Without RBAC for Skills and MCP, your org has root access to your company

sleuth.io

3 points by detkin 7 days ago · 3 comments

FrankWilhoit 7 days ago

In the typical medium-to-large company that has legacy implementations of a few decades' worth of processes, RBAC is absolutely infeasible. The legacy systems evolved to accommodate specific individuals who wore multiple hats, and now that those persons are gone, the processes that they left behind can only be worked on a cargo-cult basis.

  • detkin (OP) 7 days ago

    At some of the larger orgs that I've worked at, each individual system had some level of RBAC. Often they would try to centralize around an Okta-style system, but the roles in there infrequently matched what was needed. In the places you are describing, what have they done around security? Even without AI, it sounds like they didn't have a feasible solution?

    • FrankWilhoit 5 days ago

      I think the author's whole point was that "some level of RBAC" is not good enough. And that assumes silos. Once you try to integrate, you wind up falling back on God accounts belonging to the integration layer and/or the database. It is surprising how many people still do not realize what a huge antipattern that is.
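The "God account belonging to the integration layer" anti-pattern is easy to see in code. The following is an added example, not code from the linked article or from either commenter: a small Python gateway that mediates skill/MCP tool calls against a role policy. With `propagate_caller=False` it does what the comment describes, authorizing and logging every call as one shared integration identity; with `propagate_caller=True` it carries the real caller's roles through and, optionally, intersects them with what the individual skill was registered for. All names (`integration-svc`, the roles, the tool/action pairs, `alice`, `bob`) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Permission = Tuple[str, str]  # (tool, action)

# Constructed sample policy: role -> (tool, action) pairs the role may invoke.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "support": {("crm", "read")},
    "finance": {("crm", "read"), ("billing", "read"), ("billing", "refund")},
    "admin": {("crm", "read"), ("crm", "write"), ("billing", "read"),
              ("billing", "refund"), ("db", "query")},
}

# The shared "God account" an integration layer falls back on:
# one identity holding every permission (hypothetical name).
GOD_ACCOUNT_NAME = "integration-svc"
GOD_ACCOUNT_ROLES = frozenset({"admin"})


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    effective_principal: str  # whose roles the check actually used
    tool: str
    action: str
    reason: str


class ToolGateway:
    """Mediates skill/MCP tool calls against a role policy.

    propagate_caller=False reproduces the anti-pattern: every call is
    authorized (and logged) as the shared integration identity, so the
    caller's own roles stop mattering and the audit trail loses them.
    propagate_caller=True carries the caller through and optionally
    intersects their grants with the skill's own registered scope.
    """

    def __init__(self, policy: Dict[str, Set[Permission]], propagate_caller: bool):
        self.policy = policy
        self.propagate_caller = propagate_caller
        self.audit: List[Decision] = []  # every decision, allow or deny

    def _effective_principal(self, caller: Principal) -> Principal:
        if self.propagate_caller:
            return caller
        return Principal(GOD_ACCOUNT_NAME, GOD_ACCOUNT_ROLES)

    def authorize(self, caller: Principal, tool: str, action: str,
                  skill_scope: Optional[Set[Permission]] = None) -> Decision:
        subject = self._effective_principal(caller)
        granted: Set[Permission] = set()
        for role in subject.roles:
            granted |= self.policy.get(role, set())  # unknown role grants nothing
        if skill_scope is not None:
            # A skill may never exceed what it was registered for,
            # even when the caller could do more directly.
            granted &= skill_scope
        allowed = (tool, action) in granted
        reason = ("granted via roles " + ",".join(sorted(subject.roles))
                  if allowed else "no effective role grants this tool/action")
        decision = Decision(allowed, subject.name, tool, action, reason)
        self.audit.append(decision)
        return decision


def compare(caller: Principal, tool: str, action: str,
            skill_scope: Optional[Set[Permission]] = None) -> Tuple[Decision, Decision]:
    """Run the same request through the God-account gateway and the scoped one."""
    god = ToolGateway(ROLE_PERMISSIONS, propagate_caller=False)
    scoped = ToolGateway(ROLE_PERMISSIONS, propagate_caller=True)
    return (god.authorize(caller, tool, action, skill_scope),
            scoped.authorize(caller, tool, action, skill_scope))


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"support"}))
    for d in compare(alice, "db", "query"):
        print(f"{d.effective_principal}: {d.tool}/{d.action} -> "
              f"{'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

Two things are worth noticing when running it. A support user asking for `db/query` is allowed through the God-account gateway, and the audit entry names `integration-svc` rather than `alice`, so the per-system RBAC the siloed tools had is silently bypassed and the forensic trail no longer says who acted. The scoped gateway denies the same call, and the `skill_scope` intersection means a skill registered only for `billing/read` cannot issue a refund even on behalf of a finance user who could do so directly.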
