
Roughly eighteen months ago, the Model Context Protocol was a tidy Anthropic side-project — a JSON-RPC convention for letting a model call a tool without every vendor reinventing the wiring. Today it is closer to the TCP/IP of AI agents: the default way models reach data, take actions and, increasingly, talk to each other, running across thousands of public servers. In the span of a year and a half it was donated to the Linux Foundation, rewritten to be stateless, wrapped in mandatory OAuth 2.1, and extended into something that looks a great deal like an app store.
That is a remarkable run for a wire format. But the interesting question is no longer whether MCP won the tool layer — it did. It is where the value goes now that it has. And the uncomfortable answer, from someone who runs a production OAuth MCP server, is that the protocol itself is the least defensible part of the stack — while the security layer beneath it is quietly on fire.
From side-project to standard
The decisive move came in December 2025, when Anthropic donated MCP to a new Agentic AI Foundation under the Linux Foundation, co-founded with Block and OpenAI and backed by AWS, Google, Microsoft, Bloomberg and Cloudflare. Overnight, a single-vendor protocol became neutral infrastructure, with maintainers keeping technical control through a public enhancement-proposal process rather than a corporate roadmap.
It is tempting to read that as generosity. It is smarter to read it as strategy. A US-origin protocol owned by one AI lab is a governance problem for any serious buyer, and an especially hard sell to a European board. Ask a Norwegian or German CTO to route their systems' tool-calls through a format controlled by a single American vendor and you will get a very short procurement conversation. Neutral stewardship is precisely what makes a US-origin standard palatable — it de-risks lock-in, slots into how European procurement treats open standards, and aligns with the accountability regulators are now demanding. The EU AI Act's obligations for general-purpose models become enforceable on 2 August 2026, with fines up to 3% of global turnover. Governance, not code, is what made MCP safe to adopt.
The stateless rewrite that made MCP infrastructure
If the donation made MCP politically safe, the spec's largest rewrite since launch made it operationally boring — in the best possible way. Release-candidate-locked in May and landing as the 2026-07-28 revision, it strips sessions out of the protocol entirely: gone are the initialize handshake and the session ID, folded into six enhancement proposals. It mandates OAuth 2.1, adds an extensions framework, and deprecates three original primitives — Roots, Sampling and Logging.
Killing sessions sounds like a footnote. It is the whole game. A stateless protocol means any request can land on any server instance without sticky routing — which means MCP now runs on the same commodity substrate as everything else: plain HTTP behind a load balancer, a CDN edge, a serverless function that spins up and dies. Pair that with mandatory OAuth 2.1 and you get what enterprises actually need: a tool layer that scales horizontally and throws off real audit trails, where every call is an authenticated request you can log, rate-limit and revoke. This is the enterprise-readiness the protocol had been circling toward — SSO-integrated authentication, predictable gateway behaviour, tamper-evident logs — delivered as properties of the wire itself rather than bolted on afterwards. MCP stopped being a clever demo and started being infrastructure.
The stack grows: apps above, agents beside
Two extensions show where this is heading. MCP Apps lets a server ship not just tools but sandboxed HTML, rendered inside an iframe by the host and talking back over the same JSON-RPC channel. OpenAI's Apps SDK is built directly on MCP; when it renamed connectors to "apps" in December 2025, it effectively turned ChatGPT into an app store where third-party servers are reasoned about like built-in tools. Claude does the same. The host becomes the platform, and MCP is the submission format. Which is the tell: whoever hosts the agent owns distribution, and the servers competing for a slot inside ChatGPT or Claude are the ones adapting to the host, not the other way around.
Alongside it sits a second protocol. The emerging reference architecture is two layers: MCP for tool and data access, and Google's A2A protocol for agent-to-agent coordination. A2A reached v1.0 with gRPC, signed Agent Cards and multi-tenancy — and was itself donated to the Linux Foundation, putting both halves of the agent stack under one neutral roof with a reported joint interoperability effort between them. The plumbing is becoming a plumbing system.
The plumbing is leaking
Here the metaphor turns. The more load-bearing MCP becomes, the more its security surface becomes a first-order problem — and the numbers are ugly. In May 2026, OX Security disclosed an estimated 200,000 vulnerable MCP instances tied to SDKs with more than 150 million downloads. The MCPTox benchmark clocked tool-poisoning success rates as high as 72% across 45 live servers and 353 tools, and Google reported a 32% rise in malicious indirect prompt injection in the three months to February 2026.
