AI architecture
Agent context protocol for low-code teams: tools, context, and approval
A practical explanation of MCP, ACP, durable context, and how low-code teams should expose tools and data to AI agents safely.
Why protocol language matters
AI agent discussions get vague quickly. A builder asks for "agent context," an engineer hears API access, and a security lead hears data leakage. Protocol names help only when the team uses them precisely. Otherwise, "connect the agent to our tools" becomes a cheerful sentence hiding a permissions review.
For low-code teams, the useful split is simple: how an agent reaches tools, how agent work moves between systems, and where durable business context is stored.
This matters because a low-code workflow may cross a visual CMS, app builder, database, identity provider, ticketing system, analytics tool, and deployment process. Giving an agent broad access to that stack through a chat window creates avoidable risk. The better pattern is protocol-mediated access with named connectors, scoped credentials, role-aware permissions, approval steps, and logs that operations can inspect later.
MCP is the tool and data boundary
MCP means Model Context Protocol. It gives AI clients a common way to discover and call external tools, read resources, and use predefined prompts. In practice, an MCP server might expose actions such as "search knowledge base," "read support ticket," "create staging branch," "query approved customer fields," or "open a draft CMS page."
For a low-code team, MCP should not mean that the model can use every integration connected to the platform. Each MCP tool needs an owner, schema, permission boundary, environment boundary, and clear failure behavior. A read-only draft content tool is different from a tool that updates production billing records. A staging database query is different from a production write.
Start with narrow tools that match reviewed workflows. Prefer actions like "create draft," "request approval," "summarize changes," and "generate report" before direct production mutations. Tool descriptions should state side effects, data scope, rate limits, and whether the result needs human review before it can be used.
ACP is the handoff boundary
ACP is a less settled acronym than MCP, so teams should define it in their architecture notes. In some contexts, ACP means Agent Communication Protocol, focused on agent-to-agent interoperability. In others, it means Agent Client Protocol, focused on how a client application talks to an agent process. For governance, the common thread is handoff: how work moves between an interface, an agent, and possibly another agent.
A low-code team may use ACP-style patterns when a business user starts a request in an internal-tool builder, hands a draft to an engineering agent, receives review in a ticketing system, and routes the final change back to a visual CMS or app builder. The handoff should preserve the user, role, task, source record, proposed action, approval status, and audit trail.
Avoid silent delegation. A user should know when one agent hands work to another system, especially if the next step can write data, generate code, change permissions, or publish content.
Durable context needs ownership
Durable context is the stored knowledge an agent can use beyond one chat. It may include platform standards, component rules, data contracts, security policies, release checklists, customer tiers, connector ownership, and previous decisions. It is context, but it is also an operating asset.
Do not turn durable context into a pile of transcripts. Transcripts are noisy and may contain sensitive data, outdated reasoning, or rejected ideas. Better durable context is curated, timestamped, scoped, and owned. A platform team can own connector docs. Security can own data handling rules. Design can own component guidance. Operations can own support workflows.
Version durable context like other operational rules. When a workflow changes, update the source. When a policy is retired, remove it. When an agent gives a bad answer because context was stale, fix the source instead of adding another prompt warning.
Governance belongs in the workflow
Connector ownership, role-based access, approvals, and audit logs should be designed together. Every exposed connector needs a business owner and a technical owner. The business owner defines acceptable use. The technical owner manages credentials, scopes, uptime assumptions, logging, and deprecation. This is essential when connectors reach identity providers, CRM records, payment systems, HR tools, data warehouses, or customer databases.
Role-based access should apply before the agent acts. If a human cannot access a record, the agent acting for that human should not gain access through a broad service account. Service accounts can still be useful, but policy checks should bind each action to the requesting user, team, environment, and approval state. Development, staging, and production connectors should be separated.
Approval should appear as a product surface, not as a private chat message. High-impact actions need queues: publishing pages, changing roles, modifying schemas, updating automations, writing to operational systems, sending customer messages, and deploying production apps. The approval view should show the actor, source context, target system, diff or field changes, expected side effects, rollback option, and final decision.
Audit logging makes agent-assisted work operable. Teams need to know which user requested a change, which agent handled it, which tools were offered, which tools were called, what data came back, what approvals were granted, and what changed. A low-code platform is ready for agents when role-aware connectors, environment separation, tool-level permissions, approval hooks, audit exports, secrets handling, version history, and rollback support are visible to the teams that own production, not hidden in a demo script.