MWMS MCR

MWMS AI Tool Access Browser Automation And MCP Governance Framework

System: MWMS
Document Type: Operating Framework
Authority Level: MCR Source Of Truth
Status: Draft For MCR
Version: v1.0
Primary Location: MCR
Future Operational Destination: Automation Brain, Compliance Brain, Risk Brain, Data Brain, AIBS Brain, Research Brain, Product Brain, HeadOffice Brain
Parent Page: Automation Brain
Owner: Martyn
Developer Boundary: Do Not Touch M’s Active Build Areas Unless Specifically Assigned
Source Of Truth: MCR
Last Reviewed: 2026-06-08
Source / Origin: AI Automations by Jack AI Native Entrepreneur Architecture And Tool Decision Block
MWMS Classification: Tool Access Governance Framework / Browser Automation Framework / MCP Governance Framework / Schema Tool Calling Standard / API Versus Browser Automation Decision Standard
Primary Brain: Automation Brain
Supporting Brains: Compliance Brain, Risk Brain, Data Brain, AIBS Brain, Research Brain, Product Brain, Sales Brain, HeadOffice Brain, UX Brain, Prompting Framework, Finance Brain

Related Pages: MWMS Automation Architecture And Tool Selection Framework, MWMS AI Automation Security And Risk Checklist, MWMS AI Tool Permission And Access Framework, MWMS Prompt Architecture And Automation Output Reliability Framework, MWMS RAG Knowledge Base And Client Memory Infrastructure Framework, MWMS Client Intelligence And Business Memory Automation Framework, MWMS AI App Builder And Productized Interface Framework, MWMS AI Usage And Cost Visibility Standard, MWMS Source Visibility And Evidence Display Standard

Purpose

The purpose of the MWMS AI Tool Access Browser Automation And MCP Governance Framework is to define how MWMS decides when AI systems should access external tools, APIs, browser sessions, web pages, automations, databases, MCP servers, and structured workflow actions.

This framework exists because AI tool access can create major power and major risk.

AI systems can now:

  • call APIs
  • trigger n8n workflows
  • trigger Make scenarios
  • use browser automation
  • fill forms
  • scrape pages
  • retrieve data
  • post content
  • send messages
  • update records
  • access knowledge bases
  • run tools through MCP
  • interact with SaaS platforms
  • call webhooks
  • use schemas
  • act inside business systems

That is useful only when it is governed.

The core purpose is:

To help MWMS give AI systems the right tools, with the right permissions, for the right task, while protecting reliability, security, privacy, platform compliance, and business trust.

Core Doctrine

The MWMS doctrine is:

AI tool access must be earned by purpose, constrained by permissions, and verified by logs.

AI should not be given broad access just because it can use tools.

Before AI is allowed to act, MWMS must define:

  • what the AI is allowed to do
  • what the AI is not allowed to do
  • what tool it can use
  • what data it can access
  • what action it can trigger
  • what approval is required
  • what happens if the tool fails
  • what is logged
  • who reviews outputs
  • what risk exists
  • when human control is required

The key doctrine is:

The more power the AI has, the stronger the governance must be.

Strategic Importance

This framework is strategically important because MWMS will eventually rely on AI Employees and AIOS systems that can use tools.

Those tools may include:

  • n8n
  • Make
  • Supabase
  • WordPress
  • Gmail
  • Google Drive
  • Google Sheets
  • Google Calendar
  • CRMs
  • Airtable
  • Stripe
  • Retell
  • VAPI
  • browser automation tools
  • scraping tools
  • APIs
  • MCP servers
  • custom webhooks
  • internal MWMS plugins
  • client systems

Without governance, AI tool access can create:

  • accidental data exposure
  • wrong system updates
  • broken client workflows
  • platform bans
  • spam risk
  • unauthorized actions
  • runaway automation
  • cost blowouts
  • duplicate records
  • unsafe browser sessions
  • hidden failures
  • hard-to-debug workflows
  • client trust damage

This framework prevents tool access from becoming uncontrolled automation.

The strategic standard is:

AI Employees should act through governed tool pathways, not uncontrolled freedom.

Definition

AI tool access means an AI system can call, trigger, query, update, or interact with an external tool or system.

Schema tool calling means the AI calls a predefined tool with a strict input structure, usually with required fields and predictable output.

MCP means Model Context Protocol style tool access where an AI can discover or use connected tools through a standardized tool interface.

Browser automation means controlling a browser or website interface programmatically or through AI instructions.

Direct API access means calling a system through its official API rather than clicking around a website.

Webhook access means triggering an automation workflow through a URL endpoint.

MWMS Definition

The MWMS AI Tool Access Browser Automation And MCP Governance Framework is:

Automation Brain’s standard for deciding when MWMS AI systems may use schemas, APIs, webhooks, browser automation, MCP, and external tools, and how those actions must be permissioned, constrained, logged, reviewed, and risk controlled.

