New MCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master KeyMCP Server: Your Agents Get a Badge, Not a Master Key
Read More
Consider this scenario: an investigator asks an AI agent to summarize a case, identify connected entities, draft a narrative, and flag unusual transactions. MCP helps the AI agent access the tools needed to do that work. The question is what happens between those tool calls.
Gartner projects that up to 40% of enterprise applications will include task-specific AI agents by the end of 2026, up from less than 5% today. Most of those agents will reach external systems: databases, APIs, knowledge graphs, or document stores. MCP is the standard most of them will use to do it.
MCP is an open standard that defines how an AI agent discovers and calls external tools. Anthropic released it in November 2024 with launch partners including Block, Apollo, and several developer tool providers. Within 13 months, OpenAI, Google DeepMind, and Microsoft had all shipped support. By Q1 2026, there were more than 17,000 public MCP servers across registries and 97 million monthly SDK downloads. Anthropic donated governance to the Linux Foundation in December 2025.,
Before MCP, connecting an agent to ten tools meant ten custom integrations. Five agents meant fifty. MCP changes that math: one server per tool, one client per agent. A tool built once works with any compatible agent, without rebuilding the connector each time.
Learn how Ally applied graph analytics and contextual investigation tools to uncover complex fraud networks and strengthen fraud prevention.
Read Case StudyMCP occupies one specific point in the chain:
User → LLM → Agent → MCP → Tools & Data
The user makes a request. The agent interprets it, plans what to do, and decides which tools it needs. MCP is the connection layer: it exposes those tools in a consistent way so the agent can call them without custom integration work for each one. The tools and data systems on the other side execute the actual work and return results. Three roles, cleanly separated: the agent decides, MCP connects, systems execute.

MCP gives agents a consistent way to find what tools are available, call them, and get results back:
Tool discovery. An agent can ask an MCP server what it offers and receive a structured list. The server publishes this once. Any compatible agent can use it without custom configuration.
Tool invocation. The same call-and-response pattern works across any tool and any provider. A knowledge graph query, a case management lookup, a document reader: all follow the same contract.
Session context. The server remembers what tools it offered during a session. The agent doesn't have to rediscover them at every turn.
In practice, this means a financial crime investigation tool built as an MCP server today works with any MCP-compatible agent: a Claude-based one, a GPT-based one, or a future agent not yet written. The reuse is the real value.

MCP handles the tool calls. It doesn't handle what happens between them.
Four gaps come up consistently in production:
1. Memory between steps. An agent reviewing a contract calls multiple tools, reads several documents, and builds a working picture of the document. MCP doesn't keep that picture between calls. Without a memory layer, the agent starts fresh on each step.
2. Long-running operations. A 30-second tool call fits inside a model turn. A 30-minute data export or an overnight job doesn't. MCP wasn't built for operations that run past a single turn. Teams building those workflows add a task management layer on top.
3. Error recovery. When a tool call fails (a timeout, a service outage, an expired credential), MCP reports the failure and stops. It doesn't tell the agent whether to retry, how long to wait, or when to escalate. That logic sits in the layer above.
4. Coordination between agents. A research agent handing part of the work to a specialist coding agent. MCP defines how an agent connects to tools. It doesn't define how one agent passes work to another. Production multi-agent stacks wire that separately.
None of this is a design flaw. MCP was built to solve tool access. It does that well. The gaps are where the adjacent problems live.
Most teams running agents in production add two or three layers around MCP:
An orchestration layer manages the agent loop: what the agent tries next, what it carries forward from earlier steps, how it handles failures. LangGraph, the OpenAI Agents SDK, and CrewAI all work here. They own the reasoning loop and the working state inside it.
A task management layer handles operations that run longer than a single turn. The agent submits a request, gets a handle back, and checks in later for the result. MCP's 2026 roadmap includes an experimental feature designed for this. Most production teams use their orchestration framework's built-in scheduler or build their own.
A coordination layer handles handoffs between agents. Google's Agent-to-Agent (A2A) protocol covers this as an open standard. In practice it sits alongside MCP: MCP for tool access within each agent, A2A for passing work across agent boundaries.
Anthropic's Claude Managed Agents platform, launched in public beta in April 2026, is a hosted version of this full stack: sandboxing, memory, tool execution, and error recovery all included. The same teams who designed the base MCP protocol now offer the layer that sits above it.
Four questions come up regularly in production evaluations.
What does this cost to run? MCP loads a list of available tools into the agent's context at the start of each session. Every tool call in that session carries that cost. Anthropic's engineering team published a worked example in April 2026: converting a document to a CRM record used around 150,000 tokens through the standard tool-calling path, and 2,000 tokens when the agent generated code to call the tools instead (a 98.7% reduction). At the scale of thousands of daily sessions, that difference is significant.
Who is responsible for security? The protocol doesn't vet the servers an agent connects to. An April 2026 OX Security audit found roughly 7,000 publicly exposed MCP servers with insecure defaults, and estimated 200,000 MCP deployments at risk. Nine of 11 MCP registries accepted a proof-of-concept malicious package without security review. Server vetting and access control are the operator's responsibility.
How much visibility do you have? At the protocol level, MCP records that a tool was called and what it returned. It doesn't record which permissions were active, whether a retry wrote twice, or what the agent decided next. Regulated industries need that audit trail. It lives above MCP, not inside it.
How much are you building versus buying? MCP's 2026 roadmap calls enterprise readiness "the least defined of the four priorities," with audit trails, SSO-integrated authentication, and configuration portability all still in progress. The Stacklok 2026 software survey put MCP at 41% of organizations in limited or broad production. Many regulated-industry buyers are building the missing layers themselves while the spec catches up.


Dr. Michael O’Donnell is a Senior Analyst covering data management strategy, with a particular interest in the gap between data and business value. He tracks the full stack (converged platforms, semantic enrichment, knowledge graphs, data products) is interested in what each gets right, where it stops short, and what that pattern keeps revealing. His measure is simple: can the person who needs the answer get it without an engineer in the middle.
Contact