giving access to the MCP directly to the model company. So that is not exactly what the Cisco report was talking about. But going back to the Cisco report, essentially it is kind of the even worse case of that where you have a fake MCP server or you're connecting it to perhaps a fake AI tool. Right. You think you're connecting to some really cool, great new AI chat agent that came out and it's actually a hacker that's taken like a mediocre AI tool under the hood and said, hey, I have, you know, it's a free tool. You can connect your MCPs to it. It's great. And people just start doing this with any random AI tools that they hear about. You know, I was talking to an association executive the other day like, oh, we're using this blah, blah, blah AI tool. It's really cool. It's got a really clean interface. We like it a lot. I'm like, well, what's the underlying model they're using? Well, I don't know, but it's pretty smart. 
But it allowed me to just very easily click and include it, like add all my stuff to it. And I'm like, yeah, the idea is awesome. The power is really great. But traditionally when associations would sign up for new tech, they'd be pretty diligent about looking at the contracts, making sure ownership was buttoned up. And now people are moving so fast, partly because of fear of missing out and all these other things, which we talk about, right? We're talking about how important it is to experiment. That's where governance, that's where education is so, so important, because if you don't know what you're doing, you're definitely going to get yourself into trouble pretty quickly.
[00:38:28:11 - 00:39:21:14]
Amith
So I was compelled for us to include this topic, not because I want people to think that they should take a step back from MCP at all. MCP is an incredible technology, but rather to be thoughtful about it. That's really what it is. It's when you deploy an MCP server from your own database, you have to think about who you're going to let connect to it. When you're adding MCP servers into your corporate AI environment with, say, something like Claude or ChatGPT, once again, you have to be thoughtful about what you're allowing to include. Just like you shouldn't really forget about AI for a minute, just some random software that's out there. You shouldn't use it for mission critical things with key data unless you have a good idea about the company and they have been around a while. Who's behind it? Things that people would call diligence on a larger contract. But we just kind of have to balance those risks a little bit better because people are moving at a blazingly fast pace right now.
[00:39:21:14 - 00:39:43:03]
Mallory
Yeah. You know, when you're hearing Amith tell everybody maybe slow down a little bit, maybe pump the brakes, it's definitely a serious issue. I mean, you mentioned the concerns around connecting something like your HubSpot with ChatGPT without too much thought. Can you explain how that's different from, let's say, unifying all your data in an AI data platform and then using MCP to connect it to a tool?
[00:39:43:03 - 00:41:51:12]
Amith
Let me start off by kind of giving our listeners a little bit of a background on how MCP works. So the magic behind MCP is that it's actually just an API. It's like any other API in one way in that it allows two computer programs to talk to each other. So it's a standard way for a program on one machine to talk to a program on another machine. That's basically what APIs have done forever. Now what's novel about MCP is this discovery mechanism. So built into MCP is this idea that the connecting, what's called the MCP client, can talk to the MCP server and say, hey, what can you do for me? What are your tools? What are your capabilities? So rather than the idea of having it hard coded and knowing ahead of time that the HubSpot tool has these five capabilities, which is what APIs typically would have in their documentation, you can discover those dynamically. And then most importantly, because AI is capable of reasoning over all sorts of things, including text, once the AI knows, oh, these are the five tools that HubSpot has available. It's probably more like 50 tools that HubSpot has available. What can I do with that? The user's asked me to solve these problems, to build these solutions. I have access to these tools just like a human might. They might say, oh, I have this really great tool for that particular problem. But they can dynamically discover which tools are available. Nothing was hard coded into ChatGPT or Claude that says these tools from HubSpot should be used at these times. There's a list of tools and descriptions of what those tools can do and what they don't do. And so that's what MCP servers do. So that's the magic of MCPs is really AI discovering and then self-determining which tools to use, which is what makes it powerful. Now, what I would tell you to answer your question is what's the difference between the direct connection between your AI tool of choice and your MCP server versus using a data platform you control is two things. 
First, in the data platform, you are bringing your data that you own to a central area that you also own, which is the data platform.
