AI, decoded

How do enterprises let employees use AI agents safely?

Four guardrails: an allowed list of approved connectors, identity-based authentication, flags on destructive actions, and a human in the loop for anything risky. That is how Block runs AI agents across 12,000 employees at a company handling Square and Cash App.

· Chain of Thought

Tags: MCP (Model Context Protocol), Enterprise AI, AI Security

1. An allowed list of connectors

Employees cannot install any MCP server they find on the internet. There is an approved list, and if a connector is not on it, the agent refuses to run it. Getting on the list means a security review first, even for the ones Block builds itself.

2. Real authentication

No more API keys and tokens floating around. Block wired the agent into its identity provider, so authenticating into a tool is the same OAuth flow employees already use for Workday. Browser pops up, biometric, done. Familiar beats clever.

3. Flags on destructive actions

Tools get annotated for what they can do. Anything that can change, edit, or delete is marked destructive, and the agent is set to ask permission before running one. Non-destructive actions flow; destructive ones stop for a human.

4. A human in the loop

For the risky steps, a person stays in the decision. The agent surfaces what it wants to do and why, and a human says yes or no. The point is not blanket caution. The human stays on the few actions that actually carry risk.
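The four steps above describe one policy pipeline: refuse connectors that never passed review, read each tool's destructive flag, and stop for a person only on the flagged calls. The following is an added example of such a gate, written for this page and not Block's code. It reads the destructive flag from MCP's tool annotations (the spec's `readOnlyHint` and `destructiveHint` fields); the connector names, tool names, review register and approval callback are constructed for illustration.

```python
"""Policy gate for agent tool calls (added example, not Block's implementation)."""
from dataclasses import dataclass
from typing import Callable

# Constructed review register: a connector appears here only after a security
# review. Everything else is refused before any tool on it can run.
APPROVED_CONNECTORS = {
    "github-internal": {"reviewed_by": "appsec", "ticket": "SEC-REVIEW-PLACEHOLDER"},
    "wiki-search": {"reviewed_by": "appsec", "ticket": "SEC-REVIEW-PLACEHOLDER"},
}


@dataclass(frozen=True)
class ToolAnnotations:
    """The two MCP tool annotations the gate cares about."""
    read_only: bool = False      # MCP readOnlyHint
    destructive: bool = True     # MCP destructiveHint (the spec defaults it to true)


@dataclass(frozen=True)
class ToolCall:
    server: str                  # which MCP connector the tool lives on
    tool: str
    args: dict
    annotations: ToolAnnotations


@dataclass(frozen=True)
class Decision:
    action: str                  # "deny", "ask_human" or "allow"
    reason: str


def is_destructive(ann: ToolAnnotations) -> bool:
    """Anything that can change, edit or delete counts as destructive.

    The hints are claims made by the server, so the conservative reading wins:
    a tool is treated as safe to run unattended only when it declares itself
    read-only AND non-destructive. Any other combination stops for a human.
    """
    return not ann.read_only or ann.destructive


def evaluate(call: ToolCall) -> Decision:
    """Apply guardrails 1 and 3: allowlist first, then the destructive flag."""
    if call.server not in APPROVED_CONNECTORS:
        return Decision("deny", f"connector {call.server!r} is not on the approved list")
    if is_destructive(call.annotations):
        return Decision("ask_human", f"{call.server}/{call.tool} is flagged destructive")
    return Decision("allow", f"{call.server}/{call.tool} is read-only")


def run_tool(call: ToolCall,
             approve: Callable[[ToolCall, str], bool],
             execute: Callable[[ToolCall], object],
             audit: list) -> tuple:
    """Guardrail 4: destructive calls run only after a person says yes.

    `approve` is the human-in-the-loop hook (a UI prompt in practice); `audit`
    collects a record of every decision so reviewers can see what was asked.
    """
    decision = evaluate(call)
    audit.append((call.server, call.tool, decision.action, decision.reason))
    if decision.action == "deny":
        return ("refused", decision.reason)
    if decision.action == "ask_human" and not approve(call, decision.reason):
        audit.append((call.server, call.tool, "declined", decision.reason))
        return ("refused", "human declined: " + decision.reason)
    return ("executed", execute(call))


if __name__ == "__main__":
    # Constructed demo: a person who approves reads but declines deletes.
    def cautious_human(call, reason):
        print(f"agent wants {call.tool} on {call.server}: {reason}")
        return call.tool != "delete_branch"

    def fake_execute(call):
        return f"ran {call.tool} with {call.args}"

    log: list = []
    read_only = ToolAnnotations(read_only=True, destructive=False)
    calls = [
        ToolCall("wiki-search", "search", {"q": "oncall"}, read_only),
        ToolCall("github-internal", "delete_branch", {"name": "main"}, ToolAnnotations()),
        ToolCall("random-mcp-from-the-internet", "search", {}, read_only),
    ]
    for c in calls:
        print(run_tool(c, cautious_human, fake_execute, log))
```

Two design points worth noting. The gate checks the allowlist before it looks at annotations, so an unreviewed server gets no chance to label its tools harmlessly. And the default for `ToolAnnotations` is destructive, so a tool that omits its hints is still routed to a person rather than run unattended.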

Why it matters

The reason most companies are stuck in pilot programs is fear of exactly this: 12,000 people moving fast with AI and something sensitive leaking. Block’s answer is not to lock it down; it is to make the safe path the default one.

From the conversation

This explainer is drawn from these episodes — each carries its full transcript.