AI Infrastructure Jun 26, 2026 5 min read

MCP: Why the Model Context Protocol Is the Quiet Standard That Changes Everything

By Arjun Jaggi, AI Researcher & Industry Executive – Jun 26, 2026

Most infrastructure standards that matter don't announce themselves. TCP/IP didn't hold a press conference. USB didn't get a keynote. The Model Context Protocol is following the same pattern - and it may be the most consequential AI infrastructure decision made in 2024 for the enterprise software stack of 2027 and beyond.

Anthropic published the MCP specification in November 2024 with relatively little fanfare. It described a protocol by which AI systems - specifically language model-based agents and assistants - could discover, connect to, and use external tools and data sources through a standardized interface. Within six months, every major AI platform had either shipped MCP server support, announced compatibility, or begun internal implementation. The developer community had published thousands of MCP servers covering every major enterprise software system. And enterprise architecture teams were beginning to ask a question they had not expected to ask so soon: does this change how we think about AI vendor lock-in?

The answer is yes, substantially. But the implications run deeper than the obvious "now I can switch AI providers more easily" framing. MCP changes the integration economics, the governance surface, the developer ecosystem dynamics, and the risk profile of enterprise AI deployments in ways that are not yet fully reflected in most organizations' AI strategies.

3,400+
community-built MCP servers catalogued within 6 months of protocol release
18
major enterprise software vendors shipping official MCP servers by mid-2026
60-80%
reduction in integration development time for organizations adopting MCP-native architectures

What MCP Is, Technically

The Model Context Protocol is a client-server protocol designed specifically for the challenge of connecting AI systems to external context sources and action capabilities. Understanding it at the technical level matters because the design choices embedded in the protocol determine what it can and cannot do, and therefore which architectural claims about it are well-founded and which are overstated.

At its core, MCP defines three categories of capability that a server can expose to a client. The first is Resources - structured data that the AI can read and incorporate into its context. A resource might be a file, a database record, a document retrieved from a knowledge base, or any structured information that the model needs to ground its responses in your specific organizational context. Resources are read-only from the model's perspective; the AI retrieves them but does not write back to the resource store through the resources mechanism.

The second category is Tools - functions that the AI can invoke to take actions or retrieve information that requires computation rather than just data retrieval. A tool might execute a SQL query against a database, call a third-party API, trigger a workflow in a business process system, perform a calculation, or run a code snippet. Tools are the mechanism through which AI agents take actions in the world. They accept parameters, execute, and return results that the model incorporates into its subsequent reasoning.

The third category is Prompts - templated prompt structures that the server exposes to standardize how the AI should approach specific task types. This is the least-discussed category but potentially the most valuable for enterprise deployments where consistency of behavior across different teams and contexts matters. A company's legal MCP server might expose a prompt template that standardizes how the AI should structure contract analysis, ensuring that every legal review follows the same analytical framework regardless of which user or application is invoking it.

The transport layer is deliberately minimal. MCP supports stdio for local process communication and HTTP with Server-Sent Events for remote server communication. The simplicity is intentional: lowering implementation friction was a priority. This choice means MCP servers can be written in any language, deployed on any infrastructure, and tested locally before being published. The barrier to creating an MCP server is genuinely low, which explains the speed at which the community ecosystem grew.

Discovery and the tool registration mechanism

One of the protocol's most significant design decisions is the dynamic discovery mechanism. When an MCP client - an AI agent or assistant - connects to an MCP server, it queries the server for a list of available tools, resources, and prompts along with their descriptions and parameter schemas. The model can then use this discovered capability list to understand what actions are available to it and how to invoke them.

This dynamic discovery is architecturally important because it means you do not need to hardcode your AI system's knowledge of what tools are available. You configure which MCP servers the system has access to, and the AI discovers the available capabilities at runtime. When you add a new capability to an MCP server - a new API endpoint, a new database query template, a new workflow trigger - the AI system discovers it automatically on next connection. This dramatically reduces the maintenance overhead of keeping your AI system's tool knowledge current as your underlying systems evolve.

MCP ARCHITECTURE LAYERS AI Application / Agent Claude, GPT, Gemini, or custom model hosted on any infrastructure MCP Client (Protocol Layer) Handles discovery, connection management, tool invocation, and response parsing MCP SERVERS (one per system or data source) CRM Server Salesforce/HubSpot Data Server Snowflake/BigQuery Docs Server Confluence/SharePoint Workflow Server Jira/ServiceNow BACKEND ENTERPRISE SYSTEMS APIs, Databases, File Systems, SaaS Platforms, Internal Services
MCP architecture layers. A single MCP client layer connects the AI application to multiple specialized MCP servers, each exposing tools and resources for a specific backend system. The AI discovers available capabilities dynamically at connection time. Source: Arjun Jaggi, based on MCP specification, 2026.

