Optro launches MCP server for governed GRC data access

Optro has launched a Model Context Protocol server that gives customers access to governance, risk and compliance data. The product is designed to connect a customer's chosen large language model to live data in the company's platform.

The move comes as companies test ways to link artificial intelligence tools with sensitive internal systems while maintaining control over permissions and oversight. Model Context Protocol, or MCP, has emerged as a standard way for large language models to communicate with external applications and data sources, but concerns about security and audit trails have also grown.

The server gives organisations a governed way to connect AI systems to Optro's environment without building custom integrations. It uses role-based permissions so access mirrors the rights already assigned to individual users.

That matters for teams handling governance, risk and compliance information, where records can include audit findings, control issues, remediation work and other sensitive operational data. In many organisations, staff still move such information manually between internal systems and AI chat tools, creating extra work and raising questions about what data is exposed and to whom.

Previously known as AuditBoard, Optro said the MCP server is intended to reduce that manual work. The service draws on live data in the customer's Optro environment rather than relying on static file uploads or separate document stores.

Anthropic introduced MCP as a standardised way for large language models to interact with other software and services. Since then, the protocol has drawn attention from software suppliers looking to make their platforms easier to connect to the fast-growing number of AI assistants used inside companies.

As adoption has spread, so has scrutiny. Businesses are under pressure to show that AI systems operate within existing access policies and that interactions with sensitive data can be reviewed afterwards. Those questions have become more pressing for risk and compliance teams, which are being asked to assess threats linked both to AI use and to the wider business environment.

Optro positioned the new server as part of that governance challenge, not just a technical integration. It said customers can connect a preferred AI system to their GRC environment while retaining controls over permissions and visibility.

Happy Wang, chief product and technology officer at Optro, said the aim was to reduce repetitive work for users moving information between systems.

"With MCP, customers will be able to meaningfully cut down the amount of time spent manually copying and pasting data to their enterprise LLM," Wang said.

Wang also described the product as a way to add a broader intelligence layer across risk and compliance work.

"This integration will extend the power of Optro's platform, meeting GRC teams where they are and adding a highly flexible, unified intelligence layer over their organization's entire GRC ecosystem," Wang said.

Security focus

One of the main issues for customers is whether an AI assistant can access more than the person using it is allowed to see. Optro said its MCP plugin honours the user's role, team and permissions, and does not return data outside those limits.

The system also queries the live environment for current information. That approach is intended to avoid responses based on outdated material that may have been uploaded earlier into separate AI tools.

Another element is interoperability. Optro said customers would not be tied to one AI provider because the MCP layer is meant to serve as a common connection point between the GRC platform and whichever supported model a company chooses to use.

Customer view

Verizon was cited as an example of the customer use case Optro is targeting. The focus is on moving from manual reporting to using AI tools in day-to-day risk monitoring and response.

"By connecting our enterprise AI with our GRC environment, we can move away from manual reporting and toward a future where we can remediate threats before they become loss events. It's the difference between managing a tool and leveraging a strategic intelligence layer," Benton said.

Optro said more than half of Fortune 500 companies use its platform. The launch adds to a broader market push to make AI assistants work with operational systems while preserving the controls companies already apply to employees, teams and regulated data.