Tool poisoning is the canonical MCP attack: a malicious or compromised server hides instructions inside a tool description or result, and the model — which trusts tool metadata implicitly — dutifully carries them out. MCP is dangerous precisely because it assembles the three ingredients of a security disaster in one place: access to private data, a channel for untrusted content, and the ability to act on the outside world. The most damning figure in the benchmark is not the 72%; it is that a frontier model refused the poisoned calls less than 3% of the time. That single number is the whole case against letting the model defend itself. Guardrails are necessary and nowhere near sufficient: they are probabilistic, and adversarial testing finds bypasses within weeks. The stateless rewrite even opens fresh doors — client-held state you can tamper with, metadata fields ripe for privilege escalation, cross-site scripting smuggled through those new MCP Apps iframes. Every capability the protocol grows is a new thing to exploit.
Why the wire format won't capture the value
Put the two stories together — MCP won, and MCP leaks — and the investment thesis writes itself. Nobody ever got rich selling TCP/IP. The money went to the routers, the CDNs, the firewalls and the clouds sitting on top of it. MCP is walking the same path: the protocol commoditises, and value accrues to whoever owns the layers the protocol cannot provide for itself — trust, discovery, identity and control.
Look at where the friction actually is. The official registry has scaled — 9,652 server records and a reference repo past 86,000 stars — but it validates almost nothing, which is why practitioners are openly calling for a "Hugging Face for MCP": a trusted authority that vouches for what a server really does before your agent ever connects. Gartner expects 75% of API-gateway vendors to ship MCP capabilities by the end of 2026 — because the gateway is where you enforce allowlists, bind identity and inspect traffic. Identity binding is the quiet linchpin here. An agent acts with delegated authority, so the durable question is never what the model said but which identity a call was bound to, and what that identity was permitted to touch. Registries, gateways, identity brokers and tool-firewalls are the Cisco of the agent web. The wire format is just the cable.
Notes from running a production MCP server
I run an OAuth MCP server in production; it lets Claude operate an entire hosting portal — billing, domain registration, the lot — through 33 tools behind Passport-issued tokens, admin-only. I wired OAuth 2.1 and audit into it before the spec made either mandatory, which turned the July rewrite from a migration into a confirmation. A few lessons that do not show up in the specification:
- OAuth 2.1 is easy to get wrong and the most important thing to get right. The pain is all at the edges: exempting the MCP endpoint from CSRF, returning a proper WWW-Authenticate challenge so clients know how to authenticate, proxying the .well-known metadata routes so discovery works at all.
- Allowlist tools explicitly and scope them to the token. "The model probably won't call the dangerous one" is not a security model. The sub-3% refusal rate is the proof.
- Audit is a feature, not exhaust. OAuth 2.1 plus per-call logging maps almost cleanly onto GDPR accountability and EEA procurement expectations.
That last point is the one European teams should internalise. When every agent action is an authenticated, logged, revocable request tied to an identity, "the AI did something" stops being an unanswerable question. In 2026 that is not a compliance nicety — it is the line between a system you can deploy in a regulated environment and one you cannot.
2027 to 2030: boring plumbing, valuable perimeter
The forecast is not complicated. The base protocol becomes boring — a settled, neutrally-governed, stateless, OAuth-secured wire format nobody argues about, the way nobody argues about HTTP. Adoption keeps climbing even as the headline numbers stay noisy, and you should be skeptical of the tidy ones: the widely-quoted "78% of enterprises in production" figure appears to be unsourced, while the defensible reads put roughly 28% of the Fortune 500 and about 41% of software organisations somewhere in production.
Underneath that boring plumbing, a security-and-governance product category is growing up fast: MCP gateways, trusted registries, identity brokers for the non-human actors doing the work, runtime tool-firewalls. That is where the durable businesses are. If you are placing bets on the agent web, do not bet on the wire format — Anthropic just gave it away, which tells you exactly what it is worth. Bet on the valve, the meter and the seal. The plumbing is standard now; keeping it from leaking is the product.