The Before/After for Enterprise Integration

To appreciate what MCP changes, you need to understand what enterprise AI integration looked like before it existed - and what it looked like as recently as late 2024 for organizations that had not adopted the protocol.

The pre-MCP world required custom integration work for every combination of AI system and enterprise tool. If your organization wanted to give your AI assistant access to your CRM data, you built a custom connector: a set of functions that called the CRM API, formatted the results appropriately for the AI system you were using, and were registered with that specific AI system through its specific plugin or function-calling mechanism. When you wanted the same capability with a different AI system, you built it again - possibly with a different API format, different authentication pattern, and different capability description format. Every AI vendor had their own function-calling specification. Every integration was point-to-point.

The maintenance burden was significant. Enterprise software systems change continuously. APIs are versioned and deprecated. Schema evolves. Authentication mechanisms rotate. Every change to a backend system potentially required updates to multiple AI system connectors. In organizations that had deployed multiple AI systems - a common reality as different departments adopted different tools - the integration surface became a significant source of engineering overhead with no direct business value. Teams were spending substantial engineering time maintaining plumbing.

MCP changes this to a hub-and-spoke architecture. You build one MCP server for your CRM system. That server exposes its capabilities through the standardized MCP interface. Any MCP-compatible AI system - Claude, GPT-based applications, open-source agents built on Llama or Mistral, custom model deployments - can connect to that server and use those capabilities without requiring any CRM-side changes. When you update the CRM MCP server to support a new capability or handle an API change, every AI system that connects to it gets the update automatically. The integration point multiplies once, not N times for N AI systems.

"MCP does for AI tool integration what REST APIs did for web service integration a decade ago: it creates a shared contract that allows the ecosystem to compose without requiring bilateral negotiation between every pair of participants."

The productivity numbers from early adopters are striking. Organizations that have moved to MCP-native architectures report 60 to 80% reductions in the engineering time required to add a new capability to their AI systems, compared to the pre-MCP approach. The remaining time is spent on the MCP server implementation itself - which, once built, serves all current and future AI consumers.

Adoption Trajectory and Vendor Momentum

The speed of MCP adoption across the vendor ecosystem has been unusually rapid for an infrastructure standard. Typically, protocol adoption in enterprise software follows a pattern of years-long negotiation between incumbents, committee formation, draft specifications, and incremental rollout. MCP has moved faster, primarily because the protocol was released with working reference implementations and because Anthropic had credibility in the market it was publishing into.

Within six months of publication, the community had catalogued more than 3,400 MCP servers covering tools ranging from web search providers to version control systems, cloud storage platforms, project management tools, database query interfaces, communication platforms, and specialized enterprise software. Many of these were community-built, but the official server roster grew rapidly as well. Major vendors shipping official MCP servers by mid-2026 include Atlassian (Jira, Confluence), Salesforce, ServiceNow, GitHub, Google (Drive, Workspace), Slack, Notion, Linear, and several major cloud data warehouse providers.

The AI platform side moved equally quickly. OpenAI announced MCP compatibility for its API function-calling mechanism. Microsoft integrated MCP into the Copilot stack. Google's Gemini agent framework added MCP client support. The major open-source agent frameworks - LangChain, LlamaIndex, AutoGen - all shipped MCP integration layers. This breadth of adoption from both the tool supply side and the AI consumer side is what distinguishes MCP from previous attempts at AI tool standardization. Both sides of the market showed up.

What it means for switching costs and vendor lock-in

The vendor lock-in implications of MCP adoption deserve careful analysis. The simple version of the story is that MCP reduces lock-in because switching AI providers no longer requires rebuilding all your tool integrations. This is true as far as it goes. If your AI application layer is built on MCP-compatible tool invocations, switching from Claude to Gemini or to a self-hosted open-source model requires changes to the model API calls and the response handling logic, but not to the MCP server layer that exposes your enterprise capabilities. The integration investment is preserved across model changes.

The more nuanced version recognizes that lock-in is layered. At the tool integration layer, MCP substantially reduces lock-in. At the model behavior layer - how the model uses tools, what prompting patterns work well, what the model's specific strengths and failure modes are - significant switching friction remains. Your production prompts, your few-shot examples, your evaluation benchmarks calibrated to a specific model's outputs: these are not portable through MCP. Switching AI providers with MCP is cheaper than without MCP, but it is not free.

