The MNPI firewall in the MCP era: how expert networks are redesigning compliance review for agent workflows

When transcripts flow into Claude and Bloomberg agents through MCP endpoints, the human moderator artifact stops traveling with the content. The control surface is moving into the schema.

INFLXD Research · 11 min read

Expert networks built their material non-public information controls around a workflow that assumed a human was always in the loop. A client signed an attestation before the call. A compliance moderator sat on the line and interrupted the expert when a question drifted toward something an issuer had not disclosed. After the call, a reviewer scrubbed the transcript and signed off before it entered the archive. That chain of custody was the product. It is also the artifact that examiners, from SEC staff to internal compliance leads at hedge funds, learned to look for when they pulled a research file.

The Model Context Protocol wave changes the surface area. When Guidepoint, GLG, AlphaSense and their peers expose transcript libraries as live retrieval endpoints for Claude, Bloomberg's ASKB, and the agentic workflows running on top of them, a single client question can fan out into dozens of retrieval calls across thousands of transcripts. The compliance officer who reviewed call number 47,283 in March 2023 is no longer on the line. The attestation that was signed before the original call does not automatically attach to the agent query that pulled three sentences from that transcript into a multi-step research workflow two years later.

Our read: the control point is migrating. It is moving out of the moderator's headset and into the schema. The next two years of MNPI compliance in this market will be decided by how well expert networks can encode their human review as machine-readable structure that survives retrieval, agent reasoning, and audit reconstruction.

The control chain the industry built, and what it assumed

The modern expert-network compliance model dates to the aftermath of the SAC Capital and Primary Global Research prosecutions, when the SEC and DOJ established that an expert paid to share material non-public information, and a fund that knowingly acted on it, were both inside the wire. The industry response was procedural and durable. Experts were vetted and trained. Clients signed call-specific attestations acknowledging the MNPI prohibition. Compliance moderators were inserted into the call itself, with authority to interrupt, redirect, or terminate. Transcripts, where produced, were reviewed by a second compliance pass before they entered the searchable library.

That chain has three structural properties worth naming, because each one is what an MCP retrieval workflow strains.

First, the human review artifact and the content moved together. When an analyst pulled a transcript, the file carried metadata showing which moderator was on the call and which reviewer signed off on the archive. An examiner reconstructing a research decision could trace the chain of custody from the analyst's memo back to the original moderator. The artifact and the content were one object.

Second, the consumer of the transcript was assumed to be a trained human. Compliance training at hedge funds, in part, exists to give the analyst a second line of defense. If a moderated transcript slipped through with a borderline disclosure, the analyst was supposed to recognize it and escalate. The control chain implicitly relied on the reader's judgment as the last filter.

Third, retrieval was rate-limited by attention. A research analyst might read ten transcripts deeply in a week. A team might cover a few hundred. The total volume of transcript surface area being actively interrogated at any moment was bounded by the number of trained humans doing the reading.

MCP retrieval breaks all three assumptions at once. The chunk that surfaces in an agent workflow does not necessarily carry the full provenance object. The consumer is a language model, not a trained compliance-aware reader. And the rate of interrogation is no longer bounded by attention. A single overnight research run can touch more transcript surface than a human team would touch in a quarter.

What the MCP architecture actually changes

The MCP server pattern, as deployed by Guidepoint and the agent workflows GLG and AlphaSense are building toward, exposes a transcript library to an LLM client through a standardized retrieval interface. The client sends a query. The server returns chunks, typically a few hundred tokens each, drawn from across the library and ranked by semantic similarity. The agent then composes those chunks into a longer reasoning chain, often calling the retrieval endpoint multiple times as it refines its question.

Three things shift in this pattern that matter for MNPI control.

The unit of consumption is the chunk, not the transcript. A traditional compliance review certified the full call. The reviewer read the entire transcript and signed off on the artifact as a whole. When a retrieval system slices that artifact into 300-token chunks, the certification has to either travel with each chunk or be reconstructable from the chunk's metadata. If neither is true, the agent is working with content whose compliance status is technically unknown at the point of use.

The query path is unpredictable. A compliance moderator on a live call could anticipate the direction of the conversation and steer away from MNPI territory. An MCP query can recombine chunks from twelve different calls across four sectors in ways no original moderator could have foreseen. Two chunks that were each individually benign can, when stitched together by an agent's reasoning, constitute a synthesis that looks closer to material non-public information than either source. This is not a new theoretical risk (mosaic theory has been argued for decades), but the scale and speed at which the recombination happens are new.

The audit trail decouples from the human review record. In the legacy workflow, an examiner asking which compliance officer signed off on the content underlying a research memo could trace the file. In an agent workflow, the question becomes: which chunks were retrieved, against which queries, at which timestamp, from which transcripts, each carrying which moderator's review record. That is a different kind of audit object. It exists only if the MCP server layer is designed to produce it.

The regulatory anchors compliance teams are mapping to

There is no MCP-specific rulemaking from the SEC or FINRA. There does not need to be. The existing framework around MNPI, supervisory obligations, and AI-assisted research already covers the conduct. What compliance teams at expert networks and their fund clients are doing is mapping the new architecture onto existing rules and recent examination priorities.

The SEC's Office of Compliance Inspections and Examinations risk alerts have returned to expert-network controls as a recurring topic across cycles. The pattern after the Primary Global enforcement actions was a sustained examination focus on how funds documented their use of expert calls, how they trained analysts on the MNPI line, and how they evidenced that the content they consumed had been through a compliance filter. The artifact examiners learned to ask for was the moderator review record. Compliance teams expect that same examiner reflex to extend to agent workflows: show us the equivalent artifact for the chunks the agent retrieved.

FINRA's recent guidance, summarized in its 2024 to 2025 communications on artificial intelligence in the securities industry, has flagged AI-assisted research as a supervisory focus area without prescribing specific controls. The supervisory obligation under existing rules (the firm has to know what its analysts are using to support investment decisions and has to be able to reconstruct the basis for a recommendation) does not change because the tool changed. If anything, it gets harder. A supervisor cannot reconstruct what an agent did on Tuesday at 3pm unless the agent's tool calls were logged.

Our read of the regulatory posture: examiners are not going to wait for explicit MCP rulemaking before asking expert networks and their clients to demonstrate that the existing controls survived the architectural shift. The first wave of questions in 2026 examinations is likely to focus on three areas. How is MNPI review being preserved when transcripts are retrieved in fragments? How is the supervisory chain being reconstructed when an agent rather than an analyst is the immediate consumer? How is the firm evidencing that AI-assisted research outputs trace back to compliance-reviewed source material?

The architectural response taking shape

The industry is not waiting on the regulatory question. The vendors building MCP-exposed transcript libraries are encoding four control patterns into the infrastructure layer. Each one is an attempt to make the human review artifact travel with the content in a form an agent and an auditor can both consume.

Chunk-level structured redaction. The legacy model redacted at the transcript level: a moderator marked a passage and the reviewer removed it before archiving. The MCP model has to redact at the unit of retrieval. A transcript split into 200 chunks needs each chunk independently verified as clean, because any chunk can surface in isolation. In practice this is being implemented by re-running compliance review against the chunked representation, not just the long-form transcript, and by holding back chunks that fall below a confidence threshold even if the surrounding context was cleared.

MNPI-likelihood tags in the metadata schema. Rather than treating compliance as a binary cleared-or-not flag, the emerging pattern is a graded tag attached to each chunk: the model's confidence that the passage contains material non-public information, the topics involved, and the date and identity of the human reviewer who confirmed the assessment. The MCP server can then filter retrieval by tag, surface only chunks above a defined confidence threshold to a given client, and log which tags were checked at query time. This is a richer object than the legacy reviewed-or-not artifact, and it is the object that survives agentic reasoning.

Prompt-time policy filters at the MCP server layer. Beyond filtering on chunk metadata, the server layer is starting to inspect the query itself. A query asking for specific guidance figures on an unannounced quarter from a covered issuer can be rejected or downgraded at the server before it reaches any transcript. This shifts part of the moderator's traditional role, the steering-away-from-MNPI function, into the retrieval infrastructure. It is imperfect, because language is ambiguous and adversarial queries are easy to construct, but it adds a control layer that did not exist when transcripts were just files in an archive.

Per-retrieval audit logs binding each agent query to the underlying review. This is the supervisory artifact for the new world. Every retrieval call writes a record: timestamp, querying agent identity, client identity, chunks returned, source transcripts, moderator sign-off identifiers on each source call, and the policy filters applied. When an examiner or an internal supervisor asks how the agent arrived at its conclusion, the firm can reconstruct the chain back to named compliance officers on specific calls. The audit object is no longer a single moderator's signature on a transcript. It is a graph linking the agent's output to the network of human reviews underneath.
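
As an added illustration (not code from INFLXD or any vendor named here), the example below combines the tag filter and the per-retrieval audit record described above. All field and function names are hypothetical. It assumes the threshold is applied as a ceiling on the MNPI-likelihood tag, and that a chunk with no review provenance is withheld rather than returned.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Chunk:
    chunk_id: str
    transcript_id: str
    text: str
    mnpi_likelihood: Optional[float]      # graded tag; None = no chunk-level review
    reviewer_id: Optional[str]            # human who confirmed the tag
    reviewed_on: Optional[str]            # ISO date of that confirmation
    moderator_signoff_id: Optional[str]   # sign-off on the source call

def gate(chunks, ceiling):
    """Split candidates into (released, withheld). Unknown status fails closed."""
    released, withheld = [], []
    for c in chunks:
        tags = (c.mnpi_likelihood, c.reviewer_id, c.reviewed_on, c.moderator_signoff_id)
        if any(t is None for t in tags):
            withheld.append({"chunk_id": c.chunk_id, "reason": "missing_provenance"})
        elif c.mnpi_likelihood > ceiling:
            withheld.append({"chunk_id": c.chunk_id, "reason": "likelihood_over_ceiling"})
        else:
            released.append(c)
    return released, withheld

def retrieve(query, candidates, agent_id, client_id, ceiling, audit_log):
    """Gate the ranked candidates and append one audit record per call."""
    released, withheld = gate(candidates, ceiling)
    provenance = []
    for c in released:
        row = asdict(c)
        row.pop("text")                   # log review metadata, not transcript content
        provenance.append(row)
    audit_log.append(json.dumps({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "agent_id": agent_id, "client_id": client_id, "query": query,
        "policy_filters": ["provenance_complete", f"mnpi_likelihood<={ceiling}"],
        "returned": provenance, "withheld": withheld,
    }, sort_keys=True))
    return released                       # chunks keep their review tags attached

# Constructed sample candidates, as a retriever might rank them for one query.
SAMPLE = [
    Chunk("c-001", "t-100", "Distributor lead times eased.", 0.05, "rev-a", "2023-03-14", "mod-17"),
    Chunk("c-002", "t-100", "[held passage]", 0.72, "rev-a", "2023-03-14", "mod-17"),
    Chunk("c-003", "t-205", "Pricing was flat.", None, None, None, "mod-04"),
]
```

Each line in the log names the reviewer and moderator sign-off behind every returned chunk and records why the others were withheld, which is the reconstruction an examiner would ask for.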

What an expert network analyst would ask next

The specific questions a research compliance lead should be putting to her expert-network vendors over the next two quarters are narrower and more answerable than the general AI-and-compliance conversation in the market suggests. We would put five on the list.

How is chunk-level compliance review being performed, and is it the same human reviewer who cleared the full transcript or a separate process? What MNPI-likelihood tagging schema is in use, what are the confidence thresholds for surfacing a chunk to a client agent, and who calibrated them? What prompt-time policy filters exist at the MCP server layer, and how are they tested against adversarial queries? What does the per-retrieval audit log contain, how long is it retained, and in what format is it producible to a regulator or an internal supervisor? And when chunks from multiple calls are recombined by an agent into a synthesis, what is the vendor's position on the mosaic risk that creates, and what control sits on that synthesis specifically?

These are the questions the architecture has made answerable. They are also the questions an examiner is most likely to ask when the first 2026 sweep of agent-assisted research workflows lands.