Scope

This framework applies to:

  • AI Employees using tools
  • n8n AI agents
  • Make AI workflows
  • ChatGPT connected to n8n
  • Claude connected to n8n
  • MCP tool access
  • schema-based tool calling
  • function calling
  • browser automation
  • Airtop style browser agents
  • scraping workflows
  • form-filling workflows
  • CRM updates
  • Supabase writes
  • WordPress actions
  • Google Drive actions
  • Gmail actions
  • Google Sheets actions
  • calendar actions
  • client system actions
  • webhook-triggered workflows
  • API integrations
  • RAG tool access
  • AI voice agent tool calls
  • micro SaaS tool backends
  • client-facing AI assistants
  • internal MWMS AI assistants

This framework does not approve unrestricted tool access.

It defines governance before tool use.

Core Principle

The core principle is:

Use the most predictable tool access method that safely completes the task.

Predictability matters.

If a task must be reliable, structured, auditable, or client-facing, use strict schemas, direct APIs, and controlled workflows where possible.

If a task is exploratory or flexible, MCP or browser automation may be useful, but it must be contained.

Tool Access Preference Order

In general, prefer:

  1. Manual human action when risk is high or process is not understood
  2. Direct API when available and reliable
  3. Schema-based tool calling when AI must trigger structured actions
  4. Webhook workflows when the workflow is controlled and protected
  5. MCP when flexible tool discovery is useful and risk is managed
  6. Browser automation only when API or structured access is unavailable or not practical

Rule

Do not use browser automation when a stable API or structured workflow can safely do the job.

The MWMS AI Tool Access Governance Model

Every AI tool access system should be designed across twelve layers:

  1. Purpose Layer
  2. Tool Selection Layer
  3. Permission Layer
  4. Action Boundary Layer
  5. Data Access Layer
  6. Schema And Input Layer
  7. Execution Layer
  8. Human Review Layer
  9. Error And Failure Layer
  10. Logging And Observability Layer
  11. Security And Compliance Layer
  12. Improvement And Revocation Layer

1. Purpose Layer

Every tool access pathway must start with a purpose.

Purpose Questions

Ask:

  • what is the AI trying to do
  • why does it need a tool
  • what outcome does the tool create
  • is the task internal or client-facing
  • is the task low risk or high risk
  • does the AI need read access
  • does the AI need write access
  • does the AI need to trigger an action
  • does the AI need browser access
  • can a human do this manually first
  • is this tool access worth the risk

Valid Purposes

AI may use tools to:

  • retrieve approved data
  • update a safe record
  • create a draft
  • create a task
  • summarize a file
  • retrieve a source
  • run a report
  • classify a lead
  • create an internal note
  • route a workflow
  • trigger a review queue
  • update a dashboard
  • create a follow-up task
  • call an approved API

Weak Purposes

Avoid tool access for vague reasons such as:

  • “let the AI handle it”
  • “connect everything”
  • “make it autonomous”
  • “see what it can do”
  • “automate the whole thing”
  • “because MCP makes it possible”
  • “because browser agents can click around”

Rule

No AI tool access should exist without a clear task purpose.

2. Tool Selection Layer

The tool type must fit the task.

Tool Access Types

MWMS may use:

  • direct API
  • schema tool call
  • webhook
  • MCP tool
  • browser automation
  • database query
  • database write
  • file retrieval
  • calendar action
  • email action
  • CRM action
  • WordPress action
  • Supabase action
  • voice agent tool call
  • custom internal tool

Tool Selection Questions

Ask:

  • is an official API available
  • is a strict schema possible
  • is a webhook enough
  • does the AI need flexible tool discovery
  • does the task require browser interaction
  • is the website automation allowed
  • is the action read-only or write
  • is the action reversible
  • does it affect customers
  • does it affect money
  • does it affect public content
  • does it affect client data

Rule

Choose tool access based on reliability and risk, not novelty.

3. Permission Layer

Tool access must be permissioned.

Permission Types

Use:

  • no access
  • read-only access
  • draft-only access
  • create task access
  • update safe field access
  • admin access
  • write access
  • delete access
  • payment access
  • send message access
  • publish access
  • client data access
  • browser session access

Permission Questions

Ask:

  • what can the AI read
  • what can the AI write
  • what can the AI delete
  • what can the AI send
  • what can the AI publish
  • what can the AI trigger
  • who approved this access
  • is access temporary
  • is access client-specific
  • can access be revoked
  • is there a human approval gate

Permission Rule

Default to minimum required access.

If the AI only needs to read, do not give write access.

If the AI only needs to draft, do not give send access.

If the AI only needs to create a task, do not give admin access.

Rule

Least privilege is the default MWMS tool access standard.

4. Action Boundary Layer

Every tool action needs boundaries.

