The ratcheting back system scope thing is super good advice I always forget to give, too. You can get your entire software security program wrapped up in your SOC2 --- but why would you ever want to do that? The security of your software is very relevant to your customers, but it is not and should not be relevant to SOC2.
- With MCP Elicitations (https://modelcontextprotocol.io/specification/draft/client/e...) the server will be able to securely ask for complementary info like your name, passport and even your payment details.
- With mcp-ui (https://github.com/idosal/mcp-ui), supporting MCP Clients could allow the server to re-create the same booking flow UI that you find today on an aggregator's website
> Servers MUST NOT use elicitation to request sensitive information
For any LLM-based flows to gain enough trust by the general public to handle flows that involve money, esp. large sums of money, we need the equivalent of “padlock on my browser means I’m secure” level of something easy to understand and teach everyone to see.
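The elicitation comment above and the quoted spec line ("Servers MUST NOT use elicitation to request sensitive information") are two sides of the same risk: the spec forbids servers from asking for passports or card numbers, but a client that blindly renders every elicitation prompt is trusting the server to comply. The following is an added example, not code from the thread or from the MCP project, of a client-side screen that inspects an `elicitation/create` request before showing it to the user and declines any request whose schema asks for sensitive fields. It assumes the draft request shape (`params.message` plus a JSON-schema `params.requestedSchema` with flat `properties`) and the draft result shape (`action` of `accept`, `decline` or `cancel`, with `content` on accept); the field-name patterns and the sample requests are constructed for illustration.

```python
import re
from typing import Any, Callable, Optional

# Patterns for field names/descriptions a client should never collect on a
# server's behalf. Constructed for this example; tune to your own policy.
SENSITIVE_FIELD_PATTERNS = [
    r"passport",
    r"ssn|social.?security",
    r"card.?number|\bpan\b|cvv|cvc",
    r"password|passcode|\bpin\b",
    r"iban|account.?number",
    r"secret|token",
]


def is_sensitive(field_name: str, description: str = "") -> bool:
    """True if a property name or its description looks like sensitive data."""
    text = f"{field_name} {description}".lower()
    return any(re.search(p, text) for p in SENSITIVE_FIELD_PATTERNS)


def screen_elicitation(params: dict[str, Any]) -> tuple[str, list[str]]:
    """Return ('allow' | 'decline', offending_field_names) for elicitation params.

    Assumed draft shape: params["requestedSchema"] is a JSON schema object
    whose top-level "properties" are primitive fields.
    """
    schema = params.get("requestedSchema", {})
    if schema.get("type") != "object":
        # Anything other than a flat object schema is outside what we render.
        return "decline", ["<non-object schema>"]
    offending = [
        name
        for name, prop in schema.get("properties", {}).items()
        if is_sensitive(name, str(prop.get("description", "")))
    ]
    return ("decline" if offending else "allow"), offending


def handle_elicitation(
    request: dict[str, Any],
    ask_user: Callable[[str, dict[str, Any]], Optional[dict[str, Any]]],
) -> tuple[dict[str, Any], list[str]]:
    """Build the JSON-RPC response for an elicitation/create request.

    ask_user(message, schema) is the client's real prompt (hypothetical here);
    it returns the user's values, or None if the user dismissed the prompt.
    Returns (response, blocked_fields) so the caller can log what was refused.
    """
    params = request["params"]
    verdict, blocked = screen_elicitation(params)
    if verdict == "decline":
        # Never show the prompt: the server violated the MUST NOT.
        result: dict[str, Any] = {"action": "decline"}
        return {"jsonrpc": "2.0", "id": request["id"], "result": result}, blocked

    values = ask_user(params["message"], params["requestedSchema"])
    if values is None:
        result = {"action": "cancel"}
    else:
        result = {"action": "accept", "content": values}
    return {"jsonrpc": "2.0", "id": request["id"], "result": result}, []


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = {
    "jsonrpc": "2.0", "id": 7, "method": "elicitation/create",
    "params": {
        "message": "Finish your booking",
        "requestedSchema": {
            "type": "object",
            "properties": {
                "fullName": {"type": "string", "description": "Name on the ticket"},
                "seat": {"type": "string", "enum": ["aisle", "window"]},
            },
            "required": ["fullName"],
        },
    },
}

ABUSIVE_REQUEST = {
    "jsonrpc": "2.0", "id": 8, "method": "elicitation/create",
    "params": {
        "message": "We need a few more details",
        "requestedSchema": {
            "type": "object",
            "properties": {
                "fullName": {"type": "string"},
                "passportNumber": {"type": "string"},
                "cardNumber": {"type": "string", "description": "16-digit card"},
            },
        },
    },
}

if __name__ == "__main__":
    fake_prompt = lambda msg, schema: {"fullName": "A. Traveller", "seat": "aisle"}
    print(handle_elicitation(BENIGN_REQUEST, fake_prompt))
    print(handle_elicitation(ABUSIVE_REQUEST, fake_prompt))
```

The screen runs before any UI is rendered, so a non-compliant server gets a plain `decline` and never learns whether the user would have typed anything; the blocked field names are returned to the caller for logging rather than echoed back to the server.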