A year ago, founders pitched “an AI agent that does X.” Now the only question that matters is: where does the agent get its permissions, context, and audit trail?
That question is why Model Context Protocol (MCP)—the open protocol popularized by Anthropic for connecting models to tools and data—quietly changed what “AI startup” means. MCP didn’t make models smarter. It made integrations composable. And once integrations are composable, the value shifts from “a chatbot with prompts” to the toolchain that every serious deployment needs: connectors, policy, identity, observability, and governance.
The contrarian take: the winners in 2026 won’t be the teams shipping the most agent demos. They’ll be the teams selling the shovels—because every enterprise and every regulated startup is about to run into the same hard constraints: credentials, least privilege, data boundaries, and incident response. Those constraints are where budgets live.
MCP made “integrations” feel like a software supply chain
MCP is easiest to understand as a standard way for an AI client (like Claude Desktop) to talk to “tools” exposed by an MCP server: databases, SaaS APIs, internal services, even local files. The moment you can swap tools in and out behind a protocol boundary, you get an ecosystem. And ecosystems attract both good developers and bad behavior.
We’ve watched this movie: npm, PyPI, Docker Hub, browser extensions, Terraform providers. Standard interfaces multiply third-party modules. Then teams realize they’ve created a supply chain. Then they need security, provenance, scanning, allowlists, and policy. AI toolchains are at the “oh wow, look at all these servers” phase. The “we should probably lock this down” phase is next.
Software supply chains don’t become important because engineers love process. They become important because attackers do.
There’s a second-order effect: once MCP becomes common, “AI features” turn into “tool selection + permissions + logs.” The model is the easy part to rent. The hard part is the system around it.
The startup opportunities are in the boring “platform” gaps
Most teams adopting MCP start with a handful of connectors: GitHub, Slack, Google Drive, Jira, Linear, Notion, Postgres. Then it sprawls. Different auth methods, token rotation, multi-tenant isolation, rate limits, and data residency turn “just add a tool” into an ops backlog.
This is where new startups can win: not by building yet another agent, but by selling the control plane and the packaging around MCP.
Gap #1: Credential and permission hygiene (least privilege is not optional)
MCP makes it tempting to hand a model broad API keys. That’s the fastest path to a scary postmortem. Real systems need scoped tokens, per-tool policies, and revocation.
Existing pieces exist, but they aren’t MCP-native: identity providers and secrets managers can store credentials, but they don’t understand “tool calls” as a first-class security primitive.
Gap #2: Observability for tool calls (not model tokens)
Teams track API latency and error rates. They rarely track “what the agent actually did” across tools: which endpoints it hit, which resources it accessed, what changed, and what the user approved. In practice, you need both: model traces and tool-call traces. If you can’t answer “why did this invoice get paid?” you don’t have an agent; you have a liability.
Gap #3: Governance and distribution (an MCP registry with trust signals)
Protocols want registries. Registries want trust. Trust wants signing, provenance, scanning, and reputations. The market will copy what happened to container images and open-source packages: SBOM-like metadata, publisher verification, and automated policy checks at install time.
Gap #4: Enterprise integration patterns (the unsexy connectors)
Every wave of developer tooling eventually hits SAP, ServiceNow, Salesforce, Oracle, and bespoke internal systems. If you can build connectors that are secure, supported, and survive audits, you don’t need virality. You need renewals.
Table 1: Where to build around MCP (and what you’re really competing with)
| Layer | What customers buy | Real incumbents to expect | Hard part |
|---|---|---|---|
| Connector catalog | Supported integrations with docs, updates, and SLAs | Zapier, Workato, MuleSoft, Microsoft Power Automate | Auth edge cases, version churn, support burden |
| Auth + secrets broker | Scoped credentials, rotation, approval flows | HashiCorp Vault, AWS Secrets Manager, 1Password, Okta | Least privilege across many SaaS APIs; human approval UX |
| Policy + governance | Allow/deny rules, environment separation, auditability | OPA (Open Policy Agent), HashiCorp Sentinel, Wiz (cloud security posture adjacent) | Policy authoring that normal teams can operate |
| Observability + forensics | Traces of tool calls, diffs, approvals, replay | Datadog, New Relic, Splunk, OpenTelemetry ecosystem | Meaningful semantic logs, redaction, multi-tenant retention |
| Sandbox + runtime | Safe execution for tools (network/file limits) | Docker, gVisor, Firecracker, Kubernetes | Secure-by-default policies without killing developer velocity |
The agent isn’t the product; the permission boundary is
Most “agent products” collapse into the same pattern: a UI, a model picker, and a list of integrations. That’s a feature, not a company. The enduring value is the permission boundary—what the agent can do, under what conditions, with what approvals, and how you prove it after the fact.
If you’re building for serious customers, assume these requirements show up early:
- Explicit scopes per tool: read vs write, specific projects, specific repos, specific folders.
- Human-in-the-loop gates: approvals for irreversible actions (payments, deletes, production changes).
- Environment separation: dev/staging/prod contexts treated as different worlds.
- Audit trails that stand up in a review: who requested, what was executed, what changed.