Action Boundary Questions

Ask:

  • what action is allowed
  • what action is forbidden
  • what fields can be changed
  • what records can be accessed
  • what users can be affected
  • what clients can be affected
  • what conditions must be met
  • what requires human approval
  • what should be blocked
  • what happens if the AI is uncertain

Allowed Action Examples

Allow:

  • create draft
  • create internal task
  • summarize document
  • retrieve source
  • classify record
  • update status to needs review
  • generate report draft
  • add note to CRM
  • create approval item

High Risk Actions

Restrict or require approval for:

  • sending emails
  • sending SMS
  • publishing content
  • deleting records
  • charging payments
  • issuing refunds
  • changing access permissions
  • updating client-facing reports
  • posting on social media
  • modifying live website content
  • outbound calls
  • changing legal or financial information

Rule

High-impact actions require stronger controls or human approval.

5. Data Access Layer

AI tool access often means data access.

Data Types

Data may include:

  • internal MWMS data
  • client data
  • customer data
  • lead data
  • sales data
  • content data
  • financial data
  • support data
  • call transcripts
  • email content
  • CRM records
  • website content
  • private documents
  • API responses
  • browser session data
  • payment records

Data Access Questions

Ask:

  • what data is needed
  • is the data sensitive
  • is the data client-specific
  • is the data customer-specific
  • is the AI allowed to process it
  • should the data be redacted
  • should it be summarized only
  • should data be stored
  • should data be excluded from prompts
  • who can see the result
  • how long is it retained

Rule

Tool access must not become uncontrolled data access.

6. Schema And Input Layer

Structured actions need structured inputs.

Schema Tool Calling

Schema tool calling is preferred when the task requires predictable inputs and outputs.

A schema should define:

  • tool name
  • purpose
  • required fields
  • optional fields
  • allowed values
  • validation rules
  • output format
  • error format
  • examples
  • restrictions

Schema Questions

Ask:

  • what fields are required
  • what field types are allowed
  • what values are allowed
  • what should be rejected
  • what defaults apply
  • what errors should return
  • what should be logged
  • can the AI produce valid JSON
  • does the workflow validate the payload

Schema Benefits

Schemas help:

  • prevent malformed inputs
  • reduce AI guessing
  • improve workflow reliability
  • make logs cleaner
  • support validation
  • control actions
  • improve debugging

Rule

When AI output feeds automation, structured schema is preferred over free text.

7. Execution Layer

Execution is where the AI action becomes real.

Execution Questions

Ask:

  • when does the tool run
  • what trigger starts it
  • does the AI choose the tool
  • does the human approve it
  • does the system validate inputs
  • does the workflow check permissions
  • does the workflow check status
  • does the workflow check limits
  • does it run once or repeatedly
  • what happens after execution
  • who is notified

Execution Modes

Use:

Manual Execution

Human runs the action.

Best for high-risk or early-stage workflows.

Human Approved Execution

AI drafts or prepares action, human approves.

Best for sales, outreach, content, client reports, customer communication.

Automatic Execution

System runs without approval.

Best only for low-risk, well-tested actions.

Conditional Execution

System runs only when defined rules are met.

Best for approval workflows, lead scoring, routing, and status changes.

Rule

Automatic execution should be reserved for low-risk, tested, reversible, and well-logged actions.

8. Human Review Layer

Human review is required when actions affect trust, money, privacy, clients, or public output.

Human Review Required For

Use human review for:

  • public posting
  • sales outreach
  • client-facing reports
  • customer replies
  • refund actions
  • access changes
  • outbound calls
  • review responses
  • sensitive data use
  • proposal generation
  • compliance-sensitive output
  • voice agent high-risk actions
  • website content changes
  • paid ad changes

Review Questions

Ask:

  • is the action correct
  • is the data correct
  • is the recipient correct
  • is the claim safe
  • is the output complete
  • is the tone appropriate
  • is the action reversible
  • is compliance risk present
  • should this be approved or rejected

Rule

AI can prepare high-risk actions, but humans should approve before execution.

9. Error And Failure Layer

Tool access must handle failures.

Failure Types

Failures may include:

  • API timeout
  • invalid credentials
  • wrong schema
  • malformed JSON
  • missing required field
  • permission denied
  • rate limit
  • payment status fail
  • browser page changed
  • login expired
  • captcha
  • wrong record selected
  • webhook unavailable
  • database write fail
  • AI selected wrong tool
  • platform blocked action
  • duplicate submission
  • partial execution

Failure Handling Questions

Ask:

  • what errors are expected
  • what should happen on failure
  • should it retry
  • how many retries
  • should a human be notified
  • should the user be told
  • should the action roll back
  • should it create an error task
  • where is the error logged

Rule

A tool access system is not ready until failure behavior is defined.

10. Logging And Observability Layer

Every meaningful tool action should be logged.

