Elicitation as a Security Primitive
MCP elicitation is the mechanism by which an agent requests additional information or approval from a human. Users already see this in tools like Cursor, where the agent asks before running a command. James framed elicitation as a security primitive, not a UX feature. Agents act autonomously with access to tools and sensitive data. A broad OAuth token cannot handle non-deterministic, contextual decisions. Elicitation enforces authorization at runtime, creates consent chains for sub-agents, and provides human accountability for high-stakes actions like sending $50,000.
Four Elicitation Patterns
James described four patterns in an agent’s task lifecycle. Clarification happens before execution to reduce ambiguity, like asking whether to archive or delete emails. Approval gates are consent checkpoints before irreversible actions, such as emailing 100 people. Step-up authentication requires elevated permissions for sensitive scopes, like deploying to production. Anomaly-driven interrupts occur when an agent hits an unexpected error and returns to the human for guidance. Each pattern has a cost: it interrupts flow. The design challenge is knowing when the benefit exceeds that cost.
Demo: Booking a Hotel with Elicitation
James showed a pre-recorded demo of an AI booking agent for Acme Hotels. An anonymous user asked for available hotels. The agent responded with a form asking for city and dates, using MCP’s form mode for clarification. After the user selected Le Chateau Paris, the agent switched to URL mode, mandated by the specification for sensitive information. The user authenticated and authorized the booking. A step-up authentication challenge verified the payment, completing the flow. The demo illustrated clarification, consent, and step-up auth in a single transaction.
Designing Elicitation That Doesn’t Kill the Experience
James offered five design principles. Match friction to risk: not every action needs confirmation. Use async elicitation to avoid blocking the entire agent flow. Write informative prompts that state what the agent will do, why it’s asking, and the consequence of each choice. Provide tunable thresholds so users can configure their preference for elicitation while keeping guardrails for high-stakes actions. Design machine-readable elicitation interfaces for agents. Ambiguous prompts produce bad agent behavior. These principles reduce friction and prevent developers from disabling elicitation entirely.
Q&A
Q: What does MCP elicitation represent for the future of agents?
A: Trust is not a feeling, it is an architecture built from decisions about when to act, ask, and escalate. (16:07)
Notable Quotes
"Trust isn't a feeling, it's an architecture. It's the accumulation of the right, the correct decisions, like when to act, when to ask, when to escalate." Kay James (16:51)
"Elicitation is a security primitive." Kay James (6:08)
"Ambiguous prompts produce bad agent behavior." Kay James (15:34)
Key Takeaways
- Elicitation is a security primitive that enforces runtime authorization for non-deterministic agents.
- Four patterns exist: clarification, approval gates, step-up auth, and anomaly-driven interrupts.
- Design must match friction to risk and provide tunable thresholds to avoid killing the user experience.
About the Speaker(s)
Kay James is a Technical Product Marketing Manager at Gravitee.