For several years, the dominant model was a user talking to an AI chatbot that reached external systems through ad hoc tool calling; now, AI systems increasingly use the Model Context Protocol (MCP) to interface with external resources.
MCP lets a model access databases, perform computations, or pull in prompts, and its specification is more comprehensive than most people realize.
Future AI workloads will involve IT admins spinning up asynchronous AI agents that automate business processes, using MCP to reach internal enterprise tools that may sit behind security controls.
In one likely scenario, company users interact with chatbots that call MCP servers, which in turn query AI agents running in the cloud.
A simple example of tool use: an emotional support bot for employees that calls an external API to feed goats.
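To make that concrete, pre-MCP tool calling usually means describing each tool to the model as a JSON schema and then routing the model's tool calls to your own code; a minimal sketch, with a hypothetical goat-feeding endpoint:

```python
import requests

# Hypothetical goat-feeding endpoint; the URL and payload are made up for illustration.
GOAT_API = "https://api.example.com/v1/feed-goat"

# Classic tool calling: describe the tool to the model as a JSON schema...
FEED_GOAT_TOOL = {
    "name": "feed_goat",
    "description": "Dispense a snack to a goat to cheer up an employee.",
    "parameters": {
        "type": "object",
        "properties": {"goat_name": {"type": "string"}},
        "required": ["goat_name"],
    },
}

# ...then route the model's tool-call arguments to real code yourself.
def handle_tool_call(name: str, arguments: dict) -> str:
    if name == "feed_goat":
        resp = requests.post(GOAT_API, json=arguments, timeout=10)
        resp.raise_for_status()
        return f"Fed {arguments['goat_name']}!"
    raise ValueError(f"unknown tool: {name}")
```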
Traditional tool use like this is painful to wire up and therefore underutilized, and that pain is what led to the creation of MCP.
Reasons to move to MCP include an ecosystem of security tooling for interfacing safely and reliably, a single standard that any model can target, and stateful connections that enable better security and context management.
Building an MCP server is also genuinely fun and lets you make cool things.
Many people start by building an MCP server as an internal demo that connects a model to an API, and many never progress beyond that.
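A minimal sketch of such an internal demo, using the FastMCP helper from the official MCP Python SDK (the goat API endpoint is again hypothetical):

```python
import requests
from mcp.server.fastmcp import FastMCP

mcp = FastMCP("goat-support")

@mcp.tool()
def feed_goat(goat_name: str) -> str:
    """Dispense a snack to the named goat."""
    resp = requests.post(
        "https://api.example.com/v1/feed-goat",
        json={"goat_name": goat_name},
        timeout=10,
    )
    resp.raise_for_status()
    return f"Fed {goat_name}!"

@mcp.resource("goats://roster")
def goat_roster() -> str:
    """Expose the goat roster as a readable resource."""
    return "Billy, Clover, Nibbles"

if __name__ == "__main__":
    mcp.run()  # defaults to the stdio transport for local clients
```

Pointing a local MCP client at this script over stdio is enough to start calling the tool.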
The next step toward a robust MCP workload is adding authentication and authorization, which today is the core security requirement.
An externally reachable API should never be left unauthenticated or without access controls; doing so invites significant problems.
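One common shape for that check is verifying a bearer token and its scopes before any tool handler runs; a sketch, with a toy in-memory token table standing in for a real identity provider:

```python
import functools

# Toy in-memory token table standing in for a real identity provider.
TOKENS = {"tok_alice": {"sub": "alice", "scopes": ["goats:feed"]}}

def verify_token(token: str) -> dict:
    claims = TOKENS.get(token)
    if claims is None:
        raise PermissionError("invalid or expired token")
    return claims

def require_scope(scope: str):
    """Refuse to run a tool handler unless the caller's token carries the scope."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(token: str, *args, **kwargs):
            claims = verify_token(token)
            if scope not in claims.get("scopes", []):
                raise PermissionError(f"missing scope: {scope}")
            return fn(*args, **kwargs)
        return wrapper
    return decorator

@require_scope("goats:feed")
def feed_goat(goat_name: str) -> str:
    return f"Fed {goat_name}!"

# feed_goat("tok_alice", goat_name="Clover")  ->  "Fed Clover!"
```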
Taking an MCP server public typically means adding payment rails (e.g., Stripe) and a cloud hosting solution.
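If Stripe is the payment rail, one plausible pattern is gating tool calls on an active subscription; a sketch using Stripe's Python library (the API key and customer ID are placeholders):

```python
import stripe

stripe.api_key = "sk_test_..."  # placeholder key

def has_active_subscription(customer_id: str) -> bool:
    """Check whether the customer has at least one active subscription."""
    subs = stripe.Subscription.list(customer=customer_id, status="active", limit=1)
    return len(subs.data) > 0

def feed_goat(customer_id: str, goat_name: str) -> str:
    # Refuse to do paid work for customers who are not paying.
    if not has_active_subscription(customer_id):
        raise PermissionError("active subscription required")
    return f"Fed {goat_name}!"
```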
If the server goes viral, new challenges appear, such as free-credit abuse, which forces you to block bots at sign-up and tighten authentication controls.
Input validation becomes necessary to blunt prompt injection attacks, and MCP's dynamic client registration will flood developer dashboards with new clients, so all of your management tooling needs to be adapted for MCP.
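A rough sketch of both defenses, with a naive in-memory rate limiter and a crude deny-list filter standing in for real anti-bot and anti-injection tooling:

```python
import re
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_CALLS = 30
_calls: dict[str, deque] = defaultdict(deque)

def check_rate_limit(client_id: str) -> None:
    """Naive sliding-window limit; real deployments use shared state (e.g., Redis)."""
    now = time.monotonic()
    q = _calls[client_id]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    if len(q) >= MAX_CALLS:
        raise PermissionError("rate limit exceeded")
    q.append(now)

# Crude injection heuristics; a real filter would be far more thorough.
SUSPICIOUS = re.compile(r"ignore (all |previous )?instructions|system prompt", re.I)

def validate_input(text: str) -> str:
    if len(text) > 2_000:
        raise ValueError("input too long")
    if SUSPICIOUS.search(text):
        raise ValueError("input rejected by injection filter")
    return text
```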
Selling an MCP server into the enterprise requires adopting standard SaaS practices like SSO, lifecycle management, and provisioning.
Enterprises are expected to use SSO to provision access to internal resources exposed via MCP, encouraging employees to automate workflows with AI.
Enterprise deals also demand fine-grained access controls, robust audit logs (especially important for AI workloads under regulations like GDPR), and data loss prevention to contain the risks of broad chat-style access to servers.
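An audit trail can start as simply as recording who invoked which tool, with what arguments, and what happened; a minimal sketch (the field names are illustrative):

```python
import json
import logging
import time

audit = logging.getLogger("mcp.audit")
logging.basicConfig(level=logging.INFO)

def audited(fn):
    """Record caller, tool, arguments, and outcome for every invocation."""
    def wrapper(caller: str, **kwargs):
        entry = {"ts": time.time(), "caller": caller, "tool": fn.__name__, "args": kwargs}
        try:
            result = fn(**kwargs)
            entry["outcome"] = "ok"
            return result
        except Exception as exc:
            entry["outcome"] = f"error: {exc}"
            raise
        finally:
            audit.info(json.dumps(entry))
    return wrapper
```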
While logging users into AI chats and connecting AI systems to MCP servers are both becoming straightforward, several open questions remain.
One challenge is remote asynchronous workloads that must authenticate headlessly, performing dynamic client registration while still ending up with correct authorization controls.
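MCP's authorization story builds on OAuth, and dynamic client registration (RFC 7591) is how a headless client introduces itself before it can request tokens; roughly (the endpoint URL is a placeholder):

```python
import requests

# Placeholder authorization-server endpoint.
REGISTRATION_ENDPOINT = "https://auth.example.com/oauth/register"

# RFC 7591: the client POSTs its own metadata and receives credentials back.
resp = requests.post(
    REGISTRATION_ENDPOINT,
    json={
        "client_name": "nightly-report-agent",
        "grant_types": ["client_credentials"],
        "token_endpoint_auth_method": "client_secret_basic",
    },
    timeout=10,
)
resp.raise_for_status()
creds = resp.json()
client_id, client_secret = creds["client_id"], creds["client_secret"]
```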
Another is how asynchronous workloads call back out to the relevant humans; a new RFC in the MCP spec addresses this with elicitation, which lets a model pause and ask a human for input when it needs it.
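In code, elicitation surfaces on the tool's request context; a sketch assuming the current shape of the Python SDK (the tool and schema are invented for illustration):

```python
from pydantic import BaseModel
from mcp.server.fastmcp import Context, FastMCP

mcp = FastMCP("approvals")

class Approval(BaseModel):
    approve: bool

@mcp.tool()
async def delete_stale_records(table: str, ctx: Context) -> str:
    """Ask a human before doing anything destructive."""
    result = await ctx.elicit(
        message=f"About to delete stale rows from {table}. Proceed?",
        schema=Approval,
    )
    if result.action == "accept" and result.data and result.data.approve:
        return f"Deleted stale rows from {table}."
    return "Cancelled by user."
```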
The most significant pain point is passing scope and access control between different AI workloads: today's agent-to-agent (A2A) handoffs often run on "vibes" rather than robust authorization.
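A more robust alternative to vibes is OAuth 2.0 Token Exchange (RFC 8693), one way (not prescribed by A2A itself) for an agent to trade its broad token for a narrowly scoped one before delegating work; roughly (endpoint, token, and scope are placeholders):

```python
import requests

TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"  # placeholder
agent_a_token = "eyJ..."  # token the delegating agent already holds (placeholder)

# RFC 8693 token exchange: trade a broad token for a narrowly scoped one
# that is safe to hand to the downstream agent.
resp = requests.post(
    TOKEN_ENDPOINT,
    data={
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": agent_a_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": "reports:read",  # only what the downstream agent actually needs
    },
    timeout=10,
)
resp.raise_for_status()
delegated_token = resp.json()["access_token"]
```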
Cloud vendors are largely solving hosting, but authorization and access control remain the hardest parts of deploying MCP in external enterprise workloads.