MCP Is Enterprise Infrastructure. Security Hasn't Caught Up.
Model Context Protocol is now enterprise AI's connective layer. Security frameworks built for humans are not ready for agents at scale.
Model Context Protocol (MCP) was introduced by Anthropic in late 2024 as a technical spec: a standardized way for AI agents to connect to data sources and tools. Eighteen months later, it has become something more consequential: the connective tissue holding together enterprise AI deployments across industries. Medical imaging companies are running MCP-powered diagnostics. Data platforms are shipping MCP servers as core product features. Google has released an MCP Toolbox Java SDK. Atlassian’s Rovo, CData’s Connect AI, and Sectra’s enterprise imaging stack all went generally available with MCP at the center this quarter.
The protocol has earned its comparison to USB-C. It solved the most stubborn problem in enterprise AI adoption: integration complexity. Before MCP, connecting an AI agent to an organization’s existing software stack required bespoke API work, brittle middleware, and specialized engineering time measured in weeks. MCP turns that into configuration. Non-engineers can now wire AI into legacy systems. CIOs facing sprawling application portfolios have a practical path to deploying capable agents without rebuilding their infrastructure from scratch.
But the protocol’s rapid ascent is also exposing a structural gap that enterprise security teams are increasingly alarmed by. MCP servers are, by design, extremely permissive. And the security industry was not built for what’s coming.
The Protocol That Rewired Enterprise AI
MCP’s core value proposition is elegant: instead of hand-writing a tightly defined API contract between a client and a server, the server advertises its tools, resources and prompts with machine-readable schemas over JSON-RPC, the client discovers them at runtime, and the model on the client side decides which of them to invoke. Veteran security executive Andy Ellis described it last year as “a universal connector” that lets organizations “plug existing applications together instead of building complex systems out of thin air.”
That framing understates what’s happening. MCP doesn’t just simplify integration. It changes who can do the integration. A security analyst with no development background can connect a threat intelligence feed to an AI agent. A hospital administrator can wire patient record access into a diagnostic model. A CRM platform can expose customer data to autonomous service agents. The democratization of AI integration is real and accelerating.
The enterprise adoption curve has followed accordingly. RSA Conference organizers report that a large share of 2026 session submissions focus on MCP - a remarkable concentration for a protocol that didn’t exist two years ago. CData shipped enterprise-grade MCP agent tooling this week. TCS launched a Gemini AI Experience Center for manufacturing. Sectra is demonstrating MCP-powered autonomous imaging at HIMSS. The protocol has crossed from technical curiosity into deployment reality.
Why Security Teams Are Sounding the Alarm
Here is where the picture gets complicated. MCP servers tend to grant AI agents broad access to the tools and data sources they’re connected to. Unlike traditional APIs - which have decades of access control patterns, rate limiting conventions, and audit trail standards baked into their design - MCP implementations are still largely operating without agreed-upon security primitives.
Spiros Xanthos, founder and CEO of Resolve AI, put it bluntly at a recent VentureBeat AI Impact Series event: MCP servers are “actually probably worse than an API” from a security standpoint because APIs at least carry inherited controls that developers understand how to apply. MCP, by contrast, lets agents auto-discover available tools. That capability - which is genuinely useful - is also what makes it “extremely permissive” when access boundaries aren’t explicitly defined.
The accountability problem is equally sharp. Traditional security frameworks assume a human at the origin of an action. There’s a user, an identity, a login event, an audit log tied to a person. Agentic AI operating through MCP breaks that assumption. An agent acting on behalf of a user inherits that user’s permissions, or, with many of today’s locally launched servers, whatever API key or service account the server process was configured with, which may be broader than the user’s own. Tracking what the agent did with those permissions, across which systems, and on whose authority, becomes a labyrinth when multiple agents and humans are in the chain simultaneously.
Jon Aniano of Zendesk framed the governance question precisely: “Now you’ve got a human talking to a human that’s talking to an AI. The human tells the AI to take action. Who’s at fault if it’s the wrong action?” No industry standard answers that question yet.
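The two problems above, unrestricted tool discovery and the missing record of who asked an agent to do what, are concrete enough to show in code. The following is an added example, not code from the article, from Anthropic, or from any vendor it names. It stands up a hypothetical stub MCP server in-process (the helpdesk tool names, the `triage-bot` agent and the `alice@example.com` user are all constructed for illustration) and puts a small policy gateway in front of it. The message shapes follow the MCP JSON-RPC methods `initialize`, `tools/list` and `tools/call`; a real deployment would carry them over stdio or HTTP through an MCP SDK rather than a direct function call.

```python
"""Added example: a minimal MCP policy gateway with an audit trail.
A constructed stub server advertises tools over JSON-RPC; the gateway
discovers them, restricts each agent to an explicit allowlist, and writes
one audit record per attempted call naming both the human principal and
the agent acting for them. All names here are hypothetical."""
import json
from dataclasses import dataclass, field

PROTOCOL_VERSION = "2025-06-18"  # MCP spec revision whose message shapes are used


class StubMcpServer:
    """Constructed stand-in for a real MCP server: answers initialize,
    tools/list and tools/call in-process instead of over stdio/HTTP."""

    TOOLS = [  # hypothetical catalogue a helpdesk server might expose
        {"name": "read_ticket", "description": "Read a support ticket",
         "inputSchema": {"type": "object", "properties": {"id": {"type": "string"}}}},
        {"name": "update_ticket", "description": "Change ticket status",
         "inputSchema": {"type": "object", "properties": {"id": {"type": "string"},
                                                           "status": {"type": "string"}}}},
        {"name": "delete_customer", "description": "Permanently delete a customer record",
         "inputSchema": {"type": "object", "properties": {"customer_id": {"type": "string"}}}},
    ]

    def handle(self, raw: str) -> str:
        req = json.loads(raw)
        method, rid = req.get("method"), req.get("id")
        if rid is None:  # JSON-RPC notification (e.g. notifications/initialized): no reply
            return ""
        if method == "initialize":
            result = {"protocolVersion": PROTOCOL_VERSION, "capabilities": {"tools": {}},
                      "serverInfo": {"name": "stub-helpdesk", "version": "0.0"}}
        elif method == "tools/list":
            result = {"tools": self.TOOLS}  # a server hands every tool to any client that asks
        elif method == "tools/call":
            name = req["params"]["name"]
            result = {"content": [{"type": "text", "text": f"{name} executed"}], "isError": False}
        else:
            return json.dumps({"jsonrpc": "2.0", "id": rid,
                               "error": {"code": -32601, "message": "method not found"}})
        return json.dumps({"jsonrpc": "2.0", "id": rid, "result": result})


@dataclass
class PolicyGateway:
    """Sits between agent and server. It sees everything the server
    advertises but exposes only allowlisted tools to each agent."""
    server: StubMcpServer
    allowlist: dict                      # agent id -> set of tool names it may call
    audit_log: list = field(default_factory=list)
    _next_id: int = 1

    def _rpc(self, method, params=None):
        msg = {"jsonrpc": "2.0", "id": self._next_id, "method": method}
        if params is not None:
            msg["params"] = params
        self._next_id += 1
        return json.loads(self.server.handle(json.dumps(msg)))

    def initialize(self):
        resp = self._rpc("initialize", {"protocolVersion": PROTOCOL_VERSION, "capabilities": {},
                                        "clientInfo": {"name": "policy-gateway", "version": "0.0"}})
        self.server.handle(json.dumps({"jsonrpc": "2.0", "method": "notifications/initialized"}))
        return resp["result"]["protocolVersion"]

    def discover(self, agent_id):
        """Return (visible, hidden): tools the agent may use versus tools the
        server would expose to it if no policy sat in between."""
        advertised = {t["name"] for t in self._rpc("tools/list")["result"]["tools"]}
        allowed = self.allowlist.get(agent_id, set())
        return sorted(advertised & allowed), sorted(advertised - allowed)

    def call(self, user, agent_id, tool, arguments):
        allowed = tool in self.allowlist.get(agent_id, set())
        # Record every attempt, allowed or denied, with the full principal chain.
        self.audit_log.append({"on_behalf_of": user, "agent": agent_id, "tool": tool,
                               "arguments": arguments, "decision": "allow" if allowed else "deny"})
        if not allowed:
            return {"isError": True,
                    "content": [{"type": "text", "text": f"{tool} not permitted for {agent_id}"}]}
        return self._rpc("tools/call", {"name": tool, "arguments": arguments})["result"]


def demo():
    """Hypothetical triage agent: may read and update tickets, nothing else."""
    gw = PolicyGateway(StubMcpServer(), allowlist={"triage-bot": {"read_ticket", "update_ticket"}})
    gw.initialize()
    visible, hidden = gw.discover("triage-bot")
    gw.call("alice@example.com", "triage-bot", "read_ticket", {"id": "T-1"})
    denied = gw.call("alice@example.com", "triage-bot", "delete_customer", {"customer_id": "C-9"})
    return visible, hidden, denied["isError"], gw.audit_log


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of `discover` is the `hidden` list: it is what an agent with no gateway would have been offered, and it is the list a security team should be reviewing for every connected server. The audit record deliberately carries both `on_behalf_of` and `agent`, since a log that names only one of them cannot answer the “who’s at fault” question the article raises.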
The Gap Between Deployment and Governance
What’s happening in practice is that enterprises are deploying MCP-connected agents faster than they can build guardrails for them. The first MCP specification shipped without any authentication or authorization requirements. Later revisions added an OAuth 2.1-based authorization framework for HTTP transports, but it is optional, and servers launched locally over stdio still run with whatever credentials their host process holds. The frictionless original design drove adoption, and it created what security researchers have described as a protocol-level exposure that compounds with every new integration.
Netskope previewed dedicated MCP security tooling late last year. Splunk has developed fine-grained access controls for certain agent scenarios. But these are point solutions, not a framework. The industry “completely lacks the framework” for autonomous agents, as Xanthos put it. The tools that exist were designed for humans. Agents have different access patterns, operate at different volumes, and don’t behave the way user traffic models were built to flag.
The scale problem makes this urgent. Today’s agents act on behalf of humans with explicit, scoped permissions. But as Xanthos observed, organizations will soon run tens or hundreds of agents, each with their own identity and access profile. That creates “a very complex matrix” that existing identity and access management systems were not designed to govern.
What This Means for the Organizations Deploying MCP Now
Three things follow from the current state.
First, the integration benefits of MCP are real and the adoption wave is not going to slow down. The protocol solves genuine friction at scale. Organizations that refuse to deploy MCP-enabled agents will fall behind those that do. That is the clear implication of the adoption curve visible across this week’s enterprise announcements alone.
Second, the security gap is not hypothetical. It is structural, acknowledged by the companies building agents on top of MCP, and not yet addressed by any consensus framework. Organizations deploying MCP should be mapping exactly what each agent can access (the full tool list every connected server advertises, not just the tools the agent is expected to use), treating every MCP connection as an extended attack surface, and auditing agent actions with the same rigor applied to privileged human accounts, with each record naming both the agent and the person it acted for.
Third, standardization is coming, but it is not here yet. The agent infrastructure race has moved far faster than the governance layer beneath it. Enterprise AI infrastructure investment is accelerating, but the security primitives that should accompany that investment are still catching up. The companies that build strong agent governance practices now will have a structural advantage when standards do arrive - because the audit trails, access controls, and accountability frameworks they build for today’s deployments will be what regulators and enterprise buyers check first.
The Inflection Point Is Now
MCP’s trajectory mirrors every major infrastructure standard that preceded it. TCP/IP shipped without security. HTTP shipped without HTTPS. APIs shipped without OAuth. In each case, the connectivity layer moved first, adoption followed, and security primitives arrived later - often under pressure from breaches that could have been avoided.
The question for 2026 is whether MCP follows the same painful arc or whether the enterprise AI community moves faster than it did with those prior transitions. The raw ingredients for a better outcome exist: the protocol is documented, the risks are known, and security vendors are actively building solutions. What’s missing is a consensus framework that moves as quickly as the agents themselves.
Based on the adoption velocity visible this week, that framework needs to arrive before the year is out. The deployments are not waiting for it.