TL;DR: AI can help normalize tokens, variants, and usage guidance when it operates on real file context rather than abstract prompts, according to Lasso Security. The governance lesson is that contextual access must be observable and bounded, or the same tooling that improves consistency can expose product architecture and expand trust assumptions.
NHIMG editorial — based on content published by Lasso Security: Building a Scalable Design System with AI & Figma MCP
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should teams govern AI tools that can inspect live design files?
A: Treat the integration like any other non-human identity with contextual access: scope what it may read, log what it actually reads, and review that log.
Q: Why do design tokens matter so much when AI is helping build components?
A: Tokens are the stability layer that keeps visual and behavioural rules consistent across a growing system.
Q: What is the main risk of giving AI access to component hierarchies and style mappings?
A: The risk is that the tool can expose design architecture, not just render assistance.
Practitioner guidance
- Constrain file-context access for AI tools: define which Figma files, layers, and token sets an AI integration can inspect, and route access through an observable gateway so contextual access is logged and reviewable.
- Stabilise token governance before scaling automation: normalise color, spacing, radius, and semantic surface tokens first, then let AI compare and refactor against that baseline so it does not amplify existing drift.
- Treat variants as governed contracts: document the states that are valid, remove overlapping configurations, and use AI-assisted comparisons to identify duplicated loading, disabled, or interaction patterns.
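The first guidance item above, bounded and observable file-context access, is what an MCP gateway has to enforce. The following is an added illustration written for this editorial; it is not Lasso Security's code, and it does not reproduce the real Figma MCP server's tool surface. The tool names (`get_file`, `get_layers`, `get_tokens`, `update_node`), the argument names, the policy shape and the file keys are all assumptions chosen for illustration. The point it shows is default-deny scoping plus an append-only audit record for every call, whether allowed or refused.

```python
"""Policy gate for MCP tool calls that inspect design files.

Added example for this editorial: not Lasso Security's code and not the
Figma MCP server's real tool names. Tool names, argument names, the policy
shape and all file keys below are assumptions for illustration.
"""
from dataclasses import dataclass
import time

# Hypothetical tool names, grouped by what they can reach.
FILE_READ_TOOLS = {"get_file", "get_layers", "get_tokens"}
WRITE_TOOLS = {"update_node"}


@dataclass
class Policy:
    allowed_files: frozenset        # Figma file keys the integration may read
    allowed_token_sets: frozenset   # token sets it may pull, e.g. color, spacing
    max_layer_depth: int = 3        # bounds how much hierarchy one call exposes
    read_only: bool = True          # design review needs reads, not writes


@dataclass
class Decision:
    allowed: bool
    reason: str


class Gateway:
    """Default-deny gate that records every call for later review."""

    def __init__(self, policy: Policy, clock=time.time):
        self.policy = policy
        self.clock = clock
        # In-memory, append-only audit log; a real gateway would ship this
        # to the SIEM (assumption: storage is out of scope here).
        self.audit: list[dict] = []

    def authorize(self, identity: str, tool: str, args: dict) -> Decision:
        decision = self._evaluate(tool, args)
        self.audit.append({
            "ts": self.clock(),
            "identity": identity,          # the non-human identity making the call
            "tool": tool,
            "file_key": args.get("file_key"),
            "allowed": decision.allowed,
            "reason": decision.reason,
        })
        return decision

    def _evaluate(self, tool: str, args: dict) -> Decision:
        if tool in WRITE_TOOLS:
            if self.policy.read_only:
                return Decision(False, "write tool blocked: integration is read-only")
        elif tool not in FILE_READ_TOOLS:
            # Anything the policy does not know about is refused, not passed through.
            return Decision(False, f"unknown tool {tool!r}: default deny")
        file_key = args.get("file_key")
        if file_key not in self.policy.allowed_files:
            return Decision(False, f"file {file_key!r} not in allowlist")
        if tool == "get_tokens":
            requested = set(args.get("token_sets", []))
            extra = requested - set(self.policy.allowed_token_sets)
            if extra:
                return Decision(False, f"token sets {sorted(extra)} not permitted")
        if tool == "get_layers" and int(args.get("depth", 1)) > self.policy.max_layer_depth:
            return Decision(False, f"depth {args.get('depth')} exceeds limit {self.policy.max_layer_depth}")
        return Decision(True, "within policy")


def denied_calls(gateway: Gateway) -> list[dict]:
    """Reviewer's view: every call the gate refused, in order."""
    return [rec for rec in gateway.audit if not rec["allowed"]]


def demo() -> Gateway:
    """Runs a constructed sequence of calls against a constructed policy."""
    policy = Policy(
        allowed_files=frozenset({"DS-core-2024"}),  # constructed file key
        allowed_token_sets=frozenset({"color", "spacing", "radius"}),
    )
    gw = Gateway(policy, clock=lambda: 0.0)
    bot = "figma-mcp-design-bot"  # constructed identity name
    gw.authorize(bot, "get_tokens", {"file_key": "DS-core-2024", "token_sets": ["color", "spacing"]})
    gw.authorize(bot, "get_layers", {"file_key": "DS-core-2024", "depth": 2})
    gw.authorize(bot, "get_file", {"file_key": "checkout-prototype"})            # out-of-scope file
    gw.authorize(bot, "get_tokens", {"file_key": "DS-core-2024", "token_sets": ["color", "typography"]})
    gw.authorize(bot, "update_node", {"file_key": "DS-core-2024", "node_id": "1:2"})  # write
    gw.authorize(bot, "export_image", {"file_key": "DS-core-2024"})               # unknown tool
    return gw


if __name__ == "__main__":
    for rec in denied_calls(demo()):
        print(rec["tool"], "->", rec["reason"])
```

The two design choices worth keeping are that unknown tools and unlisted files are refused rather than forwarded, and that refused calls are logged with the same fields as allowed ones, so a reviewer can see what the integration tried to reach, not only what it got.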
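The second guidance item, normalising tokens before letting AI refactor against them, comes down to a comparison that any reviewer can run themselves. The following is an added example for this editorial, not Lasso Security's code and not a description of how the author did it. It assumes a flat `category.name` token naming scheme, a 16px root font size for `rem` conversion, and a small constructed token set; the real design system's tokens and naming are not on the page.

```python
"""Find token drift: different names that resolve to the same value.

Added example for this editorial; the token names, values and the
category.name convention are constructed assumptions, as is the 16px
root font size used to convert rem to px.
"""
import re
from collections import defaultdict

ROOT_FONT_PX = 16  # assumption: 1rem == 16px in this design system


def normalize_color(value: str) -> str:
    """Canonical lowercase six-digit hex for #rgb, #rrggbb and rgb(r, g, b)."""
    v = value.strip().lower()
    short = re.fullmatch(r"#([0-9a-f]{3})", v)
    if short:
        return "#" + "".join(c * 2 for c in short.group(1))
    rgb = re.fullmatch(r"rgb\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)", v)
    if rgb:
        return "#%02x%02x%02x" % tuple(int(x) for x in rgb.groups())
    return v


def normalize_length(value: str) -> str:
    """Canonical px string for px, rem and em lengths; other values pass through."""
    v = value.strip().lower()
    m = re.fullmatch(r"([0-9]*\.?[0-9]+)(px|rem|em)?", v)
    if not m:
        return v
    number, unit = float(m.group(1)), (m.group(2) or "px")
    px = number * ROOT_FONT_PX if unit in ("rem", "em") else number
    return f"{px:g}px"


def normalize_token(name: str, value: str) -> str:
    """Pick the normaliser from the token's category prefix (assumed scheme)."""
    category = name.split(".")[0]
    if category == "color":
        return normalize_color(value)
    if category in ("spacing", "radius"):
        return normalize_length(value)
    return value.strip().lower()


def find_drift(tokens: dict) -> dict:
    """Group tokens by (category, normalised value); return groups with >1 name.

    Each group is a candidate for consolidation before AI-assisted refactoring,
    so the tool works against one name per value instead of copying the split.
    """
    groups = defaultdict(list)
    for name, value in tokens.items():
        groups[(name.split(".")[0], normalize_token(name, value))].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


# Constructed sample tokens showing three kinds of drift: shorthand vs long
# hex, rgb() vs hex, rem vs px, and a plain duplicate under two names.
SAMPLE_TOKENS = {
    "color.primary": "#336699",
    "color.brand": "#369",
    "color.accent": "rgb(51, 102, 153)",
    "color.danger": "#cc0000",
    "spacing.md": "16px",
    "spacing.medium": "1rem",
    "spacing.lg": "24px",
    "radius.sm": "4px",
    "radius.small": "4px",
    "radius.lg": "8px",
}


if __name__ == "__main__":
    for (category, value), names in sorted(find_drift(SAMPLE_TOKENS).items()):
        print(f"{category} {value}: {', '.join(names)}")
```

Grouping within a category rather than across categories is deliberate: a 4px radius and a 4px spacing are not drift, even though the values match, while three names for one brand colour are.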
What's in the full article
Lasso Security's full blog post covers the workflow details this analysis intentionally leaves for the source:
- Step-by-step notes on how the AI was used inside Figma MCP to inspect real file structures and token definitions.
- Specific examples of token cleanup, variant consolidation, and documentation alignment that were applied during the build.
- The operational security note on routing MCP through a secure gateway to control access and improve observability.
- The author’s first-hand workflow choices for sequencing tokens, components, and usage patterns.
👉 Read Lasso Security's analysis of AI-assisted design systems with Figma MCP →
MCP inside Figma: what it means for design system governance