Log Fields

Track:

Tool Name:
User Or Agent:
Client Or Brain:
Action Type:
Input Payload:
Validation Result:
Permission Check:
Execution Status:
Output:
Error:
Timestamp:
Human Review Status:
Approver:
Related Record ID:
Cost Estimate:
Retry Count:

Observability Questions

Ask:

  • what did the AI try to do
  • which tool was used
  • why was it used
  • what data was sent
  • what data came back
  • did permission pass
  • did execution succeed
  • did human review happen
  • what error occurred
  • what changed in the system

Rule

If MWMS cannot see what an AI tool did, the tool access is not governed.

11. Security And Compliance Layer

Tool access creates security and compliance risk.

Security Risks

Review:

  • API key exposure
  • service role key exposure
  • webhook exposure
  • browser session leakage
  • password handling
  • client data access
  • customer data access
  • payment data access
  • unauthorized writes
  • deletion risk
  • prompt injection
  • malicious input
  • MCP tool misuse
  • wrong user permissions
  • account takeover risk
  • platform account ban

Compliance Risks

Review:

  • email rules
  • SMS rules
  • platform terms
  • scraping terms
  • privacy law
  • customer consent
  • AI disclosure
  • affiliate disclosure
  • review platform policies
  • health claims
  • finance claims
  • legal claims
  • data retention
  • deletion rights

Rule

Security and compliance are part of the tool design, not post-launch cleanup.

12. Improvement And Revocation Layer

Tool access should be improved or revoked based on performance and risk.

Improvement Inputs

Use:

  • failure logs
  • human corrections
  • incorrect tool calls
  • duplicate actions
  • user complaints
  • security warnings
  • cost spikes
  • output quality issues
  • platform errors
  • compliance flags
  • support tickets

Revocation Triggers

Revoke or pause tool access when:

  • tool is misused
  • errors are frequent
  • cost spikes unexpectedly
  • data exposure risk appears
  • platform terms change
  • credentials are compromised
  • human review is bypassed
  • client revokes permission
  • tool output is unreliable
  • workflow becomes unsafe

Rule

Tool access is not permanent. It must remain justified.

Tool Access Types

MWMS may use several tool access patterns.

Type 1: Direct API Access

Best for:

  • reliable production workflows
  • structured data exchange
  • repeatable actions
  • scalable integrations
  • official platform access

Examples:

  • Supabase API
  • Stripe API
  • Google APIs
  • CRM API
  • WordPress REST API
  • OpenAI API
  • Retell API

Risks:

  • credential exposure
  • API changes
  • permission mistakes
  • rate limits

Rule:

Use direct API when reliability and structure matter.

Type 2: Schema Tool Calling

Best for:

  • predictable AI actions
  • structured workflows
  • data extraction
  • task creation
  • report generation
  • lead classification
  • CRM updates
  • n8n or Make workflows

Risks:

  • malformed inputs
  • unclear schema
  • weak validation
  • wrong assumptions by AI

Rule:

Use schema when the AI must produce structured input for automation.

Type 3: Webhook Access

Best for:

  • triggering workflows
  • connecting AI to n8n or Make
  • simple automation entry points
  • internal tool calls

Risks:

  • exposed webhook URLs
  • fake requests
  • spam triggers
  • costly repeated calls
  • lack of authentication

Rule:

Protect webhooks with secrets, validation, and limits.

Type 4: MCP Tool Access

Best for:

  • flexible tool use
  • exploratory workflows
  • AI assistants with multiple tools
  • developer-supervised environments
  • controlled internal systems

Risks:

  • unpredictable tool selection
  • broad permissions
  • tool misuse
  • security concerns
  • harder testing

Rule:

Use MCP when flexibility is worth the reliability trade-off and permissions are controlled.

Type 5: Browser Automation

Best for:

  • websites without API
  • controlled form filling
  • short-term bridge workflows
  • browser-only tasks
  • human-supervised extraction
  • visual workflows

Risks:

  • terms-of-service breach
  • account bans
  • page changes
  • captcha
  • login risk
  • privacy risk
  • fragile execution
  • hard debugging

Rule:

Use browser automation only when structured access is not practical and risk is accepted.

Type 6: Database Tool Access

Best for:

  • retrieving records
  • writing structured outputs
  • updating status
  • logging actions
  • storing AI outputs
  • managing user records

Risks:

  • wrong table access
  • cross-client data leakage
  • unsafe write permissions
  • accidental deletion
  • service key exposure

Rule:

Database access should be limited, filtered, and logged.

API Versus Browser Automation Decision Standard

Use API When

Use API when:

  • official API exists
  • task is repeatable
  • reliability matters
  • structured data matters
  • logging matters
  • security can be managed
  • scale is expected
  • client-facing system depends on it

Use Browser Automation When

Use browser automation when:

  • no API exists
  • API access is too limited
  • the task is visual
  • form filling is required
  • workflow is low volume
  • permission is clear
  • human review exists
  • account risk is acceptable

Do Not Use Browser Automation When

Avoid browser automation when:

  • platform prohibits automation
  • account value is high
  • data is sensitive
  • workflow is mission-critical
  • page structure changes often
  • captcha appears often
  • direct API is available
  • client cannot accept risk

Rule

Browser automation is a fallback, not a default.