[00:41:52:16 - 00:42:55:04]
Amith
And then when you are connecting to an AI model, you're doing it kind of by sending little bits and pieces across rather than dumping, like, you know, backing up your semi-truck of data to the OpenAI dock, you know, for the loading dock, unloading dock, which is what you're doing when you're connecting directly. You're just giving them unfettered full access. Here, what you're doing is you're choosing through your data platform which pieces and parts go across and you're connecting with OpenAI, Anthropic, Gemini and other providers through the API. And I want to take just a minute to explain the difference between that and using the apps. When you use the apps directly, your data is being saved by those vendors in their systems. How can you know this to be a true statement? Well, you can go back and you can look at the chat history and your data from your members or from your sensitive documents is still in your chat history. And it has to be because for those applications to provide you a good experience, if they never retain the chat history, they would be of limited utility, right?
[00:42:56:05 - 00:44:50:23]
Amith
But by definition, you therefore know that they have your data and they have unlimited access to that data because it's stored in their system. In comparison, if you have an intermediary, which is what the data platform does, you only send across a little bit of data to the API, which is definitionally not persisted or stored by the AI vendor. They never actually store any of the data. And then the response comes back from the AI and then it's stored in your data platform securely for you. And it's not accessible to the AI company anymore. It's a completely different approach. It looks very similar. So if you go in Member Junction and this is true for other systems, if you go have a conversation there, you can talk to agents, you can talk to AI models, but the AI is never actually accessing your data directly. We're sending across just little tiny bits of data. So it's a dramatic, it's an inherently more secure approach. And so if Member Junction consumes an MCP server and puts all the data in MJ, it's stored there in your database, not in the AI vendor's system. It sounds like I'm talking about like a bunch of really technical things, but the important part is control and ownership. And then the last thing I'll tell you, Mallory, that's really important is logging everything, right? So knowing when systems were accessed. If you connect your MCP server from HubSpot directly to, and this is just an example, to OpenAI, you don't really have any traceability. You know, in theory, you can look at the logs on both sides, but that's very difficult. You don't necessarily know every single time an MCP was used. Whereas if you have a data platform in the middle, you have very rich, what we call trace logging, knowing every single thing that was done, and that's yours. It's your data as well, right? So if there's improper use at some level, somehow, anyway, you're way more likely to find out about it through monitoring tools and the like, as opposed to this direct connection. 
So think of it as almost like a supervisory layer, right, that helps protect you.
[00:44:50:23 - 00:45:14:11]
Mallory
Yep. That's actually really eye opening, Amith. I don't feel like the explanation was too technical at all, but I can now fully understand how not secure it would be to just open up, as you said, keys to the kingdom, HubSpot, connecting it to ChatGPT, thinking I'm experimenting, I'm seeing what I can do when ChatGPT has access to our data, but not realizing exactly what you're doing. And that's concerning.
[00:45:14:11 - 00:48:08:24]
Amith
You know, you mentioned something about Hugging Face and like the possibility of someone getting a signing key and Hugging Face for those who aren't familiar is kind of like the central hub of AI models who people download from and a lot of other things. And they're a really cool company that do really important work. And so it wouldn't actually take a lot for that scenario to unfold. Imagine a scenario where someone actually, you know, figures out who at Hugging Face has access to those signing keys and threatens them and gets them to give them the key. Right. And then that happens and nobody knows about it. And, you know, it's a real problem. So those kinds of things, those attack vectors that are in the physical world as well, it can exist. There's all sorts of safeguards for these kinds of things that are in place at companies of that scale. But nonetheless, there are vulnerabilities like that. And the same thing can be true at any of these organizations. So I think that, you know, the idea of trusting certain partners that you're going to work with is important, but it's a trust and verify scenario. And it's also a scenario where you want to align economics. You want to align the incentives of the partners you're working with. So if you have people in situations where your data, let's say, is real valuable and by contract and by expectation, you know, no one's going to improperly use it at these other companies. And that's true almost all the time until it isn't. And if there's one employee at Anthropic or OpenAI or Google or anywhere else who decides to do otherwise and they happen to have those access capabilities and, you know, it's more than one person at these companies who have those kinds of capabilities and maybe not of their own free will, right, to do those things, bad things can happen. 
And I think associations sometimes kind of belittle the probability of them being a target for this because they'll say, well, we're, you know, we're a little bitty association, which isn't necessarily true. You know, hackers go after the most vulnerable targets at scale, not necessarily the hardest targets who have the biggest dollar amounts or the most data or whatever. They do that as well. But, you know, associations, I think, are going to increasingly see challenges from this and it's important to be aware of them. That's really the reason I think it's so important to be talking about it here. And I would love to have other voices talk about what they've seen in the market where they've had challenges. So if you're a listener and you've deployed MCP and you've had problems or you haven't had problems, but you think there's other angles to be thinking about this where you've just kind of gained inspiration on how you might do things differently based on your experience, ping us. You can comment on the pod directly on your listening platform. You can email us. We'd love to hear from you. I think it's a really, really critical topic. Again, my goal isn't to scare people off. I want people to adopt this technology. I just want people to be smart about it. I think that's where going back to our standard drumbeat here at the Sidecar Sync about education, whether it's Sidecar's education or anything else. Just focus on this. The more you learn, the less likely you are to be that most vulnerable target that's out there.
