When Anthropic quietly released the Model Context Protocol in November 2024 as an open standard for connecting AI systems to external tools and data sources, most of the industry treated it as a developer convenience. A cleaner way to build integrations. A solution to the repetitive work of writing custom connectors for every tool an AI assistant needed to access. The protocol’s adoption velocity over the following 18 months has produced something considerably more significant than a developer convenience.
OpenAI adopted MCP in March 2025. Google DeepMind confirmed support in April 2025. Microsoft shipped MCP servers for GitHub, Azure, and Microsoft 365 by Q3 2025. By April 2026, the MCP Python SDK had crossed 164 million monthly downloads on PyPI, over 10,000 public MCP servers were active, and 78% of enterprise AI teams reported at least one MCP-backed agent in production. That is not the adoption curve of a developer convenience. It is the adoption curve of infrastructure.
Why the Right Comparison Is Not to AI Tooling Standards
The comparison that matters is not to previous AI tooling standards. It is to the protocols that became the foundational infrastructure of the previous era of computing. HTTP became the universal language of web communication not because it was technically superior to alternatives but because it achieved cross-vendor adoption at the moment when web communication was becoming economically important. OAuth 2.0 became the universal standard for delegated authorisation not because it was elegant but because major platforms converged on it. MCP is following the same pattern at the same kind of inflection point.
AI agents are becoming economically important. The question of how those agents connect to the data, tools, and systems they need to act is being answered by MCP. The Agentic AI Foundation, which now governs MCP under the Linux Foundation with Anthropic, OpenAI, Block, AWS, Google, Microsoft, and Cloudflare as founding members, is the governance structure of infrastructure, not of developer tooling.
What MCP Actually Controls
Understanding why MCP is consequential requires understanding what it actually controls. Before MCP, connecting an AI assistant to a company’s data required building a custom integration for every combination of AI model and data source. The N times M problem meant that a company with five AI tools and ten data sources needed fifty custom connectors. MCP collapses that to N plus M by providing a universal interface that any MCP-compatible AI client can use to connect to any MCP-compatible data server without custom integration work. That efficiency gain is real and valuable, but it is not the strategic implication that matters most.
The strategic implication is that MCP defines the interface layer between AI agents and the rest of the digital economy. Every enterprise system, data source, and tool that an AI agent needs to access to perform useful work must either implement MCP natively or be wrapped in an MCP server. The operator of that MCP server controls what the agent can see, what actions the agent can take, and what data flows back to the AI system. MCP governance therefore determines who sets the rules for how AI agents interact with the world’s data and systems. Anthropic, OpenAI, and Google jointly govern MCP through the AAIF steering group. That three-company steering group is making decisions about the interface layer that will connect every AI agent to every enterprise system for the foreseeable future. The industry has not fully absorbed what that means.
The Infrastructure Control Implications
The USB-C analogy that MCP’s proponents use to describe the protocol is accurate as far as it goes. USB-C provides a universal physical connector standard that allows any device to connect to any peripheral without proprietary cables. MCP provides a universal protocol standard that allows any AI agent to connect to any data source without proprietary integrations. The analogy reveals the strategic significance as much as it explains the technical function. USB-C’s adoption made the USB-C connector a mandatory interface for every device manufacturer who wanted to participate in the consumer electronics ecosystem. MCP’s adoption is making MCP server implementation a mandatory requirement for every enterprise software vendor who wants their systems to be accessible to AI agents.
That mandatory quality is already visible in the enterprise software market. By Q2 2026, community-built MCP servers existed for GitHub, Slack, PostgreSQL, Stripe, Figma, Docker, Kubernetes, and over 200 other tools. HubSpot, Salesforce, and Google Ads have all shipped MCP servers with hundreds of production deployments. Enterprise software vendors who do not ship MCP servers are becoming less accessible to AI agents than competitors who do. That competitive pressure is driving MCP adoption faster than any regulatory mandate could, creating a self-reinforcing network effect that makes MCP’s position as the dominant agent connectivity standard increasingly durable. As covered in our analysis of the export controls splitting the global AI infrastructure market, the standards and protocols that define how AI systems connect to the broader digital economy are as strategically significant as the hardware that runs those systems. MCP is becoming one of those standards.
The Security Dimension That Governance Must Address
The rapid adoption of MCP has produced a security surface area that the protocol’s governance structure is still catching up with. A comprehensive security analysis found that 43% of public MCP servers have at least one vulnerability, and 5.5% already have poisoned tool descriptions in the wild, where malicious instructions hidden in a tool’s metadata can cause an AI agent to take harmful actions without the user’s awareness. In controlled testing, these tool poisoning attacks succeed 84% of the time when agents run with auto-approval enabled. The attack surface is not theoretical. It is present in production systems that enterprise organisations are deploying today, often without adequate awareness of the security implications of connecting AI agents to their data and systems through a protocol whose public server ecosystem has more vulnerabilities than the 18-month-old standard’s governance structure has yet had time to address.
The security dimension matters for the infrastructure argument because infrastructure that is insecure at scale is infrastructure that will face regulatory intervention. The EU AI Act’s requirements for AI systems used in high-risk applications, the evolving FERC frameworks for AI systems interacting with energy infrastructure, and the US government’s growing attention to the security of AI agent access to critical systems all create regulatory trajectories that will eventually intersect with MCP’s role as the universal agent connectivity protocol. The AAIF’s governance of MCP will determine whether the security standards embedded in the protocol are strong enough to satisfy those regulatory requirements or whether external regulation imposes security requirements on top of the protocol. That governance question has infrastructure-scale consequences for every organisation building AI agents on the MCP standard.