Schema Versus MCP Decision Standard

Use Schema When

Use schema when:

  • output must be predictable
  • workflow is production
  • action is repeated
  • fields are known
  • validation matters
  • client-facing reliability matters
  • audit logs matter
  • the action affects records

Use MCP When

Use MCP when:

  • flexible tool discovery matters
  • the task is exploratory
  • operator oversight exists
  • actions are low risk
  • tools are read-heavy
  • experimentation is active
  • the system is internal

Avoid MCP When

Avoid MCP when:

  • action is high risk
  • tool misuse would be costly
  • permissions are broad
  • human review is absent
  • deterministic workflow is needed
  • compliance is strict

Rule

Schema is preferred for production actions. MCP is acceptable for governed flexibility.

Read Versus Write Access Standard

Read Access

Allows AI to retrieve information.

Still requires:

  • permission
  • filtering
  • source limits
  • sensitivity review
  • logging

Write Access

Allows AI to change information.

Requires:

  • stronger permission
  • validation
  • action boundaries
  • human review where needed
  • rollback plan
  • logs

Delete Access

Allows AI to remove information.

Default position:

  • do not grant delete access unless absolutely necessary
  • require human approval
  • log deletion
  • preserve deletion record

Rule

Write access is much more serious than read access. Delete access is exceptional.

Human Approval Gate Standard

Some tool actions should enter approval queues.

Approval Queue Fields

Track:

Proposed Action:
Tool:
AI Reason:
Input Data:
Output Preview:
Risk Flag:
Approver:
Approval Status: Approved / Rejected / Edited / Needs More Info
Execution Status:
Timestamp:

Use Approval For

  • emails
  • SMS
  • social posts
  • client reports
  • proposals
  • public content
  • payment actions
  • account changes
  • high-value CRM changes
  • customer-facing replies
  • outbound calls
  • review responses

Rule

Approval gates convert AI autonomy into controlled assistance.

Webhook Protection Standard

Webhooks must not be left exposed.

Webhook Protection Methods

Use:

  • secret token
  • API key
  • signed payload
  • allowed origin check
  • IP restriction where possible
  • rate limiting
  • input validation
  • required fields
  • client ID validation
  • user permission check
  • usage limit
  • logging
  • replay protection where needed

Webhook Risk Questions

Ask:

  • who can call this webhook
  • what happens if it is abused
  • does it trigger AI cost
  • does it send messages
  • does it write data
  • does it affect clients
  • can it be disabled quickly
  • is the URL stored safely

Rule

A webhook that triggers business action must be protected like an entry point.

Browser Automation Governance Standard

Browser automation needs strict governance.

Browser Automation Requirements

Before use, define:

  • target website
  • task
  • account used
  • permission basis
  • data accessed
  • fields entered
  • actions taken
  • failure behavior
  • human review
  • platform risk
  • credential handling
  • logs
  • session controls

Browser Automation Must Not

Do not use browser automation to:

  • bypass platform rules
  • evade security
  • spam forms
  • scrape prohibited content
  • misuse accounts
  • access private data without permission
  • perform high-risk actions without review
  • automate financial or legal actions without governance

Rule

Browser automation should be bounded, monitored, and replaceable.

MCP Governance Standard

MCP tool access must be constrained.

MCP Requirements

Before use, define:

  • available tools
  • allowed actions
  • forbidden actions
  • user permissions
  • client boundaries
  • data access
  • logging
  • approval gates
  • sandbox or production status
  • revocation process

MCP Risk Questions

Ask:

  • can the model choose the wrong tool
  • are there too many tools
  • are permissions too broad
  • can it access sensitive data
  • can it write or delete
  • can it send messages
  • are actions logged
  • can a human review tool use

Rule

MCP should not become a back door to broad uncontrolled system access.

Tool Access Quality Scorecard

Score each tool access system out of 100.

Score Categories

Purpose Clarity: 10
Tool Fit: 10
Permission Control: 10
Action Boundaries: 10
Data Safety: 10
Schema Or Input Reliability: 10
Execution Safety: 10
Human Review: 10
Logging And Observability: 10
Security And Compliance: 10

Interpretation

85–100: Strong governed tool access
70–84: Good with minor improvements
55–69: Internal use only with supervision
40–54: Too risky or unclear
Below 40: Do not connect tool access yet

Rule

Client-facing tool access should score highly before deployment.

