Your AI agent is only as useful as what it can safely reach.

Most companies are still judging AI in the wrong place.

They open a chatbot, ask it a question, read the answer, and decide whether the model is clever.

That was fine for the first phase. It was a demo-shaped phase. Useful enough, slightly weird, full of screenshots and people pretending a tidy paragraph was a transformation strategy.

The next phase is not about whether the AI can write a neat answer in a box. It is about whether it can touch the real work.

Can it read the CRM? Can it inspect the product feed? Can it compare last week’s sales calls against this week’s proposal? Can it pull the campaign data, spot the problem, draft the client note, and stop before it sends anything stupid?

Can it do any of that without someone copying half the business into a chat window like it is 2023?

That is where the useful fight is moving. Not model cleverness. Access design.

OpenAI published a developer post this week about something called Secure MCP Tunnel. A horrible name if you want a mainstream headline. A very good signal if you care about where this is actually going.

The problem it solves is simple. The systems a business cares about most are usually the ones it least wants to expose to the internet. Internal reporting. Customer data. Ops dashboards. Inventory. Finance workflows. Support systems. Client files. The weird little API that two people understand and somehow runs half the company.

If an agent cannot reach those systems, it is mostly stuck summarising whatever a human hands it. If it can reach them badly, you have a security problem with a cheerful tone of voice.

OpenAI’s answer is not to make every private server public. The tunnel works the other way round. A small client sits inside the private environment, run by the customer, and opens an outbound connection. Requests come through that controlled path. The private server stays private. There are explicit destinations, health checks, logs, and an admin screen to see what is happening.

None of that is exciting in the keynote sense. Good. Exciting is overrated. Boring is where the real system starts.

This is the part of AI that most business conversations skip. Everyone wants to talk about agents doing the work. Far fewer people want to talk about what the agent is allowed to read, what it is allowed to change, how it proves who it is, which service it can reach, what happens when it fails, where the logs live, and who gets to turn it off.

Those questions sound like plumbing because they are plumbing. And plumbing is the difference between a demo and an operating system.

A second signal made this feel more urgent. OpenAI’s own researchers published a paper on Codex adoption. They say active users grew more than fivefold in the first half of 2026, the fastest growth is now outside the original developer audience, more than one in ten users run three or more agents at once in a given week, and around a quarter use shared skills for more complex jobs. Treat those as OpenAI’s numbers rather than neutral market data, but the direction is hard to argue with.

That is not “developers write code faster.” It is people handing chunks of work to agents.

Once that spreads through a company, the limiting factor changes. The question stops being “can the model produce something impressive” and becomes: what can we safely delegate, which systems does the agent need, which stay read-only, which actions need a human yes, and which model is cheap and reliable enough for the job.

CNBC had the other half of the story. Companies are starting to rein in AI spend. The “use as much as possible” phase, where burning tokens became a badge of honour, is meeting finance. The reported examples name specific firms moving providers and putting spending tiers in place after blowing through a year’s budget in months. Worth checking those names again before anyone quotes them hard, but the shift is real. The conversation is moving to routing, budgets, and return, not frontier worship.

Dull again. Useful again.

Connect agents to private tools with no cost control and you get a very modern way to burn money. Connect them with no permissions and you get risk. Connect them with no logs and you get theatre. Do not connect them at all and you get clever answers that still need a human to do the actual work.

This is why I keep landing on the same argument. The next valuable AI companies will not just sell more output. They will build the layer between the model and the business. Tools, memory, workflows, approvals, routing, monitoring, review.

For marketing this lands straight away.

A marketing agent that cannot see Search Console, ad data, CRM notes, product feeds, call transcripts, client docs, and campaign history is guessing with better grammar. A marketing agent that can see all of that with no controls is a lawsuit in trainers.

The useful version sits in the middle. Scoped access. It knows which sources matter. It can run a weekly check, draft the recommendation, show its working, and ask for a yes before anything public or expensive happens. It logs what it did. It gets a little sharper next week.

That is less glamorous than “AI workforce.” It is also far closer to what a business can actually buy.

There is a quieter signal underneath all of this too. Work is starting on standard ways for agents to discover and call the tools and services around them. Whether any single spec wins is not the point for a business owner today. The direction is the point. Tools are becoming things agents find and call. Private tools are becoming things agents need a controlled path into. Skills are becoming reusable business assets, not clever prompts saved in a folder.

It all points one way. The advantage is moving from “who has the cleverest chat window” to “who has the cleanest surface for an agent to work on.”

Most businesses are nowhere near that. They have useful data in five systems, half-documented processes, duplicate spreadsheets, weak CRM hygiene, no permission map, and a stack of tools different teams bought in different emergencies. Then someone asks why the AI has not transformed the company by Friday.

Because the company never gave it a safe surface to work on. That is the uncomfortable bit. AI exposes the quality of your operating system. If your data is messy, your processes are vague, and your ownership is unclear, the model will not magically fix it. It will produce cleaner-looking confusion. And confusion that looks clean is harder to catch.

So the practical question is not “which AI tool should we buy.” Start here instead.

What repeated decision or workflow would genuinely be worth improving? What private systems does it depend on? Can an agent read those safely? Should it act, or only recommend? What is the cheapest reliable model for each step? Where do the approvals sit? Where do the logs live? And how would you know if it actually helped?

That is not a content calendar. It is not a prompt pack. It is not a breathless transformation deck. It is operational design.

For agencies, consultants, and marketing teams, that is the shift that matters. The value is not making more drafts. It is building the controlled loop around the work. Source access, judgement, output, approval, publishing, measurement, learning.

A clever model helps with that. But the moat is the boring stuff around it. The private connectors. The workflow shape. The permissions. The logs. The review habit. The human taste. And the willingness to kill an automation the moment it stops earning its place.

That is where this is going. Behind the firewall. In the workflow. With receipts.

Which usually means it is the part that matters.

---

Jason Sibley is the founder of Cleo, a post-agency marketing and AI company. JasonVsTheNoise is where he writes about what is actually happening with AI, marketing, and how businesses should be thinking about both.