There is also a subtler lock-in risk in MCP itself. The protocol is currently governed by Anthropic. While the specification is open and Anthropic has committed to collaborative governance, there is genuine risk that the standard evolves in directions that benefit Anthropic's models specifically, or that governance of breaking changes does not reflect the interests of enterprises that have made significant investments in MCP-based architectures. This is the standard risk of any infrastructure standard governed by a single commercial entity with interests in the market the standard serves.

Governance Questions: Security, Authentication, and Permissions

The governance and security surface that MCP creates is more complex than the integration efficiency story suggests, and it is the area where enterprise architects need to spend the most careful attention. When you give an AI system access to MCP servers covering your CRM, your data warehouse, your workflow automation, and your document store simultaneously, you have given that AI system a very large capability surface. The question is how you control what the AI actually does with that capability.

Authentication is the first layer. MCP servers need to authenticate both the client connecting to them (is this a legitimate AI application authorized to use this server?) and the human or service on whose behalf the client is acting (what permissions does this user have in the underlying system?). Early MCP implementations handled this inconsistently, with some servers using API keys, others OAuth flows, and others relying on network-level access controls rather than protocol-level authentication. The MCP specification has evolved toward more robust authentication requirements, but enterprise deployments need to audit their MCP server implementations carefully rather than assuming authentication is handled correctly.

Authorization is the second layer, and more complex. Even if authentication establishes who the user is, authorization determines what they can do through the AI system. Should an AI assistant be able to delete records from the CRM when asked to? Should it be able to modify financial data in the ERP? Should it execute arbitrary SQL against the data warehouse? These are questions that most organizations have policies about for human users, but the AI path through MCP servers creates a new action surface that may not be covered by existing authorization policies. Mapping your existing authorization framework onto MCP tool permissions is essential work that many organizations have not yet done.

The prompt injection risk is the third and most subtle governance concern. If an AI agent is using an MCP server to read documents, and one of those documents contains adversarial instructions designed to manipulate the AI's behavior, the AI may follow those instructions rather than the user's actual intent. This is the prompt injection attack vector applied to agentic contexts, and MCP's broad document access patterns create a substantial attack surface for it. Mitigation requires a combination of careful system prompt construction, human-in-the-loop checkpoints for high-consequence actions, and content scanning before documents are passed to AI systems through resource MCP servers.

The Developer Ecosystem and What It Signals

The best indicator of a protocol's long-term viability is whether developers choose to build with it when they have alternatives. By that measure, MCP's momentum is clear. The developer community did not wait for enterprise mandates or analyst reports before building MCP servers. Individual developers and small teams shipped MCP servers for the tools they used every day, motivated by the immediate productivity value of having their AI assistant integrated with their work environment.

This ground-up adoption pattern is strategically significant for enterprise decision-makers. When infrastructure adoption happens bottom-up from developers before top-down from enterprise procurement, it typically indicates that the standard is solving a real friction point rather than a theoretical one. Developers are a pragmatic audience. They adopt tools that make their immediate work easier and abandon tools that add complexity without benefit. The scale of voluntary MCP server development is evidence that the protocol addresses genuine integration friction.

The ecosystem also creates a compounding advantage for organizations that adopt MCP architectures. Every community-built MCP server is a potential integration that your AI systems can use with minimal additional investment. The organizational AI capability built on top of a broad MCP server ecosystem is more comprehensive than what could be built through custom integrations alone. Participating in the ecosystem - both by consuming community servers and by contributing MCP servers for your own systems - accelerates your AI capabilities at a fraction of the cost of building all integrations proprietary.

The one material risk worth naming explicitly: governance of the MCP standard remains concentrated at Anthropic, and the evolution path of the specification is not yet subject to the kind of multi-stakeholder governance that makes infrastructure standards genuinely safe to build on long-term. Organizations making significant architectural bets on MCP should monitor the governance structure carefully and engage in any industry consortium efforts that emerge to broaden oversight. The technical merits of the protocol are strong; the governance structure remains a question that the next two years will answer.

Primary Sources

  1. Anthropic, "Model Context Protocol Specification v1.0," modelcontextprotocol.io, 2024
  2. Anthropic, "Introducing the Model Context Protocol," Anthropic Blog, 2024
  3. MCP Community, "Official MCP Servers Repository," GitHub, 2025
  4. OpenAI, "Tool Calling and MCP Compatibility," OpenAI, 2025
  5. Google Cloud, "Gemini Agent Framework MCP Support," Google Cloud Blog, 2025
  6. Perez et al., "Prompt Injection Attacks on LLM-Integrated Applications," arXiv, 2024
  7. NIST, "AI Risk Management Framework 1.0," National Institute of Standards and Technology, 2023

Discuss your AI integration architecture

Book a conversation