Tool Access Readiness Checklist

Before granting AI tool access, confirm:

Purpose

  • task defined
  • outcome defined
  • user defined
  • owner defined
  • risk level defined

Tool

  • tool selected
  • API or browser decision made
  • schema or MCP decision made
  • webhook protected
  • credentials secured

Permissions

  • read access defined
  • write access defined
  • delete access avoided or approved
  • client boundaries defined
  • role permissions defined

Data

  • data accessed
  • data sensitivity reviewed
  • data retention defined
  • client separation confirmed
  • source tracking defined

Execution

  • input schema defined
  • validation defined
  • approval gate defined
  • failure handling defined
  • logging defined

Governance

  • security reviewed
  • compliance reviewed
  • cost reviewed
  • revocation path defined
  • testing completed

Rule

No tool access without a readiness check.

Tool Action Record Standard

Every meaningful action should create a record.

Record Fields

Action ID:
AI Agent Or Employee:
Tool Name:
Tool Type: API / Webhook / MCP / Browser / Database
Client Or Brain:
Action Purpose:
Read Or Write:
Input Payload:
Validated: Yes / No
Permission Passed: Yes / No
Human Approval Required: Yes / No
Human Approval Status:
Execution Result:
Error:
Records Changed:
Cost Estimate:
Timestamp:
Reviewed By:
Risk Flag:

Rule

Tool actions should be traceable after they happen.

Testing Standard

Before tool access goes live, test:

  • valid input
  • invalid input
  • missing required field
  • permission denied
  • wrong client
  • API timeout
  • duplicate request
  • rate limit
  • tool failure
  • human approval path
  • blocked action
  • logging
  • rollback if needed
  • browser page change
  • MCP wrong tool selection
  • webhook abuse attempt

Rule

Tool access must be tested for bad behavior, not only ideal behavior.

Cost Control Standard

Tool access can create cost.

Cost Risks

Costs may come from:

  • AI model calls
  • browser automation runtime
  • API usage
  • scraping credits
  • voice minutes
  • Make operations
  • n8n hosting
  • Supabase usage
  • storage
  • retries
  • failed loops
  • repeated webhook calls

Cost Controls

Use:

  • usage limits
  • rate limits
  • daily caps
  • client caps
  • retry limits
  • approval gates
  • cost logging
  • model selection
  • low-cost test mode
  • alert thresholds

Rule

An AI tool should not be able to create unlimited cost.

Application To Automation Brain

Automation Brain owns this framework.

Automation Brain should use it to:

  • choose tool access method
  • design schemas
  • protect webhooks
  • connect n8n and Make safely
  • govern browser automation
  • govern MCP
  • define approval gates
  • define failure behavior
  • define logs
  • protect execution reliability

Automation Brain Rule

AI tool access should behave like a controlled workflow, not an experiment.

Application To Compliance Brain

Compliance Brain should review:

  • browser automation
  • scraping
  • outreach tools
  • email sending
  • SMS sending
  • public posting
  • review automation
  • customer data
  • client data
  • voice calls
  • AI disclosures
  • platform terms

Compliance Rule

If the tool touches a platform, customer, or public output, compliance review is required.

Application To Risk Brain

Risk Brain should review:

  • tool misuse
  • credential exposure
  • account bans
  • incorrect writes
  • deletion risk
  • platform risk
  • financial risk
  • privacy risk
  • reputation risk
  • automation loops

Risk Rule

Risk Brain should be involved before powerful tool access is granted.

Application To Data Brain

Data Brain should define:

  • data access fields
  • client separation
  • database permissions
  • read/write rules
  • action logs
  • retention rules
  • deletion rules
  • source metadata

Data Brain Rule

AI tool access must respect data structure and client boundaries.

Application To AIBS Brain

AIBS Brain should use tool access only when it supports a client business outcome.

AIBS should ask:

  • does this tool improve the client system
  • is permission clear
  • is client data safe
  • is human review needed
  • is the tool action measurable
  • is this better than manual work
  • is this better than API access

AIBS Rule

Client tool access should be business justified and permission safe.

Application To Research Brain

Research Brain may use tool access for:

  • source retrieval
  • website analysis
  • public data collection
  • competitor monitoring
  • evidence gathering
  • content signal extraction

Research Brain must avoid:

  • prohibited scraping
  • private data access
  • unsupported source assumptions
  • tool use without source logging

Research Rule

Research tool access must preserve source visibility and platform safety.

Application To Product Brain

Product Brain should use tool access governance for micro SaaS and productized interfaces.

Product Brain should define:

  • what user actions trigger tools
  • what access is paid
  • what usage limits apply
  • what actions need approval
  • what outputs are shown
  • what errors users see

Product Rule

Productized tool access must be safer than internal experiments.

Application To HeadOffice Brain

HeadOffice should approve major tool access patterns.