- Data minimization: don’t send full records if a summary or subset works.
Key Takeaway
MCP makes integrations cheap. That pushes differentiation into security and operations. Build the control plane, not the demo.
Why this is a startup-sized wedge (and not just for cloud giants)
AWS, Microsoft, and Google will all offer “agent building blocks.” They already sell identity, logging, and policy tooling. The opening for startups is that the enterprise needs one abstraction above cloud silos: a consistent tool-call policy model that works across SaaS and internal services, regardless of which model vendor or cloud you use.
Cloud providers can’t credibly be neutral across each other. Startups can. Neutrality is a product feature now.
Pick your hill: registry, gateway, or “agent SRE”
If you’re a founder deciding where to play, stop saying “we’re building agents for X.” Say which of these you’re willing to own.
1) MCP Registry: the App Store problem (with supply-chain risk)
Registries sound like network effects. They are—after you solve trust. A credible MCP registry needs publisher verification, signed releases, dependency metadata, and automated scanning. If you’ve built anything around package security, you know this is a product plus a policy operation.
This is where the ecosystem is headed because developers want a one-command install experience. The registry will exist. The question is whether it’s a community directory, a vendor marketplace, or an enterprise-managed internal catalog.
2) MCP Gateway: one choke point for auth, policy, and logging
The most practical architecture is a gateway that sits between clients (agent runtimes, desktops, internal apps) and MCP servers (tools). It enforces policy, injects scoped credentials, redacts sensitive fields, and emits audit events. In other words: it turns MCP into something a security team can approve.
Gateways are boring, high-value software. They sell because they reduce fear.
3) Agent SRE: the operational layer nobody staffed for
Even with a gateway, agents fail in strange ways: partial tool failures, retries that cause duplicate actions, stale context, permission mismatches, rate-limit cascades, and “it worked yesterday” integration breakage. This is SRE work with a different set of signals. Teams will pay for tools that make it legible and debuggable.
Table 2: MCP operational checklist (what to implement before you trust production actions)
| Control | What it prevents | Implementation hint |
|---|---|---|
| Per-tool scoped auth | Overbroad access and lateral movement | Use OAuth scopes where available; otherwise proxy through a broker that enforces resource allowlists |
| Write-action approval gates | Irreversible changes triggered by hallucinations or prompt injection | Require explicit user confirmation for “create/update/delete/pay/deploy” categories |
| Semantic audit logs | Unexplainable actions and compliance gaps | Log tool name, endpoint/function, resource identifiers, diff/receipt, approver, request ID |
| Redaction + minimization | Sensitive data exposure in prompts, logs, and traces | Field-level filters; prefer passing IDs and summaries over raw documents |
| Replayable runs (with safeguards) | “Can’t reproduce” incidents and brittle debugging | Store inputs and tool-call sequence; re-run against a sandbox or read-only mode |
What to build this quarter: a minimal MCP gateway that earns trust
If you want something shippable that isn’t another agent UI, build an MCP gateway as a thin layer in front of tool servers. It should do three things well: policy decisions, credential brokerage, and logging.
Here’s a concrete sequence that gets you to a product you can sell to engineers and security without pretending you solved “AGI.”
- Start with one client and three tools: pick Claude Desktop as the client, then one internal API, one database, and one SaaS tool (GitHub is a common starting point).
- Force all tool calls through the gateway: no direct tool-server connections from the client. Make bypass impossible in your reference architecture.
- Implement allowlists: explicit tool list, explicit functions/endpoints, explicit resource patterns (repos, projects, folders).
- Add an approval UI for writes: keep it ugly but clear. The point is to create a reliable human gate, not a pretty dashboard.
- Emit structured logs: JSON events per tool call with stable IDs and redacted payloads.
- Package it: Docker image, Terraform module, Helm chart—something ops teams can install without a week of handholding.
# Example: structured tool-call audit event (shape matters more than vendor)
{
"timestamp": "2026-06-30T12:34:56Z",
"actor": {"type": "user", "id": "u_123"},
"client": {"name": "Claude Desktop"},
"tool": {"name": "github", "action": "create_pull_request"},
"resource": {"repo": "acme/payments", "branch": "fix-retry"},
"approval": {"required": true, "approved_by": "u_123"},
"result": {"status": "success", "external_id": "PR#481"},
"request_id": "req_9f2b..."
}
The 2026 bet: “agent security” becomes a budget line item
Enterprises don’t standardize on protocols because they love openness. They standardize because it reduces integration cost. Then they spend the savings on risk controls. That’s the cycle MCP is kicking off.
If you’re building a startup here, don’t chase the most impressive demo. Chase the first uncomfortable question a security reviewer will ask:
“Show me exactly what this agent can touch, who approved it, and how we revoke it in five minutes.”
Make that answer crisp. Put it on one screen. Make it work across GitHub, Slack, Google Drive, and whatever creaky internal system your customer hates most.
Your next action: pick one MCP client workflow you already run (code review, incident triage, ticket grooming). Draw the tool graph on a whiteboard. Then circle every edge that currently relies on a long-lived token, an admin role, or “trust me.” That circled list is the product.