New MCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master Key
Read More
An MCP server is a software layer that exposes a set of typed tools, resources, and prompts to AI clients through the Model Context Protocol, an open standard introduced by Anthropic in November 2024 to give LLM applications a uniform way to connect to external systems.
The protocol uses JSON-RPC 2.0, with stdio for local servers and streamable HTTP for remote servers. The MCP server publishes what it can do at session start; the AI client picks tools at runtime based on user prompts. The architecture exists for a single reason: the consumer is an LLM agent that has to discover what is available, pick the right capability, and chain calls without prior knowledge of the capabilities available.
Most discussion of MCP focuses on protocol mechanics: tool discovery, JSON-RPC, transport layers, and integration patterns. Those topics matter, but they are not what determines whether an enterprise deployment survives a production review. The more challenging issue is governance. Identity propagation, per-user audit attribution, and data-boundary enforcement are where working pilots most often fail.
Learn how Ally applied graph analytics and contextual investigation tools to uncover complex fraud networks and strengthen fraud prevention.
Read Case StudyThe protocol arrived in November 2024. In the eighteen months since, Microsoft, Google, AWS, and Cloudflare have all published reference implementations or first-party integrations. Over thirty Common Vulnerabilities and Exposures (CVEs) were filed against MCP servers and infrastructure between January and February 2026 alone, with vulnerabilities ranging from path traversal flaws to a CVSS 9.6 remote code execution in a package downloaded nearly half a million times. The gap between high adoption rates and lagging security issues.
Solution design is simply a requirements decision. What makes the MCP server vs REST API discussion a live conversation right now is that most current writing on MCP weighs the functional requirements heavily and under-weights the non-functional ones. The non-functional requirements are often where production reviews are won or lost.
The functional axis is the part the field handles well:
The dominant advice of "build both, wrap REST in MCP" stops at this level and treats the choice as resolved.
The non-functional dimension though is where the field gets quieter. Identity propagation. Per-user audit attribution. Data egress and boundary control. Latency under tool composition. Token cost when the agent has to load tool schemas at session start. These are the dimensions that decide whether a working pilot survives a production review, and they are the dimensions the discourse under-weights.
Putting the two axes together gives a simple test:
Two of those three MCP conditions are not enough. Teams regularly satisfy the functional requirements and then discover that governance is the condition that actually qualifies the deployment. It is the difference between a successful pilot and a deployable production system.

The table below provides a comparison of MCP and REST.
| MCP server | REST API | |
|---|---|---|
| What it is | An open protocol layer that exposes typed tools, resources, and prompts to AI clients via JSON-RPC 2.0, using stdio for local servers and streamable HTTP for remote servers. | An architectural style for stateless HTTP access to resources, defined by URL paths and verbs. |
| Primary consumer | LLM agents and AI applications via MCP-compliant clients. The client is non-human and discovers what is available at runtime. | Application code written by humans. The client knows in advance what it is calling and why. |
| Discovery model | In-protocol self-description. The client retrieves tool, resource, and prompt schemas at session start. | Out-of-band documentation. OpenAPI or Swagger schemas, or human-authored docs the developer reads first. |
| State model | Stateful session with shared context across calls in the same connection. | Stateless per request. Each call carries its own auth, parameters, and context. |
| Identity propagation | OAuth 2.1 to the MCP server. Forwarding the requesting user's identity through the agent into the underlying system is implementation-dependent and the most common production failure point. | Per-request auth header. The caller decides what identity context to send, and the back-end enforces against it. The pattern is well-understood. |
| Best-fit case | Agent runtimes that need dynamic tool discovery, multi-tool reasoning, and a self-describing interface for non-human consumers. | Stable, predictable, system-to-system integration where the contract changes slowly and the consumer is known in advance. |
The important distinction is not that MCP and REST serve different consumers. Most architects already understand that. The more consequential distinction is governance. REST inherited decades of patterns for propagating user identity, enforcing permissions, and attributing actions. MCP is still developing those operational patterns. The architectural risk is not adopting MCP. The risk is assuming the protocol solves governance problems it was never designed to solve.

Five components make MCP work: tools, resources, prompts, transport, and authorization.
The first four explain why MCP is useful. Tools expose actions an agent can invoke. Resources expose structured context. Prompts provide reusable workflows. Transport standardizes communication between client and server.
Authorization is different. It determines whether the identity of the requesting user survives the trip from the AI client, through the MCP server, and into the underlying system. That is where most enterprise deployments encounter trouble. A server can expose well-formed tools, use OAuth correctly, and successfully execute requests, yet still lose the identity of the originating user before reaching the back-end system. The result is an agent operating under a shared service account, with accountability detached from the human who initiated the action.
That distinction matters because production reviews rarely fail due to tool schemas or transport protocols. They fail when auditors discover that actions cannot be reliably attributed to individual users.
Three governance failures repeatedly surface in enterprise MCP deployments;
The same pattern sits behind all three failures. Enterprise integration evolved around known applications calling known interfaces. MCP changes the assumption. The consumer is now an agent that discovers capabilities at runtime and decides what to do mid-session. The protocol arrived quickly. The governance patterns needed to support it are still catching up.


Dr. Michael O’Donnell is a Senior Analyst covering data management strategy, with a particular interest in the gap between data and business value. He tracks the full stack (converged platforms, semantic enrichment, knowledge graphs, data products) is interested in what each gets right, where it stops short, and what that pattern keeps revealing. His measure is simple: can the person who needs the answer get it without an engineer in the middle.
Contact