HeadOffice should ask:

  • does this tool access support MWMS strategy
  • does it create risk
  • does it burden M
  • is it necessary now
  • is it prototype or production
  • is human review included
  • can access be revoked
  • is it logged

HeadOffice Rule

Broad tool access should not be granted without HeadOffice-level awareness.

What Not To Do

Do not:

  • connect AI to tools without purpose
  • give broad permissions
  • give delete access by default
  • expose webhook URLs
  • store API keys in frontend
  • use browser automation when an API exists
  • ignore platform terms
  • connect MCP with too many tools
  • allow AI to send messages without review
  • allow AI to publish content without approval
  • allow AI to change payment or access records casually
  • skip logging
  • skip error handling
  • skip cost controls
  • let tool access grow without review
  • assume working once means safe

Rule

Ungoverned tool access is not automation maturity. It is operational risk.

Deferred Update And Parking Lot Section

This page creates later update needs.

Later Update 1: MWMS AI Automation Security And Risk Checklist

Add:

  • schema tool calling risk
  • MCP risk
  • browser automation risk
  • webhook protection
  • read/write/delete permission levels
  • frontend secret exposure
  • credential handling
  • tool action logging
  • cost limit rules

Later Update 2: MWMS AI Tool Permission And Access Framework

Add:

  • tool permission levels
  • AI Employee access matrix
  • per-tool allowed actions
  • revocation rules
  • client-specific permission boundaries
  • least privilege standard
  • high-risk action approval gates

Later Update 3: MWMS Automation Architecture And Tool Selection Framework

Add:

  • API versus browser automation decision standard
  • schema versus MCP decision standard
  • read versus write access standard
  • tool access readiness checklist
  • browser automation fallback rule

Later Update 4: MWMS Prompt Architecture And Automation Output Reliability Framework

Add:

  • structured schema prompt requirements
  • JSON validation
  • tool choice instructions
  • no invented fields rule
  • tool action explanation requirement
  • failure response format
  • human approval output format

Later Update 5: MWMS RAG Knowledge Base And Client Memory Infrastructure Framework

Add:

  • RAG as a read tool
  • retrieval permissions
  • source filtering
  • client boundary enforcement
  • no unauthorized memory access
  • retrieved source logging

Later Update 6: MWMS AI App Builder And Productized Interface Framework

Add:

  • tool triggered interface actions
  • webhook protection for app buttons
  • paid user action limits
  • client dashboard action logs
  • approval queues inside interfaces

Later Update 7: MWMS Client Intelligence And Business Memory Automation Framework

Add:

  • client memory tool access
  • business system read access
  • private source permission
  • tool action evidence
  • client data boundaries

Later Update 8: MWMS Compliance Brain

Add:

  • browser automation policy review
  • scraping policy review
  • MCP governance review
  • outbound tool action review
  • public posting action review
  • customer communication tool review

Future AI Employee Ideas

These AI Employee ideas are parked candidates only.

Tool Access Governance Reviewer

Primary Brain: Automation Brain / Compliance Brain
Status: Parked Candidate
Purpose: Reviews proposed AI tool access pathways for purpose, permission, safety, logging, and revocation.

Browser Automation Risk Analyst

Primary Brain: Risk Brain / Automation Brain
Status: Parked Candidate
Purpose: Reviews browser automation use cases for platform terms, account risk, session handling, fragility, and safer API alternatives.

MCP Governance Analyst

Primary Brain: Automation Brain / Risk Brain
Status: Parked Candidate
Purpose: Reviews MCP tool availability, permissions, action boundaries, and tool misuse risk.

Schema Tool Designer

Primary Brain: Automation Brain / Prompting Framework
Status: Parked Candidate
Purpose: Designs strict tool schemas, required fields, validation rules, and output formats for reliable AI automation.

Webhook Security Reviewer

Primary Brain: Risk Brain / Automation Brain
Status: Parked Candidate
Purpose: Reviews webhook protection, secret handling, rate limits, validation, replay risk, and abuse prevention.

AI Action Log Auditor

Primary Brain: Data Brain / Risk Brain
Status: Parked Candidate
Purpose: Reviews tool action logs to detect failures, misuse, unexpected costs, and unsafe automation behavior.

Tool Cost Controller

Primary Brain: Finance Brain / Automation Brain
Status: Parked Candidate
Purpose: Monitors tool usage, API costs, browser automation costs, AI call costs, retries, and runaway automation risk.

AI Permission Matrix Manager

Primary Brain: Data Brain / Compliance Brain
Status: Parked Candidate
Purpose: Maintains AI Employee permission levels, allowed actions, forbidden actions, and client-specific access rules.

