The AI industry spent 2023–2025 arguing about model quality. 2026 is where teams get hurt by something more mundane: integration.
As soon as you let an assistant create a Jira ticket, push a commit, query a customer record, or run a cloud command, you’ve built an automation surface area. And right now, the fastest-growing way to expose that surface area to models is Model Context Protocol (MCP), introduced by Anthropic as an open protocol for connecting models to tools and data sources.
Most teams are implementing MCP like a plugin system: “we’ll wire up some servers, give the model a couple tools, call it done.” That’s backwards. MCP is turning into a control plane—an integration boundary where auth, policy, audit, and blast-radius limits need to live. Treat it like glue code and you’ll end up with an LLM-shaped RCE that logs nicely.
MCP is not an SDK. It’s the new edge of your internal systems.
Here’s the uncomfortable part: MCP makes it culturally acceptable to give software a natural-language operator interface. The model asks for tools; your MCP server answers with capabilities. Once you’ve done that, the model is no longer “chat.” It’s a user of your infrastructure.
We’ve seen this movie before. Slack bots started as fun. Then they got OAuth scopes. Then they got admin approval flows and audit trails. GitHub Apps started as convenient. Then they became a security boundary with granular permissions and mandatory review. Every integration surface eventually grows teeth.
MCP accelerates that cycle because it normalizes an agent that can chain tool calls. That chaining is the point—and it’s also why naive permissioning fails. A tool that is safe in isolation can be dangerous when combined with another tool that changes state. “Read-only customer lookup” plus “send email” plus “generate PDF” is suddenly an exfiltration pipeline.
The tooling stack is converging on “agents + connectors,” and MCP is the connector lingua franca
OpenAI has pushed function calling and a growing ecosystem around tool use. Microsoft has bet heavily on Copilot patterns across Microsoft 365 and GitHub. Google has Gemini integrated across Workspace and Google Cloud. Anthropic has Claude and MCP. LangChain and LlamaIndex have spent years normalizing “tools” and “retrievers” as first-class primitives. The details differ, but the direction is the same: assistants don’t just answer questions; they operate software.
MCP matters because it standardizes the connector side. If you’re a founder building an internal agent, MCP means you can swap models without rewriting every integration. If you’re an operator at a larger company, MCP means your internal systems may soon be reachable from multiple model front-ends—Claude Desktop today, other clients tomorrow.
That is exactly why you should stop thinking about MCP servers as “adapters” and start thinking about them as “gates.”
"If it’s worth protecting, it’s worth putting behind a boundary you can reason about."
A practical mental model: MCP is a privileged integration runtime
Whether you run an MCP server locally (common for desktop clients) or centrally (common for enterprise deployments), it sits between untrusted prompt space and trusted systems. That makes it closer to an API gateway than to an SDK. API gateways got serious once everyone learned that “internal APIs” are still attack surfaces. MCP servers will follow the same arc.
Where teams are getting MCP wrong (and why it’s predictable)
Most of the mistakes are not “AI mistakes.” They’re classic integration mistakes, amplified by a model that will happily try weird tool arguments and then apologize if it breaks something.
- Overbroad permissions: using a single service account token for everything because it’s “easier during prototyping.”
- No per-tool policy: the model can call any tool in any order, including state-changing ones, with no guardrails.
- Implicit data egress: returning raw database rows, logs, or documents that get pasted into model context and then into chat outputs.
- No auditable intent: logs show “tool called,” but not the human request, the model reasoning chain, or the effective permissions.
- Assuming UI equals security: a “confirm” button in a chat UI is not a control if the underlying tool can be reached via other clients.
These are solvable, but only if you treat MCP like a control plane.
Pick your MCP posture: local-first convenience vs centralized governance
The industry is drifting into two deployment styles, and each has sharp edges.
Table 1: Common MCP deployment approaches (what you gain, what you risk)
| Approach | What it’s good at | What breaks first | Best fit |
|---|---|---|---|
| Local MCP servers (developer machine) | Fast iteration; direct access to local files and dev tools | Token sprawl; hard-to-audit access; inconsistent config | Prototyping; individual productivity tools |
| Centralized MCP gateway (shared service) | Uniform policy; centralized logging; easier rotation and revocation | Becomes a critical dependency; outages halt assistants | Production agents; regulated environments |
| Hybrid: local client + remote tool backends | Local UX with centralized permissions and data access | Boundary confusion; two places to debug failures | Teams scaling from pilot to org-wide use |
| Per-app MCP bundles (embedded connectors) | Tight product integration; fewer moving parts for users | Connector duplication; inconsistent security posture | Vertical apps shipping an “agent inside” |
| Third-party connector platforms | Faster coverage across SaaS APIs | Vendor trust and data residency questions | Non-core integrations; early-stage teams |
A contrarian take that holds up in practice: centralizing too early can be worse than staying local. Teams build a “platform” before they know which tools matter, then cement bad abstractions and add change-control friction. But staying local too long guarantees credential chaos. The correct move is to centralize policy and audit earlier than you centralize everything else.