[00:48:10:24 - 00:48:42:06]
Mallory
I'm thinking practical takeaways for our listeners, Amith. If we have association listeners, leaders listening who are trying to guide their staff when it comes to MCP, of course, education is the first essential step. But I'm curious what you, Amith, would tell a new staff hire, maybe not a tech fellow because they're pretty technical, but a new staff hire like Mallory on her first day who's really excited and eager to experiment with AI, doesn't maybe fully understand what MCP is. What would you say in terms of, hey, go experiment with this, but here are the guardrails. Don't do this.
[00:48:42:06 - 00:49:09:20]
Amith
So one quick thing that's kind of funny is I actually find that the most technical people sometimes are the absolute worst at figuring out when there's a security vulnerability because they know so much. And therefore they're like, no, no, I know this. I got this. And then we're all human and we're all, you know, myself included, right? We all make mistakes. And so it's easy for people who are quite knowledgeable about some of these subjects to actually make the greatest mistakes, like, no, no, no, it's OK for me to do that because I know what I'm doing. I'm good.
[00:49:11:06 - 00:49:20:04]
Amith
So I think that's a challenge. But what I would tell people in general is always start off with if you're trying something new, a new tool, a new vendor,
[00:49:21:06 - 00:51:28:21]
Amith
use an account that is not connected to anything real. So don't use your Blue Cypress account or your Sidecar account. Spin up a Gmail account that doesn't have access to any real data and use that for a totally new tool that you do not know who it's from. That allows you to have some degrees of freedom and experimentation, but it doesn't put you at risk of, you know, because when you often authenticate in through your, you know, your company email, a lot of times you don't even realize this, but you're giving the other vendor access to certain key information about you. It may only be your email and your avatar and some other things, but a lot of times it's more than that. A lot of times it's giving them access to like read messages or look at files or whatever. And people are pretty, you know, I would just say just they don't think deeply enough about that. So I would set up kind of like a demo account on Gmail or Outlook or whatever you use and then test out things with that separate account. I definitely do that. And I find that to be helpful. So that allows you to go experiment with things you're not quite sure about, but do it in a somewhat safer way. I'd also tell people don't download software to your own computer unless you have a fairly good idea that you can trust a partner or the vendor that you're working with. Most things are web based these days, so a little bit safer. Make sure that you're using a good browser. So something like a modern version of Chrome or Firefox or Edge that has some pretty good safeguards built in. You'd be surprised the number of people that haven't updated their browser in five years or something. There's just it's kind of crazy. They'll turn off auto updates and they'll just kind of sit there with, you know, really old browsers and browsers are an incredibly common attack surface for hackers. 
So there's a lot of these basic things I would just try to impart on people an incredible amount of optimism and enthusiasm while at the same time to just take steps incrementally so that you understand what you're doing and you'll learn more as you go. So if you use some tool you never used before, use it with a demo account and you realize, whoa, this thing's just kind of weird. I'm not sure I'm comfortable with it. No harm, no foul. Right. You've only connected it to an account essentially. Whereas if you connected it to your actual email account and you authorized it to do certain things, you know, you can go clean that up. But it's just that's a little bit nerve wracking, I would think.
[00:51:29:21 - 00:51:46:08]
Mallory
Well, that's some good practical advice, Amith. I think we've got two big takeaways for today. We already know AI agents are reshaping the software landscape and your vendor relationships will feel the effects and the infrastructure that powers agents, think MCP, needs to be treated with the same
[00:51:46:08 - 00:51:51:21]
(Music Playing)
[00:52:02:14 - 00:52:19:13]
Mallory
Thanks for tuning into the Sidecar Sync podcast. If you want to dive deeper into anything mentioned in this episode, please check out the links in our show notes. And if you're looking for more in-depth AI education for you, your entire team, or your members, head to sidecar.ai.
[00:52:19:13 - 00:52:22:19]
(Music Playing)
March 3, 2026