Drift Protection

This framework protects MWMS from:

  • uncontrolled AI autonomy
  • broad tool permissions
  • AI writing to systems without approval
  • unsafe MCP access
  • browser automation abuse
  • platform account bans
  • exposed webhooks
  • exposed credentials
  • malformed JSON breaking workflows
  • unlogged actions
  • unbounded AI costs
  • unauthorized client data access
  • AI deleting records
  • AI sending messages incorrectly
  • tool access becoming impossible to debug
  • tool hype replacing governance

Drift Signals

Watch for:

  • “Let the AI use all the tools.”
  • “MCP will handle it.”
  • “The browser agent can just click through.”
  • “No need for a schema.”
  • “The webhook URL is fine.”
  • “We do not need logs yet.”
  • “It only failed once.”
  • “Give it admin access for now.”
  • “Delete access will be useful.”
  • “The AI can send the message.”
  • “The AI can publish it.”
  • “The AI can update the client record automatically.”
  • “We can add security later.”
  • “The tool worked in the demo.”

Rule

When these drift signals appear, return to purpose, permission, schema, approval, logging, and revocation.

Strategic Summary

The AI Native Entrepreneur Architecture And Tool Decision Block showed that AI systems can now connect to powerful tools through schemas, MCP, browser automation, webhooks, APIs, and workflow platforms.

The strongest MWMS lesson is not that every tool should be connected.

The strongest lesson is:

Tool access must be governed before it is scaled.

For MWMS, this framework ensures AI Employees and AIOS systems can act safely.

It creates discipline around:

  • API versus browser automation
  • schema versus MCP
  • read versus write access
  • webhook protection
  • human approval
  • tool action logs
  • cost control
  • client data safety
  • platform risk
  • revocation

The strategic standard is:

AI tool access should make MWMS systems more capable without making them less trustworthy.

Final Standard

The MWMS final standard is:

No MWMS AI Employee, AIOS system, client assistant, productized interface, browser automation, MCP connection, webhook workflow, or tool-enabled AI system should be activated until its purpose, tool type, permission level, allowed actions, data access, input schema, execution mode, human review needs, failure behavior, logging, security, compliance, cost controls, and revocation path are defined.

A valid MWMS AI tool access pathway must define:

  • purpose
  • tool name
  • tool type
  • owner
  • user
  • client or Brain
  • read access
  • write access
  • forbidden actions
  • schema or MCP method
  • API or browser method
  • webhook protection
  • data accessed
  • permission check
  • validation rules
  • execution mode
  • human approval gate
  • error handling
  • logs
  • cost controls
  • security risks
  • compliance risks
  • revocation process

That is the MWMS AI Tool Access Browser Automation And MCP Governance standard.

Change Log

Version: v1.0

Date: 2026-06-08
Author: HeadOffice

Change:
Created the MWMS AI Tool Access Browser Automation And MCP Governance Framework from the AI Automations by Jack AI Native Entrepreneur Architecture And Tool Decision Block.

Captured the strongest lessons from practical and strategic workshop material involving:

  • ChatGPT connected to n8n
  • Claude connected to n8n
  • schema-based tool calling
  • JSON payload control
  • MCP style tool access
  • browser automation in n8n
  • Airtop style browser automation
  • API versus browser automation decisions
  • webhook-triggered workflows
  • AI agents using external tools
  • direct API reliability
  • flexible tool discovery risks
  • browser session risks
  • form filling automation
  • scraping and platform terms risk
  • human review for high-risk actions
  • tool action logging and observability

Defined the MWMS AI Tool Access Governance Model with twelve layers:

  1. Purpose Layer
  2. Tool Selection Layer
  3. Permission Layer
  4. Action Boundary Layer
  5. Data Access Layer
  6. Schema And Input Layer
  7. Execution Layer
  8. Human Review Layer
  9. Error And Failure Layer
  10. Logging And Observability Layer
  11. Security And Compliance Layer
  12. Improvement And Revocation Layer

Added key operating sections:

  • Tool Access Types
  • API Versus Browser Automation Decision Standard
  • Schema Versus MCP Decision Standard
  • Read Versus Write Access Standard
  • Human Approval Gate Standard
  • Webhook Protection Standard
  • Browser Automation Governance Standard
  • MCP Governance Standard
  • Tool Access Quality Scorecard
  • Tool Access Readiness Checklist
  • Tool Action Record Standard
  • Testing Standard
  • Cost Control Standard
  • Deferred Update And Parking Lot Section
  • Future AI Employee Ideas

Mapped the framework across:

  • Automation Brain
  • Compliance Brain
  • Risk Brain
  • Data Brain
  • AIBS Brain
  • Research Brain
  • Product Brain
  • Sales Brain
  • HeadOffice Brain
  • UX Brain
  • Prompting Framework
  • Finance Brain

Purpose of creation:
To establish a formal MWMS standard for governing AI access to schemas, APIs, webhooks, browser automation, MCP, databases, client systems, and external tools so AI Employees and AIOS systems can act safely, predictably, observably, and within approved permissions.

END — MWMS AI TOOL ACCESS BROWSER AUTOMATION AND MCP GOVERNANCE FRAMEWORK v1.0