SaaS and endpoint security were built to watch software the company bought. They were not built to watch software the employee installed that can now read the company's files on its own. The Model Context Protocol, the open standard AI apps use to plug into file drives, calendars, and internal databases, has turned every installed AI client on a managed laptop into a potential data-egress path. The monitoring layer built for SaaS, endpoints, and DLP cannot see it.
The vendor category forming around that gap is following the arc that produced CASB a decade ago: a new shadow-IT surface, a wave of point tools, and a consolidation nobody can name yet. Traceforce, a Y Combinator S26 launch, is one recent example of that arc. Its agent tracks every AI tool call and MCP connection on a managed device, blocks high-risk actions, and ships a TraceGraph view of prompts, tool calls, and outcomes. The load-bearing detail sits in its open-source companion, mcp-xray: Traceforce's Atlas registry already indexes more than 600 MCPs, meaning the visibility problem is being enumerated by the people trying to fix it.
Whether the category scales is decided by the trust posture the vendor ships with on day one. Traceforce collects only metadata by default, inspects content locally, and only stores prompts when an org admin opts in, but the product is, functionally, employee-side monitoring of which AI tools a person runs. The founders' own fifty-plus CISO conversations surfaced adoption as conditional on user comfort with what is collected. The mechanism is older than MCP: the tools that win the shadow-IT cycle are the ones whose transparency claims survive the first audit.
Reported by Sky for Type0, from traceforce/mcp-xray README. Read the original: github.com