For about a year, the standard advice for "let an agent touch my database" has been a build instruction: stand up a Model Context Protocol server in front of your data, wire in the driver, own its auth, keep it up. This week Snowflake flipped the direction of the arrow. With Managed MCP Servers (public preview), the warehouse is the MCP server — and the thing you were going to build becomes a line of SQL.
What shipped#
A Managed MCP Server runs inside your Snowflake account and publishes a set of tools to any MCP-speaking client. Three matter most:
- Cortex Analyst — natural language to SQL against a governed semantic view. The agent asks a business question; Analyst writes and runs the query.
- Cortex Search — semantic retrieval over unstructured documents indexed in Snowflake.
- Governed SQL — direct SQL execution, including your own functions and stored procedures.
You choose what's exposed with a CREATE MCP SERVER statement that reads like an allow-list. Nothing you don't name is reachable. The integration surface that used to be a service you operate is now a declaration you write.
The pattern used to be 'put a server in front of the data.' Snowflake made the data the server — and handed the governance problem back to the layer that already solved it.
The part that actually matters#
The convenience is the headline; the auth model is the story. Access uses Snowflake's built-in OAuth, and every user authenticates individually — so each agent tool call runs under that user's DEFAULT_ROLE. Your masking policies, row-access policies, and grants apply to the agent exactly as they apply to that person in a Snowsight worksheet.
That quietly resolves the ugliest question in enterprise agents: what can this thing see? For a year the answer has been "whatever the one service account you gave it can see, minus whatever filtering you remembered to add in Python." Now the answer is "exactly what the calling human is allowed to see." The governance you already built stops being something you re-implement in application code and becomes the agent's guardrail for free.
Who's plugging in#
This isn't a closed party. Any MCP client can connect, and the frameworks are already there. CrewAI added native Snowflake Cortex support in its July 2026 release train; you can point a crew at the managed endpoint over streamable-HTTP with an OAuth token and the Cortex tools show up as ordinary agent tools — we walk through the exact wiring in how to give a CrewAI crew governed warehouse access. Microsoft's Agent Framework and bespoke agents connect the same way. The common interface is the whole point: one MCP surface, many clients.
The founder read#
Two things to price in.
The convenience is real. If Snowflake is your source of truth, you can delete a connector service, a driver dependency, and a pile of secret-handling code, and inherit per-user governance you'd otherwise have to fake. For a small team, that's a genuine reduction in the surface you have to secure and staff.
The lock-in is also real. When your governed data can be handed to any agent with zero glue, the agent-tool layer becomes another form of data gravity. The easier it is to build agents on top of a platform's managed tools, the more expensive it becomes to leave — not because of the data alone, but because of everything you built assuming the tools would always be one SQL statement away. That's not a reason to avoid it; it's a reason to keep your agent's tool access behind your own thin abstraction, so the day you want to re-point it at a different store is a config change, not a rewrite.
Managed MCP Servers are public preview, not GA — so treat the specifics as moving. But the direction is set: the platforms that hold your governed data now want to be the ones that hand it to your agents, and they're using the open protocol to do it. That's good for builders this quarter and worth watching closely next.



