You Connected Your Books to a Chatbot. Nothing Logged What Left.
Phil Bolton · July 3, 2026 · 3 min read
A controller I work with at a $9M services company connected the company Expensify account to her personal Claude the week the MCP connector shipped. She asked it to summarize Q2 travel spend by team. Twenty seconds later she had a clean answer that would have taken her an afternoon. She was thrilled, and she told me about it like it was a productivity win, which it was.
Then I asked where the data went. Every expense line, employee names, merchant detail, amounts, all of it left the building through an OAuth connection she authorized under her own login, into an AI account the company doesn't own or administer. No email attachment. No file dropped in a shared drive. The tools that watch those doors saw nothing, because the data didn't use those doors.
The new connector inherits whatever you can see
Expensify shipped its MCP layer on June 8, and it's not alone. Ramp, Xero, Intuit, and Digits all pushed AI agent access in the first half of 2026. The pattern is the same across them. You authorize a connection over OAuth, and from that point a general assistant like Claude or ChatGPT can query the platform with your permissions.
That last part is the piece people skip. The connection runs at the authorizing user's access level. Give your controller full expense visibility and her chatbot gets full expense visibility. The AI doesn't have its own scope. It borrows hers, and it borrows it into an environment your IT never provisioned.
Your controls watch the doors nobody's using anymore
Data loss prevention tools scan email and file shares. The QBO audit log records which entries changed, not which questions got answered and what left in the reply. A finance team's whole control posture assumes data escapes as a file or a message. An MCP tool call is neither. It's a query out and a payload back, and the payload can contain every field the query touched.
You spent years locking down the exits your data used to use. The connector opened a new one, and it doesn't log what walks through it.
So the honest status for most growing companies right now is this. You can't say which employees have wired company finance data to a personal AI account. Nobody logged what those accounts were asked. There's no record of what came back. None of it is hypothetical anymore. The connectors are live and free to turn on.
What to actually do
Inventory the connections this week. Every finance platform with an OAuth or connector settings page lists the third-party apps that have been authorized. Pull that list. Names you don't recognize are the whole point of the exercise.
Then draw one line. Company-administered AI accounts on one side, personal accounts on the other, and a rule that finance data only flows to the first kind. That's not anti-AI. I want the controller to get her answer in twenty seconds. I want the query logged, the account owned by the company, and the access scoped to what the role needs, so the speed doesn't cost you the audit trail.
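One way to run the inventory and draw that line, as an added example that is not from the post or from any vendor's tooling: it reads a constructed CSV export of a platform's authorized-apps page (the column names, the approved list and the AI-assistant name tags are all assumptions for this example) and flags every connection that is not company-provisioned, or that holds more scope than it was provisioned for.

```python
import csv
import io
from dataclasses import dataclass, field

# Constructed sample export of a finance platform's "authorized apps" page.
# Column names are assumptions for this example, not any vendor's real schema.
SAMPLE_EXPORT = """app,authorizing_user,scopes
Claude MCP,controller@example.com,expenses:read;reports:read;users:read
ChatGPT,ap-lead@example.com,bills:read
Claude MCP,finance-ai@example.com,expenses:read;users:read
Payroll Sync,payroll@example.com,payroll:write
"""

# Company-administered connections: (app, authorizing account) -> scopes that
# role was provisioned with. Anything not listed here is an unknown exit.
APPROVED = {
    ("Claude MCP", "finance-ai@example.com"): {"expenses:read"},
    ("Payroll Sync", "payroll@example.com"): {"payroll:write"},
}

# Hypothetical name tags that mark a general AI assistant; an unapproved
# authorization to one of these is the exact case the post describes.
AI_ASSISTANTS = {"claude", "chatgpt", "gpt", "copilot", "gemini"}


@dataclass
class Finding:
    app: str
    user: str
    reason: str
    scopes: set = field(default_factory=set)


def triage_authorizations(export_csv: str) -> list[Finding]:
    """One Finding per authorization that is not on the approved list, or that
    is approved but carries scope beyond what it was provisioned for."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        key = (row["app"], row["authorizing_user"])
        scopes = set(filter(None, row["scopes"].split(";")))
        if key not in APPROVED:
            is_ai = any(tag in row["app"].lower() for tag in AI_ASSISTANTS)
            reason = "AI assistant on a non-provisioned account" if is_ai else "unrecognized app"
            findings.append(Finding(*key, reason, scopes))
        elif not scopes <= APPROVED[key]:
            # Company-owned account, but it can see more than the role needs.
            findings.append(Finding(*key, "scope exceeds provisioned set", scopes - APPROVED[key]))
    return findings


if __name__ == "__main__":
    for f in triage_authorizations(SAMPLE_EXPORT):
        print(f"{f.app:12} {f.user:26} {f.reason}: {sorted(f.scopes)}")
```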
The connector is a genuine upgrade. It's also a data exit your security stack can't see, and right now the only person deciding what leaves is whoever clicked authorize.

Phil Bolton
Founder & Principal at Manitou Advisory