Key Takeaway
Centralize identity, policy, and audit first. Centralize execution only when reliability and latency requirements are clear.
Design MCP like you’re building an internal AWS: permissions, boundaries, and logs
If you want MCP to survive contact with real users, adopt the boring playbook from cloud security and apply it aggressively.
1) Treat every tool as an API product with scopes
A “tool” isn’t a Python function. It’s an API surface that needs explicit scopes. GitHub taught the industry this with GitHub Apps: narrow permissions per app, per repository, per action. Bring that mindset to MCP.
Make tools smaller than your instincts want. Separate read from write. Separate “search” from “export.” Separate “draft” from “send.” The model can still chain calls—but each hop is a policy checkpoint.
2) Make the effective identity visible at call time
“The model did it” is not an identity. Your MCP server should resolve an effective identity for every call: which human, which role, which environment, which client. If your deployment can’t do that, you’re not shipping an agent—you’re shipping a shared root account with a chat UI.
3) Build an audit trail that answers the only question that matters
When something goes wrong, security and ops ask one thing: what changed, who changed it, and how. Tool-call logs that only store JSON payloads are not enough. You need the human prompt, the model’s selected tool, the arguments, the permission context, and the downstream system response. If you can’t reconstruct the chain, you can’t debug, and you can’t defend.
A minimal “production-ready MCP” checklist (that doesn’t pretend to be research)
Here are concrete controls that map cleanly to how teams already run APIs, CI, and cloud infrastructure.
Table 2: MCP controls that actually reduce blast radius
| Control | What to implement | Why it matters |
|---|---|---|
| Tool scoping | Separate read vs write tools; narrow parameters; deny “raw export” by default | Stops “harmless” tool chains turning into exfil or deletion |
| Per-user auth | OAuth where possible; short-lived tokens; no shared service account for interactive use | Makes actions attributable and revocable |
| Approval gates | Explicit approvals for high-impact tools (payments, deploys, deletes) | Prevents a single prompt from becoming a production incident |
| Audit logging | Log prompts, tool calls, responses, identity context; store immutably | Enables incident response and compliance without guesswork |
| Egress controls | Redaction; allowlists; block secrets and PII patterns leaving the boundary | Limits data exposure via “helpful” model outputs |
A concrete implementation pattern: policy-wrapped tool execution
Don’t bury policy inside each tool handler. Put a single enforcement point in front of tool execution. This can be as simple as a middleware layer that checks identity, tool name, arguments, environment, and required approvals.
# Pseudocode sketch: enforce policy before executing a tool call
def handle_tool_call(user, tool_name, args, context):
effective = resolve_identity(user, context) # user/role/env/client
if tool_name in HIGH_RISK_TOOLS:
require_approval(effective, tool_name, args)
policy = load_policy(effective)
policy.assert_allowed(tool_name, args)
sanitized_args = redact_and_validate(tool_name, args)
result = execute_tool(tool_name, sanitized_args)
audit_log(
user=effective.user_id,
tool=tool_name,
args=sanitized_args,
context=context,
result_metadata=summarize(result)
)
return result
This isn’t fancy. That’s why it works. You can implement this with whatever you already use for API authz (OPA/Rego, Cedar, homegrown RBAC). The key is to stop treating tool calls as “internal function calls.” They’re external calls initiated from untrusted input.
What founders should build (and what they should stop building)
In 2026, there’s a predictable land grab around “connectors.” Everyone wants to be the Zapier of agents. Most of those products will be thin wrappers around SaaS APIs with a new coat of paint.
The enduring businesses will be in control and trust:
- Policy engines tuned for agent tool use: not just RBAC, but argument constraints, approval flows, and environment-aware rules.
- Audit and forensics for tool-chaining: reconstructing the chain across systems, with a clean operator UI.
- Credential hygiene for mixed local/remote agents: rotation, revocation, and “who has access from where” visibility.
- Data-loss prevention adapted to model outputs: redaction and egress controls at the integration boundary, not inside the chat UI.
What to stop building: giant “do everything” MCP servers that embed every integration in one process with a god token. That’s not a product. It’s an incident waiting for a curious user.
A sharp prediction, and a next action you can take this week
Prediction: “MCP server” becomes a job title the same way “Kubernetes platform engineer” did. Not because MCP is complex, but because it becomes the choke point for identity, approvals, and audit across agentic workflows. The teams that win won’t be the ones with the most tools. They’ll be the ones with the safest defaults.
Next action: pick one high-value workflow where an assistant touches production data—support triage, on-call runbooks, invoice lookups, whatever. Then draw a box around the MCP boundary and answer, in writing:
- What is the effective identity for each tool call?
- Which tools are read-only, and which change state?
- Where does approval happen for state changes?
- Where do logs go, and can you reconstruct a chain end-to-end?
- What data is allowed to leave the boundary in tool responses?
If you can’t answer those cleanly, you don’t have an agent system. You have an unaudited automation surface dressed up as chat.
